Security Recommendations in the wake of Cyber Security month

According to the U.S. Department of Homeland Security, October was National Cyber Security Awareness Month.  However, for me, it started on Wednesday, September 27th, when the Greater New Haven Chamber of Commerce’s Technology Council provided a presentation on cyber security by Kyber Security, a division of CONNECT Computer, an IT services company owned and run by President and CEO, Lynn M. Souza.  This was just the beginning of heightened cyber security awareness for me.

On Tuesday, October 3rd, I attended an MIT Enterprise Forum titled “Securing the Internet of Things:  Reducing Risk in a Connected World!”  The panelists at this forum focused on (i) securing devices which have small microprocessors which cannot be secured in the same ways in which our desktop and laptop computers, tablets and smartphones are secured, (ii) securing the 100+ processors which can be found in most automobiles today, and (iii) securing a large network with thousands of computers like the system at Yale University.  One of the presenters said that he is more worried about a coordinated cyber-attack from North Korea than he is about nuclear war with North Korea.

Finally, on Tuesday, October 17th, I attended a full morning presentation, again presented by Kyber Security, during which the presenters went into greater detail about cyber risks. In addition to the Kyber Security team, there were presentations about cyber risk insurance by Robert T. Sargent, President of Tennant Risk Services, and about Datto Inc.’s data security solution with built in ransomware detection by Mike DePalma, of Datto Inc.

In case I was not completely anxious after these presentations, during the first half of October I read Dan Brown’s novel Digital Fortress, published in 1999.  Although it is a bit outdated, so many of the issues dealt with in Brown’s bestseller have become the background to our lives in the past 18 years.

The balance of this article provides a summary of the recommendations for protecting yourself and your data which I received from Kyber Security.

  1. 1.Use strong passwords which are at least 16 characters in length and utilize random words (letters), numbers and special characters.  Don’t use the same passwords for everything.  Hackers have a slew of tools which allow them to crack less complicated passwords and they eventually will crack your password or steal it from a service or institution which you use.  If you use the same password for everything, once they crack (or steal) your password they will have access to everything you have, every device, every software, every bank and credit card attack.  Use a password with words you can remember, but not words which are significant  to your life.  Do not use your kids’ names, college name, etc.  Hackers can easily obtain that information from social media sites and use it to crack your password.
  2. Obtain and use a password storage software, such as Last Pass or 1Password. These programs are designed to assist you with creating complicated passwords and remembering all of your many passwords.
  3. Use 2-factor authentication (or two-step verification as it is sometimes called) for logging into online services as almost all of them are now offering this. 2-factor authentication is when you need to enter a username and a password (one factor), and also the service will text you a series of numbers that you need to input to sign in as well (second factor).  For example, when I sign into Facebook, Gmail, LinkedIn or many other online services, I will enter my username and password, and then click the button on the screen to receive my one-time code.  Once I receive it, I will enter that into the site to complete my login.  This will prevent anyone who may have stolen your password from accessing your online services; they will not have your phone to get the one-time code.
  4. Set up all of your systems and software so that they automatically update as soon as new software/security patches are released. You don’t want to only update your software when you get around to it, because at some point that will be too late.  If you don’t update constantly, eventually a hacker will access your system through a “hole” in your software that you did not patch in time.
  5. Make sure that you are backing up everything automatically and continuously to an offsite location, as well as to a local appliance or hard drive. Datto provides a best-in-class solution for data security, backups and business continuity. I highly recommend you look into their solution.  If you don’t have good backups, you will not be able to restore your data in the event of a ransomware attack.
  6. Uninstall your commercial antivirus software and adopt/install a “whitelisting” application. Commercial antivirus software uses a blacklist approach.  As computer viruses are discovered, the commercial software developers develop a patch which allows the software to notice the viruses as infected documents are reviewed before being opened for use.  Each new patch adds a new virus to the software’s “blacklist.”  Experts say that no commercial antivirus product can possibly cover the multiple viruses that hackers are constantly developing.  Eventually, your anti-virus software will not have a patch for the newest virus when you are attacked.  Consequently, the better approach is to develop a list of software, a “white list,” which is allowed to run on your computer.  With this approach, anything else (not on your “white list”) that tries to run will not be allowed.  If you decide to add a new software package to your computer, you will need to add it to the “white list” before it will be allowed to run.  This is the only recommendation which I received from Kyber Security which I have not (YET) adopted.  I will do this as soon as I figure out how to do it.
  7. Sign up for your free “dark web” scan with Kyber Security by going to http://kybersecure.com/darkweb. You will need to enter some information which they will use to search the “dark web” to see if your passwords have already been obtained by hackers.  Wikipedia defines the “dark web” as “the World Wide Web content that exists on darknets, overlay networks which use the Internet but require specific software, configurations or authorization to access. The dark web forms a small part of the deep web, the part of the Web not indexed by search engines, although sometimes the term deep web is mistakenly used to refer specifically to the dark web.  The darknets which constitute the dark web include small, friend-to-friend peer-to-peer networks, as well as large, popular networks like Tor, Freenet, and I2P, operated by public organizations and individuals. Users of the dark web refer to the regular web as Clearnet due to its unencrypted nature.
  8. DO ALL OF THIS NOW!!! Don’t procrastinate!!!

