Ideas for Businesses and Business Owners Unexpectedly Working From Home Part I

Working from home woman business owner typing and texting.

Well, here we are, at the start of Week 2 of social distancing for Iowa and Minnesota. We are facing restrictions on travel, groups congregating, and operations of businesses. We are advised to stay at least 6 feet away from other people and (say it with me) wash our hands frequently for at least 20 seconds. We are at home with our families and our pets. We have a lot of downtime on our hands—as do our employees.

There is no sugar coating it: this is going to be a very tough time for small and mid-size businesses. Unemployment is up, and sales are down. We recently posted a list of resources for small businesses, including links to a variety of governmental agencies. We will be adding new links and those linked pages will all be updated regularly, so we encourage you to check back regularly. Please also feel free to reach out to us to suggest updates to that list. At the time of this writing, the new Families First Coronavirus Response Act, Public Law No. 116-127, is not yet in effect, and the Department of Labor has not yet provided the details about how it will address the exceptions for businesses with fewer than 50 employees. We will provide information as it becomes available.

While you and your employees are working remotely is a good time to work on some of those long-term projects you’ve been putting off—both personal and business. It may help your business emerge from this crisis in fighting shape. And if you, like so many business owners, have gone online unexpectedly, there are a number of things you may not have had to consider in a brick-and-mortar state that you should start thinking about now. We’ve put together some things to consider working on over the next weeks.

For Businesses Newly Online

If you have never run your business online before, it seems pretty straightforward: build an ecommerce website or move your yoga classes to a Zoom meeting and run with it. But there are a lot of other things to consider when you move online. Here are a few:

  • Sales taxes. If you had only one location and all of your customers came to you before, you needed to pay sales tax only for that location. The calculation changes when your customers are not coming to you. If your business is based in Iowa, look for more information from the Iowa Department of Revenue. If your business is based in Minnesota, look for more information from the Minnesota Department of Revenue. Both states may have special exceptions and updated information as the crisis unfolds, so check regularly for updates. Both states also participate in the Streamlined Sales and Use Tax Agreement, which aims to simplify the sales tax process for online retailers.
  • Website Privacy Policy, Terms of Use, and Terms of Sale. A website’s Privacy Policy explains how the website owner collects and uses data, including personal data, about people who use the website. A website’s Terms of Use are an agreement between the owner of the site and the site’s users. A website’s Terms of Sale are a contract between users who order from the site and the website owner. A Privacy Policy is required by the laws of some states, most notably California, if your website is accessible to users in those states. Terms of Use and Terms of Sale exist to protect the business owner and ensure that both parties know what happens under various circumstances—especially if an item doesn’t arrive, or needs to be returned, a prospect which you may not be relishing at the moment.
  • Liability Waivers. If you are suddenly giving fitness classes online, you have no way of knowing whether the spaces your customers are using are safe. To protect your business, you will want to ensure that your customers understand that they are responsible for ensuring they are using a safe space. If you already have a liability waiver, you may need to update it to reflect the new situation.

If you need assistance with these or any other concerns relating to your unexpected foray into e-commerce, please feel free to contact us.

For Businesses Looking for Things To Do

While it is not for the best of reasons, you and your employees may suddenly have a lot of down time from your regular business work. Especially if you are and/or you have employees scrounging for things to do in the midst of the disruption, this is the perfect time to pursue some of those long-term projects. If you don’t have your own list (or you’ve already worked through it), here are some ideas:

