Last July, I wrote an article for where I argued that as a basic tenet of our profession, Canadian lawyers should be required to have a minimum understanding of technology, privacy, and cybersecurity in order to adequately service their clients. The same is true for lawyers in the U.S.

Regardless of whether there is a mandatory legal duty of technological competence required of lawyers by our law societies, arguably lawyers practicing law during this time of pandemic now have an even greater duty to understand and deploy the necessary technological measures and practices to protect client data from unwanted intrusion.

In Ontario, § 3.1.1. of the Rules of Professional Conduct sets out the various positive duties of competence that lawyers are supposed to possess. For example, a “competent lawyer” is a lawyer who has and applies relevant knowledge, skills, and attributes in a manner appropriate to each matter undertaken on behalf of a client, applying appropriate legal skills, pursuing appropriate professional development to maintain and enhance legal knowledge and skills, and adapting otherwise to changing professional requirements, standards, techniques, and practices.

Unfortunately, Canada currently lags behind the United States in recognizing this duty. As Massachusetts lawyer Robert J. Ambrogi notes in his excellent blog , the ABA formally approved a change to the Model Rules of Professional Conduct in 2012 to clarify that lawyers have a duty to be competent, not only in the law and its practice, but also in technology. By way of reminder, Model Rule 1.1 provides that “a lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation”.

Comment 8 to Model Rule 1.1 specifically requires U.S. attorneys to maintain technological competence as follows:

To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

To date, 38 U.S. states have adopted the duty of technological competence. While California has not formally adopted the change to its rules of professional conduct, Ambrogi notes that the state has issued an ethics opinion (State Bar of California Formal Opinion No. 2015-193) that expressly acknowledges a duty of lawyers to be competent in technology, i.e. requiring lawyers who represent clients in litigation either to be competent in e-discovery or associate with others who are competent. The opinion expressly cites the ABA’s Comment 8 and states:

Maintaining learning and skill consistent with an attorney’s duty of competence includes “keeping abreast of changes in the law and its practice, including the benefits and risks associated with technology.”

The global ascendance of COVID-19 has only spurred the activities of phishing, malware, and ransomware attacks. Rob , Corporate Vice President for  Microsoft 365 Security, reported in his April 8, 2019, blog that every country in the world has seen at least one COVID-19-themed attack, with China, the United States, and Russia being hit the hardest.

Given the heightened security risks of working during a pandemic, I believe more than ever that technological competence must be read into the “duties of competence” that all lawyers are “supposed to possess” today, even if some regulators haven’t caught up with this new reality.

What does technological competence look like for lawyers practicing during a pandemic?

First and foremost, lawyers must take steps to ensure they have in place reasonable measures to protect client data against unauthorized access. Technology that contains or is used to access client data should be hardened against the increased threat of third-party hackers and malware, using firewalls, encryption tools, appropriate up-to-date antivirus technology/URL threat protection, and other security software. Outdated legacy software should be shelved, free unsupported versions of software should no longer be used, and all security patches and updates received from vendors should be implemented in a timely fashion. Lawyers should only use dedicated VPNs and secured Wi-Fi to access critical networks.

Additionally, lawyers wishing to better protect their clients’ confidential information should consider the following tips:

(1) Zoom wisely. Videoconferencing has been a boon to organizations that have traditionally relied on face-to-face meetings to get things done. But as anyone following recent headlines regarding the vulnerabilities of video conferencing services can attest, it is not without privacy and security risks.

The Office of the Federal Privacy Commissioner in Canada recently provided a series of privacy tips for using videoconferencing services  The suggestions are both timely and useful for lawyers practicing anywhere.  For example the OPC recommends that users that sign up for a new account with a videoconferencing service should use unique passwords, not existing social media accounts, to sign into a new service. Meetings should be made private or only accessible to invited participants, and they should not be publicly posted to social media to prevent unwanted guests from joining. Disable features such as “join before host,” screen sharing, or file transfers to minimize the threat of “Zoombombing,” gate crashing, and other intrusions. Video conferencing calls should be protected with a password if possible, especially if the parties intend to discuss sensitive personal information. Each call should have its own password to prevent uninvited participants. Lawyers that host should consider disabling their participants’ ability to record the call.

Other helpful advice includes being careful about where one sits during the call, as background details can reveal a lot of information that you might not want to share. Anyone using a web browser for the video call should open a new window with no other browser tabs and close other applications to avoid inadvertently sharing notification pop-ups (e.g., incoming emails) with other participants and the videoconferencing service provider. Of course all personal home assistants (Alexa, Siri, Google Home, etc.), and smart speakers should be turned off during videoconference to avoid accidentally triggering the assistant and/or recording the call.

(2) Retain and Dispose of Confidential Information Securely. Now is not the time to discard highly sensitive client confidential information with your used coffee grounds and pet litter. Significant data breaches have occurred when documents containing personal information and health information were found tumbling around in alleyways and on city streets. Working from home does not mean that lawyers cease to have a duty to protect sensitive client data from prying eyes or other third party exposures. Sensitive information should be securely stored (whether in locked cabinets, boxes, or otherwise). Invest in a decent paper shredder and use it. Or save all of your confidential information until you can return it your office for secure disposal.

(3) Have adequate (and secure) backup. It’s critical for lawyers and their law firms to invest in the acquisition of professional backup, recovery, and restoration software, and to establish a relationship with a reputable backup/data recovery provider, so that if any confidential or client data is inadvertently lost, the organization can seek to recover such data with a minimum of panic and fuss. Law firms and lawyers should never rely on free backup software downloads to protect sensitive client data.

Not all backup and restore software is created equally. Lawyers should choose vendors whose software (i) can safely remove malware or other viruses, verify that the backups do not contain infections, and ensure that any restored files are clean to forestall additional infections; (ii) has two-factor authentication enabled to prevent credential theft, leading to unlawful access and deletion of backup data; and (iii) has the backup data stored on immutable storage media.

(4) Develop and Maintain Data/Cyber Breach Incident Response Plans. All law firms should ensure that they have a proper privacy/cybersecurity incident response plan in place. The plan should clearly identify the specific contact information for the individuals or committee initially tasked with investigating, containing, and managing the breach, as well as those charged with evaluating risk and handling mitigation.

If you do make a mistake and expose client data, you will need to know who to contact internally immediately in order to contain the risk and threat exposure promptly. It’s much too late to figure all of this out in the middle of the incident. To avoid the loss of valuable time, this incident response plan should be carefully crafted in advance and approved by firm management. All lawyers and staff should be made familiar with it. It’s also critical to have such a plan in place to forestall internal confusion that could lead to inadvertent disclosures of such incidents on social media or elsewhere.

It is worth reminding lawyers that law firms may have to comply with mandated time-sensitive reporting obligations to federal, provincial, or state privacy regulators, and potentially other regulators, individuals, and third party organizations, depending on the nature of the breach and the type and sensitivity of the data involved. Additional service providers, such as preferred cybersecurity experts, credit monitoring services, and media firms should also be chosen and retained in advance. Plans should be reviewed at least annually and updated as required to stay current and effective. Smaller firms and solo practitioners should adopt modified versions of these plans as relevant to them.

Regardless of whether lawyers are now formally obliged to check off one more box on their yearly state bar annual filing or other regulatory report, one may argue that all lawyers today already have a positive and meaningful duty of technological competence. Our clients deserve nothing less.

Lisa R. Lifshitz

The COVID-19 pandemic hit employers hard and fast—it caused employers to deal with loss of revenue, tough decisions about workforce and pay issues, and new laws and other guidelines that had to be analyzed and implemented quickly, with little time for planning or preparation. As states begin the process for what is hoped to be an eventual return to some sort of “new” normal, employers must be ready to recognize the risks, mitigate those risks, and be prepared to defend the actions and decisions they made in response to the COVID-19 pandemic. In the course of the next several months (and perhaps over the next several years), we anticipate employers will be faced with several types of employment lawsuits stemming from the COVID-19 pandemic.

Where are employers facing the most risk?

1. Families First Coronavirus Response Act (“FFCRA”)

In mid-March, Congress passed the FFCRA, which requires certain employers to provide paid sick leave or expanded family and medical leave to employees for several COVID-19-related issues. Specifically, under the paid sick leave provision of the FFCRA, an employee qualifies for paid sick leave if the employee is unable to work (or unable to telework) and the employee fits within any of the following qualifying reasons:

1. Is subject to a federal, state, or local quarantine or isolation order related to COVID-19;
2. Has been advised by a health care provider to self-quarantine related to COVID-19;
3. Is experiencing COVID-19 symptoms and is seeking a medical diagnosis;
4. Is caring for an individual subject to an order described in (a) or self-quarantine as described in (b);
5. Is caring for a child whose school or place of care is closed (or childcare provider is unavailable) for reasons related to COVID-19; or
6. Is experiencing any other substantially similar condition specified by the Secretary of Health and Human Services, in consultation with the Secretaries of Labor and Treasury.

Under the expanded family and medical leave provision of the FFCRA, an employee qualifies for additional leave if the employee is caring for a child whose school or place of care is closed (or childcare provider is unavailable) for reasons related to COVID-19.

As with any new employment law, it is likely that employers will face lawsuits alleging they failed to meet their obligations under the FFCRA, particularly in regard to the issues of determining eligibility of their workers for paid leave and paying leave in the required manner and at the required rate.

Additionally, even if an employer administers paid leave under the FFCRA in an accurate manner, it is likely employers will face lawsuits alleging they retaliated against employees who requested and/or took paid leave.

2. OSHA and Other Safety Claims

As states begin to allow businesses to reopen, several state and local governmental bodies have developed guidelines and protocols that all employers are required to follow, with many additional requirements for some industry-specific businesses. These guidelines and protocols often are very detailed and onerous on employers. In addition to state and local guidelines and protocols, the CDC, OSHA, and other entities likewise have distributed materials regarding safety measures that employers should be taking in light of the ongoing COVID-19 pandemic. Many of the guidelines and protocols have changed over time as the medical community has learned more about the COVID-19 virus and the ways in which the virus can be spread.

