Spotlight on Public Finance, Spring 2019
Spring 2019 Newsletter
Featured Articles Attorney Spotlight
1 6 7
Attorneys in Action
8 9 9
Did You Know?
FEATURED ARTICLES Hackers Continue to Target Public Sector Entities; Credit Ratings and Infrastructure at Risk By Phil Bezanson and David Springer Over the last year, hackers have targeted state, municipal and local government entities at a seemingly unpresented rate. In an article published last spring, we highlighted our concerns that hackers were increasingly pursuing lower profile and less protected targets as the federal government and large private companies strengthened their defenses. The pace of this trend will likely accelerate through 2019 and continue to threaten budgets, credit ratings, public trust, and the functioning of physical or emergency infrastructure. The Threat In the first quarter of 2019, cyber-attack victims included the City of Akron, Ohio, Jackson County, Georgia, the Aurora City (Ohio) School District, Boston’s public legal defender service, and a massive semi-public aluminummanufacturer in Norway (among others). Most of the recent incidents appear to have been financially motivated—with hackers either holding networks hostage for ransom payments or directly stealing sensitive financial information. Although technical methods used continue to evolve, financially motivated cyber-crime still tends to fall into three threat categories: Business email compromise schemes. It is likely that the most pervasive cyber threat does not involve hacking in the traditional sense. Criminals often send emails that appear to come from an internal executive, accountant, regulator or other trusted third- party who directs an unwitting employee to initiate a bank transfer to an account controlled by the criminal (no longer just requests from a “deposed prince”). Well-meaning employees trying to satisfy urgent requests frequently fall victim to this scam, which is low-cost and low-risk for the criminal. Public entities are especially susceptible to business email scams because open records and open meetings laws and transparent operations make it easy for criminals to conduct reconnaissance on employees and transactions.
Spotlight on Public Finance | 1
Ransomware. Criminals and foreign nations continue to use malicious code that locks users out of their systems or data in an attempt to extract ransom payments. Systems can be infected by visiting a compromised website or by opening a malicious email attachment—often a spoofed email as described above. Once introduced to a network, this malware can quickly spread to other devices. Just last month, officials in Jackson County, Georgia paid $400,000 to hackers who used ransomware to take over the county’s network.1 The incident reportedly took down all online county services other than a public website and the 911 system. “We had to make a determination on whether to pay,” a county official said.2 “We could have literally been down months and months and spent as much or more money trying to get our system rebuilt.” Ransom payments are legally or politically untenable for some public entities, and generally are discouraged by the FBI, but officials may be faced with stark realties that make paying seem like the most efficient response. Data breaches . The most familiar type of cybersecurity incident—the theft of large amounts of sensitive personal or financial data— is a significant and constant risk for public entities. In a recent, characteristic example, hackers targeted the City of Bakersfield’s online payment processing system.3 Someone inserted code into the City’s Click2Gov system, which it used to process payments for building permits, utility bills and other activities.4 The code captured payment card data and the City believed that the “information taken includes name, address, email address, payment card number, expiration date and security code.”5 Approximately 2,400 citizens were affected. Credit and Infrastructure Risks The consequences of financially-motivated cyber incidents can reverberate beyond direct losses and costs. Both Moody’s and S&P Global Ratings have recognized that cyber incidents have the potential to impact to credit worthiness. “We haven’t yet moved a credit rating due to cyber risk or a cyber event, but we see the likelihood of credit-rating impact as steadily increasing,” a Moody’s executive told CNBC.6 Similarly, a recent S&P report noted the increased targeting of the public sector and concluded that successful attacks can erode public trust to the point of impacting public trust and taxing capacity.7 Although most targeting of state, municipal, and local government entities is financially motivated, the risk of physical disruption is real. Actors who intend to disrupt tangible services or destroy of infrastructure may target such entities to gain a foothold in a network that controls systems in the physical world. For example, the City of Baltimore’s 911 dispatch system was hacked and partially shut down last spring. The hack targeted the system that “populates 911 callers’ locations on mapping systems and makes connecting them with the closest emergency responders more efficient.”8 The city was forced to fall back on a patch-work of manual workaround while the affected servers were isolated and fixed. On a larger scale, last year the federal government indicted Iranian hackers for illegally accessing the control system of a dam in Rye, New York. Further, multiple reports claim that the U.S. power grid is continually probed by a variety of actors, not entirely dissimilar from preparations for a cyber-attack that took down Ukraine’s power grid in 2015.9 Actions to Take Many in the public sector are taking the threat seriously. For example, New York City has set up its own NYC Cyber Command, a “centralized organization created by Executive Order to lead the City’s cyber defense efforts, working across more than 100 agencies and offices to prevent, detect, respond, and recover from cyber threats.”10 That is good news, but such costly measures are not a practical option for all municipal entities. Fortunately, there are some practical steps that can serve as the foundation of a cyber risk management program. • Employee training . “Human error is a major factor in breaches, and trusted but unwitting insiders are to blame.”11 Familiarizing employees with the threat their organization faces, and how to respond if an incident does occur, is probably the most important thing an organization can do. Catastrophic incidents can be, and sometimes are, avoided by employees who were trained to recognize a potential threat and know how to respond.
