Bernstein Shur Monthly – November 2017

Bernstein Shur was Proud to Sponsor the MEbiz NEXT Awards

Recognizing ME’s entrepreneurs and business leaders whose hard work and risk taking is helping our economy and state grow.

As a 100+ year old ME law firm, we understand and appreciate what it takes to do business here and be successful in ME. We celebrate all of the honorees who have the vision, tenacity and passion to make the lives of those around them and throughout the state, a better place to work and live. We share that belief in ME’s continued growth and potential to continually reinvent itself.

Bernstein Shur is especially proud to represent several of the NEXT award winners and to have played a small part in their endeavors, including:

• Ben Waxman founder of American Roots, 100% American made customized fleece apparel
• JB Turner, President of Front Street Shipyard in Belfast, a unique full service marina and facility
• Dan Klebman from ME Beer Company which has grown from small beginnings into a landmark business operation in Freeport, and
• Jim Brady with whom Bernstein Shur has worked on multiple projects over the years, honored as President of Fathom Co. by the NEXT awards.

All of the NEXT award winners, seven in total, represent some of the best and brightest of our state’s business endeavors. Year after year the NEXT awards showcase both new and emerging talent as well as success stories decades in the making, and Bernstein Shur is glad to be able to both celebrate and participate in this ME tradition of excellence.

Top Tips on Fraud & Cybersecurity

Is your company prepared for when?

October was National Cyber Security Awareness Month, and Camden National Bank partnered with Launch Security and Bernstein Shur to offer expert advice on managing fraud and cybersecurity for local businesses. The Association of Financial Professionals (AFP) conducts an annual payment fraud and control survey. According to the 2016 survey results, published May 2017, a whopping 74% of corporate respondents reported that their company fell victim to payment fraud in 2016, making it the largest year on record. Fraudsters are continuing to succeed in their attempts to attack organizations. The main take-away: ongoing awareness and preparation are key.

Check out these top tips from Susan Giffard, Director of Treasury Management & Government Banking at Camden National Bank, Rob Simopoulos, Co-Founder of Launch Security, and Tony Perkins, Attorney and Chief Information Security Officer at Bernstein Shur.

What are the most common kinds of cyberattacks?

First, it is important to understand where cyberattacks come from and what they typically look like. Rob Simopoulos shared that phishing emails are the most common attack method, and attackers often work to disguise themselves as company employees, customers, or vendors. These emails can often be difficult to identify. According to the FBI’s public service announcement from May 2017, Business Email Compromises (BEC) and email account takeover is now a $5 billion scam that targets unauthorized transfers of funds.

Susan Giffard shared that criminals can do easy research on companies through public websites, press releases, social media, and more. Fraudsters will then look for ways to trick employees into believing emails with this information are authentic. Be on guard for payment scams—in particular, pay attention to requests that:

• Have a sense of urgency or a need for confidentiality
• Add a new supplier vendor contact representing the company
• Update a payment account
• Changes to payment instructions  or payment type (check to wire)
• A sudden change in business practice

Businesses are also seeing an increase in corporate payment fraud—primarily through fraudulent checks and wire transfers. According to the AFP’s 2016 survey, checks have been (and continue to be) the payment most exposed to fraud, but only 10% of the companies targeted incurred a financial loss as a result. Lack of positive pay and clerical errors were two primary reasons for financial loss due to check fraud. Organizations use positive pay to guard against check fraud; it is a well-established and effective method of protecting payments.

What can you do to prepare?

Susan recommends that businesses form a strong relationship with their bank – “Banks are constantly trying to stay one step ahead of fraudsters. It’s important to discuss the products and tips available to prevent fraud with your banker. Additionally, we encourage annual relationship reviews with your treasury management officer to include reviewing all online access and users, signers on accounts, email alerts and more.”

Use the most secure methods to send online wire transfers with dual controls from different computers plus multi-factored authentication Token device or Token app. Preset wire transfer limits with your bank and add email alerts to someone outside of your accounting or treasury area when wire transfers are executed. Businesses can apply the practical strategy of turning on a multi-factor authentication for all systems. Rob recommends the resource: www.turnon2fa.com to learn how to turn on this feature.

It is key for businesses to review and upgrade their service contracts with technology and service providers. For example, pay attention to contracts with the following:

• Data/document storage and “cloud storage” service providers
• Outsourced information technology service providers
• Outsourced billing and payment processing companies
• Financial institutions
• Contractors with access to offices and data and records storage facilities (for both electronic and physical records)
• Payroll and healthcare benefits processing companies

Tony Perkins advises, “These contracts should ensure that the parties responsible for the handling, processing and storage of sensitive data are both protecting data and agreeing to bear the liability and related costs in the event of a data breach due to their actions (or inaction).”