It is very likely employers will see an increase in state and local government enforcement actions and OSHA enforcement actions in situations where the employer is not following the numerous required safety guidelines and protocols that are applicable to its business and/or in situations where an employee makes a complaint alleging the employer is not doing enough to protect employee safety. Likewise, in situations where an employee contracts COVID-19 and believes they were exposed to the virus at work, employers likely will be faced with workers’ compensation claims, and perhaps even deliberate intent type claims in some situations.

3. Wage and Hour Claims

Under the Fair Labor Standards Act and state law equivalents, employers are required to pay non-exempt, hourly employees a set minimum wage for every hour worked, as well as overtime pay for any hours worked in excess of 40 per week.

During the course of the COVID-19 pandemic, many states have required that employers allow employees to work from home to the maximum extent possible. As employers took steps to allow employees to work from home, they were left with little means to track employees’ work hours and little ability to monitor whether employees were sticking to their regular work schedules. Such inability to track hours might lead to costly wage payment claims and perhaps even class actions alleging that employees were shorted for hours worked from home.

Additionally, the move to telework may have forced some employees to buy equipment or personal devices for work. The FLSA requires businesses to reimburse employees when expenses push them below minimum wage. Accordingly, some employers may be responsible for some of these costs.

Finally, as employees are allowed to return to physical work, many employers are following federal, state, and local guidelines requesting or requiring employers to implement new safety measures (such as temperature checks, cleaning of personal protective equipment, and responding to questionnaires about medical conditions). Employers need to be aware that they are responsible for paying employees for time spent under their control and these new safety procedures might be alleged to fit within such responsibility. As a best practice, employers should plan on paying employees for the additional time spent by the employees in complying with any new safety measures implemented by the employer.

4. Lawsuits Related to Layoff, Furlough, and Separation

Under the federal Work Adjustment Retraining Notification Act (“WARN Act”), employers with 100 or more employees are required to give at least 60 days’ notice before closing or laying off a certain number of employees. If an employer misses this window, it may have to provide employees with back pay, plus penalties.

In situations where employers were forced into making mass reductions in force due to a sudden loss of business related to the COVID-19 pandemic, we anticipate employees may allege a violation of the WARN Act. Fortunately for employers, not all sudden layoffs violate the WARN Act. For example, under the WARN Act, a business that shuts down due to “unforeseeable” business circumstances is not liable, and the COVID-19 pandemic may fit within this exception. Additionally, generally, a WARN Notice is not required for a temporary layoff that is expected to be less than six months, thereby providing many employers an additional WARN claim defense.

Additionally, we anticipate employers will be faced with disparate treatment discrimination and retaliation lawsuits in regard to any layoff, furlough, or separation decisions made due to the COVID-19 pandemic should an individual feel that they were selected for layoff or separation based upon a protected characteristic and/or based upon a protected complaint made in the workplace. Likewise, employers should anticipate being faced with disparate impact discrimination lawsuits if the adverse employment decision disproportionately impacted a protected class, even if the employer did not intentionally discriminate.

5. Disability Discrimination Claims

As employees are being asked to transition back to in-person work, some employees may be reluctant to return due to a fear of contracting COVID-19, particularly if the employee has a medical condition that makes them more susceptible to COVID-19. If an employer requires the employees to return to work, the employer may be faced with a failure to accommodate the disability discrimination claim.

Under the Americans with Disabilities Act, and state law equivalents, an employee with a serious health condition has the right to request a “reasonable accommodation” allowing them to perform the essential functions of the job. We anticipate many employees who were allowed to work from home during the height of the COVID-19 pandemic might request to continue to be allowed to do so as a reasonable accommodation for the employee’s disability. Depending on the circumstances, which will need to be accessed on a case-by-case basis, it is possible an employer will need to allow an employee that fits within a disability protected class to continue to work from home, even after the majority of the workforce returns to in-person work.

Employers also should be on the lookout for newly enacted state or local laws that provide extra protections to employees who fit within a class that makes them more susceptible to COVID-19 or risk running afoul of such new legal requirements.

What are employers to do?

This is a complex and ever-changing environment. It is important for employers to understand employment litigation trends in order to best plan to mitigate problems. It is critical to make sure the right policies and procedures are in place (updated accommodation procedures, compliant wage and hour protocols, a fully vetted layoff process, a robust return to work playbook, and so on). Although there is no way to completely eliminate the risk of litigation, complying with best practices now will certainly pay off in the long run.

The COVID-19 pandemic and the drastic measures taken in an effort to mitigate its adverse impact have sent shock waves throughout the US and global financial systems. COVID-19 and related measures including travel bans, shelter-in-place orders and widespread business closures have caused precipitous changes in customer spending and demand, supply chain disruptions, sharp declines in revenue, and other operational issues across a wide range of economic sectors. Businesses worldwide now confront unprecedented and mounting challenges and distress.

As in prior periods of economic distress, vanishing earnings and cash flows, as well as crunched credit and equity markets, are leading to payment and covenant defaults under debt obligations. In an attempt to stem the rising tide of defaults, the US government has committed trillions of dollars in business stimulus programs intended to provide liquidity and maintain the flow of credit to companies and individuals affected by the COVID-19 pandemic. However, for a significant number of businesses, such aid is proving insufficient to weather the current economic storm. Consequently, lenders and landlords are coping with a deluge of requests from borrowers and tenants for forbearance arrangements, waivers, and amendments to existing facilities.

This increasing economic turmoil will undoubtedly result in a dramatic rise in bankruptcy filings over the coming months and a concurrent increase in distressed M&A activity, including asset sales under Section 363 (“Section 363”) of the United States Bankruptcy Code (the “Bankruptcy Code”). For many strategic purchasers and private equity firms with relatively strong cash positions, the new wave of Section 363 auctions will present significant opportunities to purchase assets at discounted prices. Section 363 sales also offer purchasers protections that are generally not available outside of a bankruptcy context.

This update provides an overview of the Section 363 sales process and outlines key advantages and risks for prospective purchasers in distressed asset sales under Section 363, including COVID-19-specific implications.

Section 363 Sale Process

A typical Section 363 sale process begins with the debtor’s professional advisors (i.e. investment bankers, brokers, and/or consultants) marketing the target assets to potential purchasers to identify a “stalking horse bidder”—the bidder submitting the highest and best initial bid. The stalking horse bid sets the floor price for the assets to be sold at a subsequent bankruptcy auction.

The timing of execution of the stalking horse asset purchase agreement (“APA”) and auction bid procedures varies. Large publically traded companies usually attempt to finalize the stalking horse APA and bid procedures prior to filing for bankruptcy protection, whereas middle market companies often undertake some of these steps after the bankruptcy filing. It is not uncommon for small companies to file for bankruptcy protection and seek approval of bid procedures prior to identification of a stalking horse bidder. Regardless, the debtor must provide creditors with 21 days’ advance notice of the bankruptcy court hearing seeking approval of the stalking horse APA, the bid procedures, and the sale process. If creditors or other parties-in-interest object during the notice period, the bankruptcy court will decide whether the contemplated sale is in the debtor’s best interest.

Following bankruptcy court approval of the bid procedures, the debtor’s professional advisors will solicit higher and better offers. To the extent the debtor receives competing bids that satisfy all requirements, the debtor’s professional advisors or the bankruptcy court will conduct a formal auction. After completion of the auction, the debtor will seek bankruptcy court approval of the sale to the winning bidder. As part of the approval process, all the transaction documents are submitted to the bankruptcy court for review and approval. The sale transaction typically closes shortly following entry of the bankruptcy court’s sale order and the expiration of any applicable stay period. Moreover, to the extent that the bankruptcy court makes a finding that the successful bidder at the auction is a good faith purchaser, any appeal seeking to challenge the sale is statutorily moot.

There are both pros and cons to acting as the stalking horse bidder. Key among the potential disadvantages is that, after being selected in the initial auction process as the winning bidder, and investing significant time, effort, and money in diligence and purchase agreement negotiations, the stalking horse bidder may be outbid by higher and better offers at the public auction stage of the process prior to the bankruptcy court’s approval of the sale. Some potential purchasers accordingly will prefer to refrain from participating in the process until the bankruptcy auction stage and make a topping bid, piggybacking on the efforts of the stalking horse (though a purchaser that decides to “wait and see” will bear risks associated with a less thorough diligence investigation).

In terms of benefits, as noted above, the stalking horse’s bid will set the floor price, and the debtor and the stalking horse bidder will negotiate the terms of the APA, which will then serve as the standard form of APA that other bidders may be required to conform their offers to when submitting bids. The stalking horse bidder will also have a role in negotiating the bankruptcy bid procedures which will set the timelines for the auction schedule, including marketing, due diligence, and bid deadlines (often 60 to 90 days after bankruptcy court approval of the bid procedures). Stalking horse bidders are often able to negotiate break-up fees (commonly between 2% and 3% of the transaction value) to cover anticipated due diligence and professional fee expenses in the event that the stalking horse bidder is not the successful bidder at auction and overbid amounts. Stalking horse bidders also have more time to complete due diligence than potential purchasers who wait to engage a debtor until formal bid procedures are established.

Advantages of Section 363 Sales

While Section 363 sales require compliance with the formalities of the bankruptcy process and can be more time intensive and costly than non-bankruptcy sale transactions, asset sales under Section 363 provide significant advantages and protections that are not otherwise available to purchasers outside of the bankruptcy context.

One key attractive feature of Section 363 sales for purchasers is that, with limited exceptions, the purchaser can acquire the assets of the business “free and clear” of liens, claims, and encumbrances, and, in some instances, creditors can be enjoined from asserting successor liability claims against the purchaser. Further, to the extent that a creditor attempts to assert claims against a Section 363 sale purchaser, the purchaser may be able seek protection from the bankruptcy court. The ability to purchase assets “free and clear” may prove extremely attractive to potential purchasers in the COVID-19 market who are faced with an entirely new set of diligence risks and a myriad of actual and potential impacts that the pandemic has had and may have on the assets or business subject to the sale. Moreover, COVID-19 quarantine orders, travel restrictions, and social distancing protocols will further impair the ability of potential purchasers to conduct due diligence. Potential purchasers should begin exploring new methods and processes for conducting efficient and comprehensive legal and financial diligence investigations of likely targets.

