Archive for the ‘Operations’ Category

Security Breaches: A Lesson For All From A Small Company

December 16, 2014


News of security breaches has become so commonplace that we hardly react with surprise or outrage any longer. The scenario plays out in an almost scripted fashion. Computer hackers located in Russia or China identify a system’s vulnerability, break in, and steal sensitive customer or patient (in the case of electronic medical records) information. Defending against these outsider attacks has become a high priority for any organization which possesses confidential records. The failures which make headlines are those where data thieves have looted the systems of large entities containing millions of records and huge infrastructures. We’ve all been impacted to some degree as consumers, but as business managers and owners we may harbor a false sense of immunity to data security breaches. A recent action brought by the Department of Health and Human Services Office of Civil Rights (OCR) brings the problem closer to home for smaller entities which manage more limited amounts of information.

The case involves Anchorage Community Mental Health Services, Inc. (ACMHS), a five-facility nonprofit provider of behavioral health care services to children, adults and families in Anchorage, Alaska. As required by the Health Insurance Portability and Accountability Act (HIPAA), ACMHS notified OCR of a breach of 2,743 patient records caused by malware on one of its desktop computers. OCR conducted an investigation of the incident and found ACMHS had failed to protect sensitive patient information. On December 10, 2014, ACMHS agreed to pay a $150,000 fine and undertake a corrective action plan to address the deficiencies which caused the breach. Here is what OCR’s investigation revealed:

1) ACMHS had adopted HIPAA security policies and procedures, but they were not followed by the organization’s employees for a seven-year period, from 2005 to 2012.

The practices at ACMHS are not unique to health care providers. All too often organizations maintain a template of written policies and procedures which are not tailored to the organization’s actual method of operation. For health care providers, simply having in place template policies and procedures is insufficient to satisfy HIPAA requirements. Organizations outside the health care industry do not face monetary penalties for security breaches but nonetheless are exposed to data security risk for failure to evaluate compliance with written data security protocols.

2) ACMHS failed to update its software.

OCR found that the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating its IT resources with available patches and running outdated, unsupported software. The settlement agreement stated that ACMHS failed to “ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.” Once again, all organizations, not just health care businesses, can suffer losses for delaying or neglecting software updates. It’s not always an easy task, and the cost to implement an upgrade may push it down on the company’s priority list. But the downside to avoiding the upgrade process has potential for serious consequences, not to mention the eventual value impact on the organization caused by using old software.

C3 Advisors, LLC
December 15, 2014

C3 Advisors converges the three essential business elements—Process, People and Technology—to help businesses thrive, not just survive, by improving profitability and reducing risk. Our services help our clients improve process optimization, people integration and technology maximization.
Process Optimization focuses on establishing formalized operational functions that facilitate increased productivity, mitigate risk, and provide the foundation for optimal profitability.
People Integration addresses staffing and workforce issues that are critical to the success of continually cost efficient, low risk and productive processes.
Technology Maximization ensures the ROI on a technology investment is fully realized through complete use of systems functionality and business intelligence.

We have specific expertise in post-acute healthcare, technology and service companies. Please visit our website at http://www.c3advisors.com and for direct information about how C3 Advisors, LLC can assist your business, please call us at (630) 510-3181 or email us at debd@c3advisors.com.
Find us on Facebook and LinkedIn. Subscribe to our newsletter by emailing debd@c3advisors.com.


Are LinkedIn Contacts Protectable Trade Secrets? For Now, The Answer May Be Yes

November 13, 2014


Stealing customer lists from an employer for competitive motives is nothing new. Court dockets are full of legal disputes between employers and former employees for trade secret theft. One recent case, though, is worth careful consideration because of its implications for social media in a business development context. The controversy involves an employer which sued a former salesperson for trade secret protection of the LinkedIn contacts that individual maintained after he was terminated from employment. Given the vast networks of individuals and organizations available to the 300 million LinkedIn users across the globe, it hardly seems likely that such information could be deemed secret. But for now, the courts have agreed with the employer’s claim that the former employee misappropriated its proprietary information. Employers and anyone in a sales or business development role should pay close attention to this case as it winds its way through the courts.

The majority of facts in this case are not unusual. David Oakes worked as a sales manager for Cellular Accessories for Less, Inc. (Cellular) from 2004 to 2010. While employed there he signed an employment agreement that precluded him from removing any proprietary information from Cellular, either physically or electronically, including Cellular’s customer database. He also signed a statement of confidentiality forbidding the disclosure or use of the company’s information without prior consent. In 2010, Cellular terminated Oakes, and he then struck out on his own to start a competing business, Trinitas, Inc. Shortly after his termination, Oakes emailed himself a file containing the contact information for more than 900 personal and business contacts, another file with information for purchasing agents, detailed client billing preferences, client pricing requests and a Cellular strategy document. What merits attention is that he also maintained his LinkedIn contacts after termination. Subsequently, Cellular sued Oakes for trade secret misappropriation. See Cellular Accessories for Less, Inc. v. Trinitas, LLC, No. CV 12-06736 DDP (C.D. Cal. Sept. 16, 2014).

Customer lists are not trade secrets, per se, because they may contain information which is readily accessible through open sources. They tend to be considered trade secrets when time and money have been expended through sophisticated methods to compile the information. The court agreed with Cellular in this instance that the customer lists taken by Oakes are trade secrets due to the economics of their creation and development. But LinkedIn is commonly viewed as a personal network, not the proprietary information of an employer. So why did the court rule in favor of Cellular? Here are the arguments which resulted in that decision.