However, contracts cannot eliminate all risks of a data break or cybersecurity threat. Tony shared that businesses can also attempt to cover risk through cyberliability insurance. This kind of insurance has become more common an affordable in recent years, but the industry has not yet established standard coverage elements, and coverages can vary significantly. Working with an experienced insurance broker and a knowledgeable insurance coverage attorney is key. Sample areas of coverage include data loss, business interruption, breach notification, public relations, customer credit monitoring, and defense costs. But please remember: “one size does not fit all.”

Make cybersecurity part of your work culture. Rob advises, “All employees should receive ongoing awareness training on what to look out for. Cybersecurity should be treated as a core business function that runs through the entire organization. Business owners and executives need to lead the entire company through a change in ‘cybersecurity posture’ from top to bottom. Safety in the workplace has shifted through awareness training and HR initiatives, and so should cybersecurity efforts.” Some companies even test employees with simulated email phishing attacks in order to teach awareness and best practices.

What should you do if a breach happens?

Despite the best preparation, a breach may still occur. Tony shared that laws vary by state, but currently, 48 of the 50 states have data breach notification laws, and each is somewhat different. In general, state laws dictate what needs to happen in order to avoid liability for a failure to alert customers, clients and/or employees of a suspected data breach.

Tony recommends the following critical steps in the event of a suspected data breach:

1. Technical assessment of what occurred and steps to prevent further breach or harm
2. Appropriate team of responders – outside IT professional, attorney, C-level staff
3. Evaluate data breach notification statutes – you may need to comply with more than one state statute based on residence of customers and employees impacted
4. Appropriate notice to insurance carrier
5. Action plan based on findings, including potential notice to parties impacted
6. Potential notice to governmental officials or agencies depending on statutory requirements
7. Documentation of all steps taken and maintenance of records of all technical findings, notices and communications.

After the initial response is completed, it is important to evaluate all aspects of your data technologies, service provider contracts, insurance coverages, and employee trainings. Tony recommends repeating these evaluations on a regular basis to stay on top of best practices and legal requirements.

In the fight against fraud, a little knowledge across your entire organization goes a long way. Plan for when you have fraud attack, and be sure to keep your company’s plan up to date.

For more information, please reach out to Tony Perkins, Attorney and Chief Information Security Officer at Bernstein Shur.

Property Tax Alert: Revision to Poverty Abatement Procedures

An important new amendment to 36 M.R.S. § 841 has changed how municipal officers conduct poverty abatements for property taxes. Effective as of Wednesday, November 1, 2017 the “primary residence” for a poverty abatement applicant now means:

…[T]he home, appurtenant structures necessary to support the home and acreage sufficient to satisfy the minimum lot size as required by the municipality’s land use or building permit ordinance or regulations or, in the absence of any municipal minimum lot size requirement, as required by Title 12, section 4807–A.”

This new definition is intended to address homeowners seeking poverty abatements not only for their homestead, but for extended acreage around their home that is unnecessary to support the homestead. The revised law attempts to strike a balance between those in need of poverty abatements and the interests of other property taxpayers by limiting the abatement to the applicant’s home and the structures and property necessary to support the home.

The revised statute also eliminates the ability of municipal officers to consider an applicant’s credits from the Property Tax Fairness Credit program when determining whether the applicant can contribute to the public charge. Municipal officers should familiarize themselves with these changes, and be prepared to incorporate them into future poverty abatement proceedings.

If you have any questions regarding property tax abatements, please contact N. Joel Moser at (207) 228-7155 or jmoser@bernsteinshur.com.

Bernstein Shur’s Property Tax and Valuation Team is ready to partner with municipalities, tax practitioners, businesses and individuals on property tax matters.

Financial Disclosure Standards for Credit Enhancement Agreements

Recently, the Government Accounting Standards Board (the “GASB”) revised its financial reporting guidance for “tax abatements” that governments provide to companies and individuals. According to the GASB definition of tax abatement, in ME, it applies to what we commonly call credit enhancement agreements (“CEAs”) pursuant to a municipal tax increment financing district. A credit enhancement agreement is an agreement between a local government and a private entity whereby the government agrees to remit some future tax revenue to a particular private entity as an economic development incentive.

GASB’s position is that full disclosure of credit enhancement agreements improves the ability of third parties to assess the government’s financial health and future.  Accordingly, GASB Statement No. 77 requires governments which enter into CEAs to disclose the following information:

• Brief descriptive information regarding the CEA; including the tax amount being abated, the authority under which the credit enhancements are provided, and the types of commitments made by the credit enhancement recipient.
• The projected gross dollar amount of the foregone tax revenue during the term of the CEA.
• Commitments made by the governments, other than to provide credit enhancements, as part of the CEA.

Governments are also required to report on the CEAs or agreements of other governments that limit their ability to collect tax revenue in their own jurisdictions. The required disclosures for those types of agreements include:

• The names of the governments that entered into the agreements.
• The specific taxes being abated.
• The gross dollar amount of taxes abated during the term of the CEA.

For the ME governments which have credit enhancement agreements, these reporting requirements impose new obligations. Government finance officers should study them carefully and contact their attorneys for assistance.

Shana Cook Mueller and Zachary Brandwein