Alston & Bird Consumer Finance Blog

Covid-19

New York Governor Provides Temporary Authority for Video Notarizations

On March 19, New York Governor Mario Cuomo issued Executive Order No. 202.7, “Continuing Temporary Suspension and Modification of Laws Relating to the Disaster Emergency” (the “Order”).

The Order

Notably, effective through April 18, 2020, the Order authorizes the performance of notarial acts through the use of audio-video technology.

Specifically, the Order provides that any notarial act required by New York State law may performed utilizing audio-video technology provided:

  • If the person seeking notary services is not known to the notary, the person presents a valid photo ID to the notary during the video conference (not merely before or after);
  • The video conference allows for direct interaction between the person and the notary (e.g., no prerecorded videos of the person signing);
  • The person affirmatively represents that he or she is physically situated in the state of New York;
  • The person transmits by fax or electronic means a legible copy of the signed document directly to the notary on the same date it was signed;
  • The notary may notarize the transmitted copy of the document and transmit the same back to the person; and
  • The notary may repeat the notarization of the original signed document as of the date of execution provided the notary receives such original signed document together with the electronically notarized copy within 30  days after the day of execution.

Takeaway:

While the Order is limited to notarizing documents for individuals physically located in New York, it is still welcome news.  Hopefully other states that do not currently have remote online notarization laws in effect will begin to allow remote notarizations during the crisis.

New York Financial Regulator Requires COVID-19 Risk Assessment, Operational Planning

Last week the New York Department of Financial Services (the “Department”) issued letters to all its licensed financial institutions. Based on these letters (available here and here), all Department licensees must assess and plan for the financial risk of COVID-19 and, separately, develop operational plans for managing their response to the virus. The Department requires written responses “as soon as possible” but within 30 days in any case. As a result, impacted businesses should be actively preparing responses to the Department’s detailed request, if they have not already.

Citing the “potentially significant effects an outbreak of COVID-19 could have on your institutions,” the Department “requires that each regulated institution submit a response to DFS describing the institution’s plan of preparedness to manage the risk of disruption to its services and operations.” The Department’s letter regarding such operational preparedness indicates the topics that the Department expects to see reflected within such plans, including:

  • Impact Minimization Measures – Preventative measures to minimize operational impact on customers and business partners;
  • Scaled Strategies to Outbreak Stages – Documented strategies addressing the impact in stages, so the organizations approach may be scaled in accordance with the effects of the stage of an outbreak (with approximate deployment timeframes);
  • Facilities, Resources and Testing Assessments – Assessment of all facilities (including alternative or back-up sites), systems, policies and procedures necessary to continue critical operations and services if members of the staff are unavailable for long periods (perhaps sick) or are working off-site, including an assessment and testing as to whether large scale off-site working arrangements can be activated and maintained to ensure operational continuity;
  • Cyber and Fraud Are Contemplated in the Assessments – Any assessment should include an assessment of potential increased cyber-attacks and fraud;
  • Employee Health Considerations – An assessment of employee protection strategies, critical to sustaining the entire workforce during the outbreak, including employee awareness and steps employees can take to reduce the likelihood of contracting COVID-19;
  • Service Provider Assessments – Of the preparedness of critical outside-party service providers and suppliers (at a minimum, this anticipates contacting these providers and touching base as to their capabilities);
  • Communications Plans– Development of a communication plan to effectively communicate with customers, counterparties and the public and to deliver important news and instructions to employees, along with establishing forums for questions to be asked and addressed;
  • Testing, Governance and Oversight of the Overall COVID-19 Plan

In addition to operational planning, a separate letter issued by the Department requires institutions to additionally provide a plan “regarding managing the potential financial risk arising from COVID-19.” Such financial risk management plans must assess credit exposure to counterparties impacted by COVID-19 (potentially including stress testing or sensitivity analysis of loan portfolios); assess the valuation of assets impacted by COVID-19; assess overall financial impacts on earnings, profits, capital and liquidity; assess the credit risk ratings of the customers, counterparties and business sectors impacted by COVID-19; and assess “reasonable and prudent steps to assist those adversely impacted by COVID-19.”