Oakes asserted that the LinkedIn contacts were not secret because Cellular had encouraged its employees to create and use LinkedIn, his contacts were viewable to any other contact he has on LinkedIn, and any competitor could search LinkedIn to recreate the list. Finally, he argued that Cellular authorized salespeople to disclose the identities of clients to other customers as a way of attracting new business and failed to inform employees that the LinkedIn contacts were proprietary or confidential.

Cellular refuted Oakes’ defense, saying that LinkedIn contacts are not automatically viewable because an account is only visible to the extent that the user chooses to make it public. LinkedIn is not configured to automatically share contact information and Oakes deviated from the default settings in deciding to make his network public. The court declined to take judicial notice of the functions of LinkedIn (judicial notice allows a court to accept the existence of a commonly known fact) and stated that the parties did not make clear the extent to which the contacts were made public, or whether it was done with Cellular’s permission.

Considering that social media has become inextricably woven into marketing and business development philosophies at every level of commerce, this ruling should be carefully examined. The concept that a social media account is not public and that it belongs to an employer may be difficult for an employee to understand. From the employer’s perspective, a client list may lose its value as a trade secret if employees are encouraged to use social media without restrictions for business development purposes. What’s more, as demonstrated by Cellular v. Trinitas, it cannot be assumed that judges understand the intricacies of social media forums, including the mechanics of privacy settings. While there is no perfect solution, businesses can establish practices to better protect their trade secrets.

Agreements and Policies—Frequently update employment contracts, non-compete agreements, non-disclosure agreements and social media policies to redefine trade secrets in the context of online networking and spell out restrictive terms and conditions regarding the use of various social media platforms. Specify that the accounts remain the property of the company.

Training—Educate employees regarding the proprietary and confidential nature of customer information located in social media platforms, privacy settings and how to avoid unwanted disclosure.

Business-Only Social Media Accounts–Require that employees’ personal social media accounts remain completely separate from their business accounts, which should be linked only to a company email address.

Client Database—Establish a password protected internal database to which employees should add any client contact information that they obtain through social media or otherwise.

Costs—Maintain records which capture the time and money spent to develop customer lists.

Employee Termination–Upon employment termination, voluntary or otherwise, terminate the employee’s access to business accounts.

The federal judge denied Oakes’ motion for dismissal and found that the case can move forward. Stay tuned for the next phase, and consider changes to policies and procedures which are important for the protection of company proprietary information.

C3 Advisors, LLC
November 13, 2014


Is Digital Hoarding Hurting Your Business?

October 15, 2014

 


Hoarding shows are popular these days. The images are consistent: Boxes stacked to the ceilings. Piles of newspapers dating back to the Nixon era. Feral cats skittering behind furniture. Empty cans of cat food, beans and soup scattered everywhere. Most people know a hoarder. Maybe it’s an aunt. Maybe it’s the neighbor with a sofa on the front porch and motorcycle parts strewn across the lawn. Or, maybe it’s you. Have you taken a look at your email inbox lately?

What Is Digital Hoarding?
Digital hoarding, also known as e-hoarding, is excessive acquisition and reluctance to delete electronic material no longer valuable to the user. The behavior includes the mass storage of digital artifacts and retaining unnecessary or irrelevant electronic data. As with physical space in which excess items are described as clutter or junk, excess digital media is often referred to as “digital clutter.” Digital hoarding occurs in any electronic space where information is stored. In a business setting the areas where digital clutter may exist are email inboxes, electronic documents and file folders, excessive desktop icons, old software/computer programs/apps no longer being used, and Internet bookmarks no longer being referenced. Hoarding of electronic information is a common problem that reduces employee productivity, raises information technology operational expense and heightens the risks and costs of regulatory action and litigation. We’re probably all guilty of holding onto some information we really don’t need and will never use again. Our collective proclivity for accumulating vast quantities of digital information has resulted in the following statistics reported by Contoural Inc.:
• The size of the digital universe in 2012 was estimated at 2.7 zettabytes (2.7 trillion gigabytes), and is forecast to be 40 zettabytes by 2020 – a 50-fold growth since 2010 (source: IDC).
• Businesses sent and received 89 billion emails per day in 2012 which should grow to over 146 billion by year-end 2016 (source: Radicati Group).
• Unstructured data (files, documents, information generated by applications) is growing at up to the rate of 80 percent (source: Gartner).
The widespread availability of content on the Internet makes it easier for users to obtain digital information, and since it does not take up physical space it is less likely to be perceived as clutter. Digital hoarding stems from a variety of individual habits coupled with corporate conditions and trends. We can all relate to one or more of the following reasons for holding on to digital content: fear of losing something important, no methodology for determining which content is worth keeping, lack of time to evaluate and delete unnecessary records, and inexpensive data storage options that reduce the need to save data selectively.