Spotlight on Public Finance | 2
• Anti-Spoofing . The FBI has said the best way to avoid being exploited by a business email compromise scheme “is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on e-mail alone.”12 Technical options are also available, including some built into standard Microsoft office products, that provide warnings to email users when a message may not be coming from who it claims to be from. Enabling such warnings is a low-cost and often effective way to alert employees to spoofed emails. • Quick action . Victims of fraudulent wire transfers generally have 48 hours to notify law enforcement to have a chance to get their money back, or at least freeze the money in place. As with many aspects of cybersecurity, quickly identifying an incident and having a plan—or at the very least knowing who to call—can go a long way to mitigate negative impact. • Basic device hygiene . Broadly, simple steps like enabling firewalls, using antivirus software, and keeping operating systems up-to-date reduce your risk.13 These steps alone will not stop a determined actor, but can cause someone looking for a target of opportunity to move on to a different victim and limit the spread of indiscriminate malware. • Reflect and disclose . SEC guidance to publicly traded companies seems to indicate that the SEC expects companies to conduct careful inward assessments that identify unique strengths and weaknesses, and that disclosures should be tailored to that assessment. Even for public entities not bound by that guidance, internal assessments and tailored cybersecurity risk disclosures may be prudent. • Insurance . Cybersecurity insurance helps organizations manage their risk, but careful note should be taken of policy exclusions. The creativity of cyber criminals makes it very difficult for an insurance policy to fully and explicitly define the bounds of policy coverage, but increasingly insurers are requiring exclusions for some known risks. One example is losses arising from a stolen or misplaced portable electronic device—a potentially high-impact incident but one that can generally be mitigated by developing and enforcing portable device encryption policies. Outside experts can assist with implementing these and other defense and response preparations. At Bracewell, we work with our public entity clients to develop and implement information security plans to reduce risks and to help insulate decision makers from the regulatory scrutiny that inevitably follows a cybersecurity incident. Bracewell lawyers routinely develop cybersecurity policies and procedures; conduct staff training; and respond to cybersecurity incidents by managing all aspects of the response, including the deployment of effective media and governmental communications to mitigate and minimize repercussions—both financial and reputational. For those interested in learning more about cybersecurity, Phil Bezanson and David Springer will conduct a webinar on May 16 to discuss how to create plans to reduce the risk for a cybersecurity incident and what to do if/when it happens. Invitations will be sent soon.
Our team is comprised of a diverse array of lawyers across a range of disciplines, including public entities. Should you have any questions related to cybersecurity, please contact Bracewell lawyers Phil Bezanson or David Springer.
1 https://www.zdnet.com/article/georgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection/ 2 https://www.onlineathens.com/news/20190308/cyber-attack-forces-jackson-county-to-pay-400k-ransom 3 https://www.bakersfield.com/news/city-of-bakersfield-announces-data-breach-from-hacked-click-gov/article_753d61ba-e6d3- 11e8-a527-8316ecef574f.html 4 Id. 5 Id. 6 https://www.cnbc.com/2018/11/12/moodys-to-build-business-hacking-risk-into-credit-ratings.html 7 https://in.reuters.com/article/usa-cyber-municipals/cyberattacks-heighten-credit-risks-in-us-public-sector-sp-idINKCN1L72AK 8 https://www.baltimoresun.com/news/maryland/crime/bs-md-ci-911-hacked-20180327-story.html 9 https://www.wired.com/story/russian-hackers-attack-ukraine/ 10 https://www1.nyc.gov/site/cyber/about/about-nyc-cyber-command.page
11 https://hbr.org/2016/09/the-biggest-cybersecurity-threats-are-inside-your-company 12 https://www.fbi.gov/news/stories/business-e-mail-compromise-on-the-rise 13 https://www.fbi.gov/investigate/cyber
Spotlight on Public Finance | 3
FEATURED ARTICLES Negotiating Your “Standard” Construction Contract By Phillip Sampson and Richard Whiteley
Federal, state and local governments spend billions of tax dollars every year on the construction of public projects. With public agencies being more conscientious about how public tax dollars are spent, it is imperative that construction contracts are initially developed with the most advantageous legal terms. Well-written contracts that clearly define the scope and terms of the agreement can minimize the number of claims and disputes, delays in service, and ultimately, save public agencies money. Construction contract provisions are negotiable. Remember that. Here is a somewhat common scenario. A contractor and owner come to a general understanding on the scope of a construction project and its cost. It is now time to ink the deal. The contractor provides the owner with an AIA contract. The first thing the owner notices is the prominent “AIA Document” label on top, bolded and in large font, together with the recognizable AIA symbol and various copyright and trademark protection information. The document’s title seems fitting: “Standard Form of Agreement Between Owner and Contractor.” The document appears to be on point and as standard as they come. Just fill in a few blanks with the cost and scope-specific information, and the project will be off to the races. Presuming that the contract provisions drafted by the AIA are as protective and beneficial as needed, the owner does not think about altering – or even the allowance of altering – these “standard” terms. So the owner signs the contract, and the project begins. Months later, problems on the project unfortunately arise. The owner and contractor are disputing delays on the project, entitlement to various payments, and whether certain aspects of the work are defective and need to be redone. To determine the parties’ rights and obligations, the owner pulls out the signed, standard contract and reviews the provisions in detail. At this point, the owner begins to realize that some of the contract’s standard terms could