In addition, sales by a corporation of all or substantially all of its assets, when accomplished outside of bankruptcy, necessitate majority stockholder approval, whereas stockholder consents to a sale are not required in the Section 363 context, although stockholder approvals of the bankruptcy filing may be required under the corporation’s charter or other contractual arrangements.

Further, asset sales outside of the bankruptcy context generally require a number of contractual counterparty consents, which may be even more difficult to obtain while third parties are displaced due to office closures and addressing their own business needs in the face of COVID-19.¹ In contrast, purchasers of assets pursuant to Section 363 sales are able to take assignment of most executory contracts and unexpired leases pursuant to Section 365 of the Bankruptcy Code notwithstanding most contractual restrictions on assignment. This is a significant differentiator because purchasers in private M&A and other non-bankruptcy transactions cannot compel contractual counterparties (including customers, suppliers, and lease parties) to consent to the assignment of contracts and leases, thus forcing purchasers into a series of one-off negotiations that can be costly and time-consuming. Likewise, debtors and purchasers in Section 363 sales are able to negotiate the rejection of burdensome contracts.² The ability to “cherry pick” contracts with favorable terms and reject contracts for which better terms can be obtained will be particularly valuable to many purchasers in light of current market upheaval.

Purchasers of assets in the Section 363 sale context are also protected from fraudulent conveyance claims by creditors (i.e., claims that the sale was made with an intent to hinder, delay, or defraud creditors, or for less than “reasonably equivalent value”).³ Whereas, purchasers of assets in private M&A transactions, particularly those involving distressed assets, face greater risks from fraudulent transfer claims, which, whether or not successful, can be costly for purchasers as a result of litigation- and settlement-related expenses. Parties in the private M&A context can obtain solvency opinions (if applicable) and fairness opinions to help mitigate the risk of fraudulent conveyance claims, but these alternatives are not as protective as a bankruptcy court order approving a Section 363 sale.

Purchasers of assets in private M&A and other non-bankruptcy transactions also face heightened risk in that the underlying purchase agreement, or related contracts, such as transition services agreements, could be rejected in a pre- or post-closing bankruptcy, leaving the purchaser with an unsecured claim for damages in respect of unfulfilled obligations—a fate that can be prevented with a Section 363 sale. Similarly, post-closing purchase price adjustment and similar payments contracted for in a non-bankruptcy sale context may be subject to clawback in a subsequent bankruptcy filing. Particularly for purchasers concerned about the solvency of the seller and the impact that the rejection of transaction agreements containing seller obligations would have on the value of the acquired assets, these are significant risks that make the Section 363 sale process an attractive alternative to private acquisitions of distressed assets outside of the bankruptcy context.

Finally, the bankruptcy automatic stay helps protect the going concern value of the target by preventing a counterparty from terminating contracts essential to the operation of the business.

Disadvantages of Section 363 Sales

Although Section 363 sales offer many protections to distressed asset acquirers, potential purchasers and sellers should be aware of attendant drawbacks as well, including new COVID-19 related considerations.

For example, a number of contractual protections that a purchaser typically obtains in a private non-bankruptcy driven M&A transaction are unavailable or significantly limited in Section 363 sales (and other distressed transactions involving a seller in the zone of insolvency). For instance, in a Section 363 sale, assets are often sold “as is, where is,” and asset purchase agreements contain a significantly scaled back set of representations and warranties, which usually terminate at closing. Though representations and warranties (“R&W”) insurance can help bridge this gap, such coverage may not cover COVID-19 issues, as most R&W insurers have begun stipulating at least some degree of exclusion relating to COVID-19 exposures.⁴

Section 363 sale purchasers also typically have limited indemnification rights with little or no escrow holdbacks (and only to the extent approved by the bankruptcy court). While R&W insurance can blunt to some extent the limited indemnification, it will not provide coverage for “known” or otherwise disclosed potential liabilities. Due to the relative lack of post-close remedies for a purchaser in a Section 363 sale, even greater stress is placed on the purchaser’s due diligence investigation to uncover issues which can be priced into their offer prior to signing an APA. Further, APAs in Section 363 sale transactions typically contain few closing conditions beyond certain regulatory⁵ or licensing approvals, so purchasers have much less wiggle room to attempt to walk away from a deal post-signing. Moreover, purchasers in Section 363 sales typically must pay all cash at closing, thus preventing the use of deferred/contingent consideration or earnouts. In addition, the existence and terms of a Section 363 APA and transaction are made public, which can result in an unwanted spotlight on a purchaser and the distressed nature of the target business (though perhaps less of a reputational hazard in the current economic environment given that so many businesses are similarly situated).

Another key reason that potential purchasers may prefer a private sale outside of bankruptcy to a Section 363 sale process is the heightened execution risk inherent in the Section 363 sale context, including risk as a result of stakeholder and other third party challenges and interference in the process which can significantly delay and negatively impact the value of the transaction.

Although bankruptcy courts generally have remained open during the COVID-19 crisis (as discussed here), transaction parties must adapt to the new normal of telephonic and/or video conference hearings, as many bankruptcy courts have suspended in-person hearings for health and safety reasons. Moreover, bankruptcy courts have greatly reduced evidentiary hearings. These changes have impacted the efficiency of bankruptcy courts and may result in backlogs when bankruptcy courts resume normal operations. Further, the expected increase in bankruptcy filings across all industries and sectors of the economy will likely result in additional backlog. As such, M&A participants in Section 363 sales should expect to encounter at least somewhat costlier and lengthier sale processes as compared to pre-COVID-19 scenarios. For some purchasers and sellers, the potential delays may necessitate additional consideration of out-of-bankruptcy alternatives given the need for expediency to preserve going concern value of a “melting ice cube.” It remains to be seen what other changes to the Section 363 sale process may lie in store in light of the COVID-19 pandemic.

Conclusion

In the new economic reality brought on by the COVID-19 pandemic, businesses are facing unprecedented challenges, and many will seek bankruptcy protection. For capital-rich purchasers, Section 363 sales inevitably will present interesting opportunities to acquire attractive assets at significantly reduced valuations. While potential purchasers will want to consider the range of available acquisition strategies (including out-of-court asset sales, Article 9 sales, sales following an assignment for the benefit of creditors, and sales pursuant to a Chapter 11 plan of reorganization) with their professional advisors, the Section 363 option can certainly offer value to purchasers.

¹ Given the widespread economic distress caused by COVID-19, however, counterparties may be more inclined to provide consents if doing so could enhance the value to be obtained by them through the sale or preserve a beneficial contractual relationship that might otherwise be rejected if the seller files for bankruptcy.
² Exceptions include contracts pursuant to which the non-debtor counterparty would, under applicable non-bankruptcy law, be excused from accepting performance from a person or entity other than the debtor, including personal service contracts and government contracts. Note also that, based on recent US Supreme Court case law, a third party’s continued right to use licensed intellectual property may survive a debtor’s rejection of a trademark license.
³ The statutes of limitations on fraudulent conveyance claims can be as long as six years and can be extended even longer by subsequent bankruptcy filings.
⁴ Bill Monat, The impact of COVID-19 on representations & warranties insurance coverage: Transactional insurance solutions update, (April 16, 2020) https://www.willistowerswatson.com/en-US/Insights/2020/04/the-impact-of-covid-19-on-representations-and-warranties-insurance-coverage (last visited April 28, 2020).
⁵ Of note, the waiting period for Hart Scott Rodino Act filings is shortened to 15 days (from the usual 30 days) in the Section 363 sale context.

Many things will never be the same after the COVID-19 affliction. More and more employees will spend less and less time at an office. As more employees work remotely, they will use more technologies to connect and collaborate, and they will store more company information in the Cloud and on various home devices with a range of setups and vulnerabilities. Bad actors, cyberthieves, and hackers will undoubtedly have greater luck exploiting the resulting chinks in the information security armor. Indeed, hackers and cyberwarriors began attacking the soft underbelly of corporate security—the devices employees use (sometimes their own and sometimes provided by the company) and the networks on which they connect—right after COVID-19 hit. Businesses must have a concrete plan to deal with these new realities and become more “information lean.”
This new environment is also accelerating digitalization, which is building better business processes through strategic use of technologies. That is important because it provides companies the opportunity to reevaluate what they are doing and why. Shifting through old processes allows not only new efficiencies to emerge, but also the chance to build compliance needs processes from the beginning, which can make them transparent and seamless. In other words, addressing issues such as privacy and security in planning and design phases of a project means it will not need to be retrofitted downstream.
The article will reveal some essential truths about the new reality for businesses after COVID-19 and the concrete planning required to become information lean.

The Truth About Home Workers

Employees prefer their own devices, so even if policy prohibits it, company information finds its way onto personal devices, which implicates privacy and security issues. The security protections in a personal environment tend to be less robust than in the corporate setting or in the Cloud. Thus, although home workers may limit a company’s computer and office expenses, they present different security challenges.

The Truth About Information Piles

Information volumes have been growing every year for many decades and will not stop growing unless something or someone intervenes. That is not happening very often in most big businesses. Piles tend to be ill-managed or not managed at all, and tend to mix important with unimportant information. That makes environments like the shared drive the perfect target of hackers because employees store all kinds of information there, including information that may have substantial value to the company like intellectual property. When it comes to information piles, the more information and the more locations, the greater the privacy and security risk. Competing interests (like Big Data proponents) inside any given company that will want more information for longer periods of time must be addressed.

The Truth About Security and Privacy

Information security has become a core business activity that requires resources, expertise, and vigilance. No matter how much money and effort you throw at securing information, hackers will be successful from time to time. So, information security is really about seeking to minimize the pain and harm exacted on the company.

The Truth About How Companies Got “Information Chunky”

Most businesses are keeping too much information, and some are keeping everything. The law of diminishing returns applies to information to the extent that there is so much that litigation response becomes a huge headache and significant expense. Lawyers are to blame in part for that reality. With the advent of electronic discovery, lawyers over-preserved because they thought it was the conservative position and did not want to be responsible for destruction of evidence. Once information was on legal hold, it often remained on legal hold. Unwinding the “preserve everything” approach to litigation response is challenging, especially if a company has lots of litigation. However, bad habits and over-retention must stop, and lawyers will be central in taking on this issue.