Why Is Digital Hoarding A Problem For Businesses?
Findability—The more you save, the more you will have to sift through. A recent survey by the technology market research firm Radicati Group reported that “the typical corporate email user sends and receives about 105 email messages per day.” That is a lot of email to process, categorize or store. Heavy users of email see upwards of 200 to 300 messages per day. Add documents, spreadsheets and presentations, and this number balloons. Sorting through old messages and rummaging through our boxes strips hours from each day. If you’re a well-paid knowledge worker, the productivity lost while purging old files may well cost your organization more than the bloated storage costs. That is, until it comes time to find something. Powerful search engines like Google create the illusion that information is always at our fingertips. The reality is that even for large organizations with enterprise search capabilities, findability falls way short in terms of efficiency. For businesses which rely solely on desktop and email search for digital content retrieval, the process causes even more lost productivity.
Data Security—Digital content is vulnerable to anonymous attacks from thousands of miles away. Data can be stolen, altered, misused, and abused by foreign governments and cyber criminals alike, as well as by negligent or disgruntled employees and bored teenagers. Securing email and desktop documents from a data breach may not be considered as a serious matter compared with protecting a system or application from data destruction or theft. Nonetheless it is one component of an organization’s digital presence, which must be guarded in totality.
Litigation Discovery—The problem of saving too much information can come back and bite an organization during the discovery phase of a lawsuit. According to Jeff Fehrman, vice president of forensics and consulting at Integreon, a provider of legal and research solutions, e-hoarding becomes an even more serious problem when your organization faces a lawsuit. “During the discovery phase, if you don’t have your data properly classified and legal teams are handling a bunch of information that is not relevant to the case, you can spend millions on e-discovery,” he says.
Judy Selby and James A. Sherer of the law firm BakerHostetler explain that stakeholders should understand that all that stored data might become discoverable in litigation, and a store-everything approach is no defense. Even if data isn’t subject to production in a given lawsuit, it still might be subjected to a litigation hold, collected and subsequently reviewed by counsel—at a significant per-hour cost—even if it is later determined that it need not be produced. In addition, the costs, administrative burden, functionality disruptions, and inefficiencies associated with subjecting data to legal holds can be quite substantial.
Storage and Backup—Although the hard cost of data storage has trended downward over the past few years, the cost is still real and adds up, especially when carried out ad infinitum. While the cost of storing data has dropped, ancillary costs haven’t, including costs for adding space in data centers and paying for escalating HVAC bills. As data grows, the chore of backing up critical data becomes more costly and complex.

Can The Problem Be Corrected?
How does the average professional know what will not prove to be valuable information months and years later? And should the decision as to what should be retained be left to individual employees? Large organizations tend to rely on enterprise systems and information governance policies where information is under management’s control and digital hoarding is not allowed. Unfortunately, the benefits of these content management tools are often undermined when employees, who are afraid of losing their information, save it elsewhere without security and lawsuit discovery protections.
For organizations, large and small, how do we get employees to understand that hanging on to useless content makes about as much sense as saving empty cereal boxes and hundreds of old plastic bags? Ingrained habits can be difficult to change. Businesses which are successful at managing digital content are those with an organizational culture which creates, communicates and enforces policies and procedures for content retention and deletion, from the C-suite down. The first step in changing rooted practices may be to ask employees to consider this question each time they save digital content—“Would you save it if it were paper?”

C3 Advisors, LLC
October 15, 2014


Cyber Insurance: What Is It and Who Needs It?

August 15, 2014


Breaking news earlier this month reported one of the biggest cyber attacks ever. A cybercrime gang of fewer than a dozen people from south central Russia had amassed a staggering 1.2 billion user name and password combinations and 500 million email addresses from poorly protected sites. The level of complexity involved in their work seems worryingly basic—checking company websites for vulnerabilities, and then once found, stealing user credentials. An attack of this magnitude should cause all business owners and managers to reconsider the security of their systems and question whether their risk protection is adequate. As headline stories of cyber attacks and data breaches have increased, so has the demand for cyber insurance among companies as they expand their risk mitigation strategies.

What Is Cyber Insurance?
The cyber insurance market is still in its infancy and as such cyber insurance is not a standard product. Policies are tailored to the unique needs of the insured but protect against first party and third party risks.

Third Party Coverage—Insures for the liability of the policyholder to third parties, including clients, business associates and governmental entities. This type of insurance is more readily available than first party insurance, described below.
• Litigation and regulatory costs of lawsuits, judgments, settlements and penalties
• Legal and other professional expenses in responding to inquiries from governmental entities and the related expenses of fines, penalties or other sanctions
• Costs to notify clients, employees or victims of a cyber event
• Crisis management and public relations costs of a cyber event
• Media liability for copyright, trademark or service mark infringement for online publication by the insured
• Liability to clients or employees for a privacy breach

First Party Coverage—Insures for losses to the policyholder’s data, lost income or other harm to the business. This type of insurance is less prevalent because of the limited amount and nature of coverage it offers.

• Destruction or loss of data due to a cyber event
• Theft and transfer of funds
• Legal and other professional services to assess, mitigate or stop a cyber attack
• Business interruption and lost income related to a cyber event
• Extortion payments for threats to disclose sensitive information and related investigations
• Loss of computer-related assets and data restoration
The Department of Homeland Security Cybersecurity Insurance Workshop Report states that one of the obstacles in developing a robust cyber insurance market, especially first party coverage, is the widespread, mistaken belief that standard corporate insurance policies and/or general liability policies already cover most cyber risks. Some of the elements of cyber insurance coverage may be interconnected or overlap with existing coverage, but be aware of the battle raging between companies and insurers over the definition of property damage. A standard definition of property damage includes “physical injury” to “tangible property”, including all resulting loss of use of that property. Insurers typically argue that data is not “tangible property” that can suffer “physical injury” and, therefore, is not “property damage”. However, a number of courts have disagreed, holding that damaged or corrupted software or data is “tangible property” that can suffer “physical injury.” Companies that lack explicit cyber coverage often try to bring cyber incident claims in under other policies, which is leading insurers to add exclusions for cyber incidents in general liability policies. What losses are covered under general liability policies and what losses will be segregated out for separate coverage is an evolving area.