  • Adjust to the times. If your business’s organizing documents require any kind of in-person meeting without exceptions, it’s time to amend those. If you haven’t figured out what video chat software is most compatible with your business model (either free or paid), it’s time to find it. If you haven’t figured out how to work from home with the kids present, or if you have policies in place that make it unreasonably difficult for your employees to do so, it’s time to adjust those.
  • Get organized. Complete the filing. Make sure your electronic records are all in order. If you don’t have a system for managing customers, develop one or find a vendor who supplies one. If you’ve been thinking you’re outgrowing the capabilities of a software program or a vendor you rely on, take some time to do the research and determine what vendor offers the best solution for your business and implement it. If you aren’t there yet but might get there relatively soon, familiarize yourself with the marketplace so you’ll be ready for the transition later.
  • Get ahead. If you have a blog, create some evergreen content (content that will be timely no matter what is going on in the world). If you are a website designer, create some new templates to have ready to go for customers when they are ready to buy. Now is a good time to do any kind of preparatory work that you normally try to get ahead on in the slow times.
  • Take stock of your template agreements. I’ll soon write a post on the neglected Force Majeure clause that everyone is talking about now, but for the moment, this is a great time to evaluate the form contracts you have been using. How have they been working for your business? Do they cover everything that they should? Is there a situation that comes up frequently that isn’t included? Do they match the way your business actually operates? That last one can be a big problem if you just grabbed a form from the internet or if you simply haven’t updated your contracts in several years.
  • Work on legal compliance issues. Sometimes, compliance matters can fall by the wayside, or a new law with a lot of requirements can be too overwhelming to address before it goes into effect. Sometimes, smaller businesses rely on their small size to hope that no regulators will notice their non-compliance. Now is a good time to address the General Data Protection Regulation in the European Economic Area or the California Consumer Privacy Protection Act if you haven’t already.
  • Develop or revisit your trade secret protection regime. A trade secret is a type of intellectual property that creates value for its owner because it is secret. Trade secret protection is used to protect information and/or ideas that: 1) have actual or potential economic value if they are kept secret; 2) cannot be easily ascertained by others who are using proper means; 3) are minimally novel; and 4) are the subject of reasonable efforts to maintain them as secret. A trade secret must be protected in a way that is reasonable under the circumstances—it has to be secret enough to stay hidden, but revealed enough to be useful. Trade secrets should be protected with physical, procedural, and technological means. If you have never created a systematic method of protecting your trade secrets, or if you have but haven’t re-evaluated your method recently, now is a good time to do so.
  • Consider protecting other intellectual property. Registering copyright with the U.S. Copyright Office is not difficult, but is time-consuming. If you aren’t sure how to go about it, we offer copyright registration training remotely, and we’ll get you set up to register your own copyrights going forward. If you already know how to do it, and you suddenly have a lot of free time, now is a pretty good time to get things moving. Registering trademarks with the U.S. Patent and Trademark Office generally takes a little more work and benefits from assistance from an attorney. You can learn more about the benefits of trademark registration from this blog post.

This post is plenty long, so we will stop here; Part II will include suggestions for businesses facing changes, for people contemplating starting a new business, and for helping you to help your business.

If you would like help with any of the legal issues we’ve mentioned above, or any other legal issues, remember, we’re open and able to help with legal issues businesses are facing in this public health crisis. We offer telephone and video chat consultations, including free initial 30-minute consultations. We are also able to work with businesses facing financial hardships at this time. Please feel free to contact us to discuss your business’s options.

Iowa Supreme Court Takes Conservative Approach to Airspace Hazards

Iowa farm grain elevators have height restrictions near airports

Restrictions on land use near an airport are important for obvious reasons. Tall objects create hazards to ascending and descending aircraft, and local land uses that attract large numbers of people produce a greater risk of injury if something does go wrong on take off or landing. Various methods exist to limit building height and land uses; the most familiar are local zoning ordinances. 

The Federal Aviation Administration (FAA) has also enacted rules for airports, known as the Part 77 rules. These rules help ensure the safe operation of the airport by describing “imaginary surfaces” above and around the airport that cannot be penetrated by obstructions like buildings or trees. The rules require that any proposed construction within certain distances from an airport be submitted to the FAA for a hazard determination. Until the FAA performs its assessment, construction is prohibited. The regulations permit the FAA to determine that an obstruction may not be a hazard even if it penetrates a Part 77 surface, if certain mitigating measures are taken.

The Iowa Supreme Court recently decided a case, Carroll Airport Commission, v. Danner, in which local farmers (the Danners) wanted to build a  twelve-story grain leg (bucket elevator) in the flight path of the Carroll, Iowa, municipal airport.  Unbeknownst to the Danners, the airport commission had adopted zoning regulations that limited the height of structures in the vicinity of the airport. The regulations generally match the Part 77 height restrictions. The Danners began construction before notifying the FAA or the airport of their plans. 