Remember Goldilocks to Become Information Lean

Most privacy laws and regulations make clear that less is more when it comes to privacy. That means keeping as little as possible for as short as necessary. In the case of the GDPR (the EU privacy directive), information must be retained no longer than its original intended purpose, but as short as possible to run the business and comply with the law.
In addition, although Big Data and analytics folks might want more data for longer, there are several important compliance and business drivers that militate in favor of keeping less. For the most part, information value goes down rather quickly after it is created and used, so keeping everything forever is bad business. The following chart helps explain the declining value of information over time while risk increases.

Moreover, as the piles grow, so does the challenge of protecting the growing volume of information because growth usually means more applications, more storage locations, and thus more ways for the bad guys to exploit information assets. Costs of storing more information make the overall costs go up, even if the storage unit costs go down over time. The volume increase and overall increase in cost is not to be ignored because someone fallaciously asserted that “storage is cheap.” Big companies may be spending hundreds of millions of dollars to store their information.

The take-away from the children’s tale Goldilocks and the Three Bears is simple: find the right bowl of porridge to eat and the right bed to sleep in. In other words, this pile of information is too big, and that pile of information is too small, but this pile is just right. Businesses must strive to be information lean by not keeping too much or too little. The Cloud helps and hinders in this regard. On the one hand, the Cloud has infinite scalability, which lets companies keep just what they need and not overbuild underutilized infrastructure. On the other hand, the Cloud has infinite scalability, and human nature (packratitis) and business pressures (Cloud providers want maximum revenue and stickiness by having as much of your company information stored there as possible) promote over-retention of information.

12-Month Plan to Be Leaner

What follows is a basic, pragmatic plan to become information lean in a post-COVID-19 world where more employees are working from home and company information is more exposed than ever before.

In this new reality, businesses must be more information-security minded and vigilant, more privacy-centric, and much more protective of their intellectual property. All that begins with being information lean.

In December 2018, the Delaware Court of Chancery issued an opinion holding that federal-forum charter provisions—those that require plaintiffs to bring actions under the federal securities laws in federal court and not in state court—are “ineffective and invalid.”* Sciabacucchi v. Salzberg, 2018 Del. Ch. LEXIS 578 (Del. Ch. Dec. 19, 2018). At that time I wrote: “Assuming that Sciabacucchi is not reversed on appeal, Delaware law allows Delaware corporations to adopt forum selection bylaws or charter provisions governing actions related to the internal affairs of the corporation, but does not allow Delaware corporations to adopt federal-forum provisions governing federal securities law claims.” https://blog.hfk.law/sciabacucchi/ Sciabacucchi has now been reversed by the Delaware Supreme Court. Salzberg v. Sciabacucchi, 2020 Del. LEXIS 100 (Del. Mar. 18, 2020).

A typical federal-forum provision in a certificate of incorporation states that “the federal district courts of the United States of America shall be the exclusive forum for the resolution of any complaint asserting a cause of action arising under the Securities Act of 1933.” The Securities Act of 1933, or the ’33 Act, requires companies offering securities to the public “to make full and fair disclosure of relevant information” by filing registration statements with the United States Securities and Exchange Commission (SEC). The ’33 Act created private causes of action for investors and provided that those claims could be brought in state or federal court. 

The Delaware Supreme Court found that federal-forum charter provisions “can survive a facial challenge under our law.” The high court rejected the Court of Chancery’s conclusion that “constitutive documents of a Delaware corporation cannot bind a plaintiff to a particular forum when the claim does not involve rights or relationships that were established by or under Delaware’s corporate law.”

The Delaware Supreme Court began its analysis with section 102 of the Delaware General Corporation Law (DGCL), which governs matters that may be included in a certificate of incorporation. Section 102(b)(1) of the DGCL allows two types of provisions:

any provision for the management of the business and for the conduct of the affairs of the corporation,

and

any provision creating, defining, limiting and regulating the powers of the corporation, the directors, and the stockholders, or any class of the stockholders, . . . if such provisions are not contrary to the laws of this State.

The court found that a federal-forum provision “could easily fall within either of these broad categories, and thus, is facially valid”:

The drafting, reviewing, and filing of registration statements by a corporation and its directors is an important aspect of a corporation’s management of its business and affairs and of its relationship with its stockholders.

Thus, federal-forum provisions are permissible under both parts of section 102(b)(1) as to the management of the business and affairs of the corporation and as to its relationship with its stockholders.

The court found that federal-forum provisions “can provide a corporation with certain efficiencies in managing the procedural aspects of securities litigation.” When multiple actions are filed in federal and state court, there is no procedural mechanism for consolidating the cases in a single court, resulting in possible inconsistent rulings and other “costs and inefficiencies.” Federal-forum provisions reduce those effects by requiring all actions to be brought in federal court, where they can be transferred to one jurisdiction and consolidated, or can be handled as a single, multidistrict litigation.

The court based its holding that federal-forum provisions are permissible on Cyan, Inc. v. Beaver County Employees Retirement Fund, 138 S. Ct. 1061 (2018), in which the U.S Supreme Court held that class actions based on federal securities laws can be brought in either federal or state court (and cannot be removed to federal court when brought in state court). After Cyan, state-court filings of class actions under federal securities laws “escalated,” with 55 percent more cases filed in state court than in federal court in 2019.

In 2015, the Delaware General Assembly adopted a new section 115 of the DGCL, providing that a Delaware corporation’s charter or bylaws may require “internal corporate claims” to be brought in Delaware courts. The term “internal corporate claims” was defined to include (but was not necessarily limited to) claims of breach of fiduciary duty and claims based on the DGCL. In Sciabacucchi, the Court of Chancery found that federal securities law claims were “external” claims, that section 115 said nothing about external claims, and that it was “understood” that corporate documents could not be used to regulate external claims. The Delaware Supreme Court disagreed, noting that the synopsis to the bill introducing the new section 115 stated that the statute was “not intended to authorize a provision that purports to foreclose suit in a federal court based on federal jurisdiction.” However, federal-forum provisions “do not foreclose suits in federal court”; to the contrary, they direct federal claims to be filed in federal courts. Therefore, federal forum provisions are not inconsistent with section 115.

The appellees argued that section 115 implicitly limited the scope of section 102(b)(1) so as to exclude federal-forum provisions from certificates of incorporation. The Delaware Supreme Court rejected that argument, finding that section 102(b)(1) is “clear and unambiguous” and “does not incorporate Section 115.” The court also found that there is no “irreconcilable conflict” between section 115 and section 102(b)(1) that would cause section 115 to supersede or alter the earlier section. The court harmonized the two sections, finding that section 115 “simply clarifies that for certain claims, Delaware courts may be the only forum, but they cannot be excluded as a forum.”

The Court of Chancery found that federal securities law claims are “external” and therefore cannot be regulated by a certificate of incorporation because “[t]he cause of action does not arise out of or relate to the ownership of the share, but rather from the purchase of the share.” The Delaware Supreme Court rejected that argument too, finding that not all federal securities law claims arise from the purchase rather than the ownership of shares, that existing stockholders can assert such claims, and that other provisions the DGCL “address[] a number of situations involving the purchase or transfer of shares.” The court found that although securities law claims are not concerned with the “internal affairs” of Delaware corporations, neither are they “external.” Instead, such claims are in an “Outer Band” of “intra-corporate” matters covered by section 102(b)(1) of the DGCL but not within the internal affairs of the corporation.

The Delaware Supreme Court embraced the U.S. Supreme Court’s definition of “internal affairs” as matters “peculiar to the relationships among or between the corporation and its current officers, directors, and shareholders.” Edgar v. MITE Corp., 457 U.S. 624, 645 (1982). However, the Delaware Supreme Court found that section 102(b)(1) allows a certificate of incorporation to regulate matters located in the Outer Band of intra-corporate matters beyond internal affairs. This regulation of Outer Band matters does not violate federal law because the U.S. Supreme Court has held that federal law “has no objection to provisions that preclude state litigation of Securities Act claims” (citing Rodriquez de Quijas v. Shearson/American Express, Inc., 490 U.S. 477 (1989)).

Finally, the Delaware Supreme Court found that federal-forum provisions do not “offend principles of horizontal sovereignty” among states, largely because although states are limited in their ability to enact substantive laws that affect other states, forum-selection provisions govern only procedural and not substantive matters. They “regulate where stockholders may file suit, not whether the stockholder may file suit or the kind of remedy that the stockholder may obtain on behalf of herself or the corporation” (quoting Edgar, 457 U.S. at 951–52). As such, they do not “offend sister states [or] exceed the inherent limits of the State’s power.”

The Delaware Supreme Court also noted that federal-forum provisions are less restrictive than Delaware forum provisions because the latter may require stockholder plaintiffs to bring suit far from their home jurisdictions, whereas federal-forum provisions could allow suits to be brought in federal court in any jurisdiction. Nonetheless, combining a Delaware forum charter provision with a federal-forum provision would limit federal securities law claims to the U.S. District Court for the District of Delaware.

Writing in December 2018, I suggested that Delaware corporations should adopt Delaware forum provisions in their certificates of incorporation, but that they could not adopt federal-forum provisions. Now, after the Delaware Supreme Court’s decision in Salzberg v. Sciabacucchi, Delaware corporations can—and should—do both.

*  James G. (Jay) McMillan is a partner in the Wilmington, Delaware office of Halloran Farkas + Kittila LLP. He concentrates his practice in complex corporate and commercial matters, with a particular focus on litigation in the Delaware Court of Chancery.

COVID-19 has claimed many M&A deals in March, the largest being Xerox Holdings Corporation’s termination of its proposed $32.85 billion hostile takeover of HP Inc. on March 31, 2020. Xerox wrote in its press release that “[t]he current global health crisis and resulting macroeconomic and market turmoil caused by COVID-19 have created an environment that is not conducive to Xerox continuing to pursue an acquisition of HP Inc.” Quite a few companies are finding themselves in a similar situation, with reports of deal terminations and delays continuing through April and into May.