Premiums for cyber insurance vary widely. Although cyber insurance has been around for more than ten years, there still is little empirical data on incidents. Companies don’t want the public to know about security breaches and other vulnerabilities in their systems, so many incidents go unreported. Therefore, standardized insurance prices and policies are hard to come by. The nature of the risk for any given business is often unique so policies are built and priced around the needs of the business, but even the same set of circumstances can result in divergent premium amounts because insurers and buyers don’t always understand the risks that are being transferred. In order to purchase cyber insurance, a company will have to demonstrate that its first line of defense against a cyber incident is self-protection through a comprehensive risk management program.

Who Needs Cyber Insurance?
In general, small and midsize businesses are ideal candidates for cyber insurance, because they may be less prepared for a cyber incident and less able to absorb the associated costs. They often rely on someone else to host their Web sites, track inventory or authorize credit card purchases and generally have no control over those systems’ reliability and maintenance. Larger companies, with more substantial risk management and legal departments, are better equipped technically and financially for a cyber incident, which could make insurance a less effective risk management tool. Larger corporations usually do things in-house and can keep an eye on processes better.

Third-party risks exist for just about any business, though. Any business that collects protected health information or personally identifiable, non-public information like bank account numbers, credit card numbers, or Social Security numbers, has an insurable risk. One of the biggest risks for a company is unauthorized access from a virus, allowing a third-party to breach the system. Data breach notification laws require a business to comply with those laws in addressing the breach and notifying potential victims. The aftermath of an incident is far reaching, can drag on for months and result in devastating losses.

The Computer Security Institute Computer Crime and Security Survey report offered a sobering insight which makes a case for including cyber insurance in the risk management strategy of any business. Respondents did not seem to feel that their challenges were attributable to a lack of investment in their security programs or dissatisfaction with security tools, but rather that, despite all their efforts, they still could not be certain about what was really going on in their environments, nor whether all their efforts were truly effective. This lack of visibility into the severity of threats and the degree to which threats are effectively mitigated is a perennial problem in security and it presents problems for anyone trying to make sense of the state of information security.

What Is Government’s Role?
In recent years, the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) has brought together a diverse group of private and public sector stakeholders – including insurance carriers, risk managers, IT/cyber experts, critical infrastructure owners, and social scientists – to examine the current state of the cybersecurity insurance market and how to best advance its capacity to incentivize better cyber risk management. Its efforts are fueled by the belief that a robust cybersecurity insurance market could help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection. Between November 2012 and July 2014, DHS convened the stakeholders for four workshops on the topic of cyber insurance. Read the workshop reports at http://www.dhs.gov/publication/cybersecurity-insurance.

C3 Advisors, LLC
August 15, 2014


Personal Liability For Business Debt: The Protection Of A Corporation Is Not Automatic

June 16, 2014


A key reason that business owners and shareholders choose to form a business as a corporation or limited liability company (LLC) is the protection from personal liability for business debt that is afforded those business types. Corporations and LLCs exist separately from their owners as do the assets and liabilities of those entities. But the protection from personal liability is not automatic. Business owners have a responsibility to show that the business operates independently from its owners. Failing to do so puts the owners at risk that a creditor may be able to disregard the company as a separate legal entity, and impose personal liability upon the entity’s owners, shareholders or members. This process of seeking to hold owners personally responsible for the debts of the business entity is known as “piercing the corporate veil.” When this happens, the owners’ personal assets can be used to satisfy business debts and liabilities. This means creditors can go after the owner’s home, bank account, investments, and other assets to satisfy the corporate debt. To ensure the protection of a corporation or LLC remains intact, business processes must be in place to demonstrate the separation of a business entity from its owners. At the inception of a business and then continuing during the life of a business, processes must be proactively managed to avoid situations which could cause the corporate veil to be pierced. Consider the most common factors courts use in determining whether to pierce the corporate veil:

Following Corporate Formalities:  Corporations have strict formalities they must follow, and while LLCs do not face the same requirements, many of the same steps are advisable. Small corporations are less likely than their larger counterparts to observe corporate formalities, which makes them more vulnerable to a piercing of their corporate veil. It’s important for small corporations and LLCs to comply with the rules governing formation and maintenance of a corporation and to maintain proof of compliance, as follows:

Corporations
• Create and regularly update bylaws
• Issue shares of stock to owners (shareholders) and maintain a stock transfer ledger
• Hold both an initial and then annual meetings of both directors and shareholders
• Undertake any annual filings required by the state of incorporation in a timely manner
• Pay the necessary filing fees and corporate taxes

LLCs
• Undertake any annual filings required by the state of incorporation in a timely manner
• Pay the necessary filing fees
• Create and regularly update an operating agreement
• Issue membership certificates to owners
• Keep a membership transfer ledger
• Hold both initial and then annual meetings of the members and managers
In both instances the organization must ensure that officers, agents, or members abide by the requirements of either the bylaws or operating agreement.

Ensuring Adequate Capitalization:  A business requires money and the equipment and items necessary both to start and continue operations. There are several sources of funds for business operations: capital contributions from business owners, investments from others and business loans. Whatever the approach, without adequate capital, a business will not survive. (Also keep in mind, this capital needs to be designated to the business and not the business owner.) There is no requirement that a corporation or LLC be flush with cash in order to preserve its limited liability, but it is necessary to have sufficient funds so that creditors are not left with uncollectible invoices due to a customer’s irresponsible overspending. Typically, courts recognize that cash flow problems can and do occur and will allow a creditor to pierce the corporate veil only if it is determined that the entity was “grossly undercapitalized” at the time the debt was incurred. This means that taking on significant debt at a time when a company can’t meet its current obligations puts it at risk that a creditor may be able to look to the individual shareholders for payment. Starting a large project or purchasing supplies or inventory with the knowledge that the business cannot pay the related debt increases the likelihood that a court will permit the company’s veil to be pierced.