 A local airport commissioner saw the Danners’ construction taking place. The commission then told the Danners that the grain leg violated airport zoning regulations and would not be approved. The commission also asked the FAA to perform a hazard evaluation under Part 77. Though the proposed elevator leg exceeded the Part 77 height limits, the FAA made a “no hazard” determination “on the condition the farmer paint it and place blinking red lights on top.”  Despite the “no hazard” determination, the commission refused to grant a variance from its zoning height restrictions and sued to require the elevator leg be torn down as a nuisance. The Danners defended the suit on the basis that, once the federal agency made a “no hazard” determination, that ruling took precedence and the commission was preempted from enforcing a more rigorous requirement.

The Iowa Supreme Court had to decide whether the local airport zoning could be enforced even though it was more exacting than the FAA’s determination. This raises the question of when a federal government action preempts local regulation. The answer implicates the Supremacy Clause of the U.S. Constitution:

This Constitution, and the laws of the United States which shall be made in pursuance thereof; and all treaties made, or which shall be made, under the authority of the United States, shall be the supreme law of the land; and the judges in every state shall be bound thereby, anything in the Constitution or laws of any State to the contrary notwithstanding.

Article VI, Clause 2, United States Constitution

The Supremacy Cause makes federal law the supreme law of the land, which controls over conflicting local law. This leaves open the possibility that local law is enforceable where it does not conflict with federal law. After analyzing the federal regulations, case law, and Iowa law, the Iowa Supreme Court determined there was no conflict between federal and local law here and, in fact, the federal laws contemplated that local rules could be more restrictive. In conclusion, the Court upheld the commission’s finding that the grain leg was a nuisance and a hazard to air navigation and ordered the structure removed.

You Detected a Data Breach. Now What?

You have detected a data breach. Alert!

You are the CEO of a mid-size company. As you are going about your day, minding your business, you get a call from your security department. It’s a call you really didn’t want. Security has detected suspicious file movements and wants your directions about what to do next. You have likely suffered a data breach.

Now what?

Ideally, you will go to your shelf and pull out your executive copy of the company’s data breach plan. But what if you don’t have a plan?

As with most policies, the time to develop your data breach plan is “before you need it.” In this case, it’s important for two main reasons. First, the law requires you to have a plan if you have Massachusetts customers (as part of a Written Information Security Plan, or WISP) or are in one of any number of regulated industries. Second, odds are high that your business will suffer a data breach sooner or later.

If you don’t have a plan yet, you are not alone. About 20% of companies have not yet developed a plan, according to a 2015 Ponemon study. If you do have a plan but aren’t totally confident in it, again, you are not alone. About 2/3 of companies with a plan weren’t confident in their plans in the same study. If you don’t have a plan, or if you do have a plan and wonder whether it covers everything it should, this post is for you.

Your company’s data breach plan should include each of these important elements:

    The Right Crowd. When you develop your plan, you should include at minimum your security, technology, legal, customer service, and PR/communications folks, as well as representatives from any areas specifically affected. For example, include someone from HR when developing policies about handling HR data. Depending on the size of your organization, this group might include anywhere from 2 people to 20. In final form, your plan should include the roles and responsibilities of people from all of these groups as well. If you don’t have the right people in the room from the start, you face the very real possibility of chaos when a data breach occurs.

    Administrative, Technical, and Physical Safeguards. Your plan should cover how you are going to keep your data as safe as possible. You may not be able to prevent every breach, but you can reduce the number and severity of breaches by taking some basic cybersecurity steps. Administrative safeguards have to do with people’s behaviors and knowledge. Examples include policies about access to and use of data, hardware, and software; background checks; agreements; and training. Technical safeguards have to do with preventing access electronically. Examples include encryption, separating identifier and content data, roles-based systems access, and regular logging and auditing of access to systems. Physical safeguards have to do with preventing physical access to sensitive information. Examples include locked filing cabinets, secure workstations, video surveillance, biometric locks, and ID badges.

    Business Continuity. Your plan should tell you how to keep your business running if you do not have access to your computers or files. This may or may not be included in your normal business continuity plan, so be sure to check. A natural disaster that takes out one of your two locations will play out very differently from a ransomeware attack that ties up your entire network.