Not all companies or entrepreneurs are the same, and not every lawyer has the experience handling the complexities of growth-oriented businesses. Using the legal process strategically is much more than just handling day-to-day operations, it’s understanding the company’s structure and ownership, the goals of the principals, and having a deep understanding of financing, mergers and acquisitions, licensing, and negotiations.

I provide a free consultation, a “Business Strategy Session,” before every representation to ensure my clients understand how legal issues can impact the future of their companies. If I am not the right attorney for your company, I will help you find an attorney with the expertise you need. Just call me at (203) 387-1595 to schedule your free consultation.

Isaiah D. Cooper

Practical Solutions for Complex Business Transactions!

Advertisements

Do Your Due Diligence Before You Acquire A Company!

Before you finalize an agreement to purchase a company, undertake a thorough due diligence process in order to verify that the information presented by the seller is accurate and that there are no hidden liabilities.  As a purchaser, you should structure the transaction as an acquisition of the assets of the company, rather than an acquisition of the stock or other equity interests in the company.  If you acquire assets you don‘t need to acquire any liabilities attached to the assets.  However, if you acquire the stock or other equity interests in the company, you will acquire all of the assets and the liabilities of the target company.

You should begin the due diligence process after all involved parties have signed a letter of intent (LOI).  The LOI should provide for a due diligence period of sixty (60) to ninety (90) days and have the target company agree to provide the purchaser with access to all of the target companys records.  Due diligence is a complex undertaking consisting of legal, financial, and operational components.  By doing it correctly, you will minimize the risk of wasting your money on an unprofitable business, acquiring unwanted liabilities and headaches or paying far more than the true value of the assets.

Legal

Your objective in carrying out legal due diligence is to make sure that the target company is on a sound legal footing.  First of all, you want to confirm that the business has been legitimately formed and that it exists.  You want to understand the companys ownership structure, the rights of different owners, how it is managed and who has the authority to approve the transaction.  You also should review agreements with key suppliers, key customers and key personnel.  Find out if there are any pending or threatened lawsuits, or if litigation is likely to arise in the future.  Check to see if the companys insurance is adequate.  Verify that the company is in compliance with all applicable laws and regulations.

Financial

Your aim in doing financial due diligence is to verify that the financial information on which you base your buying decision and purchase price is accurate.  You should gain a thorough understanding of the companys finances so that you can include potential contingencies in your projections and financial models.  Find out if there are customer collection or cash flow problems.  Check to see if there are unfunded liabilities such as pension benefits for current and future retirees and bonuses promised to employees. Depending on the size of the deal and your level of expertise, you may want to engage accountants or financial advisors to help you analyze the financial data.

Operational

Your goal in performing operational due diligence is to make sure that the target company will function as expected after you have purchased it.  The business may be profitable now, but it might not be able to generate the same level of earnings after it has been acquired for a variety of reasons.  The target company may be dependent upon key employees, key suppliers or a small customer base.  Leases and loan agreements are often non-transferable, or may require the consent of the lessor or of the lender, even in the context of an acquisition of the stock or equity interests in the target company (which you should avoid anyhow).  You should also verify that the company owns its intellectual property and trade names.

Why You Need to Consult an Attorney

Due diligence is a major project that involves scrutinizing an enormous quantity of information.  Your approach to due diligence should be thorough, organized, and strategic.  You should work closely with your attorney, accountants, and financial advisors to map out a strategy before you begin and get their advice at every step of the process. As you perform due diligence, you may uncover legal or financial liabilities or asset impairments in the target company that suggest it is worth far less than the sellers asking price or that make you think twice about acquiring the company.  The cost of doing due diligence inadequately could be far higher than the cost of carrying it out properly.

 

Yes, the representation and warranties in a Purchase Agreement matter!

John Client was ready to sell his business.  He negotiated the price, agreed on the basic terms, and received a purchase agreement from the Buyer.  However, there were pages and pages of representations and warranties.  Rather than consulting with his attorney to ask about this, Mr. Client figured this was standard procedure and didn’t think twice about it or inform his attorney.