Maintaining Separation Of Business And Personal Assets:   Small-business owners may be more likely than their larger counterparts to intermingle their personal assets with those of the corporation or LLC. Some small-business owners divert corporate assets for their own personal use by writing a check from the company account to make a payment on a personal obligation or by depositing a check made payable to the corporation into the owner’s personal bank account. This is called “commingling of assets.” A business owner may find it is easier to pay personal bills from a business account rather than write one check to cover the owner’s salary and then a second check from the owner’s account to pay a bill. Regularly following this practice could allow a creditor to pierce the corporate veil, particularly when the owner’s scheduled salary or draw is not enough to cover personal bills. To ensure that business and personal assets remain separate, the corporation should maintain its own bank account and the owner should never use the company account for personal use or deposit checks payable to the company in a personal account. Likewise, a business credit card should be used for business expenses only.

Inadequate processes are not the only reason the corporate veil may be pierced to satisfy a creditor’s claim. Business owners or shareholders may lose the insulation from personal liability for business debt if a court finds that the company’s actions were wrongful or fraudulent. If the owners recklessly borrowed and lost money, made business deals knowing the business couldn’t pay the invoices, or otherwise acted recklessly or dishonestly, a court could find financial fraud was perpetrated and that the limited liability protection shouldn’t apply.

C3 Advisors, LLC
June 16, 2014

C3 Advisors converges the three essential business elements—Process, People and Technology—to help businesses thrive, not just survive, by improving profitability and reducing risk. Our services help our clients improve process optimization, people integration and technology maximization.
Process Optimization focuses on establishing formalized operational functions that facilitate increased productivity, mitigate risk, and provide the foundation for optimal profitability.
People Integration addresses staffing and workforce issues that are critical to the success of continually cost efficient, low risk, and productive processes.
Technology Maximization ensures the ROI on a technology investment is fully realized through complete use of systems functionality and business intelligence.

We have specific expertise in post-acute healthcare, technology and service companies. Please visit our website at http://www.c3advisors.com and for direct information about how C3 Advisors, LLC can assist your business, please call us at (630) 510-3181 or e-mail us at debd@c3advisors.com.
Find us on Facebook and LinkedIn. Subscribe to our newsletter by emailing debd@c3advisors.com.

Clearing The Air: E-cigarettes In The Workplace

May 16, 2014

 

For many of the Gen X and Gen Y’s of today’s workforce, smoking in the workplace is something only known from watching an episode of Mad Men, a TV series that takes place during the 1950s and 1960s. In an era where traditional cigarettes tend to make headlines when large retailers, such as CVS, propose to discontinue selling tobacco products, electronic cigarettes (also known as vaporizers) are the new controversy.

What are e-cigarettes?

E-cigarettes are electronic nicotine delivery systems by which a battery powered heating element vaporizes a liquid solution, usually containing nicotine, creating water vapor as opposed to smoke. These personal vaporizers started appearing in the marketplace around 2006 and have quickly evolved in recent years. The early models produced small amounts of vapor, but with the increased battery capacity, the newer generations of these devices now produce significant amounts. Unlike tobacco products, e-cigarettes are not regulated by the Food and Drug Administration (FDA). Due to the lack of federal regulations, manufacturers of these products are not required to list the ingredients used to create the solutions. Most contain a mixture of propylene glycol, glycerin and nitrosamines.

Why all of the controversy?

Proponents of e-cigarettes are quick to point out that the chemicals used in most solutions are found in many products that have been deemed safe by the FDA. For example, propylene glycol and glycerin can be found in such things as toothpaste and asthma inhalers. While nitrosamines are known carcinogens and are linked to liver cancer, they can be found in many household products such as latex gloves. E-cigarette advocates point to the low levels of nitrosamines in personal vaporizers and compare the levels to those emitted by non-consumable products. While many agree that using e-cigarettes can be a safer alternative to tobacco use, they caution that the void of research does not mean e-cigarettes are actually safe, and point out that in the early years of “big tobacco” many believed that smoking traditional cigarettes was safe, whereas it is now known to be a leading cause of lung cancer and emphysema, not only among smokers but also among those who have been subjected to secondhand smoke.

What does this mean for the workplace?

While only 28 states and the District of Columbia have bans on smoking in the workplace, most would be hard pressed to find any company that still allows the practice on-site. 150 cities, including Chicago, have banned the use of e-cigarettes in public places such as restaurants, bars and offices requiring smokers of any kind to stand at least 15 feet from entryways of such establishments before lighting up or “vaping.” For those who work in areas not covered by such a ban, the issue may come down to how e-cigarettes are classified and the broad nature of some employee policies. Many believe that regardless of whether they are electronic or traditional, if they contain nicotine they are cigarettes and should be treated as such. Others point out that they are actually smoking cessation products designed to help smokers quit–and they have a point. Nicotine Replacement Therapies (NRT’s) such as patches and gums, which also contain various levels of nicotine, are not only permitted in the workplace, but some companies reimburse employees for the expense of such products in order to help in the quitting process.

Regardless of one’s personal viewpoint on the use of e-cigarettes as a smoking alternative or NRT, companies have a responsibility to not only treat their employees fairly but also to ensure the safety of their employees while on the job. It is important to consider the well-being of the workforce as a whole when drafting and implementing workplace policies. When considering non-smoking policies and the use of e-cigarettes, policies should be clearly constructed and detailed in order to alleviate any confusion. If the company provides any kind of assistance to those employees who are trying to quit using tobacco products with the use of NRT’s, policies regarding their use and expense reimbursements should be detailed and include which products are covered and which are not. When in doubt, it may be worth it to err on the side of caution when deciding on whether or not to allow vaping on company property.