    Specific Steps. A data breach plan should ideally cover exactly who does what, and when. In the heat of the moment, your employees may not be thinking clearly; your plan should guide them so that they avoid panicked mistakes. In creating the plan, your organization should spend some time figuring out what its greatest vulnerabilities are and how it will address a resulting breach should it occur. (Ideally, of course, you will find ways to reduce these vulnerabilities during the course of developing your plan, but we live in the real world where time and budget are always constraints.) A data breach plan should cover these specific steps:

    • Escalation: When do you contact your internal and external security team and lawyers? When do you contact your Chief Information Officer? CEO? Your board? If there is any indication of a major incident, your first call should be to your data forensics consultant; the consultant will help you avoid accidentally harming your own systems or destroying any evidence. Beyond that, your next calls will depend a great deal on your organizational structure and preferences.
    • Investigation. If your business can afford it, you should enlist outside help with a data breach; legal, PR, and data forensics consultants will have experience that you may not have internally. They will also be able to give you perspective in a stressful situation. It is important to know who you will contact for outside help ahead of time. Be sure to keep their contact information in your breach plan. During the course of investigation, no matter who is conducting it, it is most important that you avoid destroying evidence, notify law enforcement, and ask the right questions: What specifically was compromised? What can we do to prevent further damage? Can this system be quarantined? What data can be salvaged? What data can we still trust? Can we trace who did it? And perhaps most importantly, is it a data breach as defined by law?
    • Most laws and regulations define “data breach” slightly differently from one another. Generally, though, a data breach is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector.

    • Responses/Reporting. If you determine that your incident is a data breach under applicable law, you will need to report the breach. The law or regulation that applies to your situation will tell you who you need to contact. Most of the time, you will need to tell law enforcement and the people whose information was affected by the breach. You may also need to tell investors, state attorneys general, regulators, credit reporting agencies, or the media. In order to expedite reporting, you should consider having template versions of communications to these parties in your data breach plan.
    • Remediation. First, protect your customers from further damage. Make sure that any information that has been placed on the web is removed, including information on cached sites. Second, make sure that your company is protected for the future. Ideally, the same kind of incident should never happen to the same company twice. After the excitement has died down, evaluate what happened. Follow any steps recommended by your data forensics consultant. Consider whether you need to revamp any contractor relationships, contracts, technology, training programs, or physical safeguards.
    • Re-Evaluation and Practice. Take a look at your breach plan. How well did it perform? Would you do something differently next time? If so, amend the plan. If the plan worked well, practice it. You should run internal and external drills regularly, so use this opportunity for another run-through.

And now? If you already have a plan, great! You should make sure it contains all of these elements, then practice it this week. If you do not have a plan, don’t panic! Gather the folks in your company who need to be involved and develop one. This week.

Does your company have a plan? Do you trust that it will work if you need to implement it tomorrow?

What Should I Put in My Company’s Social Media Policy?

Privacy & Data Security

It seems like someone is in the news for getting into trouble on social media almost daily. Many companies have adopted social media policies as part of their employment policies to help guide their employees’ behavior and prevent embarrassing mishaps. If you are considering a social media policy, here are some things to think over and include.

Trust your employees. You wouldn’t have hired them if you didn’t think they were reasonably intelligent adults. Don’t over-do your social media policy, particularly if you go into detail about rules for external communications elsewhere. One of my favorite social media policies is Best Buy’s: short, sweet, and to the point. You don’t want to anger or alienate your employees.

FTC regulations. There are a lot of them, but the ones most relevant to social media policies have to do with privacy (don’t disclose information that doesn’t belong to you) and disclosure of relationships (do disclose a relationship when you could have something to gain from your comments).

NLRB rulings. The National Labor Relations Board has been extremely active in regulating social media policies for the past few years, all on the theory that certain provisions might discourage protected activity. Make sure your policy doesn’t run afoul of any of these rulings.

Public companies. Social media is a must for public companies these days, but public companies are subject to special rules about what they can tell people and when. Remind your employees to think about those rules when posting on social media sites. A single thoughtless comment about what an engineer is working on at work can reveal a great deal more than s/he intended.

Regulated industries. If you are in a regulated industry, social media is not exempt from the requirements for your company’s communications. Remind your employees of this fact and make sure that you have the technology in place to support any documentation requirements.