As of April 8, 2020, 66 M&A deals were terminated since the World Health Organization’s declaration of the pandemic on March 11, 2020. These included the $32.85 billion Xerox-HP deal and the $3 billion WeWork-Softbank tender offer. Some analysts report that U.S. volume of M&A deals in March 2020 was only about half of what it was in January 2020, and Canadian deal activity was down almost 57 percent in the first quarter of 2020 as compared to a year ago, all due to COVID-19.[1]

However, the impact of the pandemic on pending deals may be overstated, given that many pending U.S. deals are proceeding as planned. Out of 57 of deals valued at US$1 billion or more announced in Q1 of 2020, six already closed, 49 are still pending without any publicly announced changes, and only two have been terminated or disputed so far.[2]

Other terminations will follow in the days to come, and many of the pending deals are delayed. No one will be surprised to see price adjustments negotiated into the terms of those that do end up closing.

If parties do not mutually agree to terminate, the unilateral terminations may be based on a material adverse effect (MAE) carveout, failure to operate in the ordinary course, or even the doctrine of impossibility. MAE carveouts will now come sharply into focus for all M&A parties. Most MAEs have not typically contained express carveout language relating to pandemics, epidemics, or COVID-19, but deals signed in April and March of 2020 have indeed been including these carveouts into their MAE clauses.

A few recent examples of these clauses include:

1. Asset Purchase Agreement between Orgenesis Inc. and Tamir Biotechnology, Inc. (April 12, 2020):

“Material Adverse Effect” means any change, event, circumstance, condition, fact or effect (each, an “Effect”) that is, or would reasonably be expected to become, individually or taken together with all other Effects, materially adverse to (i) the business, results of operations, financial condition or assets of Seller or the Business, or (ii) the ability of Seller to consummate the Transactions, in each case, except to the extent that any such Effect results from . . . (e) any act of war, act of terrorism, natural or man-made disaster, act of god or pandemic (including the COVID-19 virus). . . .; provided, that any Effect referred to in the foregoing clauses (a), (b), (c), (e) and (h) above shall be taken into account in determining whether a Material Adverse Effect has occurred or would reasonably be expected to occur to the extent that such Effect has a disproportionate effect on the Business as compared to other participants in the industries in which the Business operates.

2. Agreement and Plan of Merger between Turning Point Brands, Inc. and Standard Diversified Inc. (April 7, 2020):

“TPB Material Adverse Effect” means any effect that would prevent or materially delay the ability of TPB to consummate the Contemplated Transactions; provided that any effects resulting from the COVID-19 crisis shall not constitute a TPB Material Adverse Effect for purposes of this Agreement.

3. Membership Interest Purchase and Sale Agreement between Carbon Energy Corporation, Nytis Exploration (USA) Inc. and Diversified Gas & Oil Corporation:

“Material Adverse Effect” means any event, occurrence, fact, condition or change that is or would reasonably be expected to be, individually or in the aggregate, materially adverse to (a) the business, results of operations, financial condition, operations or assets of the Company Entities considered as a whole, or (b) the ability of Sellers to consummate the Contemplated Transactions; provided, however, that none of the following shall be deemed to constitute, and none of the following shall be taken into account in determining whether there has been or would reasonably be expected to be a Material Adverse Effect: (a) any adverse change, event, development, or effect arising from or relating to: . . . (ii) national or international political or social conditions, including the engagement by the United States in hostilities, whether or not pursuant to the declaration of a national emergency or war, or the occurrence of any military or terrorist attack upon the United States, or any of its territories, possessions, or diplomatic or consular offices or upon any military installation, equipment, or personnel of the United States; natural disasters, weather conditions, outbreaks of disease, epidemics and pandemics (including the CoVid-19 pandemic) and effects thereof, and similar force majeure events . . . and (b) any adverse change in or effect on the Acquired Assets or Operations of the Company Entities that is cured or, if such adverse change is with respect to a Material Contract, waived in writing before the earlier of the Closing Date and the termination of this Agreement.

4. Membership Interest Purchase Agreement between CAPSS LLC and MSG NATIONAL PROPERTIES, LLC (March 24, 2020):

“Material Adverse Effect” means any event, change, circumstance, occurrence, effect or state of facts first occurring after the Effective Date that has a material adverse effect on (a) the Company or the assets, liabilities, results of operations and financial condition thereof, taken as a whole, or (b) Seller’s ability to consummate the Transactions; provided, that any such event, change, circumstance, occurrence, effect or state of facts resulting from any of the following, individually or in the aggregate, will not be considered when determining whether a Material Adverse Effect has occurred for purposes of clause (a) above: . . . (iv) conditions in jurisdictions in which the Company operates, including epidemics, pandemics or disease outbreaks (including the COVID-19 virus), hostilities, acts of war, sabotage, terrorism or military actions, or any escalation or worsening of any of the foregoing . . . provided that any adverse effects resulting from matters described in any of the foregoing clauses (i), (ii), (iii), (iv) or (vii) may be taken into account in determining whether there is or has been a Material Adverse Effect to the extent, and only to the extent, that they have a disproportionate effect on the Business relative to other participants in the industries or geographies in which the Business operates.

5. Asset Purchase Agreement between Silicon Laboratories Inc. and Redpine Signals, Inc. (March 11, 2020):

“Material Adverse Effect” shall mean any event, change, violation or effect that is, or would reasonably be expected to be, materially adverse to the Target Business, financial condition, properties, assets, Liabilities, operations or results of operations of the Group Companies, taken as a whole, but will not include any adverse event, change, violation or effect to the extent arising from: . . . (h) any spread of Novel Coronavirus (i.e. COVID-19); except in the case of each of clauses (a), (b), (c), or (f), to the extent such event, change, violation or effect disproportionately affects the Group Companies relative to other participants in the industries in which the Group Companies operate.

Considering that the likelihood of the second wave of infections and subsequent shutdowns is not insignificant, careful drafting of the MAE clause in currently negotiated or soon-to-be-negotiated agreements is crucial. Buyers and sellers should pay careful attention to the wording of the clause to properly allocate the risk.

It is also important to note that each company’s situation is different and will be evaluated on the facts and circumstances surrounding its particular business. A MAE clause must be tailored to the transaction at hand and the vulnerabilities of the parties involved. It is important to remember that issues stemming from COVID-19 or a similar pandemic may prove disproportionately disastrous for target X, thereby triggering the MAE clause in target X’s case, but not nearly as disproportionally dire for target Y, leaving target Y’s buyer without a MAE out.

[1] See ANALYSIS: M&A Terminations Are Here, Mostly of All-Cash Deals, Bloomberg Law (last visited May 6, 2020).

[2] See Most pending US M&A deals are proceeding as agreed, despite COVID-19, White & Case M&A Explorer (last visited May 6, 2020).

As a result of the COVID-19 pandemic, businesses across the United States are suffering from unprecedented losses.* In cities and suburbs around the country, commerce has ground to a halt as businesses close their doors because of potential exposure to the deadly virus and in response to state and local government orders. Which of these businesses will be able to reopen will depend largely on how they are able to manage those losses.

Although the news in recent weeks has focused largely on funds available to small businesses through the recently passed CARES Act, that relief is, for the most part, unrelated to losses incurred and is entirely unavailable for companies with more than 500 employees. Therefore, the survival of many businesses both large and small will turn on whether they have private insurance coverage available to cover all or a portion of their losses. Unfortunately, even for those that maintain robust coverage, whether it will be available is far from certain.

Even though insurance policies differ, business interruption and certain other types of coverage are typically drafted to cover losses arising from “direct physical loss” or “damage to” covered property. Insureds are already receiving denial letters from carriers taking the position that coverage is not provided because they do not consider COVID-19 or any governmental order closing the business to constitute physical loss or damage to the property. Is this correct? The answer apparently will not only depend on the specific language of the insured’s policy, but also on a company’s ability to prove the physical presence of the virus and what will be considered valid proof.

Guidance from the Gopher State

Although states’ interpretations of insurance provisions often differ, a line of cases out of Minnesota provides an instructive illustration of how courts may approach the issue of whether coronavirus constitutes a physical loss or damage to property and what question may ultimately be presented to a jury.

The Loss Need Not Be Physical. In the mid-1990s, upon a routine inspection, the FDA discovered traces of an unapproved but safe pesticide in oat stocks at one of General Mills’ facilities. Under the FDA’s rules, even though the pesticide was safe and used on other approved products, its presence would be considered an improper adulteration. Upon notification of the discovery, General Mills immediately halted distribution and production of oat products, but by that time the equivalent of 55 million boxes of Cheerios and other cereals had been affected.

General Mills voluntarily held the adulterated cereals, even though they were completely safe and there was no discernible difference in the product. Although General Mills considered petitioning the FDA for a waiver that would have permitted distribution, it concluded the waiver could not be obtained in the time necessary to bring the affected cereal to market.

The food company sought coverage for its losses under various policies, including an all-risks policy issued through Gold Medal Ins. Co. for which coverage was denied. Gold Medal argued that FDA regulations, rather than the presence of the pesticide, caused the loss; therefore, there was not a “physical loss or damage.” When presented with the question of whether there was physical loss or damage, the Minnesota Court of Appeals determined that there was. The court found that direct physical loss can exist without actual destruction of property or structural damage to property, and that it is sufficient to show that the insured property is injured in some way and that an impairment in value satisfies that burden. Gen. Mills, Inc. v. Gold Medal Ins. Co., 622 N.W.2d 147, 152 (Minn. App. 2001).

Well, Maybe a Little Physical. On the other side of things, Source Food Tech., Inc. v. United States Fidelity & Guaranty Co., 465 F.3d 834, 836–38 (8th Cir.2006) (applying Minnesota law) is likely a case that will be cited by insurance carriers in the months ahead. In that decision, the 8th Circuit refused to extend the General Mills decision to solely an economic injury stemming from a governmental regulation. In Source Food, a manufacturer could not transport its beef product from its supplier in Canada to the United States after the USDA prohibited the importation of all beef from Canada due to fears surrounding mad cow disease. Citing General Mills, the manufacturer argued that the loss of function of the beef product constituted direct physical loss to its property. The 8th Circuit concluded that as it was undisputed that the beef was not contaminated or adulterated, there was not “direct physical loss to the property” to trigger coverage. Of particular relevance for insureds is that the 8th Circuit noted that if the policy used “of” instead of “to,” there may have been a different result.