The Department has issued a separate letter for institutions engaged in virtual currency activity, and requires operational and financial planning for these businesses as well. Finally, the Department issued a fourth letter on March 10 encouraging banks, credit unions and lenders to “consider all reasonable and prudent steps to assist businesses that have been adversely impacted by COVID-19,” including waiving fees, easing credit terms, and offering payment accommodations.

If you have any questions regarding the development of this alert or crafting responses to the NYDFS, please contact Jim HarveyNanci WeissgoldAmy Mushahwar, or Michael Young.

Six Practical Tips for Practicing Cyberhygiene in the Middle of a Global Pandemic

Businesses large and small are encouraging (or requiring) employees to work remotely or cancel work travel as part of the response to COVID-19. But suddenly expanding the number of employees working remotely comes with increased cybersecurity and information technology risks. A cybercriminal (including malicious insiders) will have a target-rich environment during this time since more devices will be used for company business and more company data will be sent, located, or stored outside the protections of the company infrastructure and activity logging. It will also be easier for devices to be lost, stolen, or compromised, particularly if employees are not familiar with company policies on how to securely work from home. Information Security and IT teams should consider the following practical tips as they prepare for these risks.

1. Prepare for a Strain on Existing Resources

Increasing the number of remote employees increases the number of people or devices using your remote access resources, such as virtual desktop environments and virtual private networks. Continue to actively monitor these resources to ensure that they are properly updated and resourced (bandwidth, computing power, and storage capacity). This is a unique opportunity to fully test your infrastructure and remote capabilities. Also, companies may want to reevaluate how employees will be authenticated when connecting remotely. Utilizing multifactor authentication should be the goal. The Department of Homeland Security’s recent alert on enterprise VPN security may also be a useful resource here.

Consider also expanding your help desk staffing. More employees working from home will likely result in increased calls for IT support since these employees may have connectivity or other technical issues in a remote environment. Similarly, some employees may be forced to use personal devices during this period. It will be important to have help desk staff and software resources available to ensure that antivirus software can be downloaded to personal devices and that the devices are encrypted.

2. Review and Update Business Continuity, Disaster Recovery, and Incident Response Plans

The coronavirus pandemic is unlikely to directly impact your IT infrastructure. However, it is possible that a severe outbreak will impact the availability of personnel assigned to monitor or use that infrastructure. Companies should review their business continuity and disaster recovery plans (with their related IT and Security roles and responsibilities) to ensure they appropriately cover scenarios that might arise if multiple key personnel are ill or incapacitated. Similarly, if you use Managed Security Service Providers or other security vendors for critical parts of your program, you should verify that those vendors have similar plans, redundancies, and current capacity to help (you may want to verify and secure this help now while we are still in the early stages of this crisis). Ultimately, this is the perfect opportunity to ensure that all key players have recently reviewed these plans, there is necessary expertise redundancy, and staff have engaged in tabletop simulations relating to business continuity.

Companies should also consider conducting a similar assessment for their incident response plans as well as their cyber insurance, crime fraud, technical E&O, or network interruption policies. Such policies or plans may need to be revised to include backup personnel if key personnel such as a CTO, CISO, or privacy officer are incapacitated or otherwise unavailable. Also, you may want to consider cross-training appropriate personnel in all aspects of the incident response, reporting, and claims process, including the location of core documents and notice templates that would be used in an incident. If you have not already, consider what key elements of your incident response plan could be reduced to a diagrammed flow for your team to have in front of them in a crisis.

3. Warn Employees of the Security Risks of Working from Home

In times of crisis, increased work, or nonstandard work routines, personnel are more likely to forget to use recommended cybersecurity practices, but warning them now may help with security awareness during unfamiliar times. This will be particularly true for mission-critical services since employees may feel pressure to forgo security to get work done. All employees should be reminded of the corporate resources that are available, such as cloud storage or other applications, the need for increased vigilance, and the following basic security principles:

  • Secure home wireless networks with strong passwords and avoid using unsecured public networks when possible. If using an unsecured public network, be on the lookout for any certificate errors or warnings that a site may be misconfigured.
  • Do not use personal devices for work without prior approval because these may lack the security controls that protect work devices.
  • Do not use personal email or cloud storage accounts to transfer or store business information.
  • Avoid downloading or printing sensitive information from email or other IT services to personal computers or other personal devices even if authorized to use the device for work purposes. If you must download data to personal devices, confirm with IT help desk staff that antivirus software is installed on your device and that it is properly encrypted.
  • Practice good physical document management by only taking documents offsite if necessary and ensuring all materials are returned to the office for proper destruction.