After John Client and the Buyer signed the agreement, the Buyer decided he paid too much for John Client’s business.  The Buyer used the language in the representations and warranties to threaten to sue Client unless Client agreed to reduce the purchase price, and, according to the language in the representations and warranties, the Buyer was within his rights to do so.

When selling a business, a smart owner will do everything necessary to limit risk.  This is especially true with representations, warranties and indemnities.  Sellers should get their attorney involved early in the process, when they are negotiating the basic terms of the transactions.  The Seller may not understand the implication of some of these terms. Sellers should not presume that the representations, warranties and indemnity provisions of the selling contract are just “standard boilerplate language.”  They are incredibly important and the language can be negotiated to reduce the Seller’s risk.  If the representations, warranties and indemnities aren’t crafted specifically to fit the Seller’s circumstances and minimize the Seller’s risk, the Buyer may be able to use these provisions to sue for damages or to re-negotiate (read: reduce) the purchase price when the Seller believed it was a done deal!

Representations and warranties.  Crafting accurate representations and warranties lay the foundation for a solid legal document. If the Buyer finds any misrepresentations or is not satisfied with the representations or the warranties provided by the Seller, the Buyer can walk away from the deal or, even worse, come back after the fact and sue for damages.  A good selling contract will have detailed and accurate representations about the formation of the company being sold, the company’s approval of the transaction, the authority of the officers who will sign the definitive agreement(s), intellectual property, existing contracts, previous or current litigation, employees, customers, and tax issues, among many other issues.

Disclose.  The representations and warranties can be the most tedious section of a purchase agreement.  The Seller can reduce its risk by disclosing any exceptions to the representations and warranties in a schedule (referred to in each subsection of the representations and warranties provisions and attached to the agreement).  The Seller should review each representation and each warranty with the Seller’s attorney to make sure (1) the Seller understand each representation and each warranty, (2) the Seller understand whether s/he can make each representation and each warranty, and (3) whether there are exceptions which need to be noted on the attached schedule.  This takes time and is not the place to cut corners.  A smart Seller will get involved in the disclosure process and fully understand what the disclosures say about their business. This section isn’t just legal language tinkering, but has the potential to make or break the deal.

Indemnities. An indemnity is  a promise to reimburse the Buyer if a specific set of circumstances are met.  If a Buyer finds that the Seller has misrepresented any aspect of their business in the selling contract, then the Buyer can sue for damages.   So, if a Seller over-reports revenue, misrepresents customer information or under-reports tax burdens, a Buyer can sue for a breach of warranty and demand payment equal to the Buyer’s losses due to the  misrepresentation.

Set Limits.  A smart Seller can reduce his or her risk by reducing the limits on indemnities as much as possible.  This would include keeping the term of the indemnity short to keep the Buyer from making claims years down the road and restricting the types of damages the Buyer may recover.  So, instead of a 4-year term on tax claims, the Seller and the Seller’s attorney might ask for a 2-year term on environmental claims and either completely remove tax claims or limit them to those arising within one or two years of the closing.  Setting good limits reduces the chance that the Buyer can bring legal action against the Seller.

Sellers can protect themselves from frivolous lawsuits and massive headaches by using an experienced attorney with the knowledge to negotiate and craft a better purchase agreement, as well as by being involved in the process and knowing (or asking) where the Seller can help to limit its risk.

What Should Be in a Letter of Intent to Buy or Sell a Business?

Whether you are buying or selling a company, you should give careful consideration to the letter of intent (LOI). People often make the mistake of rushing through the LOI or being vague on details on the assumption that details can be worked out later.  Beware:  Leaving out critical provisions might be costly over the long run.  It is easier to include all the terms you care about in the LOI than to get your counterparty to agree to significant changes later. A well-crafted LOI walks the fine line between covering the important points while not getting mired in minutiae.

Here are some essential items that you should include in your letter of intent:

Asset or Equity/Stock Sale?

Specify whether the proposed sale will be a sale/purchase of assets or of equity interests (stock for corporations or LLC interests or units for LLCs).  Discuss this with the other party as early as possible.  Whether you choose to structure the deal as a sale/purchase of assets or of equity will have significant tax and risk implications for you and for the other party.

If the deal will be structured as an asset sale, itemize the assets to be sold/acquired and allocate a portion of the purchase price to each. Allocation of purchase price can affect tax liabilities for all parties to the transaction.  List all assets (and liabilities) which the seller is not including in the sale (or which the buyer does not want to acquire).

It is helpful to list the liabilities which the buyer will be assuming as well as the liabilities which the buyer will not be assuming or acquiring.