Use during working hours. Companies approach this one in many different ways. Employees can use social networking as a valuable tool for creating and maintaining working relationships; or they can dither away time watching videos of cats. There can be some overlap there, too; finding that one has a shared love of cat videos with an important customer can solidify a working relationship. You need to take a look at your own company’s culture in deciding whether to restrict use of social media during working hours and on company equipment. Some common approaches are 1) the outright ban, blocking access from work computers (though you cannot physically/technologically prevent people from using mobile devices, without blocking all mobile signals); 2) the partial ban, allowing access only to selected sites or by selected employees who use social media as part of their jobs; or 3) the “use responsibly” policy, allowing employees to choose whether and when to use social media during working hours and on work machines, within reasonable limits.

Intellectual property. One area that your average employee likely does not have to deal with extensively in the normal course of business is intellectual property. Furthermore, the ways in which photos, videos, and so on, are shared on sites like Facebook, Twitter, and Pinterest has eroded the public sense of what is or is not acceptable practice under the law. Your policy may need to spell out the intellectual property practices of your organization, depending upon how and how often your employees have reason to come into contact with them.

Special concerns. You know your company. You know your industry. There are very likely one or two things that should be in your policy that are unique. You know what they are.

What does your company have in its policy? What else do you think a company should include in its policies?

7 Things You Must Know Before You Text Your Customers

Working from home woman business owner typing and texting.

Texting has become a more and more popular mode of communicating with business customers and potential customers. Texts are fast, easy, convenient, and your customers may even initiate the conversation. But there are many traps for the unwary lurking in the texting relationship. Here are seven things to consider before the next time you text with your customers.

You may have to have permission. The Federal Communications Commission has rules prohibiting unsolicited commercial text messages by auto-dialer. That’s quite a lot of jargon, so in translation: you cannot send text messages automatically to many people (let’s call those “mass texts”) that each customer did not give you permission to send. If you are trying to convince the people you are texting to purchase something (e.g., notifying them of a sale), that permission has to be in writing. If you are not trying to convince them to purchase something (e.g., notifying them that you have shipped their order), that permission may be either oral or in writing. The exception is emergency situations, when you may send mass texts without permission.

Emails sent to cell phones as texts are subject to CAN-SPAM. The Federal Trade Commission has rules governing commercial email messages that are sent to cell phones as text messages. You may not have even known that this was possible, but it is, and there are rules about how to do it right. You have probably already heard of the CAN-SPAM regulations. They say that if you send an email that is commercial (as opposed to informational or transactional), you must:

  • Not use false or misleading information about who sent the email.
  • Use subject lines that accurately reflect the content of the email.
  • Identify the message as an ad.
  • Provide a valid physical postal address.
  • Provide information about how to opt out of receiving future emails from you.
  • Honor opt-out requests within 10 business days.
  • Monitor what others are doing on your behalf—you are responsible for your vendors.

Emails sent as text messages must comply with both the FTC’s rules about content and the FCC’s rules about permission. Importantly, CAN-SPAM applies no matter how many email messages you send. Even a single email you send directly to an existing customer as a text message would be subject to the CAN-SPAM rule.

You have to include certain information. For plain old mass texts of the non-email variety, you should provide information about who is sending mass text messages and about how to stop receiving them. For emails sent as texts, all of the elements of CAN-SPAM compliance have to be included.

Direct texting is less complicated, legally speaking. If you are sending a text to a specific customer with information about something you are doing for the customer, the regulations discussed above do not apply, at least for now. Texting is a communication tool, and you can generally use it as a communication tool. This is true whether your customers are other businesses or individual consumers. That said, you may want to let your customers make the first move when it comes to texting; not everyone appreciates this mode of communication.

Texts can be saved forever. As with all written communication, consider that texts can be saved forever. Be conscious about what you put in writing.

Consider your timing. There are the obvious courtesies of not sending texts to your customers outside business hours unless they have initiated the conversation. Beyond that, make sure you do not send text messages at a time when you know your customers might be doing something where texting could be dangerous, such as driving. Bad timing could cause a tragedy.

Charges to your customers. Although cellular plans with unlimited texting have become ubiquitous, not everyone has this feature. Make sure you aren’t sending so many texts that you could cause a problem for customers who still use older plans. You don’t want to annoy or alienate them.

Updated to add Bonus #8: Beware misdirection. As with email, be very careful not to send a message to the wrong person.

What do you think? Do you text with customers? Has it been a good experience?