Demonstrating Physical Damage Through Means Other Than Proving Contamination. In both General Mills and Source Food, the factual records were undisputed—there was no question that the oats and beef had been contaminated. What if the question of contamination is unclear?

A year after Source Food, the Minnesota Court of Appeals was asked to address that question. In United Sugars Corp. v. St. Paul Fire and Marine Ins. Co., A06-1933, 2007 WL 1816412 (Minn. App. June 26, 2007), there was an open question as to whether the removal of certain foreign substances from sugar cured the at-issue contamination or whether, despite the removal, it remained “physically damaged.” The Court of Appeals was asked to determine if a jury instruction provided by the lower court requiring that the jury find “contamination” to trigger coverage for losses, rather than “adulteration” as requested by the insured, was reversible error. The Court of Appeals held that it was reversible error to limit the question to one of contamination because the lower court did not allow a jury to find “physically damaged by any means other than proof that it actually contained ‘foreign matter.’” Accordingly, the court seemed to recognize that although there needed to be some physical link, proof of its presence was not necessary to establish “physical damage.”

The Unique Problem with Coronavirus

As courts begin to address coverage for losses arising from coronavirus, they undoubtedly will face the same questions. Must a business demonstrate that it was physically contaminated by the virus? Is an employee who tested positive sufficient to demonstrate physical damage? Will high exposure rates in a given area be sufficient to demonstrate physical damage? Although these questions are difficult enough when courts are addressing nonemergency situations of isolated food contamination, the current dynamic presents stark, practical public-policy concerns.

Testing of both individuals and locations remains limited. Furthermore, asymptomatic carriers, unknowns regarding how long the virus can live on surfaces, and limitations on available PPE, testing labs, and appropriately trained individuals makes identifying the presence of coronavirus a practical impossibility for many under the current circumstances. Due to these issues, most people across all fields are simply advised to act like everyone has the virus. In fact, the CDC’s guidelines throughout the crisis have instructed employers to treat any potential case, or even potential exposure, the same as a positive case and mandating14-days quarantines in almost all circumstances.

The Solution of a Presumed Positive Presence

Considering the current limitations, it appears unfair and unadvisable to require insureds to be focusing on attempting to prove direct contamination of their business when such testing would potentially increase the public risk through additional social contact, require business expenditures at a time businesses are focusing on maintaining employment, and place yet additional players in a market for needed resources.

In light of these concerns, legislative intervention that balances the rights of both the insureds and insurers should be seriously considered by affected states. Although certain legislation under consideration such as New Jersey Bill A-3844, which would render coronavirus a covered peril under all business-interruption insurance policies in the state, may be a step too far, there appears to be a less radical solution. Legislation that established an evidentiary presumption that the coronavirus was present at all locations impacted by applicable civil orders would fairly preserve all contractual exclusions and other relevant policy language while taking an undue burden off insureds.

No doubt insurers will still have numerous arguments at their disposal to support denying coverage based on policy language; however, allowing insurers to avoid coverage because a business focused on keeping its employees healthy and employed, rather than procuring testing of its property, would not only be unjust, it would further hamper future economic recovery efforts. In this time of national emergency, state legislators should address the reality that we have all been physically damaged by the coronavirus whether we have a positive test to prove it or not.

* Evan W. Bolla is a partner and general counsel for New York litigation boutique Harris St. Laurent LLP.  Trusted for his efficiency and his practical legal and business judgment, Evan represents companies and individuals in insurance, executive employment, professional malpractice, and general commercial disputes and litigation. Evan’s insurance and professional defense practice focuses on identifying and obtaining coverage, advancement, and indemnification for his clients and defending professionals against claims of malpractice, negligence, and fraud. He can be reached at [email protected] and you can learn more about his practice and results at https://hs-law.com/evan-bolla.

On March 27, 2020, President Trump signed into law the Coronavirus Aid, Relief, and Economic Security Act (the CARES Act).[1]  In section 1102 of the CARES Act, Congress established the Paycheck Protection Program (PPP), which provides for hundreds of billions of dollars’ worth of loans under section 7(a) of the Small Business Act (SBA)[2] to borrowers that consist of, among others, eligible small businesses.

In applying for an SBA section 7(a) loan under the PPP (a PPP loan), eligible applicants must, among other requirements, be able to make a good-faith certification that the uncertainty of current economic conditions makes the PPP loan request “necessary” to support the ongoing operations of that eligible applicant (a “necessity” certification). However, further complicating the analysis, section 1102(I) of the CARES Act suspends the ordinary requirement that an applicant for a section 7(a) loan be unable to obtain “credit elsewhere”, which is defined in section 3(h) of the SBA[3] to mean the ability to obtain credit from non-federal sources on reasonable terms and conditions, taking into consideration the prevailing rates and terms in the community in or near where the borrower transacts business, for similar purposes and periods of time. Unlike a borrower for a traditional section 7(a) loan, under the CARES Act, an applicant for a PPP loan is not required to certify that it is unable to obtain credit elsewhere. Instead, PPP loan applicants must consider alternate sources of liquidity in connection with their PPP loan application to assess whether the current economic uncertainty makes its PPP loan request necessary to support its ongoing operations.

On April 23, 2020, the SBA issued updated FAQs[4] (SBA FAQs) addressing the “necessity” certification in the PPP loan application but failing to provide any specific standard or quantitative metrics for defining the applicant’s need for the PPP loan. The SBA FAQs did, however, make clear that:

• applicants must make a reasonable, good-faith determination of need
• applicants must assess their ability to access other sources of liquidity sufficient to support their ongoing operations in a manner that is not significantly detrimental to the business
• applicants that receive a PPP loan should maintain records supporting their determination of need and be ready to demonstrate to a federal regulator the basis for having made their certification

Fortunately, for smaller borrowers—for these purposes, these are borrowers that, together with their affiliates, receive or have received PPP loans in an original, aggregate principal amount of less than $2 million (a Micro-Borrower)—the SBA, in consultation with the U.S. Department of the Treasury, just amended the SBA FAQs to include a safe harbor for Micro-Borrower’s making the “necessity” certification.[5] Under the new safe harbor, Micro-Borrowers will be deemed to have made the “necessity” certification in good faith.

As a consequence of the new safe harbor, the focus on the “necessity” certification has shifted to borrowers that, together with their affiliates, receive or had received PPP loans in an original, aggregate principal amount of $2 million or more (Significant Borrowers); borrowers unable to rely on the safe harbor described above for Micro-Borrowers. Best exemplifying this risk, especially for the larger borrower, is the first official action taken by the Select Subcommittee on the Coronavirus Crisis (the Subcommittee), which is a special investigatory subcommittee established by the U.S. House of Representatives under the House Oversight Committee empowered to oversee that the funds for the PPP loans are used effectively and not subjected to fraud or waste.

On May 8, 2020, the Subcommittee delivered letters to five large, public corporations demanding that they immediately return the PPP loan proceeds that they had received, funds that Congress had intended for small businesses struggling to survive during the coronavirus crisis.[6] These letters were sent to public companies with market capitalization of more than $25 million and 600 employees, PPP loan applicants that sought and received “small business” loans of $10 million or more.  The Subcommittee instructed each of these companies to respond by May 11^th as to whether they would return their PPP loan funds; otherwise, the Subcommittee gave them until May 15^th to produce all documents and communications (1) between that borrower and the SBA and the Department of the Treasury relating to its PPP loan, and (2) between that borrower and any financial institution relating to its PPP loan, including all applications for a PPP loan. Thus, in its first official action, the Subcommittee sent a clear signal of the real risk that a borrower unable to rely on the Micro-Borrower safe harbor incurs in making the “necessity” certification. Where the Subcommittee will eventually draw the line on sending out similar demands to Significant Borrowers is anyone’s guess. Time, as always, will provide that answer.

What are Significant Borrowers to do in the interim? Unfortunately, the good-faith certification as to the necessity for the PPP loan by the applicant still leaves unanswered questions such as: “How do you define good faith?” “How do you truly determine whether the PPP loan is necessary?” “What law or rule governs these definitions?”

Many commentators have spoken critically about these issues and the ambiguity of these terms. For example, in discussing the process of applying for a PPP loan, Don McGahn, former White House counsel from 2017–18 and now a partner at a large, private law firm, opined in the Wall Street Journal on April 27, 2020,[7] that:

To get a loan, a business must certify that “current economic uncertainty makes this loan request necessary to support the ongoing operations of the Applicant.”

A lax standard, to be sure. But is anyone really going to question that there is “current economic uncertainty”? And that such uncertainty makes a loan request “necessary” to support operations? There is no statutory requirement that a company would go under but for the loan, or that it must, with any degree of certainty, prove need in a detailed way. Hotels and restaurants were given additional statutory leeway: a per location size standard. Regardless of what the goal-post movers now claim they intended, the Cares Act says what it says, and its loose language was sold as a feature, not a bug.

Thus, Mr. McGahn makes the case that every qualified business applying for a PPP loan is capable of making this “necessity” certification in good faith.

However, in the Wall Street Journal the following day,[8] Paul S. Atkins, a former Commissioner with the Securities and Exchange Commission and now CEO of Patomak Global Partners, stirred the pot further by cautioning businesses about taking federal money:

But borrower beware! Businesses with flexibility should seriously consider to what extent accepting the terms of federal loans or other support may be a Faustian bargain. The ultimate cost may dramatically outweigh the temporary gain.

Through the congressional oversight commission established under the Cares Act, the new Special Inspector General for Pandemic Recovery, and numerous other freshly funded inspectors general, the groundwork is already laid for aggressive investigation and review of which businesses received—and how they spent—federal emergency funds.