Purchase Price and Payment Method

Be sure to include both the purchase price and, if possible, the method used to arrive at the purchase price.  If the method is not agreed upon, the due diligence process could invalidate one or more of the assumptions used to calculate the purchase price. If both parties agree on a method, it will be easier to adjust the purchase price if due diligence reveals some changes to the assumptions.  Include working capital adjustment provisions.

State the method of payment and payment terms.  Will it be a cash deal?  Will the seller hold onto a promissory note issued by the buyer for a portion of the purchase price or retain an interest in the company until paid in full?  Include the basic terms of seller financing or earnouts if applicable.

Include the anticipated closing date. List significant closing conditions, such as whether the deal hinges on the buyer obtaining financing.

The Target Company’s Principals and Employees

Describe the basic terms of employment for the selling company’s principals after closing.  How long will the principals provide consulting services to the buyer after the sale?  What will their titles and salaries be?

Include non-compete agreements for the seller(s) to sign. For example, the seller might agree to refrain from competing with the sold company for three years after the sale or within 50 or 100 miles of the sold company.

Indicate what will happen to the company’s employees after the sale.  Will they continue to work at their current jobs or will they be hired by the buyer through a separate or new company?

Due Diligence

Outline the due diligence process.  The seller will want to specify all items to be retained by the seller pending execution of the sale. Such items might include sensitive customer information.  Even if a comprehensive non-disclosure agreement is signed at the beginning of negotiations, either include non-disclosure provisions in the LOI or incorporate the previously signed NDA into the LOI to protect the seller’s confidential information.

Be sure to include a “good faith” clause that prevents any of the involved parties from using the negotiation and due diligence process solely to extract information about the other party or their company.

Identify who will be required to provide representations and warranties.  Will it be the selling entity, its owners or both the entity and its owners?  Outline the basic indemnification terms.

Other Things You Should Include

Include an exclusivity clause or no-shop provision.  This can be mutual, where the seller agrees to not consider other buyers while negotiations are in effect or for a stated period of time and vice versa.  Provide enough time to complete due diligence and to get definitive documents drafted, negotiated, and signed.

Specify who will pay deal expenses in the event that the deal fails to close. If you are the seller, you want to make the buyer pay his or her own costs, especially if the deal fails to close.

Put in boilerplate provisions such as governing laws and jurisdiction disputes.

Add anything that is unique to the target company and that might not be found in boilerplate provisions.

Last but not least, include language that clearly identifies the document as a letter of intent (LOI) and not a purchase contract.  List all binding and non-binding provisions.  Generally, the confidentiality provisions and the exclusivity or no-shop provisions should be the only binding clauses, though the allocation of expenses may also be binding.

Why You Should Work with an Attorney

A carefully drafted LOI paves the way for a successful acquisition or sale. The scope and complexity of the legal issues applicable to the various provisions of the document make it essential that you collaborate with an experienced attorney when putting together the LOI.

Isaiah Cooper provides a free consultation, a “Business Strategy Session,” before every representation to ensure clients understand how legal issues can impact the future of their companies.

If Isaiah is not the right attorney for your company, he will find you an attorney with the expertise you need. Just call his office at (203) 387-1595 to schedule your free consultation.

Non-Disclosure Agreements

Before beginning serious negotiations about the terms of a transaction the parties should enter into a non-disclosure agreement covering the respective rights of the disclosing party and the receiving party in and to the material disclose.  I have seen, reviewed and revised many different NDAs with a really broad range of complexity and many different provisions.  In reaction I have developed a clear set of preferences for NDA provisions.  For me, two provisions are critical.

The first is that everything disclosed should be assumed to be proprietary to the disclosing party and that the receiving party should be obligated to keep the disclosed information confidential.  The corollary to this idea is that the disclosing party should not be obligated to mark items and documents disclosed as “confidential” or “proprietary.”  Of course this assumption may be escaped if the disclosed information is shown to be in the public domain.

The second main concept is that the disclosing party does not lose control of the disclosed information and that the recipient does not gain any rights in or to the disclosed information.  NDAs often provide a term during which they are effective.  The NDA should specifically provide that at the end of the term each disclosing party will retain control of its own information and that the receiving party will gain no rights in the information disclosed.  This means that although the term of the NDA does not continue, the obligation of the receiving party to maintain the confidentiality of the disclosures continues beyond the term of the agreement.Image

My first blog post!

Well I finally set up a blog.  I have been thinking about this and planning to do this for years!  I intend to use this blog as a place to write some of my thoughts about business law and new developments in business and technology as they impact my clients and my law practice.

Hopefully, my posts will be of some value to my clients and other readers.

Time will tell . . . .

Stay tuned!