NONPROFITS MAKE EASY TARGETS IN THE EYES OF CYBER-CRIMINALS
Nonprofit organizations provide some of the most vital services in the country; accomplishing their mission takes a committed team of volunteers and donors operating on a very tight budget. Because of those limited resources, cyber-criminals view nonprofits as easy prey sitting on a wealth of personal information about their support staff, donors and volunteers and the communities they serve.
IT SYSTEMS MORE VULNERABLE THAN MOST
Many nonprofits may think they’re not big enough to be a target, but their smaller size is one of the things that makes them even more appealing to cyber thieves. Unlike large corporations, nonprofits and schools usually have fewer IT staff and resources, making them particularly vulnerable. IT staff frequently juggle responsibilities to keep the organization’s systems running, which often means they have less time to focus on security. Cyber-criminals, however, are relentlessly focused on finding their way into computer systems through system vulnerabilities, by circumventing established safeguards, or by social engineering (tricking) employees into unwittingly disclosing sensitive information.
DON’T LET YOUR ORGANIZATION FALL VICTIM TO A CYBER ATTACK
A cyber incident can cause irreparable damage to your information assets and your good reputation, resulting in the loss of precious funds and donor trust. Ultimately, cyber-crime negatively impacts the community you serve. Mercadien Technologies can help protect your organization from cyber-criminals through our Managed Security Services. To learn more, contact me at 609-689-2339 or cmangano@mercadien.com.
LATIN LEGAL DOCTRINES AND THE RISK OF LITIGATION
Community Providers serving individuals with developmental disabilities are vulnerable to lawsuits brought by current and former service recipients. Three reasons for this vulnerability are the legislated public policy of the State of New Jersey and the legal doctrines of “in loco parentis” and “respondeat superior.” Familiarity with these concepts will help agencies appreciate the threat of litigation and take preemptive precautions to reduce the occurrence of incidents of neglect and abuse, which are among the most common allegations in claims brought on behalf of service recipients.

On the public policy front, the enactment of the Developmentally Disabled Rights Act (“DDRA”), N.J.S.A. 30:6D-1-12, by New Jersey’s Legislature grew out of recognition of the State’s policy of protecting the developmentally disabled from abuse or mistreatment. The State’s legislators recognized that persons with developmental disabilities are especially vulnerable, and are without the knowledge, ability, or resources to protect or vindicate their civil rights. The repercussion of the DDRA’s laudable objective of protecting the rights of the developmentally disabled is that agencies are susceptible to litigation when a violation of a right, or an incident of abuse or neglect, occurs in their facilities.

In addition to the State’s explicit public policy of protecting developmentally disabled citizens, Community Providers are also vulnerable to lawsuits because the agencies are recognized as institutions with in loco parentis responsibilities. In loco parentis is the legal doctrine referring to an individual who assumes the function or responsibility of a parent.
Articles from the April 2019 Bulletin:
Corporate Perspective: Keeping Your House In Order
By Daniel O. Carroll, Esq., Partner Schenck, Price, Smith & King, LLP
Whether your company is looking to acquire another company, be acquired or simply maintain good corporate practices, it is essential to make sure that it undertakes certain basic activities and follows standard operating procedures on a regular basis. The following issues should be addressed to keep your company’s house in order:
Establishing Authority:
- Ensure a Duly Constituted Board of Directors or Trustees (“Board”): All of your company’s charter documents should be kept up to date and reflect the company’s corporate governance needs. In order to take any corporate action, the company’s governing Board must be duly constituted. In other words, the composition of the Board’s membership must be consistent with the terms of the company’s certificate of incorporation and by-laws.
- Ensure Board Action Is Properly Taken: For any action taken by a Board to be valid, it must comply with certain requirements set forth in the company’s by-laws (or state law). For example, notice of all Board meetings must be properly given to all Board members in the manner described in the company’s by-laws, consistent with state law. In order to hold a meeting and take action, the quorum requirements set forth in the company’s by-laws (or by statute) must be satisfied. Any issue being voted on by the Board should be properly vetted prior to any such vote. Any Board members participating in a Board meeting by electronic means must be able to hear and be heard by the other members present at or participating in the meeting. It may be appropriate for some actions to be taken by a Board committee; however, all actions taken by a Board committee comprised of one or more Board members (e.g., an executive committee) are subject to statutory restrictions and must be authorized by a delegation of authority from the full Board and/or set forth in the company’s by-laws.
- Ensure Corporate Action Is Properly Taken: The company should ensure all company agreements, registrations, certifications and other corporate documents are signed by duly authorized officers of the company. All material corporate actions and/or transactions must be reviewed and approved by the Board, unless the company’s by-laws provide the company’s executive officers with the necessary authority to take such actions without additional Board approval. All Board approvals should be clearly evidenced by appropriate Board resolutions, which are kept with the Board meeting minutes.
Satisfying Fiduciary Obligations:
- Exercise Diligence and Obtain Advice: Board committees should actively investigate, report and advise the Board on matters within the scope of their charge. When appropriate, the Board should engage external expert consultants to advise on issues beyond the experience and expertise of Board members. All committee and expert reports submitted to the Board should be properly reviewed and discussed by the full Board. All committee and expert reports should be maintained with the Board’s meeting minutes and the company’s other corporate records.
- Maintain Evidence of Board Deliberation: Board meeting minutes should be appropriately kept, reviewed and approved. Board meeting minutes should be maintained with the company’s other corporate records. Board meeting minutes should be sufficiently detailed to evidence the oversight and deliberation exercised by the Board satisfying its fiduciary role.
- Ensure Disclosure and Evaluation of Conflicts: The company should have a conflicts of interest policy and/or procedure. Any conflicts of interest involving the company, Board members and/or employees of the company must be disclosed, evaluated and properly handled in accordance with the company’s policy and procedures.
Meeting Contractual and Regulatory Obligations:
- Know Your Obligations: Corporate leadership’s awareness and understanding of the company’s contractual and regulatory obligations is essential to leading and operating the company in an effective and compliant manner. The company should have a document management system or policy in order to track and ensure compliance with all contractual and regulatory obligations. All company agreements must be fully executed by each party to such agreements. Fully executed copies of all company agreements should be maintained on file with the company (i.e., all exhibits, attachments and amendments kept together) and readily accessible to company management. The company should ensure that the terms of all company agreements remain in full force and effect and have not lapsed. The company must make sure all notices for renewal or termination (as applicable) of an agreement are made in a timely manner in accordance with the terms and conditions of the applicable agreement.
- Identify and Mitigate Risks: The company’s insurance needs should be reviewed on a regular and ongoing basis and maintained at levels sufficient to at least meet all contractual and regulatory obligations. The company’s exposure to risks should be identified and then minimized to the greatest extent practicable. The company’s leadership should be aware of the scope of liability and insurance obligations required under the company’s contracts.
- Educate Your Workforce: It’s important to ensure that decisions made by the Board and corporate policies adopted by the Board and/or senior management are properly carried out and followed by company personnel. Company personnel responsible for performing and satisfying the company’s contractual and/or regulatory obligations must know and understand all such obligations and how they impact their work. The keys to workforce compliance are communication and education provided in a clear manner and on a regular basis.
- Promote Safety and Quality: Adopting and implementing safety and quality assurance procedures helps mitigate operational risks and ensure regulatory compliance. In addition, the company should implement a process for responding to regulatory actions or correspondence identifying potential compliance issues.
The most basic defense against any possible lawsuits or regulatory compliance actions is to ensure your company maintains and follows sound corporate practices and policies. Such practices help foster well-reasoned decision making and should provide a rational basis for company actions. They should also generate documentary evidence of Board members exercising their fiduciary duties. Adopting such corporate practices and policies and educating your workforce to implement and follow them will likely reduce the risk of errors and shield against claims of negligence. By addressing the issues identified above, you and your company will be on the right track to keeping your house in order from a corporate perspective.
8 CYBERSECURITY RISKS THAT MAY IMPACT ORGANIZATIONS IN 2019
2018 showed that a proactive approach to cyber preparation and planning paid off for the companies that invested in it; it’s expected that in 2019 the need for advanced planning will only further accelerate. “Digital Transformation” is here to stay – organizations of all sizes are embracing progressive ways to leverage technology to better position themselves within their respective industries. This movement must also be accompanied by a thorough Cyber Threat Management plan that’s updated regularly.
AON’s recent report focused on eight specific risk areas that companies may face in 2019. The risks illustrate how, as organizations transition to a digital-first approach across all transactions, the attack surface expands rapidly and sometimes in unexpected ways. In other words, thanks to the rapid enhancements and constant changes in technology, the number of touch-points that cyber criminals can access within a business is growing exponentially.
The eight risks include:
- Technology – While technology has revolutionized the way organizations today conduct business, broader and wider-spread use of technology also brings vulnerabilities. From publishing to automotive, industries are facing new, evolving services and business models. These new opportunities however, bring a radically different set of risks, which organizations will need to anticipate and manage as they continue the digital transformation process.
- Supply Chain – Two prevailing supply chain trends will heighten cyber risks dramatically in the coming year: one is the rapid expansion of operational data exposed to cyber adversaries, from mobile and edge devices like the Internet of Things (IoT). The other trend is companies’ growing reliance on third-party—and even fourth-party—vendors and service providers. Both trends present attackers with new openings into supply chains, and require board-level, forward-looking risk management to sustain reliable and viable business operations.
- IoT – IoT devices are everywhere, and every device in a workplace now presents a potential security risk. Many companies don’t securely manage or even inventory all IoT devices that touch their business, which results in breaches. As time goes on, the number of IoT endpoints will increase dramatically, facilitated by the current worldwide rollouts of cellular IoT and the forthcoming transition to 5G. Effective organizational inventory and monitoring will be critical for companies in the coming year and beyond.
- Business Operations – Connectivity to the Internet improves operational tasks dramatically, but increased connectivity also leads to new security vulnerabilities. The attack surface expands greatly as connectivity increases, making it easier for attackers to move laterally across an entire network. Further, operational shortcuts or ineffective backup processes can make the impact of an attack on business operations even more significant. Organizations need to be better aware of, and prepared for, the cyber impact of increased connectivity.
- Employees – Employees remain one of the most common causes of breaches. Yet employees likely do not even realize the true threat they pose to an entire organization’s cybersecurity. As technology continues to impact every job function, from the CEO to the entry-level intern, it is imperative for organizations to establish a comprehensive approach to mitigate insider risks, including strong data governance, communicating cybersecurity policies throughout the organization, and implementing effective access and data-protection controls.
- Mergers & Acquisitions (M&A) – Projections anticipate that M&A deal value will top $4 trillion in 2019, which would be the highest in four years. The conundrum this poses to companies acquiring other businesses is that while they may have effective cybersecurity for themselves, there is no guarantee that their M&A target has the same approach in place. Dealmakers must weave specific cybersecurity strategies into their larger M&A plans if they want to ensure seamless transitions in the future.
- Regulatory Compliance – Increased regulation, laws, rules and standards related to cyber are designed to protect and insulate businesses and their customers. The pace of cyber regulation enforcement increased in 2018, setting the stage for heightened compliance risk in 2019.
- Board of Directors – Cybersecurity oversight continues to be a point of emphasis for board directors and officers, but recent history has seen expanding personal risk raising the stakes. Boards must continue to expand their focus and set a strong tone across the company, not only for actions taken after a cyber incident, but also for proactive preparation and planning.
New Jersey Paid Family Leave Law – What You Need to Know
On February 19, 2019, New Jersey Governor Phil Murphy signed legislation (A.B. 3975) revising the state’s family leave law. Under the revised law, the state’s paid family leave program has been modified in several ways.
How has the Definition of a Covered Employer Changed?
As of June 30, 2019, the definition of a covered employer includes those with 30 employees, as opposed to 50 employees, for each calendar day of 20 or more calendar workweeks. Employers with 30 or more employees are now subject to the non-discrimination and non-retaliation provisions of the law, and must reinstate employees upon their return from leave.
How Has the Length of Time Employees Can Take Changed?
Beginning in July 2020, the number of weeks for Family Leave Insurance (FLI) and Temporary Disability Insurance (TDI) double. Employees can take up to 12 consecutive weeks of paid family leave or temporary disability insurance during any 12-month period. Currently, employees are only able to take up to six weeks of FLI or TDI in a 12-month period. Workers may take up to 56 days of intermittent leave within a 12-month period.
How Has the Weekly Benefit Changed?
The weekly benefit increases and individuals may now receive 85 percent of their weekly wage, with the maximum possible benefit going up to 70 percent of the statewide average weekly wage.
Who is Eligible for the Benefit?
Employees may take paid family leave to care for siblings, in-laws, grandparents, grandchildren, other blood relatives, and any other individual who can be shown to have the equivalent of a family relationship to the employee. Also, an individual who is a victim of domestic or sexual violence may take family leave for themselves or to care for a family member who was a victim. This includes family temporary disability leave for medical attention, counseling, or legal assistance or proceedings arising out of domestic violence or sexual violence.
What Protections do Employees Have Who Use This Benefit?
Anti-retaliation provisions prohibit covered employers from retaliating or discriminating against an employee because he or she took family leave.
Articles from the March 2019 Bulletin:
Maintaining client records is an important obligation requiring substantial resources including employee time, physical space, and digital storage and equipment. Although service recipient records belong to the Division of Developmental Disabilities (DDD), the duty to maintain client records falls to the individual licensed facilities. The importance of records maintenance is not limited to supporting continued client care, but is also critical should the licensed facility face allegations of abuse and neglect leading to litigation. In addition to witness recollections, written records provide the foundation for defending a licensed facility in a lawsuit initiated on behalf of a client. Missing or incomplete records may result in a court imposing severe sanctions against a licensed facility at the time of trial. It is therefore imperative that licensed facilities take all necessary measures to maintain individual records. The New Jersey Administrative Code provides a specific but non-exhaustive list of the documents comprising an individual’s records:
- Eligibility determinations and supporting documents;
- Applications for services;
- Medical examinations and reports, medication administration records, and prescriptions;
- Evaluation reports or Comprehensive Functional Assessment (CFA);
- Individual Habilitation Plan (IHP), Individualized Family Service Plan (IFSP), Individual Educational Plan (IEP), Essential Lifestyle Plan (ELP), Self-Determination Plan (SDP) and Individual Service Plan (ISP);
- Progress notes and internal communications relating directly to the individual’s condition or service decisions;
- Communications to or from parent or legal guardian;
- Legal guardianship documents;
- Individual financial records; and
- Health information regarding family members.
The State’s Administrative Code requires maintenance of a client record for a minimum of 10 years after the death or most recent discharge of the service recipient. For discharged minors, the Code requires maintenance of records for 10 years, or until the minor reaches the age of 23 years, whichever period is longer. Electronically kept records are subject to the same maintenance requirements. Finally, in a situation of anticipated litigation where a licensed facility has knowledge of the likelihood of litigation, the licensed facility is obligated to preserve records until the completion of the lawsuit even if the retention period has ended.

It is not uncommon for a client to receive services spanning years or even decades, resulting in a client record that runs thousands of pages. However, despite the challenges presented by maintaining voluminous records, the accuracy and completeness of the individual record is vital to defending a lawsuit.

Peter A. Marra is a partner at Schenck Price Smith & King, LLP and certified as a civil trial attorney by the State of New Jersey. Benjamin A. Hooper is an associate at Schenck Price Smith & King, LLP. Mr. Marra and Mr. Hooper provide litigation counseling and regularly defend providers of services to the intellectually and developmentally disabled.
Articles from the February 2019 Bulletin:
NOW IS THE TIME TO PREPARE FOR THE NEXT WEATHER EVENT: DUSTING OFF THOSE CONTINGENCY PLANS
By: Deborah A. Cmielewski, Esq. Partner, Schenck Price Smith & King, LLP
Winter is the time of year that many of you simply dread. Let’s face it: as you wade through the challenge of converting to fee-for-service, the last thing you want to worry about as a provider is a winter storm that could threaten your operations. Winter is one of those times of the year when contingency planning becomes extremely relevant to all of you. What’s more, as providers who are subject to HIPAA, you are legally required to have contingency plans in place in case of a disaster. The HIPAA Rules require you to have a data backup plan, a disaster recovery plan and a plan to ensure continuity of operations. What does this really mean? You need to have steps in place that will enable you to respond to an emergency without missing a beat. You should be able to maintain critical operations with minimal downtime. Literal translation: if you wake up tomorrow morning with three feet of snow on the ground, you should know how you are going to deliver services to the vulnerable population that you serve.
Below are just some of the steps you should be taking, as we head toward the worst part of storm season:
- Identify the systems and data that are critical to your operations
- Back up data at regular intervals
- Store your backups in safe and secure locations
- Have a plan to restore any data that is lost
- Test your plan and address any deficiencies that arise in testing
- Make sure the plan is written in plain language, so employees can understand it
- Share the plan with all employees
- Discuss expectations of all employees in case of disaster
- Store the plan offsite with key employees who will need to activate it
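The backup, restore and test steps above are the ones that can be rehearsed mechanically rather than just written down. The script below is an added example (not from the article, Ms. Cmielewski, or Schenck Price Smith & King) of a restore drill in Python: it backs up a directory into a compressed archive, records a SHA-256 manifest of every file, restores the archive to a separate location while refusing archive entries that would write outside the restore directory, and then checks the restored copy against the manifest. The directory layout, file names and file contents are constructed sample data, and `run_restore_drill` is an assumed name for the drill wrapper.

```python
"""Backup-and-restore drill: back up a directory, restore it elsewhere, and
prove the restored copy matches the original via a SHA-256 manifest.
Added example; the sample "client records" below are constructed, not real."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path, PurePosixPath


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir: Path) -> dict:
    """Map each file path (relative to src_dir, POSIX form) to its digest."""
    return {
        p.relative_to(src_dir).as_posix(): sha256_file(p)
        for p in sorted(src_dir.rglob("*")) if p.is_file()
    }


def create_backup(src_dir: Path, archive: Path) -> dict:
    """Write a .tar.gz of src_dir plus a JSON manifest stored beside it."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src_dir / rel, arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_backup(archive: Path, restore_dir: Path) -> None:
    """Extract the archive, refusing members that could escape restore_dir
    (absolute names, '..' components, symlinks or hard links)."""
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            parts = PurePosixPath(m.name).parts
            if m.name.startswith("/") or ".." in parts or m.issym() or m.islnk():
                raise ValueError(f"unsafe archive member: {m.name}")
        tar.extractall(restore_dir)


def verify_restore(restore_dir: Path, manifest: dict) -> list:
    """Return a list of problems (missing files, digest mismatches); empty means OK."""
    problems = []
    for rel, digest in manifest.items():
        p = restore_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"hash mismatch: {rel}")
    return problems


def make_sample_data(src_dir: Path) -> None:
    """Constructed sample records for the drill (assumed layout, not real data)."""
    (src_dir / "records").mkdir(parents=True)
    (src_dir / "records" / "client-001.txt").write_text("progress notes 2019-01-15\n")
    (src_dir / "records" / "client-002.txt").write_text("medication log 2019-01-16\n")
    (src_dir / "plan.txt").write_text("contingency plan v3\n")


def run_restore_drill(tamper: bool = False) -> dict:
    """Run the whole drill in a scratch directory. With tamper=True one restored
    file is altered after extraction, which the verifier must report."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, restore = tmp / "live", tmp / "restore"
        make_sample_data(src)
        archive = tmp / "backup.tar.gz"
        manifest = create_backup(src, archive)
        restore_backup(archive, restore)
        if tamper:
            (restore / "plan.txt").write_text("altered\n")
        problems = verify_restore(restore, manifest)
        return {"files": len(manifest), "problems": problems}


if __name__ == "__main__":
    print(run_restore_drill())          # expect {'files': 3, 'problems': []}
    print(run_restore_drill(tamper=True))  # expect one 'hash mismatch: plan.txt'
```

Running the drill on a schedule, against the real backup location, is what turns "test your plan" into evidence: a non-empty problems list means the backup could not actually be relied on, and the manifest file should itself be stored with the offsite copy so that the check can be repeated from there.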
Now is the time to dust off your contingency plan if you have not done so recently. If you do not have a plan (or have not thought about it), the time to develop one is now. Schedule an in-service so that your workforce is ready to face the next weather event. Communicate with your workforce as weather events are predicted, to eliminate confusion and loss of time in implementing your disaster recovery plan.
NONPROFIT & HUMAN SERVICES GROUP
New Accounting Standards Updates (ASUs)
Implementation Guides for Nonprofit Clients
In our continual efforts to assist our clients, and as a follow-up to several seminars we recently presented on this topic, we provide for your use the two implementation guides below on three key new ASUs, related to financial accounting and reporting changes, that will impact most nonprofit organizations this year. Click on the PDF links to read, print or save them.
Mercadien Nonprofit ASU Guide 2016-14.pdf
Mercadien Nonprofit ASU Guide 2014-09-2018-08.pdf
If you would like more information or have any questions or concerns about transitioning under the new guidance, please don’t hesitate to contact us at 609-689-9700 or solutions@mercadien.com, or via our website at Mercadien.com.