4. Be Wary of Scams and Phishing Attacks

Scammers and cyber threat actors have always followed the headlines, using the public’s heightened fear and desire for information or solutions as leverage to gain access to systems, data, and money. The current pandemic is no different. There are reports of schemes where malicious actors are stealing credentials from remote workers by supposedly offering updated company guidance on the COVID-19 response. And cyber researchers recently discovered a website of a map showing COVID-19 cases on a global scale that contained a hidden code that could steal usernames, passwords, credit card numbers, and other data stored in the user’s browser. While the Food and Drug Administration (FDA) and Federal Trade Commission (FTC) are working to crack down on phony COVID-19 cures and requests for “donations” from fake charities, employees must be on the lookout for scams and phishing attacks. All employees should be reminded of the following recommended practices:

  • Be careful opening attachments and links from distrusted or unknown sources. Phishing or other malicious emails can easily be disguised as alerts about COVID-19.
  • Try to use only trusted sources, for example, the CDC’s official COVID-19 website, for receiving up-to-date information about the outbreak.
  • Never respond to emails or phone calls asking for personal or financial information, usernames, or passwords.
  • Be careful making donations and reject any request for donations in cash, by gift card, or by wiring money.

This is also an excellent opportunity to remind employees of how to report security incidents within the company. Consider creating a short checklist for all employees detailing tips for how to detect suspicious activity, and what to do and who to contact if they believe they have been the victim of a security incident, scam, or phishing attack.

Additional resources from the FTC and U.S. Office of Personnel Management on working remotely and how to avoid scams and phishing attacks can be found here and here.

5. Be Aware of Applicable Industry-Specific Guidelines

Some heavily regulated industries (e.g., banking, financial services, and health) will have additional considerations at play. For example, FINRA has just released guidance that addressed telework arrangements with a section specifically related to cybersecurity risks posed by those arrangements. Additional commentary on this guidance can be found here. Similarly, HIPAA covered entities and business associates may face an increased risk of violating the HIPAA Privacy and Security rules. Best practices on how to address these risks and other HIPAA-specific guidance can be found here.

6. If Security Exceptions Must Occur Temporarily, Take Steps to Document Them

Your company may have no choice but to make security exceptions to get work done, especially if your industry is on the front lines of this crisis (e.g., health care and necessities supply chains). If this is the case, take steps to ensure that Security and IT document any security exceptions made so the company can resume its full security measures once volumes return to normal. If security exceptions are not documented, there is the potential for these items to be forgotten once the crisis passes.

Alston & Bird has formed a multidisciplinary task force to advise clients on the business and legal implications of the coronavirus (COVID-19). You can view all our work on the coronavirus across industries and subscribe to our future webinars and advisories.

Coronavirus and Securitization: Disclosure and Diligence Issues

Mortgage-backed and asset-backed securities are beginning to feel the effects of quarantines and social distancing as people spend – and earn – less money. Our Finance Group explores the basic disclosures to consider with any securitization and how best to address them during the coronavirus pandemic.

  • Four disclosure issues for securitization
  • Two key diligence issues for securitization
  • Additional thoughts

Alston & Bird has formed a multidisciplinary task force to advise clients on the business and legal implications of the coronavirus (COVID-19).  Please visit our website for the full advisory.

Alston & Bird Webinar Series: Coronavirus: What Does My Business Need to Know?

Thursday, March 12, 2020  | 11:00am ET 
For Employers: Coronavirus and Travel: A Complicated Business Decision 

The 2019 novel coronavirus outbreak (also known as COVID-19) causes respiratory illness and can spread from person to person. There have been thousands of deaths reported globally, making the coronavirus deadlier than SARS. Coronavirus infections have been reported in dozens of countries. Individuals are being extracted from and departing China and the region, and pandemic fears have also affected shipping and travel around the world. Concerns about the coronavirus have closed factories and forced quarantines throughout China – delaying and even stopping manufacturing and deliveries.