C3 Advisors, LLC
May 15, 2014


To Pay or Not to Pay: The Internship Debate

March 17, 2014


With winter finally coming to an end and the return of the summer months, businesses across the country are starting to ramp up efforts to bring in summer interns.  Internship programs can be beneficial for students who need to gain experience in their field of study even if they will not be paid for the work that is being assigned.   Those benefits also include developing experience for inclusion on a resume, potential future employment references and, sometimes, additional college credit for the work that is done.  There are many benefits to business, as well, in terms of reducing heavy workloads, filling future recruiting pipelines, and increasing employee managerial skills, just to name a few.   The mutual benefits that can be derived from an internship program are clear but, in reality, employers can lose at the internship game if their programs are not designed and managed properly.

 The Fair Labor Standards Act (FLSA)

Most employers know that the FLSA differentiates between employees and independent contractors, but many don’t realize that an intern can often fall within the definition of an employee if care is not taken to differentiate the intern’s role and responsibilities.  As with independent contractors, the Department of Labor has defined specific tests that must be met in order to properly classify interns vs. employees.

 FLSA Internship Test

Under the FLSA, the following six tests must be met in order for a worker to be classified as an intern:

1. The internship, even though it includes a role in the actual operation of the business or facilities of the employer, is similar to training which would be provided in an educational environment;

2. The internship experience must be designed for the benefit of the intern, and is not with expectations of commercial benefit for the business;

3. The intern does not displace regular employees, but works under close supervision of existing staff;

4. The employer that provides the training derives no immediate advantage from the activities of the intern; and on occasion operation of the employer’s core business functions could be impeded;

5. The intern is not necessarily entitled to a job at the conclusion of the internship; and

6. The intern and the employer mutually understand that the intern is not entitled to wages for time spent in the internship.

 It is important to note that all six of the requirements must be met in order to demonstrate that an “employment relationship” does not exist, and the intern is not entitled to the benefits and protections afforded to employees under the FLSA rules.

The Pitfalls of Misclassification

Beware of assigning menial tasks to interns or hiring interns in lieu of employees. And be careful to pay attention to wage and hour rules if interns are to be paid, even when the payment is in the form of a stipend.

In 2013, the United States District Court for the Southern District of New York held that duties performed by interns such as taking lunch orders, making deliveries, and organizing file cabinets demonstrated the existence of an employment relationship and that the unpaid interns charged with these tasks should have been classified as employees (Glatt v. Fox Searchlight Pictures). The case demonstrated that menial office duties were not for the educational and/or training benefit of the intern and only benefited the employer.  Therefore, the interns should have been classified as employees and paid.  In the same court, a collective class action suit was filed against a modeling management company.  In that case, the petitioner filed a $50 million suit alleging that the modeling agency knowingly misclassified employees as unpaid interns in order to avoid paying wages and overtime.

 Unpaid internship programs are not the only programs at risk. Internship programs that offer stipends that do not meet the minimum wage requirements are also at risk of wage and hour claims.  Take the situation where a student receives an internship for a company and receives a stipend for his/her work.  If the amount of the stipend is not adequate and in conformity with minimum wage and overtime requirements, there could be an actionable wage and hour issue.  In this case, an attempt at providing some compensation to the intern could actually backfire in a meaningful way.

 Finally, let’s not forget the issue of commercial benefit.  The tech-savvy intern who is brought on to develop a new program or application that may be offered for sale in the future probably isn’t going to be classified as a true intern under the FLSA’s rules and that individual should be compensated for his/her work.

 Conclusion

When properly designed, the use of interns can offer a company many benefits.  Overhead and overall wage and benefit expenses can be controlled.  Interns often bring new skills, particularly in areas such as technology, to the fore during an internship. Recruitment of interns can often be done using free websites such as intern.com.  Interns also derive significant benefit from the practical experience that an internship may provide.  All in all, offering internships can be a win/win situation for both the company and the student as long as the program follows the requirements set forth by the FLSA and, if applicable, state wage and hour laws.  Take these rules into account when designing your program and, when in doubt, seek the advice of legal counsel before taking the plunge.  Remember that an hour of your attorney’s time may mean the difference between a successful internship experience and a costly mistake that could end up in litigation.

Minimize Losses and Risks: Three Part Framework For Implementing or Strengthening Internal Controls

February 14, 2014


Internal control—it’s not the latest trend or likely to be the topic of a social media post. It may even be one of the least interesting business principles. Bland and uninspiring as the subject may be, it is the foundation of a well run business. Inadequate or missing internal controls have real dollar consequences that impact the bottom line. And the problem is not limited to small companies with less manpower and resources. Large businesses are just as vulnerable. There are numerous examples of theft of assets due to weak or absent internal controls which can be discussed and analyzed. But the more likely scenario resulting from deficient internal controls is one where a business is exposed to risk and losses due to errors. What can you do to strengthen your company’s internal controls to minimize business losses?

I. Start With the Basics

Any discussion of internal controls begins with a definition.  We like this one from the Business Dictionary,  “Systematic measures (such as reviews, checks and balances, methods and procedures) instituted by an organization to (1) conduct its business in an orderly and efficient manner, (2) safeguard its assets and resources, (3) deter and detect errors, fraud, and theft, (4) ensure accuracy and completeness of its accounting data, (5) produce reliable and timely financial and management information, and (6) ensure adherence to its policies and plans.” www.businessdictionary.com.  Management is responsible for maintaining an adequate system of internal control, including communicating the expectations and duties of staff.   Staff and operating personnel are responsible for carrying out the internal control activities set forth by management.  Control activities are the specific policies and procedures management uses to achieve its objectives.  The most important control activities appear below.