Thus, if a Delaware corporation is applying for a PPP loan, would Delaware General Corporation Law determine whether that entity (and its board of directors) had acted in “good faith” in making its “necessity” certification for a PPP loan? Is not every decision of the board of directors of a Delaware corporation required to be taken in good faith? Remember, section 102(b)(7) of the Delaware General Corporation Law expressly provides that directors cannot be shielded from liability for actions not taken in good faith or breaches of the duty of loyalty.

Moreover, the duty of good faith under Delaware law falls under the protection of the business judgment rule. In Cede & Co. v. Technicolor, Inc., 634 A.2d 345, 360–61 (1993) (citations omitted), the Delaware Supreme Court stated that:

The [business judgment] rule operates as both a procedural guide for litigants and a substantive rule of law. As a rule of evidence, it creates a ‘presumption that in making a business decision, the directors of a corporation acted on an informed basis [i.e., with due care], in good faith and in the honest belief that the action taken was in the best interest of the company.’ The presumption initially attaches to a director-approved transaction within a board’s conferred or apparent authority in the absence of any evidence of ‘fraud, bad faith, or self-dealing in the usual sense of personal profit or betterment.

. . . To rebut the [business judgment] rule, a shareholder plaintiff assumes the burden of providing evidence that directors, in reaching their challenged decision, breached any one of the triads of their fiduciary duty—good faith, loyalty or due care.

If a shareholder plaintiff fails to meet this evidentiary burden, the business judgment rule attaches to protect corporate officers and directors and the decisions they make, and our courts will not second-guess these business judgments.

Thus, an applicant for a PPP loan could argue that its good-faith determination was subject to the business judgment rule, which protects directors from second guessing if they can demonstrate that they have fulfilled their fiduciary duties: the duty of loyalty and duty of care. If the board of directors can demonstrate that its members made a good faith determination, then the directors should be protected by the business judgment rule. After all, the business judgment rule dictates that courts defer to decisions taken by the board of directors if the directors acted in good faith and in what they reasonably believed to be in the best interest of the corporation after the exercise of due care. The duty of loyalty, which means that a director must act in good faith and free from any conflict of interest, should not be an issue with respect to a PPP loan. The second component of the director’s fiduciary duty is the duty of care, which requires, first, that directors inform themselves of all material information reasonably available to them prior to making a business decision on behalf of the corporation; and then, after becoming appropriately informed, the directors must act with requisite care in the discharge of their duties. Although the duty of care can be in play with respect to a PPP loan, it is not relevant for determining whether a PPP loan applicant’s “necessity” certification was done in good faith. If that were the case, then the new federal-level Special Inspector General for Pandemic Recovery would, for example, be obliged to look at how each of the states have interpreted the term “good faith,” applying principles of state law (corporation, limited liability company, or limited partnership law, as applicable), in order to determine whether an applicant from that state which applied for a PPP loan satisfied its obligation to make a “necessity” certification in good faith. You know that will not be the case.

The CARES Act is not governed by notions of corporate law because section 7(a) loans involve a federal statutory duty or obligation, which is outside the purview of the Delaware General Corporation Law. The CARES Act is federal law and unfortunately does not include definitions of “necessary,” “necessity,” or “good faith.” So, what are applicants for PPP loans of $2 million or more to do? A good first step is to determine whether there are any SBA rules and interpretations regarding section 7(a) loans that offer guidance in construing these terms.

One SBA publication does in fact shed light on the definition of “good faith”—publication SBA SOP 50 57 from the Office of Capital Access, Small Business Administration, dated March 1, 2013, titled “7(a) Loan Servicing and Liquidation.” Item 16 on page 12 of publication SBA SOP 50 57 provides the following definition of “good faith”:

Good Faith, whether capitalized or not, means the absence of any intention to seek an unfair advantage or to defraud another party; i.e., an honest and sincere intention to fulfill one’s obligations in the conduct or transaction concerned.

Thus, the SBA itself defines “good faith” to include “an honest and sincere intention” and an “absence of any intention to defraud . . . [or to] seek an unfair advantage.” These are helpful standards that businesses can utilize to reduce risks associated with any lack of good faith in applying for a PPP loan.

Also helpful to PPP loan applicants are a question and a comment buried inside a PPP loan guide prepared by the U.S. Senate Committee on Small Business and Entrepreneurship titled, “The Small Business Owner’s Guide to the CARES Act” (the SBA Guide. Taken together, they illustrate the purpose and intent of the CARES Act (italics added):

[Do you need c]apital to cover the cost of retaining employees?

The program would provide cash-flow assistance through 100 percent federally guaranteed loans to employers who maintain their payroll during this emergency.

The SBA Guide therefore makes clear that the primary aim of the PPP is to protect workers and help maintain their jobs; thus, applicants interested in protecting their workers and maintaining their payrolls should apply for a PPP loan, in good faith, especially during this unprecedented time.

Facts and circumstances are paramount. Each business applying for a PPP loan should carefully consider and reasonably document its determinations and considerations of issues such as:

• whether it is subject to any risk of losing employees because of the economic uncertainty caused by the COVID-19 pandemic
• whether the PPP loan may help the applicant maintain its payroll during this emergency
• whether alternative sources of liquidity are available
• the terms of any alternative source of liquidity, including repayment terms, if any
• the likelihood and timing of closing on those alternative sources of liquidity
• whether any additional preference overhang might be created by such alternative sources of liquidity
• the dilutive effect upon existing owners of pursuing alternative sources of liquidity

So, rather than “borrower beware,” we say, “Significant Borrowers, don’t worry, just act in good faith and be sure to document your determinations!”

[1] The full text of the CARES Act can be found at this link: https://www.govinfo.gov/content/pkg/BILLS-116hr748enr/pdf/BILLS-116hr748enr.pdf.

[2] Section 7(a) of the Small Business Act can be found at this link: https://www.sba.gov/sites/default/files/Small%20Business%20Act_0.pdf

[3] See https://www.sba.gov/sites/default/files/Small%20Business%20Act_0.pdf.

[4] full text of the updated the Paycheck Protection Program Loans – Frequently Asked Questions (FAQ) can be found at this link: https://www.sba.gov/sites/default/files/2020-05/Paycheck-Protection-Program-Frequently-Asked-Questions_05%2013%2020.pdf.

[5] See question 46 of the Paycheck Protection Program Loans – Frequently Asked Questions (FAQ), dated May 13, 2020.

[6] See https://oversight.house.gov/news/press-releases/in-first-official-action-house-coronavirus-panel-demands-that-large-public.

[7] Opinion piece in the Wall Street Journal, dated April 27, 2020, by Don McGahn, titled “The Cares Act Game Begins”, posted at this link: https://www.wsj.com/articles/the-cares-act-blame-game-begins-11588026158.

[8] Opinion piece in the Wall Street Journal, dated April 28, 2020, by Paul S. Atkins, titled “Borrower Beware: Cares Loans Carry a Steep Cost”, posted at this link: https://www.wsj.com/articles/borrower-beware-cares-loans-carry-a-steep-cost-11588113575.

In today’s global economy, cross-border lending activity is on the rise, with an increase in both the number of loans made to foreign borrowers and the number of participating foreign jurisdictions. A secured lender in the United States entering into a transaction with one or more foreign obligors must comply with the complex provisions of the Uniform Commercial Code (UCC) in order to perfect or crystalize its security interests in the assets of foreign obligors that are pledged as collateral. This article provides a brief guide to applicable UCC provisions and highlights some of the other enforcement and conflict-of-laws challenges lenders should understand when structuring and evaluating the merits of a proposed cross-border secured transaction.

Under UCC Section 9-301, the “location” of an obligor determines the proper place for filing a UCC-1 financing statement to perfect a security interest in personal property. Section 9-307 sets out the rules for determining the “location” of U.S. and foreign obligors based on entity type, jurisdiction of formation, and place of business. As a general rule under section 9-307(b), for purposes of filing a UCC-1 financing statement, an obligor that is an organization with only one place of business is located at its place of business, and an obligor that is an organization with more than one place of business is located at its chief executive office.

However, section 9-307(e) provides an exception to this general rule for organizations formed under the laws of the United States. U.S. organizations are deemed to be “located” in the state in which they are formed. Accordingly, U.S. secured creditors file UCC financing statements in the state of formation of domestic obligors in order to perfect their security interests in such obligors’ collateral.

Section 9-307(c) provides another exception to the general rule of section 9-307(b) for certain foreign obligors. It limits the applicability of section 9-307(b) to foreign obligors with a place of business or chief executive office “located” in a jurisdiction with a UCC-style public recordation system for tracking security interests and establishing priority against other secured parties. Foreign obligors whose place of business or chief executive office is not “located” in a jurisdiction with a UCC-style public recordation system are deemed to be “located” in Washington, D.C. Two key policy considerations underlying this section 9-307(c) exception for foreign obligors are: (1) an interest in providing a reliable and streamlined framework for U.S. secured parties to search, perfect, and protect the priority of their security interests in collateral of foreign obligors; and (2) facilitating lower transactional costs for borrowers and U.S. lenders.

A few hypotheticals are useful to understand the filing rules for foreign obligors:

In the first hypothetical, the obligor is a Canadian company with its chief executive office in Toronto, Ontario. Given that Ontario has a UCC-style public recordation system, a U.S. lender making a loan secured by the assets of such Canadian obligor would file a financing statement in Ontario to perfect its security interest in such assets. As a precautionary measure, the U.S. lender may also choose to file a financing statement with the Recorder of Deeds in Washington, D.C., although such filing technically would not be required.

In the second hypothetical, the obligor is a Spanish company with its sole place of business or chief executive office in Spain. Assuming Spain does not have a UCC-style public recordation system, a U.S. lender making a loan secured by the assets of such Spanish obligor would file a financing statement in Washington, D.C. to perfect its security interest in such assets.

The analysis becomes more complex with hypotheticals involving foreign obligors with offices in the United States. In the third hypothetical, the obligor is a Canadian company organized under the laws of Toronto, Ontario, with its sole place of business in New York or with more than one place of business and its chief executive office in New York. Under section 9-307(b), for purposes of the UCC, the Canadian obligor would be deemed to be “located” in New York—the location of its sole place of business or chief executive office—and the exception set forth in section 9-307(c) for a filing in Washington, D.C. would not apply. A U.S. lender making a loan secured by the assets of such Canadian obligor would file a financing statement in New York to perfect its security interests in such obligor’s assets. The lender may also want to file a financing statement in Washington, D.C. as a precautionary measure, although such filing technically would not be required under either U.S. law or Ontario law.