The number of COVID-19 cases in the U.S continues to rise, affecting employers and employees in every industry, from hospitality to manufacturing to health care. What should employers consider in making decisions? This Alston & Bird webinar will review advice we are giving clients related to:

  • Travel, both foreign and domestic
  • Employee health precautions
  • Events and conferences
  • Office/workplace visitors
  • Remote workforce
  • Force majeure and the coronavirus

Our Speakers:

Dawnmarie Matlock regularly advises health care clients on complex regulatory issues, including Stark Law and AntiKickback compliance. She counsels clients facing government investigations and other enforcement actions to mitigate risks and help resolve active matters. She serves as Alston & Bird’s HIPAA privacy officer and counsels clients on HIPAA compliance and breach response.

Angie Burnette assists hospitals, physicians, and other providers with a variety of issues, including those involving medical staff, the National Practitioner Data Bank, mental health, surrogate births, minors, duty to warn, do-not-resuscitate orders, end-of-life issues, and refusal of blood transfusions. Angie provides general risk management and compliance advice to health care facilities, providers, and health plans. She also advises health care providers and non-health-care companies on HIPAA privacy, HIPAA security, and breach notification issues under the HITECH Act and state laws.

Christy Eikhoff will discuss force majeure in light of the coronavirus. She represents clients in significant and high-profile complex commercial litigation matters, with experience in manufacturing, media, and insurance. She is the co-chair of Alston & Bird’s Industrials & Manufacturing Litigation Team. She has handled several multimillion-dollar cases for publicly and privately held entities, with extensive experience in trial, arbitration hearings, mediation, written advocacy, settlement negotiations, and discovery management. Christy has been instrumental in helping business clients achieve resolution in litigated disputes involving claims of breach of contract, fraud, business torts, property torts, defamation, negligence, and unfair and deceptive trade practice and consumer protection statutes.

Charlie Morgan concentrates his practice in litigation and government and internal investigations, including occupational safety and health, employment and traditional labor matters. He represents Fortune 500 companies, retailers, manufacturers and privately held organizations across the U.S. in investigations and litigation involving accidents and safety issues, in class and collection actions, and in anti-union campaigns. He also develops programs and training initiatives for compliance with safety and health laws and federal sentencing guidelines.

Our Experience 

Alston & Bird has formed a working group to advise clients on the business and legal implications of the coronavirus. Our multidisciplinary team can assist and advise a broad range of economic sectors on responses to coronavirus news and proactive steps to ensure business continuity, supply-chain alternatives, data security if remote access for all employees is required, and new product development. We regularly work on coronavirus-related issues with the gamut of relevant regulatory bodies as well as congressional policymakers who are leading the response to this fast-moving event. Our team includes members with experience in regulations for employment issues, medical product development, and pharmaceuticals, as well as every type of business interruption scenario. Members of our team have previously worked for, or represent clients before, the White House, Congress, HHS—especially staff and operating divisions such as the Assistant Secretary for Preparedness and Response (ASPR) — FDA, CDC, USDA, EPA, DEA, DOD, SEC, DHS, DOS, and OSHA.

Webinar Details

Thursday, March 12, 2020

Login information will be provided to participants before the program.

Additional Programs 

Thursdays | 11:00 am ET  

March 19 – For Hospitals, Health Systems, Laboratories and Other Providers: Reimbursement issues, new codes, special employee issues, telemedicine, and how to navigate this new environment.

March 26 – For employers, health plan sponsors and insurers, hospitals, hospitality, and pharmaceutical and medical device manufacturers: What’s still pending on the legislative and regulatory front in response to the coronavirus pandemic.

CLE

These programs are provided as a complimentary service to clients and friends of Alston & Bird. CLE credit is pending for Georgia, Texas, California, New York, Pennsylvania, and Missouri. Additional states may be available upon request.

CLICK HERE TO RSVP