1) Segregation of duties requires that different individuals be assigned responsibility for different elements of related activities, particularly those involving authorization, custody, or recordkeeping. Having different individuals perform these functions creates a system of checks and balances.

2) Proper authorization of transactions and activities helps ensure that all company activities adhere to established guidelines unless responsible managers authorize another course of action.

3) Adequate documents and records provide evidence that financial statements are accurate. Controls designed to ensure adequate recordkeeping include the creation of invoices and other documents that are easy to use and sufficiently informative; the use of pre-numbered, consecutive documents; and the timely preparation of documents.

4) Physical control over assets and records helps protect the company’s assets. These control activities may include electronic or mechanical controls (such as a safe, employee ID cards, fences, cash registers, fireproof files, and locks) or computer-related controls dealing with access privileges or established backup and recovery procedures.

5) Independent checks on performance, which are carried out by employees who did not do the work being checked, help ensure the reliability of accounting information and the efficiency of operations.

In theory these activities make sense and can be reasonably incorporated into the processes and procedures of a business. In reality, though, internal controls are often not strong enough to prevent errors, monetary loss, risk exposure, and, potentially, loss of the integrity of financial data. So where does the breakdown typically arise? Number 5: Independent Checks on Performance. This control activity is not merely a periodic review of transactions or entries. It has more far-reaching implications which place the burden on management and supervisors to ensure their subordinates are adequately trained for their responsibilities and are performing their duties properly. An adequate system for independent checks on performance will identify not only errors but also procedural deficiencies or staff incompetence that cause repeated mistakes or expose the company to risk. Reviewing subordinates’ work product and processes should be done on a routine and non-routine basis. Routine activity should be reviewed when tasks and transactions are completed, as well as on a spot check basis which is not predictable. Non-routine activity encompasses such things as processing unusual transactions, hiring new staff, implementing new systems or upgrades, changing processes and procedures, or addressing new industry regulations/requirements. Review of non-routine activity should be done as situations arise or periodically if no events trigger the need. The detection of errors and inefficiencies can lead to stronger controls when management and supervisors use the information to identify the need for improved documentation, more efficient processes, proper authorizations, and staff training.

II. Preventing Errors and Losses

The following checklist provides a framework for implementing or strengthening internal controls for conducting independent checks on performance.

1) Transaction Review: Verify supporting documentation or other information to substantiate transactions, including correspondence and communication prepared by staff, to ensure accuracy and timeliness.

• Transactions which are over or outside a pre-determined limit, based on value/amount, volume and dates.

• Activity in large customer and vendor accounts, based on value/amount, volume, and dates.

• Adjustments, corrections, or write offs which are over or outside a pre-determined limit, based on value/amounts, volume, and dates.

• Reconciliations of accounts or balances for reconciling items which are over a pre-determined limit.

• Handling and disposition of unusual transactions.

2) Workflow Review: Conduct a review of processes and procedures from initiation to completion to identify weaknesses which can create errors or wasted resources.

• Duplication of procedures by more than one individual.

• Unnecessary steps or document preparation.

• Missing or inadequate reviews or document preparation needed to support an audit trail or regulatory compliance.

• Record retention for completeness and accuracy.

3) Systems Review: Verify that systems are used correctly and functionality is maximized.

• Staff knowledge of system functionality, including upgrades, is tested.

• Workarounds are used only if approved by management.

• Records created outside the system are approved by management as necessary and are verified routinely as part of transaction review.

• Reports available through the system are used to facilitate tasks and communicate information.

The time it takes to complete the steps above may be a burden on managers who are already stretched thin.  In the long run, though, the cost savings to a business in terms of reduced errors and risk exposure can be substantial, especially in a highly competitive or regulated industry.

C3 Advisors, LLC

February 14, 2014


Expense Reimbursements: Are Your Employees Paying to Work?

September 11, 2013

How many times have you walked to your supply room because the printer ran out of paper, only to find that someone else took the last ream and didn’t bother to tell anyone to order more? Chances are you have had to make a run to the local office supply store on occasion, or better yet, you’ve had someone else in the office do it for you. When that happens, who pays the price for the trip?

 Whether they are buying uniforms, picking up random office supplies, or even driving to make the daily bank deposit, it is probably costing at least some of your employees to work.  So, the question becomes whether, when and for what costs employees should be reimbursed by the company. 

 Various internet sites are filled with questions posted by employees as to their “rights” when it comes to being reimbursed for business expenses.  Answers to questions vary, but for most employers the question basically boils down to a review of Fair Labor Standards requirements, state law and current policy statements on the subject.

 Federal Requirements – Minimum Wage Issues

The Fair Labor Standards Act only requires expense reimbursements for employees when the expense offsets the employee’s hourly wage and results in an effective hourly rate that falls below the minimum wage standard. For example, a delivery driver making $7.25 an hour who is not afforded a company-owned vehicle for deliveries must receive a mileage reimbursement at the rate of at least 56.5 cents per mile. However, if that same driver makes $15 per hour and drives 15 miles in the course of a workday, an expense reimbursement is not required, as the effective hourly wage (actual wages less calculated mileage) is $13.94 per hour. The calculation, for an eight-hour day: (($15 per hour × 8 hours) – (56.5 cents per mile × 15 miles)) ÷ 8 hours = $13.94 per hour.

