As is happening with almost everything in business, COVID-19 is having an impact on ERP software systems and digital transformation projects – particularly with respect to interruptions or delays in software implementation projects. Some companies are postponing their implementation or drastically reducing the scope of their implementations.

While halting or postponing an implementation project in the face of COVID-19 may make sense, there is a risk of losing the institutional knowledge accumulated by the integration team working on the project.

Consultants who understood your business requirements may not be available at a future date. There will also be additional costs associated with getting new consultants on board who have an understanding of where the implementation project has been, where it is going, and how the project addresses unique business requirements.

We went through the options facing users when we spoke at the virtual 2020 Digital Stratosphere conference in late April. We also explored how current contracts can be renegotiated and what should be included in new contracts.

Creating Workarounds in a COVID-19 World

For implementation projects in progress, instead of stopping them altogether, a better option may be to narrow the scope to essential modules or pieces of functionality. If you are moving forward with your implementation, whether with a reduced scope or not, you need to ensure you have reasonable workarounds in place to account for the project disruption associated with stay-at-home orders, social distancing, and consultants working remotely.

Diligently managing the scope and the cost of the implementation is more important than ever. It is imperative you focus on project governance. You need to ensure you receive project status updates on a regular basis, and that the updates you receive provide meaningful information that allows you to make informed decisions about the project.

Similarly, you need to focus on change orders to counteract the likelihood of scope creep and budget expansion. You may also be able to use change orders to “back-door” amendments to the implementation contract.

Protecting Remote Integration

Data security and maintaining confidentiality of information in an ERP software system has always been critical, but is now even more so with consultants working remotely.

Long before COVID-19 created worldwide problems, the ERP software system contracts we negotiated for clients always included clauses that detailed specific responsibilities for the vendor, the integrator, and the user. Now, with many consultants working from home and some using personal computers outside the corporate network, the exposure to a breach, whether by accident or through an attack, is substantially greater.

With consultants working remotely, having a structure in place for coordinating a project is essential. Users need to incorporate proper nondisclosure provisions into their contracts that take into account the increased data security risk. It is critical to know which consultants have possession of your information, what they are permitted to do with it, and what security protocols protect it: at a minimum, access through company-managed accounts with multifactor authentication rather than shared logins, no copies of production data on personal devices, and prompt revocation of access when a consultant rolls off the project.

Right now, users have more leverage over vendors and integrators than they realize. This is important with new contracts and existing agreements, whether those contracts are on-premise or cloud contracts. Renegotiating onerous provisions or provisions that no longer make sense in the current environment is critical to success.

Take a practical approach and begin with the premise that vendors are your partners. However, don’t talk with the sales team who sold the project. Have the conversation with a senior decision-maker who is empowered to say yes and can fully appreciate the value of maintaining a long-term customer relationship.

It may also be possible to arrange for discounts and fee adjustments for either cloud services or the ERP software system.

Create a Long-Term, Flexible IT Strategy 

Now is a good time to evaluate your critical IT initiatives and prioritize those that are strategically important to your business. Digital transformations are often complicated undertakings with many moving parts. If you have questions or concerns, feel free to contact Taft. We are happy to share our experience, and can also refer you to highly reputable consultants.

Enacted in 2008, the Illinois Biometric Information Privacy Act (BIPA) continues to be the most consumer-friendly biometric privacy law in the country. In the wake of the Illinois Supreme Court’s seminal 2019 decision in Rosenbach v. Six Flags, plaintiffs have filed hundreds of class action lawsuits against businesses and employers in a broad range of industries, including manufacturing, logistics, retail, hospitality, food and beverage, health and technology. These lawsuits have been filed because of a perception that BIPA, as interpreted by the Illinois Supreme Court in Rosenbach, creates significant liability where biometric information has been collected from an employee or consumer without first providing notification and obtaining consent, even if no actual damages have been suffered.

In the spring of 2020, however, there have been a handful of court decisions that have bucked the previously plaintiff-friendly BIPA trends and perceptions.


In an interview with TechTarget, Chicago Taft partners Marcus Harris and Daniel Saeedi explored the impacts that the pandemic will have on ERP implementations and what customers can do to alleviate risk and protect their ERP investments. In a separate interview, Marcus Harris also provided advice on renegotiating ERP contracts when the scope of ERP implementation projects change due to the COVID-19 crisis.


Taft Chicago partners Marcus Harris and Daniel Saeedi presented several sessions during the Digital Stratosphere Online Edition, April 20-24, 2020. Each day featured different presenters discussing the new realities of ERP, HCM and digital transformation projects in a post-COVID-19 world. Harris and Saeedi spoke jointly on “How to Negotiate (and Renegotiate) ERP Contracts During Crisis;” Saeedi spoke on “Cleanse and Protect: Why Data and Cybersecurity are More Important than Ever” and Harris spoke on “Mitigating Digital Transformation Risk Amidst Disruption and Uncertainty.”

If you are interested in learning more about these topics, please contact Marcus Harris or Daniel Saeedi.

The China Council for the Promotion of International Trade has so far issued at least 4,811 force majeure certificates due to the COVID-19 pandemic. These certificates qualify the coronavirus outbreak as a force majeure event and certify that a party’s partial performance or failure to perform under an agreement may be excused if there is a force majeure clause in the agreement. According to a Xinhua state media report, the total contract value for the agreements associated with the certificates is an alarming 373.7 billion Chinese yuan (equivalent to US$53.79 billion). Unfortunately, for many U.S. businesses impacted by the economic hardships caused by COVID-19, these force majeure certificates will be of little use if their contracts are governed by U.S. law. Companies should understand the impact and application of their existing force majeure clauses to COVID-19.

A typical force majeure clause releases obligations and liability if an extraordinary event occurs. These events are usually limited to events like war, fire, natural disasters, civil disorder, strikes or labor disputes, acts of God or other circumstances beyond a party’s reasonable control. When these unanticipated circumstances arise, the force majeure clause may be invoked to relieve the parties from their contractual obligations or to terminate the contract with no further liability from either party.

Far too often, force majeure clauses are an afterthought during the contract negotiation process.  Although seemingly unimportant when the parties are trying to close a deal, these clauses have substantive impacts to the business when unanticipated events occur. As the spread of COVID-19 disrupts global supply chains and results in the imposition of emergency rules and regulations, it becomes imperative for companies to prepare themselves for impending commercial disputes.

As a historical example, the SARS virus outbreak in 2003 resulted in many companies asserting force majeure clauses. Northwest Airlines famously relied on the force majeure clause in its labor contracts to lay off employees without notice, asserting that the SARS virus caused its air traffic to Asia to significantly decline. Not surprisingly, the Aircraft Mechanics Fraternal Association, an independent aviation union, claimed the layoffs were an immoral exploitation of the provision and challenged Northwest Airlines’ legal justification by filing a class-action grievance. The arbitration board held that while a number of the layoffs were justified by force majeure events, a certain subset of mechanics were unjustifiably laid off, and Northwest Airlines was ordered to rehire those mechanics. The takeaway from this is that a force majeure clause may not apply uniformly to different circumstances.

While the SARS virus resulted in many companies revising the force majeure clauses in their contracts to include “global epidemics” as triggering events, the Northwest Airlines example shows that COVID-19 should be carefully analyzed in its specific impact to different industries. In addition, other contract provisions will alter the legal analysis about whether a specific force majeure clause can be invoked. For example, certain jurisdictions may interpret “acts of God” or “epidemic” differently, so the governing law provision will have an effect on whether the force majeure clause may be invoked. Moreover, force majeure clauses are drafted with specific terms that impact their interpretation. For example, a force majeure clause that does not specifically cite “disease” or “epidemics” may nonetheless have an all-inclusive catch-all phrase (such as “any similar event beyond the reasonable control of a party”) that would lead to the COVID-19 pandemic qualifying as a force majeure event.

Just as companies must take a proactive approach to their employees’ health and safety with respect to COVID-19, companies should also take a proactive approach to the other business effects of COVID-19. If a company’s obligations have been affected by COVID-19 in any capacity, the company should consider certain practices in anticipation of any disputes and to prepare for the possible invocation of a force majeure clause, including, but not limited to the following:

  • keeping detailed records of COVID-19’s impact on its business functions and on any inability to perform the company’s contractual duties;
  • documenting COVID-19’s impact on the company’s supply chains, such as its vendor’s inability to secure raw materials, parts, components, or disruption to the capabilities of the vendor’s suppliers or independent distributors;
  • continuously evaluating the current events of COVID-19 and how the incident is affecting governments and the company’s industry. The situation is changing day-by-day, and keeping abreast of the current events will allow the company to quickly reassess its obligations and liabilities;
  • reviewing both existing customer agreements and vendor agreements, to analyze the legal obligations and liabilities of all parties under the agreements. Force majeure clauses are each drafted differently and should be interpreted by legal counsel.  Companies should also keep in mind notice provisions within its agreements, so that it does not inadvertently run afoul of its obligations to notify the other party; and
  • reviewing insurance coverages and whether the company’s current insurance covers business interruption related to COVID-19.

As companies work together to create business solutions to the impact that COVID-19 has had on all industries, not all businesses will come out unscathed. Although these are uncertain and challenging times, Taft understands the importance of business continuity and is resolved to maintain our high standard of responsiveness and excellence for our clients. Taft’s team of attorneys is ready to advise clients on all aspects of legal issues, obligations, and liabilities associated with COVID-19.

These are thoroughly disturbing statistics that should make every ERP user shudder:

A survey of more than 400 IT decision-makers sponsored by Onapsis found that 64 percent of organizations reported a data breach of an ERP software system in the past two years. Onapsis also estimated that roughly 90 percent of SAP systems could still be exposed to 10KBLAZE, published about a year ago. 10KBLAZE is not a virus but a set of publicly released exploits that target SAP Gateway and Message Server installations whose access control lists were left open; the exploits need no malware on the target, only a network path to a misconfigured system, which is why the remedy is configuration hardening and not merely patching. Onapsis has also reported serious security weaknesses in Oracle’s ERP payment modules.

It seems that every week, news of another data breach involving businesses, hospitals and other healthcare organizations, and even government agencies finds its way into the media. Users of ERP software systems face a two-pronged risk they need to confront and address proactively:

  • The loss of valuable proprietary information about their supply chain, production processes, and even trade secrets that could command a high price in the underground market from unsavory competitors and counterfeiters in unfriendly countries.
  • Violating various state data breach and privacy laws including, the California Consumer Privacy Act (CCPA), if personally identifiable information of employees or customers is revealed.

In many respects, a leak of personal customer information would be as damaging as having business processes revealed to competitors. First come the time, expense and opportunity costs of properly responding to a data breach and providing the required notices to affected individuals, state regulators and the media. Then comes the public embarrassment and possible loss of trust, along with the real possibility of penalties imposed by the state. All of this is in addition to a wave of potential lawsuits by affected individuals under state law, including the CCPA, which provides a private right of action for certain data breaches.

Protecting ERP from Incidents

An ERP software system is a particularly inviting target for private and state-sponsored criminals as well as run-of-the-mill mischief-makers. For most companies, so many employees need access to the software that accidental or inadvertent data incidents can easily occur.

We wrote recently on the need for all businesses to prepare to defend themselves against CCPA lawsuits or penalties. For users of ERP software systems, beyond the obvious, there are additional steps organizations should implement.

One that often gets overlooked is to promptly install patches and fixes when the vendor releases them. As attorneys who have spent our careers working with clients on legal issues connected to data security in ERP software systems, we are often amazed at how slowly some companies do this (or how rarely they maintain and review log files). Patching an ERP system is rarely as simple as clicking “update”: fixes have to be tested against customizations and integrations before they reach production, so a documented schedule with an agreed maximum window for critical fixes is essential. Now there is a kind of “double jeopardy” for not installing updates quickly: the software remains exposed to a known hack or breach, and the company faces possible CCPA liability if a breach results.

Establish Cybersecurity Policies

A related necessity is to ensure comprehensive and compliant cybersecurity procedures are established along with a software application maintenance policy. Part of this includes an audit methodology that delves deep into the system so that vulnerabilities can be identified even if the vendor has yet to launch a patch for it.

Keep in mind that the CCPA’s private right of action is limited to breaches that result from a business’s failure to implement and maintain reasonable security procedures and practices. Doing these things proactively, and documenting that you did them, can therefore help create a safe harbor in the event of a hack, leak, or data incident, possibly preventing state investigators from knocking on your door.

Another important way of preventing data incidents is to limit the people who have access to identifiable customer data. A contractor who is part of the supply chain may very well need to know how many and when the components they provide must arrive at a manufacturer. They don’t need to be able to see which customers ordered the finished product. From both a current technological and cost perspective, there is little excuse for any company to allow access to identifiable customer data when there is no need for such access.

Finally, keep reinforcing to everyone who has access to data that security is as much their responsibility as it is the responsibility of the IT department. A large share of incidents result from carelessness inside an organization, such as a misdirected report or an export left on an unprotected share, rather than from outside attackers. Remember that the CCPA does not distinguish between a deliberate hack and a mistake; the exposure for an ERP user is the same.

ERP Contract Precautions

There are other preventative measures related to the CCPA that can be taken even before the contract for a new or upgraded ERP software system is signed.

Perhaps the most important is to ensure that the contract specifies who is responsible for data security and under what circumstances: Users, vendors, or integrators. The template ERP contracts used by vendors and integrators are usually vague about this, so greater specificity needs to be negotiated and written into the document.

Another aspect deals with specifying the roles and responsibilities of third-party contractors from when a contract is signed to when the ERP software system goes live. It is common for an integrator to use outside resources, which means there could be dozens of people unknown to the customer who will have at least temporary access to identifiable data. These entities need to have a contractual obligation to be responsible if their work is the cause of an incident or breach.

By the way, all of these precautions are important steps to take to help comply not just with the CCPA but with most data privacy and data breach laws as well, such as New York’s new SHIELD Act.

We’ve spent our career negotiating and drafting contracts for ERP software systems and handling disputes that arise when there is an issue. If you’re an executive or inside counsel at an organization concerned about possible liability under the CCPA due to an ERP implementation, feel free to contact us. We will be pleased to share our knowledge and experience with you.

The California Consumer Privacy Act (CCPA) was barely a month old when the first private lawsuit was filed under the law. The action against a children’s clothing company and Salesforce Inc., the giant developer of CRM software that hosted the retailer’s customer data, was filed in federal court in early February 2020.

The details of the lawsuit are not as important as the reality that it highlights the need for companies of all sizes and types to do two things. They must ensure they are taking proactive steps to prevent data hacks and leaks and know what will be required to defend themselves against allegations made by consumers and the state.

The state attorney general says his office will not launch enforcement actions against companies until July 1, 2020, as long as they can show they are taking steps to comply with CCPA’s requirements. Yet as the lawsuit underscores, there is nothing stopping individuals from seeking damages as a result of alleged leaks and hacks well before mid-year.

Offense is Defense

In 2018, a 15-year-old, self-taught, ethical hacker named Marcus Weinberger terrified a packed hall at a technology conference by having attendees call out the name of their firm. Using the laptop he takes class notes on and some things he bought with his allowance at the mall, he hacked into every organization’s data in under 15 minutes.

The lesson is that companies must acknowledge that what can get hacked will get hacked, whether deliberately or leaked by accident, carelessness or error.

The first line of defense is to ensure that identifiable personal information is encrypted, at rest and in transit. In fact, the CCPA’s private right of action covers only nonencrypted and nonredacted personal information, so properly encrypted data that is breached falls outside it. The caveat is that encryption only helps if the keys are managed separately from the data: a database backup encrypted with a key stored next to it offers no protection. One technology company went so far as to set up its software so that it could be downloaded only onto an encrypted stick it licensed to its users. Non-users could not acquire it.

But there are additional steps that must be taken by businesses to prepare themselves to defend against CCPA complaints.

Another vital move is to prepare and document an incident response plan that will detect and stop a breach, whether from an outside attacker or because an employee made a mistake, and that spells out how to notify people whose data may have been compromised. California’s separate breach notification statute requires notice in the most expedient time possible and without unreasonable delay. Being able to show a court or a state tribunal that this was done and that the company had taken proactive steps to limit the damage can be a strong defense.

Limit the number of people who have access to customer data to only those that need the customer data to do their job. For instance, an ERP software system will likely contain an enormous amount of identifiable information about customers. An employee responsible for the supply chain or one who is involved in the production process may not need to have access to data about specific customers. The fewer people who can accidentally or deliberately expose this information, the lower the risk of a breach.
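As an added illustration of the access-limiting point made here and in the “Protecting ERP from Incidents” discussion above (this is example code written for this page, not anything from the original posts or from any ERP vendor), the following Python sketch applies deny-by-default, field-level filtering to order records: the supply-chain role sees part numbers, quantities and due dates plus a keyed pseudonym that lets it group orders by customer, a component supplier sees only what it must ship and when, and only customer service sees the customer’s identity. The record layout, role names, sample orders and key are all assumed and constructed for the example.

```python
"""Field-level, deny-by-default views over ERP order records.

Example code added for this page (not from the original posts or any ERP
product). Record layout, role names, sample rows and the key are assumed.
"""
from __future__ import annotations

import hashlib
import hmac
from typing import Iterable

# Constructed sample rows in an assumed ERP sales-order layout.
SAMPLE_ORDERS = [
    {"order_id": "SO-1001", "customer_id": "C-42", "customer_name": "Acme Corp",
     "customer_email": "buyer@acme.example", "ship_to": "1 Main St, Springfield",
     "part_no": "PN-7731", "qty": 250, "due_date": "2020-06-15"},
    {"order_id": "SO-1002", "customer_id": "C-42", "customer_name": "Acme Corp",
     "customer_email": "buyer@acme.example", "ship_to": "1 Main St, Springfield",
     "part_no": "PN-8820", "qty": 40, "due_date": "2020-06-20"},
    {"order_id": "SO-1003", "customer_id": "C-77", "customer_name": "Bravo LLC",
     "customer_email": "po@bravo.example", "ship_to": "9 Elm Ave, Shelbyville",
     "part_no": "PN-7731", "qty": 100, "due_date": "2020-06-18"},
]

# Fields that identify a customer; anything not listed is operational data.
PII_FIELDS = {"customer_id", "customer_name", "customer_email", "ship_to"}

# Assumed role model. A role not listed here gets nothing (deny by default).
# "customer_token" is a derived field: a keyed pseudonym of customer_id that
# lets a role group orders by customer without learning who the customer is.
ROLE_FIELDS = {
    "customer_service": {"order_id", "part_no", "qty", "due_date"} | PII_FIELDS,
    "supply_chain": {"order_id", "part_no", "qty", "due_date", "customer_token"},
    "component_supplier": {"part_no", "qty", "due_date"},
}


def pseudonymize(customer_id: str, key: bytes) -> str:
    """Stable, non-reversible token for a customer (HMAC-SHA256, truncated).

    A keyed hash rather than plain SHA-256 means someone holding the token
    cannot confirm a guessed customer_id without also holding the key.
    """
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def view_for_role(record: dict, role: str, key: bytes) -> dict:
    """Project one record onto the fields the role may read."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"role {role!r} is not authorized for order data")
    view = {k: v for k, v in record.items() if k in allowed}
    if "customer_token" in allowed:
        view["customer_token"] = pseudonymize(record["customer_id"], key)
    return view


def query_orders(role: str, key: bytes, orders: Iterable[dict] = SAMPLE_ORDERS,
                 audit_log: list | None = None) -> list[dict]:
    """Return the role's view of every order and record the access for review.

    The audit entry captures who looked and which columns they received, which
    is the record an investigation (or a regulator) will ask for.
    """
    rows = [view_for_role(r, role, key) for r in orders]
    if audit_log is not None:
        columns = sorted(set().union(*(r.keys() for r in rows)))
        audit_log.append({"role": role, "rows": len(rows), "columns": columns})
    return rows


def leaks_pii(rows: Iterable[dict]) -> bool:
    """True if any returned row still carries an identifying field."""
    return any(set(row) & PII_FIELDS for row in rows)


if __name__ == "__main__":
    key = b"example-key-kept-in-a-secrets-store"  # assumed; never hard-code in production
    log: list = []
    for role in ("customer_service", "supply_chain", "component_supplier"):
        rows = query_orders(role, key, audit_log=log)
        print(role, "leaks PII:", leaks_pii(rows))
        print("  first row:", rows[0])
    print("audit:", log)
```

The filtering happens at the point where data leaves the system of record, so a contractor’s integration account cannot obtain customer identities even if its query is crafted to ask for them; the pseudonym is what allows the supply-chain team to still see that two orders belong to the same customer without ever being handed the name.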

If employees use their own devices for work – perhaps because they travel for their job – check these devices regularly for any malware or viruses. In practice this means enrolling the device in mobile device management, requiring full-disk encryption and a screen lock, requiring multifactor authentication for remote access to customer data, and being able to wipe the device remotely if it is lost. When Barack Obama was elected president, he did not want to give up his beloved BlackBerry. So, the NSA spent a week making sure it was clean and installing safeguards to prevent it from being hacked in the future. Businesses need to do something similar with the phones, tablets and laptops carried around by people who use them to remotely access customer data. It may not need to be as stringent as what is needed to protect a president’s communications and data, but it must be sufficient to safeguard a company’s customer information.

Likewise, every company needs to remind all employees at every level in the organization that data security is their job and not merely the responsibility of somebody in IT.

CCPA Can Be Costly

The CCPA creates statutory damages for consumers whose nonencrypted and nonredacted personal information is breached as a result of a business’s failure to implement and maintain reasonable security. The damages range from $100 to $750 per consumer, per incident, or the actual damages, whichever is greater, and a plaintiff need not prove actual damages.

A breach involving 10,000 individuals or households could therefore result in statutory damages of up to $7.5 million, and unleash a torrent of individual and class action lawsuits over minor and major breaches alike, precisely because the plaintiffs do not have to prove actual damages.

In fact, the law instructs judges to consider the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, over how long the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities and net worth.

For a large corporation, the award could be in the hundreds of millions of dollars and a smaller, privately owned business might be forced into bankruptcy.

As data security and privacy lawyers, we have helped companies establish internal procedures, policies and rules around protecting the data they hold. If you are a general counsel or executive and want to ask questions about what programs your organization can implement to head off CCPA sanctions from the state or lawsuits, please call or email us. We’ll be happy to share what we know about the law and what other companies are doing.

According to the FBI, billions of dollars are lost every year repairing computer systems and networks hit by cyberattacks like ransomware. The 2019 Internet Crime Report notes that in 2019 alone, the FBI’s Internet Crime Complaint Center received 467,361 complaints of cybercrime with reported losses exceeding $3.5 billion. While the number of reported ransomware attacks has declined sharply, the amounts demanded in such attacks have increased. For example, BleepingComputer recently reported seeing ransom notes for the Ragnar Locker ransomware, which targets software commonly used by managed service providers, with demands ranging from $200,000 to about $600,000.

Some insurers selling cyber insurance offer to pay a ransom demand, which theoretically should allow the policyholder to get their data back. But what happens if you don’t have cyber insurance or the funds to pay the ransom? What if you pay the ransom and the criminals renege? If your computers and network are slowed but otherwise operable, will your traditional business owners’ insurance policy pay to replace the damaged computers and network?

Contrary to popular belief, paying a criminal’s ransom demand does not guarantee that you will get access back to your computers and data. The FBI does not advocate paying a ransom because in some cases, victims who paid a ransom were never provided with decryption keys to unlock their computers and data. Indeed, in a recent federal court case in Maryland, an embroidery company that was the victim of a ransomware demand paid the ransom and the criminal reneged. The company then had to hire a security firm to replace and reinstall the company’s software and install protective software on their computer system, but some software was lost forever. In the end, the computer system lost efficiency because the protective software slowed the system, and the company’s computer expert testified that there were likely dormant remnants of the computer virus on the system that could re-infect the entire system.

The State Auto business owners’ insurance policy appeared to cover the damage. But because the computer system was still operable, State Auto denied the claim. The case turned on the policy language that the insurer would pay for “direct physical loss of or damage to Covered Property,” where the term “Covered Property” included software and data stored on the computer. The court, citing other cases, held that “physical damage” was not restricted to the physical destruction of the computer, but included loss of access, loss of use, and loss of functionality. The court also rejected the insurer’s argument that the policy required an utter inability to function. Instead, the court reasoned:

The more persuasive cases are those suggesting that loss of use, loss of reliability, or impaired function demonstrate the required damage to a computer system, consistent with the “physical loss or damage to” policy language. Here, not only did Plaintiff sustain a loss of its data and software, but Plaintiff is left with a slower system, which appears to be harboring a dormant virus, and is unable to access a significant portion of software and stored data.

In the end, the court granted summary judgment for the embroidery company allowing it to recover more than $300,000 to replace its computer server, software, and data. The case is National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company, No. SAG-18-2138 (D. Md. Jan. 23, 2020).

A list of the FBI’s cyber defense best practices can be found here.

The U.S. Food and Drug Administration (FDA) issued a press release on March 3, 2020, to inform patients, health care providers and manufacturers about a newly discovered set of cybersecurity vulnerabilities. The vulnerability set, referred to as “SweynTooth,” affects the wireless communication technology known as Bluetooth Low Energy (BLE). BLE allows two devices to “pair” and exchange information to perform their intended functions while preserving battery life, and can be found in medical devices as well as other devices, such as consumer wearables and Internet of Things (IoT) devices. Microchips using BLE may be in a variety of medical devices, such as those that are implanted in or worn by a patient (such as pacemakers, stimulators, blood glucose monitors and insulin pumps), or larger devices that are in health care facilities (such as electrocardiograms, monitors and diagnostic devices like ultrasound devices). The SweynTooth vulnerabilities may allow an unauthorized user to wirelessly crash a device, stop it from working, or access device functions normally only available to the authorized user. Because BLE is a short-range radio protocol, an attacker must be within radio range of the target device; the vulnerabilities cannot be exploited over the internet.

The FDA said it is not aware of any confirmed events related to SweynTooth, but noted that software to exploit the vulnerabilities is publicly available. Medical device manufacturers are currently assessing potential affected devices and are identifying risk and remediation actions.

In addition, several microchip manufacturers have already released patches. Note that a chip vendor’s fix only reaches a medical device once the device manufacturer rebuilds and distributes updated firmware, so a patch being available from the chip maker does not by itself mean a given device is fixed. For more information about the SweynTooth cybersecurity vulnerabilities, including a list of affected devices, see the ICS Alert from the Cybersecurity and Infrastructure Security Agency (CISA).

The FDA has asked manufacturers to communicate to health care providers and patients which medical devices are affected by SweynTooth and offer ways to reduce the risk.  Patients should talk to their health care providers to determine if their device is affected.

“Medical devices are becoming increasingly connected, and connected devices have inherent risks, which make them vulnerable to security breaches. These breaches potentially impact the safety and effectiveness of the device and, if not remedied, may lead to patient harm,” said Suzanne Schwartz, M.D., MBA, deputy director of the Office of Strategic Partnerships and Technology Innovation in the FDA’s Center for Devices and Radiological Health. “The FDA recommends that medical device manufacturers stay alert for cybersecurity vulnerabilities and proactively address them by participating in coordinated disclosure of vulnerabilities as well as providing mitigation strategies. An essential part of the FDA’s strategy is working with manufacturers, health care delivery organizations, security researchers, other government agencies and patients to address cybersecurity concerns that affect medical devices in order to keep patients safe.”

Companies making and selling any sort of connected devices, particularly medical device companies, need to be vigilant in addressing the security issues inherent in their products. If you are an executive or general counsel and have questions about what you need to do to address potential cybersecurity issues, please contact us.

With the stock market dropping 3,500 points last week in a panic over the latest coronavirus scare, COVID-19, public companies should expect plaintiffs’ securities class action lawyers to pounce on any material misstatements or omissions made in their press releases and public disclosures, including misstatements about supply chain difficulties.

According to Thomas Insights, 60% of U.S. manufacturers have been impacted by COVID-19 in their production facilities and supply chains, with 46% of suppliers reporting that their shipping and logistics have been disrupted, 35% reporting incidents of offshore factory suspension and production restrictions, and 8% reporting that the outbreak has caused the costs of goods to surge. Given these difficulties and a declining market, company executives may feel compelled to quell investor panic about their supply chain difficulties.
