
Cyber Security Challenges and Potential Uninsured Exposures

By Ann Marie Petrey and Eric Leibowitz
June 01, 2016

This article provides a broad overview of cyber security challenges, and the insurance coverage (or lack thereof) for the financial impact of those cyber security challenges.

Background

High-tech crimes come in all shapes and sizes, including computer intrusions, cyber fraud, cyber-based terrorism, and espionage (see Cyber Crime, available at http://1.usa.gov/1NiAcuU), and can have a devastating impact on individuals and businesses. One of the most significant results of a cyber-security event is the accessing of personally identifiable information (“PII”) and/or protected health information (“PHI”) stored on a computer system, which is generally known as a data breach. The PII information sought by hackers can include names, addresses, telephone numbers, financial information, social security numbers, credit card numbers, passwords, security codes, and unique biometric data (fingerprints, voice prints, and retina/iris images).

Data breaches are a serious and complex threat (see Cyber Security: Enhancing Coordination to Protect the Financial Sector, available at http://1.usa.gov/21pXTnw). Threats to the cyber security of individuals and companies may come from external sources, such as hackers seeking to obtain PII or PHI for economic gain, theft of hardware (such as laptop computers) containing PII or PHI, and e-mails with virus-infected attachments. Internal threats also exist, including human error such as employee negligence (loss of laptops), malicious activity by employees, inadequacies in a company's own computer systems, and failure to erase PII or PHI from hardware the company discards.

Victims of Data Breaches

Most experts agree that data breaches are so prevalent that there are only two types of data breach victims: those that have been victimized by a data breach; and those that do not realize that they have been a victim.

On a small scale, individuals may be the victims of hackers if their own computers are attacked and their PII and/or PHI is accessed. This can expose them to fraudulent credit card charges, for which they may not be financially responsible if the fraudulent transactions are reported in a timely manner, and to identity theft, which can be very costly and take years to unravel.

Individuals entrust their personal data (PII and/or PHI) to merchants and other businesses, health care providers, and professionals (e.g., doctors, lawyers, accountants, and others who are provided confidential information by their clients), and their data is only as safe as the firewalls of the companies/professionals with whom they entrust their personal data. A company victimized by a data breach faces liability to employees and/or customers whose PII or PHI was accessed. Shareholders and Board members are concerned about the impact of a data breach, as it may not only threaten the day-to-day operations of the company, but may also cause permanent damage to the company's reputation, brand, and stock value.

Data breaches have cost not only companies but also corporate officers, several of whom have been forced to resign. See, for example, the data breach at Ashley Madison, the online dating site, which was embarrassing for its customers and resulted in the resignation of its CEO, given that the site had promised that the information would be kept confidential. Recent cyber events have also resulted in the resignation of executives from Target and Sony Pictures.

Costs of Cyber Events

A recent report by Hewlett Packard and the Ponemon Institute of Cyber Crime concluded that hacking attacks cost the average American firm $15.4 million per year, which only underscores the growing enormity of cyber event issues. See Cybercrime Costs the Average U.S. Firm $15 Million a Year, available at www.money.cnn.com. As a result of data breaches, both corporations and small businesses are exposed to significant costs, litigation, and investigation by governmental agencies:

1. The costs to respond to a data breach may include attorneys' fees to analyze the company's legal obligations to respond to the cyber event; retention of forensic experts to investigate the source of the breach and contain the breach; costs to notify its customers that their PII or PHI may have been compromised; credit monitoring for its customers; establishment of a call center to respond to customer inquiries; discounts on future products; and crisis management fees.

2. Corporations are exposed to litigation in the form of class action suits from those customers on the basis that the business did not take adequate measures to protect their PII/PHI, as well as suits against its Boards of Directors by its shareholders due to the injury to its reputation, and resulting loss of business and stock value.

3. Businesses may also be subject to investigations by state and federal governmental agencies, which may result in fines and penalties. Attorneys' fees in defending litigation and governmental investigations could be substantial.

4. Businesses may be embroiled in various contractual disputes with: 1) companies within the credit card system, including the credit card brands, banks issuing the cards (i.e., cardholder banks), banks contracting with the merchants (i.e., acquiring banks), and payment processors; 2) vendors providing hardware or software to the business over deficiencies in the products purchased from, or maintained by, those vendors; and 3) vendors that may have been harmed by the data breach through access to the business' computer network.

Traditional Policies

Cyber insurance policies may afford some relief to companies for the costs resulting from a data breach, but contain significant limitations. Further, cyber policies are relatively new, and businesses that do not have insurance expressly covering cyber risks have sought coverage under traditional insurance policies for their losses, including the following:

1. First-party “all risk” policies for any “direct physical loss or damage” from the cyber event.

2. CGL policies for third-party “property damage” or “bodily injury” under Coverage A, and for any “publication” of the information that violated a third party's privacy rights under Coverage B (“personal or advertising injury”).

3. Errors and Omissions policies in the event the insured can demonstrate a connection or nexus between the cyber event and the insured's professional services or provision of products to others.

4. Directors and Officers liability insurance for claims made against them as a result of their status as directors and officers for acts, errors or omissions in that capacity, frequently for purported breach of their fiduciary duty to shareholders in the form of shareholder or derivative claims, or based upon alleged misrepresentations or omissions in public disclosures of their cyber security risks.

We address coverage under commercial first-party property and CGL policies in this article. As demonstrated by the varying decisions discussed below, insurers have generally argued that “traditional” CGL and “all risk” first-party property policy forms were not intended to provide coverage for cyber risks, although we note that some policies contain specific endorsements designed to provide limited coverage for these risks. In contrast, insureds have argued that these traditional policy forms afford coverage for cyber risks.

Litigation involving coverage disputes for cyber events, under both traditional and cyber insurance policies, is in the infancy stage, and case law is thus evolving. The determination of these issues is subject to the particular facts of the case, applicable law, and a court's interpretation of the express provisions of the policy. While there is dispute as to the extent of coverage, if any, afforded under traditional policies for cyber events, there is broad consensus from the case law in this area that insureds cannot confidently rely on coverage under non-cyber insurance policies.

Commercial First-Party Property Policies

First-party property policies generally require that there be direct physical loss of or damage to covered property caused by or resulting from any covered cause of loss. As set forth below, case law is not consistent as to whether loss or corruption of electronic data or software standing alone constitutes property damage. A related issue is whether or not loss of access to data can constitute physical damages for purposes of property insurance. This is important because the loss of data that was not actually physically “lost,” but merely accessed, calls into question whether or not the physical damage requirement has been met.

Some courts have held that the loss or destruction of data standing alone does not constitute either direct physical loss of or damage to tangible property as those terms are used in standard-form insurance policies. In Ward General Ins. Servs., Inc. v. The Employers Fire Ins. Co., 114 Cal. App. 4th 548 (Cal. Ct. App. 2003), the insured's database crashed due to human error, causing a loss of client data. The court held that “the loss of the database, with its consequent economic loss, but with no loss of or damage to tangible property, was not a 'direct physical loss of or damage to' covered property.” Similarly, the court in Metro Brokers, Inc. v. Transportation Ins. Co., 2013 WL 7117840 (N.D. Ga. Nov. 21, 2013) ruled that the hacking of a real estate broker's online banking system did not trigger the “forgery” extension, and that the exclusions for “malicious code” and “system penetration” were applicable. There are, however, a number of courts that have held that the loss or destruction of electronic information does constitute physical damage as that term is used in insurance policies. In the case of NMS Services Inc. v. The Hartford, 62 F. App'x 511 (4th Cir. Va. 2003), the U.S. Court of Appeals for the Fourth Circuit held that there was physical damage to property when a software company's former employee hacked into its network and erased vital computer files and databases, even though the information only existed in electronic form. In a similar case, Landmark American Insurance Co. v. Gulf Coast Analytical Labs., Inc., No. 10-809, 2012 WL 1094761 (M.D. La. Mar. 30, 2012), a policyholder sought coverage under a property insurance policy after it lost data on a hard drive storage system that had become corrupted. The insurer argued that because the hardware storing the data was not damaged (only the data had been lost) there was no direct physical damage. The court disagreed, holding that electronic data has physical existence and can be observed, altered or damaged through physical interaction.

The tangible impact of software damage was addressed in Lambrecht & Associates, Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App. Tyler 2003). There, the court denied summary judgment to a first-party insurer that claimed data was not “physical.” In ruling in favor of the insured, the court held that the alleged personal property losses were “physical” as a matter of law because the server fell within the definition of “electronic media and records” as it contained a hard drive, and the data lost was stored on such media.

Courts have even held that the loss of access to data can constitute physical damage for purposes of property insurance. In American Guarantee & Liability Insurance Co. v. Ingram Micro, Inc., No. 99-185 TUC ACM, 2000 WL 726789 (D. Ariz. Apr. 18, 2000), a policyholder sought coverage after it lost access to electronically stored customer and product order information caused by a power outage that prevented it from performing its customer service functions. The insurer argued that there was no coverage because the power outage did not damage any equipment. However, the court held that physical damage was not limited to physical destruction and could include loss of access or loss of use of data.

The court in Retail Ventures, Inc. v. Nat'l Union Fire Ins. Co. of Pittsburgh, 691 F.3d 821 (6th Cir. Ohio 2012) found coverage under a computer fraud rider to a blanket crime policy for various losses resulting from a computer hacking scheme whereby credit card and checking account information pertaining to more than 1.4 million customers of 108 DSW stores was downloaded. As a result of the data breach, and the fraudulent transactions that followed using the stolen customer payment information, the plaintiffs incurred expenses for customer communications, public relations, customer claims and lawsuits, attorney fees in connection with investigations by seven state Attorneys General and the FTC, and credit card assessments and fines. The court applied the “proximate cause” standard of causation to the coverage issues, and ruled that the insured's costs (some of which the insurer considered to be third party costs) were “resulting directly from” the “theft of Insured property by Computer Fraud,” and further that none of the exclusions applied.

There are limited cases involving business interruption claims, where the insured sustained a loss of business income or incurred extra expenses associated with the discovery and scope of the data breach, identification of what data was accessed or downloaded, and securing the network against further breaches. The main precedent is Lambrecht & Associates, Inc. v. State Farm Lloyds, 119 S.W.3d 16 (Tex. App. Tyler 2003), discussed above. The policy in that case covered loss of business income caused by “accidental direct physical loss to 'electronic media and records,'” but only that income lost for either 60 consecutive days from the date of the loss or the amount of time necessary to repair, rebuild or replace other property at the premises caused by the same occurrence. The court held that the business income Lambrecht lost as a result of the virus was covered under the policy because Lambrecht suffered a loss of its “electronic media and records,” but remanded the case because the business could not prove that the loss was “accidental.”

In Southeast Mental Health Center v. Pacific Insurance Company, Ltd., 439 F. Supp. 2d 831 (W.D. Tenn. 2006), a mental health clinic sought recovery under the business interruption portion of its policy stemming from “corruption” of its pharmacy data after a power loss. The insurer argued that there was no coverage because there was no physical damage to the clinic's computer systems and therefore there was no “direct physical loss.” The court disagreed and ruled that the clinic's computers sustained direct physical damage because the loss of data rendered the computer system useless, reasoning that direct physical loss may exist where data is rendered inaccessible or cannot be used. See also Ashland Hospital Corp. v. Affiliated FM Ins. Co., No. 11-16-DLB-EBA, 2013 WL 4400516 (E.D. Ky. Aug. 14, 2013) (the phrase “direct physical loss or damage” included a loss of reliability suffered by a data storage network due to heat exposure); and WMS Indus., Inc. v. Fed. Ins. Co., 588 F. Supp. 2d 730 (S.D. Miss. 2008) (finding that fact issues existed as to whether business income/extra expense coverage could extend to hurricane-related property damage causing impairment of inter-linked electronic network for casino customers).

CGL Policies

CGL policies afford coverage for third-party “property damage” caused by an “occurrence” during the policy, as those terms are defined in the insuring Agreement of Coverage A. Coverage B affords coverage for “Personal Injury” or “Advertising Injury” sustained by a third party, as those terms are defined in the policy.

With respect to the Coverage A disputes as to whether the “property damage” requirement has been met, some courts have held that the loss or destruction of software or data does not constitute either direct physical loss of or damage to tangible property, as those terms are used in standard-form insurance policies. See State Auto Prop. and Cas. Ins. Co. v. Midwest Computers & More, 147 F. Supp. 2d 1113 (W.D. Okla. 2001) (noting that “[a]lone, computer data cannot be touched, held, or sensed by the human mind; it has no physical substance. It is not tangible property.”); and America Online, Inc. v. St. Paul Mercury Ins. Co., 207 F. Supp. 2d 459 (E.D. Va. 2002) (finding that electronic data is intangible and not physical in nature). This is especially true where the policy language itself very clearly and explicitly excludes electronic data from the definition of “tangible property.” See Liberty Corporate Capital Ltd. v. Sec. Safe Outlet, Inc., 937 F. Supp. 2d 891 (E.D. Ky. 2013) (holding that “the alleged improper procurement, disclosure and use of confidential information and data on BGS's computer network system, including its customer database, is not tangible property, thus these claims do not allege property damage”); and Union Pump Co. v. Centrifugal Technology, Inc., No. 05-0287, 2009 WL 3015076, *2 (W.D. La. Sept. 18, 2009) (finding destruction of copies of electronic drawings not covered under policy because electronic data excluded).

Other courts have applied a broader definition of physical damage. See Retail Sys. Inc. v. CNA Ins. Cos., 469 N.W.2d 735, 737 (Minn. Ct. App. 1991) (the court found that “data on [a] tape was of permanent value and was integrated completely with the physical property of the tape,” and held that both “the computer tape and data are tangible property,” and, therefore, loss of computer tape containing valuable data fell within scope of liability policy); and Computer Corner, Inc. v. Fireman's Fund Ins. Co., 46 P.3d 1264, 1266 (N.M. Ct. App. 2002) (noting the district court's unappealed ruling that computer data stored on a hard drive is tangible property).

As there is limited case law, courts construing CGL policy wording have relied on first party cases, as mentioned above. See, e.g., American Guarantee & Liab. Ins. Co. v. Ingram Micro, Inc., No. 99-185, 2000 WL 726789 (D. Ariz. Apr. 18, 2000) (concluding that computer system that lost stored data and functionality was physically damaged).

One court even found coverage where the policy contained an express exclusion for “electronic data.” See Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. Minn. 2010) (the court held that the insurer was obligated to defend because the complaint alleged “loss of use of tangible property that is not physically injured” and concluded, “The plain meaning of tangible property includes computers, and the [underlying] complaint alleges repeatedly the 'loss of use' of his computer.”).

Another common issue is whether or not the accessing of PII by hackers constitutes “Personal Injury” under Coverage B, which is defined in the policy form to be “oral or written publication of material that violates a person's right of privacy.” This frequently arises when private credit card information has been accessed by hackers and third parties. The question is whether the accessing of the PII by a hacker constitutes a “publication” and whether the policy requires that the publication be made by the insured or the hacker.

The “publication” necessary to trigger “personal injury” under Coverage B was addressed in the recent prominent case, Zurich Am. Ins. v. Sony Corp. of Am., 2014 WL 3253541, Index No.: 651982/2011 (N.Y. Sup. Ct. Feb. 24, 2014). The trial court ruled that Zurich American Insurance Co. had no duty to defend or indemnify its insured, Sony Corporation, in connection with class-action lawsuits relating to the 2011 data breach of Sony's PlayStation Network, which had resulted in the unauthorized access of the personal information of millions of Sony's customers. The CGL policy at issue included coverage for “personal and advertising injury” arising out of the “oral or written publication, in any manner, of material that violates a person's right of privacy.” Zurich argued that the coverage was limited to purposeful and intentional acts committed by Sony rather than acts by third-parties. The trial judge found that Sony did not publish the information, and correspondingly declined to find coverage in favor of Sony. Sony appealed the trial court's decision, but settled the case while the appeal was pending, leaving the trial court's decision to stand on its own. Although the court's decision has no precedential value, it will nonetheless be persuasive given the current dearth of case law and the high profile nature of the case.

Cases have also addressed what constitutes “publication” where hacking was not involved. In Recall Total Info. Mgmt., v. Federal Ins. Co., 317 Conn. 46 (Sup. Ct. May 26, 2015), a third party-storage vendor physically lost data tapes containing unencrypted PII for 500,000 former and current IBM employees when the tapes fell out of the back of a van while in transit. The vendor reimbursed IBM for its costs, including notification to the affected employees, credit monitoring and restoration, and an establishment of a call center. The vendor sought coverage under its CGL policies, the insurers denied coverage, and the vendor commenced suit against the insurers. The Connecticut Supreme Court, in relying upon the appellate court's opinion, ruled that “loss of the computer tapes did not constitute a 'personal injury' as defined in the policies because there had been no 'publication' of the information stored on the tapes resulting in a violation of a person's right to privacy.”

The Fourth Circuit, in Travelers Indem. Co. of America v. Portal Healthcare Solutions LLC, No. 14-1944, 2016 WL 1399517 (4th Cir. Va. Apr. 11, 2016), recently affirmed the district court's opinion (35 F. Supp. 3d 765 (E.D. Va. Aug. 7, 2014)) in a declaratory judgment action filed by the insurer, that the exposure of confidential medical records to online searching is a publication. The insured had contracted with a hospital to electronically store and maintain confidential medical records. The underlying class action complaint alleged that the putative plaintiffs conducted Google searches of their respective names, and the first link that appeared was a direct link to their respective medical records at the hospital. There were no allegations of hacking or breach of data; simply that the insured failed to secure a server so that the medical records were accessible to unauthorized users online.

Based solely upon a comparison of the allegations in the underlying class action complaint with the policy wording (known as the “Eight Corners” Rule in Virginia), the district court held that the complaint “at least potentially or arguably” alleged a “publication,” even though there was no evidence that the information was viewed. The court reasoned that “any member of the public with an internet connection could have viewed the plaintiffs' private medical records during the time the records were available online,” and further that publication occurs when the information is “placed before the public” and not when “a member of the public reads the information placed before it.” Accordingly, the Fourth Circuit affirmed the district court's ruling that the insurer had a duty to defend the insured in the underlying class action suit.

In Netscape Comm. Corp. v. Federal Ins. Co., 343 F. Appx. 271 (9th Cir. Cal. 2009), the U.S. Court of Appeals for the Ninth Circuit found that AOL's internal dissemination of its user's online activities for advertising purposes constituted a breach of privacy, thus triggering “personal injury” coverage. In so holding, the court noted that the policy at issue covered disclosure to “any” person or organization, and therefore covered claims alleging that AOL had made known material that violated the person's right of privacy.

Preventive Measures and Cyber Insurance

Preventive measures are an important first line in addressing cyber threats, but if the worst does happen, cyber insurance may be critical to a business' reaction to, and recovery from, a cyberattack.

Be Proactive!

As mentioned above, cyberattacks can result in some form of loss to the insured's property, result in loss of business income, and subject the insured to litigation from multiple sources. The best defense, as the saying goes, is often a good offense, and this is especially true in the context of cyber threats. Effective cyber defenses are critical to preventing and deterring cyber threats, or at least minimizing the impact of a cyberattack. A sound risk management strategy, a pragmatic and necessary element of doing business in the cyber age, should incorporate the best available technology given the fiscal ability of a business, such as effective antivirus software and firewalls to monitor and protect a business' hardware and software, and software monitoring to ensure that only authorized software runs on the business' systems. Financial and healthcare institutions frequently encrypt their data and segregate it from other systems, but it may be more challenging for smaller organizations, which have limited resources, to similarly protect themselves and their employees' and/or customers' data from security breaches.

Unfortunately, current cyber security technology is generally highly reactive, and not proactive. In other words, the usual scenario is that hackers find their way into a computer system, the business reacts to the security breach, the business modifies its security protocols (assuming the business is even aware of the breach), and hackers then seek to find another way to breach the business' cyber security measures. As cyberattacks are becoming more invasive and sophisticated, one technology-oriented article advocates an alternative to the traditional review of historical data, i.e., computer logs of past transactions: “If we are to defend ourselves, to offer true cybersecurity defense capabilities, we must be in front of these microsecond attacks, not just historically analyzing and sharing the information post-attack. We must move from reactionary cybersecurity methodologies to real-time proactive technologies.” Cybersecurity: Taking a Proactive Approach is Key, available at http://www.digitalcommunities.com. (Emphasis added.) The cost of such real-time proactive technologies is quite high, and some question whether or not it is really necessary. Furthermore, it is only a realistic option for governments, and business entities with substantial financial resources, and is out of reach for small businesses.

Technology is not the only component of an effective, and proactive, risk management strategy. A business should also consider: 1) monitoring employees (as internal fraud can be a significant factor in cyber threats); 2) protecting computer hardware (most notably laptop computers) from theft of the hardware and of the information stored on it; and 3) maintaining (and periodically updating) an inventory of devices connected to the business' network (such as servers, workstations, laptops and remote devices). See generally Top 5 Priorities for Proactive Cybersecurity, available at http://www.symantec.com.
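The inventory in item 3) is only useful if it is regularly checked against what is actually on the wire, which also gives early warning of the hardware theft in item 2). The following Python script is an added example, not code from the article or its authors: it reconciles a device inventory with sightings harvested from a DHCP lease log or a periodic ARP sweep and reports devices that are unknown, never seen, or not seen recently. The "mac,hostname,owner,role" inventory format, the "timestamp,mac,ip" observation format and all of the sample records are assumptions constructed for the example so that it runs offline.

```python
"""Reconcile a device inventory against devices actually seen on the network.

Added example, not part of the article. Assumptions: the inventory is kept as
"mac,hostname,owner,role" records, and observations are "timestamp,mac,ip"
lines such as a DHCP lease log or periodic ARP sweep might produce. Both are
constructed inline so the script runs offline.
"""
from datetime import datetime, timedelta

# Constructed sample inventory: what the business believes is on its network.
INVENTORY = """\
# mac,hostname,owner,role
aa:bb:cc:00:00:01,fileserver01,it,server
aa:bb:cc:00:00:02,ws-accounting-03,finance,workstation
aa:bb:cc:00:00:03,lt-sales-07,sales,laptop
aa:bb:cc:00:00:04,lt-ceo-01,exec,laptop
"""

# Constructed sample observations (timestamp,mac,ip). One MAC is not in the
# inventory, one inventoried laptop has not been seen for a month, and one
# inventoried laptop has not been seen at all.
OBSERVATIONS = """\
2016-05-30T08:02:11,aa:bb:cc:00:00:01,10.0.1.10
2016-05-30T08:05:40,aa:bb:cc:00:00:02,10.0.2.23
2016-05-30T09:12:03,DE:AD:BE:EF:00:99,10.0.2.77
2016-05-01T17:45:00,aa:bb:cc:00:00:03,10.0.3.41
2016-05-29T11:00:00,aa:bb:cc:00:00:02,10.0.2.23
"""


def parse_inventory(text):
    """Return {mac: {hostname, owner, role}}; MACs normalised to lower case."""
    devices = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, hostname, owner, role = (f.strip() for f in line.split(","))
        devices[mac.lower()] = {"hostname": hostname, "owner": owner, "role": role}
    return devices


def parse_observations(text):
    """Return {mac: {"when": latest sighting, "ip": ip at that sighting}}."""
    last_seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, mac, ip = (f.strip() for f in line.split(","))
        when = datetime.fromisoformat(ts)
        mac = mac.lower()
        if mac not in last_seen or when > last_seen[mac]["when"]:
            last_seen[mac] = {"when": when, "ip": ip}
    return last_seen


def reconcile(inventory, observed, now, stale_after=timedelta(days=14)):
    """Classify discrepancies between the inventory and the observations.

    unknown: seen on the network but not in the inventory (rogue or undocumented)
    missing: in the inventory but never observed (possibly stolen, or the inventory is wrong)
    stale:   in the inventory but not seen within stale_after (same concern, weaker signal)
    """
    unknown = sorted(mac for mac in observed if mac not in inventory)
    missing = sorted(mac for mac in inventory if mac not in observed)
    stale = sorted(
        mac for mac, rec in observed.items()
        if mac in inventory and now - rec["when"] > stale_after
    )
    return {"unknown": unknown, "missing": missing, "stale": stale}


def run_example(now=datetime(2016, 5, 31)):
    """Run the reconciliation over the constructed data with a fixed clock."""
    return reconcile(parse_inventory(INVENTORY), parse_observations(OBSERVATIONS), now)


if __name__ == "__main__":
    inventory = parse_inventory(INVENTORY)
    for category, macs in run_example().items():
        for mac in macs:
            name = inventory.get(mac, {}).get("hostname", "<not in inventory>")
            print(f"{category:8s} {mac}  {name}")
```

A MAC address is trivially spoofable, so a clean report is a tripwire rather than proof that only authorized devices are present; the value of the check is that an undocumented device, or a laptop that silently stops appearing, is surfaced while there is still time to act rather than discovered during a breach investigation.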

Get Coverage!

As a result, insurance for cyberattacks should be an integral part of a company's cost of doing business because traditional policies, as addressed above, were not intended to cover cyber events/data breaches. Cyber insurance can afford a business protection from potentially significant financial losses and provide guidance as to how to respond to the cyberattack, including support from the insurer's data breach and crisis management professionals.

Cyber policies may afford coverage for replacement of the insured's computer software and hardware, various costs associated with a data breach (including crisis management fees, forensic investigation, publication expenses to notify potentially affected customers, identity restoration services, fraud protection, and credit monitoring), business interruption, regulatory fines, and cyber extortion. The policies may also respond to suits from, for example, customers with respect to disclosure of their PII/PHI, or governmental entities such as the FTC for failure to maintain reasonable data security for the PII/PHI (see FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. 2014)), and may afford defense costs and indemnity coverage for damages, settlements, and judgments from third-party claims arising out of a data breach.

However, not every cyber-related suit triggers coverage. In Travelers Property Casualty Co. of America v. Federal Recovery Services, Inc., 103 F. Supp. 3d 1297 (D. Utah 2015), the court ruled that the claim asserted against the insured, which was in the business of processing, storing and transmitting electronic data, did not fall within the insuring agreement of a cyber insurance policy that included “errors and omissions liability coverage.” The customer's suit alleged that the insured had failed to effect a transfer of data because it intentionally withheld the information; the court held that such intentional withholding is not an error or omission, and that the insurer therefore had no duty to defend.

In addition, as noted above, cyber policies may contain significant limitations and exclusions, which can greatly vary by policy form. Some cyber insurance policies may not cover breaches caused by a third-party contractor, such as a billing company or a cloud provider. Common exclusions apply to losses caused by network and systems interruptions, power loss, seizure by governmental authority, failure to ensure that a computer system is reasonably protected by security practices and systems maintenance procedures, foreseeable loss, acts of terrorism, wear and tear on computer systems, employee actions, harm to reputation, software infringement, and contractual liabilities. Some policies also require the use of pre-approved vendors when responding to a potential data breach.

Many costs associated with data breaches, such as forensic analysis and customer notification costs, may fall below the deductibles in the cyber insurance policies. Furthermore, costs can vary greatly between small and large corporations, so the particular coverage should be tailored to the needs and size of the business. Policy sublimits can also restrict the amount of the insured's recovery. For example, the U.S. District Court for the Eastern District of Louisiana, in New Hotel Monteleone, LLC v. Certain Underwriters at Lloyd's of London, 2:16-cv-000061, is considering whether the “payment card industry fine” endorsement containing a $200,000 sublimit is applicable instead of a $3 million coverage limit. Those Certain Underwriters at Lloyd's, London who subscribed to the policy are seeking to enforce the policy's international arbitration agreement, and the other insurer involved, Eutis Insurance Co., has filed a third-party complaint against the wholesale broker upon whom Eutis Insurance Co. relied in the placement of the policy, inasmuch as it had no expertise in cyber insurance and relied upon the wholesale broker's cyber coverage team.

While cyber insurance can greatly mitigate losses arising from data breaches, as with any standard insurance policy, an insured must carefully review the coverage offered, including the limitations and exclusions, in order to ensure that the level of desired coverage is procured.

Other Sources of Recovery

A company should also consider other sources of potential recovery, such as the existence of indemnity agreements with vendors and other entities with which the company does business. In addition, the company may also determine if it is an additional insured under the vendor's policy, for example.

Conclusion

No one is immune from the impact of cyber events. Individuals, professionals, small businesses and sophisticated corporations have all been victims of data breaches. Adequate precautions and protections are key, and businesses that do not make a sufficient good-faith effort to guard their computer data, as well as the data received from their employees/customers, may be subject to suits from their shareholders, consumers, and regulatory agencies.

All companies, regardless of size, should have an incident response plan so that they can respond promptly and effectively to a data breach. Prompt discovery is critical to defending against cyber events. Companies that fail either to discover attacks in a timely manner or to respond effectively may suffer damage to their brands, and CEOs and other officers of companies that are victims of cyber events may be required to resign from their positions.

Case law involving insurance for cyber claims, under both traditional policies and cyber policies, is evolving. Coverage under traditional insurance policies, which were not designed with the cyber age in mind, is uncertain and highly dependent on the particular facts of the case, the applicable law, and a court's interpretation of the express provisions of the policy. While cyber insurance policies afford much-needed coverage in this cyber age, they contain significant exclusions of their own, which should be carefully reviewed by the prospective insurance buyer.


Ann Marie Petrey and Eric Leibowitz practice at White, Fleischner & Fino LLP. This article is written for educational purposes only and does not constitute legal advice or reflect any advice given by White Fleischner & Fino LLP to its clients or the views and opinions of any clients of the firm.