 State Requirements

 With only two exceptions, state law is silent on an employer’s obligation to reimburse business related employee expenses.  California requires employers to reimburse their employees for business related expenses; however, Massachusetts only requires mileage reimbursements. California’s covered expenses include, but are not limited to:

• Travel required for making bank deposits,

• The purchase of supplies,

• Travel between business sites,

• Travel required for the delivery of inventory or equipment.

 Best Practices

 Regardless of your business location or state wage and hour law, following best practices in the area of expense reimbursement may mean the difference between attracting/retaining talented employees or increasing other expenses related to high turnover rates. Expense reimbursement policies should detail which expenses are covered, and to what extent. For example, if your policy covers a computer case for those employees who frequently travel, a limit of $100 (or whatever your organization defines as “reasonable”) can be put in place.  Expense policies should include the use of proper documentation, authorization, and an appropriate time requirement for submitting the reimbursement request.

 Policy Considerations

An expense reimbursement policy does not need to follow a “one size fits all” approach. Depending on the organization’s culture and the individual employee’s business travel or expenditure requirements, the policy can be tailored to fit business needs without causing the company undue hardship. Things to consider include:

• Job responsibilities

• Employee classification (executive, professional, etc.)

• Company culture

 Additionally, expense reimbursements can be negotiated at the time of the employment offer. For some employees, reimbursement of out-of-pocket expenses may be an important consideration. For example, an executive level sales position may require a great deal of overnight travel which may require the reimbursement of meals. But, company expense for meals away from home can be limited by imposing a per diem limit.  Other expenses to consider include:

• Cell phone reimbursements – Does the company issue cell phones for work purposes? If not, what percent of an employee’s cell phone bill is the organization prepared to reimburse?

• Internet – Which employees work from remote locations? Is this a requirement of their position? How much of their internet expense is for work and personal use?

• Travel Upgrades – Does the company want to pay for an upgrade to first class for those employees who spend most of their time traveling to client sites?

• Personal Equipment – If it is used for work purposes, is the company willing to reimburse the expense of iPads or other personal electronics? What about apps that allow the employee to remotely access their computers?

Irrespective of the type of expenses the company is willing to reimburse, and for which employees, the key is to implement a policy that is well thought out and clearly communicated. The best approach in developing an expense reimbursement policy is to solicit feedback from multiple department managers including finance, HR and operations.


Five Reasons Why It Is Important for Business Owners to Prepare Financial Statements

July 16, 2013


As a business owner you may have a very good sense of the profitability of your business.  You are aware of revenue because you are intimately involved with your customers and the sales process.  You see the bills that come in from vendors and know the payment terms you have negotiated with them.  You purchased the assets owned by the company, and arranged for their financing.  And likely the most important factor by which you gauge your company’s financial health is the cash flow that comes into the business.  So why is it important to prepare financial statements on a monthly and quarterly basis?

 

Five Reasons to Prepare Financial Statements

Even though a business owner has deep insight into his company operations, financial statements can reveal a different picture of the company’s true profitability. Taking time to prepare financial statements each month and quarter equips the business owner with current information to make informed, intelligent decisions affecting the success or failure of day-to-day operations. The information is also important to outsiders such as lenders, investors, suppliers and customers who rely on financial information to make decisions about whether they will do business with a company.  Typically a company closes its books within a few days after month’s end.  Establishing a process for financial statement preparation and sticking to a regular schedule not only ensures that financial information is up to date but also that it is available when unexpected circumstances arise.   Scrambling to pull financial records together, especially if statements have not been routinely generated, can put the business at a competitive disadvantage in time sensitive situations such as when the need for working capital arises.  Here are five reasons to maintain current financial statements:

1) Banks require financial statements as a prelude to determining whether or not to loan money. Current financial statements are used to determine the likelihood that the company can pay back current or future debt, either from expected future income or from the sale of assets. Even with a history of successful loan repayment, it is a certainty that a lender will require updated statements before considering a new loan request. And, once the loan is granted, the lender will require periodic financial statements in order to monitor the continuing creditworthiness of the business and to help spot potential barriers to prompt repayment.

2) Investors need financial statements to analyze investment potential in terms of the risk that is present in an investment opportunity as well as the kinds of rewards or returns that can be expected. An investor who puts money behind a company with the intent of making a financial return needs assurance that it is investing in a quality company with a strong balance sheet, solid earnings and positive cash flows.

3) Suppliers may require a company’s financial statement before committing to selling their product to a business. They use financial statements to ascertain the risk involved in receiving payment by understanding the value of their product to a company and by assessing the price that they are charging for the supplies. Payment terms and delivery quantities are often dictated by the buyer’s financial risk profile as portrayed in its financial statements.

4) Customers require financial statements to decide whether a company can meet their needs for product delivery. This is important where customers are dependent on the goods/services they buy from the business. Financial statements reveal the viability of a business and likelihood of continued operations to produce supplies and services, as well as its capacity for order size.

5) Nearly every business owner will, at some point, terminate his ownership of the company. Often, that is accomplished through a business sale. The single most important source of information a prospective buyer of a business will want is the seller’s financial statements, usually going back several years. The financial statements reveal financial/operational trends and will be critical to negotiating a sale price and committing to the purchase.

A few more reasons for preparing financial statements include:

  • They are necessary to prepare federal and state income tax returns.
  • In the event that claims for losses are submitted to insurance companies, accounting records are necessary to substantiate the original value of fixed assets.
  • If business disputes develop, financial statements may be valuable to prove the nature and extent of any loss.

Preparing monthly, quarterly and annual financial statements on a timely basis provides internal and external sources with the information needed for decision making purposes and is critical to a business’ competitive advantage.