In the fourth hypothetical, the obligor is a Spanish company with its sole place of business or chief executive office in New York. Under section 9-307(b), the Spanish obligor would be deemed to be “located” in New York, the location of its sole place of business or chief executive office. Given that New York, as the location of the obligor, has a UCC-style public recordation system, the exception set forth in section 9-307(c) for filing in Washington, D.C. would not apply regardless of whether Spain, as the obligor’s home country, has a UCC-style public recordation system. A U.S. lender making a loan secured by the assets of such Spanish obligor would file a financing statement in New York to perfect its security interests in such obligor’s assets. Again, the lender may also want to file a financing statement in Washington, D.C. as a precautionary measure, although such filing technically would not be required.

How does a U.S. secured lender determine whether a foreign jurisdiction has a UCC-style public recordation system? Some questions to consider are as follows: Does the foreign jurisdiction have a filing, recordation, or registration system for nonpossessory security interests in personal property? Does the foreign jurisdiction generally require filing in its registration system to achieve priority over competing lien creditors? Is filing information in the foreign jurisdiction’s system available to third-party searchers? Although there is no definitive list of jurisdictions with UCC-style public recordation systems, it is generally accepted and understood that such a list includes Canada, Australia, and New Zealand. For some foreign jurisdictions, the analysis may not be straightforward due to the limited scope of collateral covered, an inability to establish or determine priorities among competing secured creditors, or an inability to perform lien searches.

In addition to the UCC analysis regarding rules for perfecting security interests in foreign obligors’ assets, U.S. secured lenders in cross-border transactions should also consider, among other matters, potential enforcement risks and conflict-of-laws issues. A U.S. secured lender cannot assume that a foreign court would recognize the validity or priority of a security interest created under the UCC and perfected by filing in Washington, D.C. or in another U.S. jurisdiction. In addition, under applicable conflict-of-laws principles for most tangible collateral, the “location of the debtor” rule only governs perfection and not the effect of perfection or nonperfection, or the priority of security interests. If a security interest in inventory of a foreign obligor is perfected by a UCC filing in Washington, D.C., but the inventory is located in the foreign country of the obligor’s formation, priority would be governed by applicable foreign law and not the Washington, D.C. UCC. For most intangible collateral of such a foreign obligor, the Washington, D.C. UCC would determine whether a security interest is properly perfected and whether it has priority over other security interests, but there still may be potential enforceability issues in the foreign obligor’s jurisdiction of formation. Accordingly, when structuring cross-border loans to foreign obligors with collateral located outside the United States, U.S. lenders should engage external counsel in the jurisdiction where the foreign collateral is located, in addition to following UCC requirements.

As we hunker down in our home offices and endeavour to protect ourselves and our communities from the ravages of COVID-19, it is worth remembering that in addition to the threats posed by the virus, we are also increasingly at risk from scammers and hackers seeking to exploit existing cybersecurity gaps (and our general sense of panic) through various phishing efforts, spear phishing campaigns, and malware scams.

Preying on users’ cybersecurity weaknesses is not new. What’s different now is that many employees are novice remote workers who may not have had the time or ability to secure their at-home work environment. In our haste to obey mandatory municipal, provincial, state, and federal self-isolation or stay-at-home requirements, some companies have scrambled to provide their workers with adequate and necessary hardware, but may not have had the opportunity to carefully consider and protect against security threats, i.e. ensuring critical systems and corporate software have been fully updated and patched. Employees were not provided with supplementary security training. In some instances, the need for speed – to ensure business continuity and the ongoing ability to service clients – has resulted in poor cyber-hygiene, even as workers scramble to make do with a combination of work-provided and unvetted personal devices and vulnerable WiFi networks.

It’s also not terribly surprising that stressed employees are far more likely to fall victim to cyber criminals. Tensions are high, anxiety is elevated, and workers are trying to focus while surrounded by their equally concerned families, creating a pressure-cooked environment where bad judgment can ensue. Employees who are trying to show their companies that they are still being diligent workers can easily be misled by hackers pretending to be their boss or co-workers sending them authentic looking but fake emails from alleged ‘personal accounts’ asking them to do something, like providing critical network credentials or confidential/private information. Caught up in the moment, these emails can dupe unsuspecting employees, particularly those that are using new or unfamiliar technology, like laptops with smaller screens.

So far, much of nefarious online COVID-19 activity has involved phishing, spear phishing and the introduction of malware. “Phishing”—defined by the Canadian Centre for Cybersecurity (CCC)—as attempts by a third party to solicit confidential information from an individual, group, or organization by mimicking or spoofing, a specific, usually well-known brand, usually for financial gain- typically involves attempts to trick users into disclosing personal data, such as credit card numbers, online banking credentials, and other sensitive information, which the tricksters may then use to commit fraudulent acts. By contrast, “spear phishing” involves the use of spoofed emails to persuade people within an organization to reveal their usernames or passwords. Unlike phishing, which involves mass mailing, spear phishing is small-scale and targeted. Hackers also use email to deliver “malware,” malicious software designed to infiltrate or damage a computer system, without the owner’s consent. Common forms of malware include computer viruses, worms, Trojans, spyware, and adware.

To date, there have been myriad examples of scammers trying to trick the unsuspecting public through the use of phishing, spear phishing and malware. As recently reported by the CBC on March 30, virtual private network provider Atlas VPN has determined that the number of active websites used for phishing has increased by 350 percent between January and March, just as the COVID-19 crisis erupted. Barracuda Networks, based in California, has reported a 667 percent spike in phishing emails from the end of February until late March.

Canada’s Communications Security Establishment (CSE), the parent agency of the CCC, has been kept busy identifying and taking down malicious websites spoofing Government of Canada websites (i.e., the Public Health Agency of Canada and the Canada Revenue Agency) that were spreading COVID-19 misinformation. The CSE has also reported cases of COVID-19 maps that infected devices with malware, phishing emails with malicious links and attachments, and spoofed COVID-19 websites. The CSE’s March 23^rd Alert has noted several examples of these COVID-19 phishing attempts, with such tantalizing emails subjects as:

Cancel shipment due to corona virus _ New shipping schedule details

Corona is spinning out of control

Feeling helpless against Corona?

Military source exposes shocking TRUTH about Coronavirus

Corona virus is here, are you ready? (Learn how to survive)

Get your coronavirus supplies while they last

Canadians are encouraged to take some simple steps to protect themselves, not just during the COVID-19 isolation period, but at all times.

Security firm Forcepoint has recently noted that fake coronavirus spam tries to induce individuals to click on links to shady websites and fraudulent services or encourage people to buy a specific (fake) product which is supposed to help protect against COVID-19. Recently, some individuals received email supposedly from the World Health Organization (WHO) with information containing a recording that described necessary precautions against COVID-19. This email actually contained a small HTML file that directed users to a spoofed Microsoft Outlook login page, where they were prompted to log in to access the recording. Of course, hackers would then harvest the users’ passwords. Another fake WHO email from Italy was a “malware dropper” designed to avoid security software by not carrying any malware itself but instead containing a simple script that ran on victims’ computers for the purpose of installing other malware.

What steps can companies take to ensure that their workers are better protected from these cyber-hackers? And how can individual employees protect themselves?Some recommendations are below:

Companies should ensure that their employees use company devices (not their own!) that access company networks using secured VPNs (virtual private networks) or other secure portals. Company networks should only be accessible using multi-factor authentication. Organizations should promptly deploy all required security patches and updates to their critical enterprise software as well as implement current anti-virus or anti-malware software on computers/networks. Computers, router firmware, and web browser software should be kept up-to-date and legacy software should be replaced with currently supported versions. Consider using software that scans emails for malicious links and attachments. Companies should ensure that access to sensitive documentation is limited to those who especially require access, and all employees should receive basic cybersecurity training, reinforced through internal policies and periodic testing. Companies should advise their employees not to download confidential proprietary documents onto their personal devices and employees should be required to use sophisticated passwords (not “Password!”) that are different from their home accounts. As busy as they are trying to keep the lights on, companies should periodically remind their employees about increased risks during this pandemic, including being on the lookout for not-so-obvious phishing attempts.

Individual employees should wake up and recognize that they have a personal responsibility to be especially vigilant now, given the incredible increase in coronavirus scams. As recommended by the CCC, to protect against malicious email, users should make sure the address or attachment is relevant to the content of the email. It’s critical to take the time to make sure that you actually know the sender of the email and that the email is legitimate – typos are a dead give-away that they are not. No one should open email attachments that come from sources they are unsure of.

To protect against malicious attachments, employees should ensure that the sender’s email address has a valid username and domain name, and should be extra cautious if the tone of the email seems “urgent” or is otherwise off. It doesn’t hurt to verify an unexpected email with an attachment by calling the supposed sender. Remember that so-called critical information that comes via attachments may also be scams—most legitimate emails put critical information in the main body of the message.

To protect against malicious websites, make sure that the proffered URLs are spelled correctly. It’s safer to directly type the URL in the search bar instead of clicking a provided link just to be certain. If you must click on a hyperlink, hover your mouse over the link to check if it directs to the right website and try to avoid clicking on links in email addresses that direct you to log into a website. Take the time to search and find the login page yourself using your own web browser and log in that way.

Never just “take the bait”—if you intuitively think there’s a reason to question the legitimacy of a message that you receive, it’s better to simply ignore it and try to contact the sender to verify it. Do not respond to any requests for sensitive information, even if it’s supposedly to update payment information with an account.

Lastly, if you make a mistake and fall for these scams, remember you are only human. However, if your errors have resulted in the unauthorized disclosure of personal information or confidential information, you (or your organization) may have triggered various mandatory data breach reporting requirements under various state and federal laws as well as other regulatory reporting requirements. It’s best to alert your company as soon as possible so it can work quickly to remediate the situation. Be careful out there and stay safe!

Lisa R. Lifshitz