have been worded to be a bit more owner-friendly, or at least a little more in line with how the owner now would like to see the dispute unfold or be resolved. But by that time it’s too late. So, up front and early in the process, remember that construction contract provisions are negotiable, even provisions within standard AIA contracts. Of particular interest to owners may be provisions dealing with things such as dispute resolution, venue and jurisdiction, damages limitations, indemnification, and withholding payments: Dispute Resolution – The standard AIA contract allows the contracting parties to choose (i) arbitration, (ii) litigation, or (iii) “other” as the method of binding dispute resolution for claims under the contract. The contract also requires mediation as a condition precedent to binding dispute resolution. Owners should consider whether the likely benefit of conducting an early, mandatory mediation justifies the cost of the mediation process. Some owners may want to strike through the mandatory mediation provisions. Owners should also consider whether binding arbitration – with the ultimate decision ordinarily being made by industry professionals – is more beneficial than litigating in court through a trial by jury. Contractors often prefer and push for arbitration. If an owner prefers the concept of a jury trial, remember that this contract provision is negotiable, and you can insist on dispute resolution through jury trial. Owners should also consider adding “loser pays” language to the dispute resolution provision. Venue and Jurisdiction – The AIA contract requires that the any mediation or arbitration take place where the project is located, unless otherwise agreed by the parties. Depending on your preference and circumstances, consider specifying in the contract the actual agreed location for any dispute resolution proceeding, whether mediation, arbitration, or in court. If claims will be litigated, it is often very helpful to have a written agreement of mutual consent to venue and jurisdiction in a particular court. Damages Limitations – The AIA contract contains a mutual “waiver of consequential damages” provision. The provision details the types of contractor damages that are considered consequential and the types of owner damages that are considered consequential. Owners may consider trying to improve their contractual position by modifying the provision to expand the contractor damages that are waived and to reduce the owner damages that are waived. Owners should also be sure to include as many important details about the project as possible in contract’s “description of project” since items and harm specifically accounted for in the contract are arguably direct, and not consequential, in nature. The AIA contract also leaves blank the terms concerning liquidated damages. Owners should always insert a liquidated damages remedy and negotiate the most protective terms possible. Indemnification – The standard AIA indemnification provision contains language that is somewhat convoluted and restrictive concerning the scope of the contractor’s indemnification obligations. For example, the contractor owes indemnification “but only to
Spotlight on Public Finance | 4
the extent [the harm is] caused by the negligent acts or omissions of the Contractor....” Owners may consider broadening the scope of indemnity by striking through this negligence requirement. Owners may also consider expanding the scope of the indemnity obligation by modifying other language in the provision pertaining to the types of losses covered and the circumstances under which they will be covered. Withholding Payments – The AIA contract contains a detailed process through which a contractor requests payment and the owner makes payment. The “standard” requirements for invoicing and making payments are somewhat rigid. Owners may want more flexibility than is provided by the standard agreement. For example, from time to time owners may want to withhold a requested payment because of issues such as alleged delays, defective work, or excessive invoicing. In order to have a solid contractual basis for withholding payment, the terms of the standard contract should be modified to clearly provide a right to withhold payment under certain circumstances. Such circumstances may involve, for example, during a “good faith” dispute, or while the contractor is in breach of the contract’s terms, or if the work for which payment is requested is allegedly defective, or as an offset. Owners may also consider including a provision barring the recovery of interest on overdue invoices to the extent payment of the invoices has been withheld because of a good faith dispute. These are just a few of the many important AIA contract provisions that should be studied carefully when negotiating your construction contract. Provisions dealing with liens, delay claims, change orders, force majeure, contract termination, and several other topics should also be of interest to owners. Engaging experienced legal counsel to assist with negotiations is often helpful to navigating your way through the provisions and process. Suffice it to say, when heading into a large scale construction project, be sure to carefully consider how the “standard” AIA contract terms may affect your rights and obligations. Don’t hesitate to suggest changing the standard contract by modifying, removing, or adding particular language or provisions. Construction contract terms are negotiable, even in the standard AIA contract, so always keep in mind negotiating for a better contract. Should you have additional questions on construction contracts, please make plans to join Bracewell construction litigation partners Phillip Sampson and Richard Whitely on July 10, 2019 for a webinar where they will discuss provisions in your construction contracts that will dictate the confines of your construction dispute. Invitations for the webinar will be sent soon.
Spotlight on Public Finance | 5
Mona Cannon | Counsel, Houston Mona Cannon focuses her practice on economic development and public law matters. She represents and advises special districts and governmental entities as general counsel. She also serves as bond counsel, borrower’s counsel and disclosure counsel to cities, counties, special districts, state agencies and nonprofit organizations. Mona has a broad range of experience in transactions involving economic development and real estate matters, in which she manages the acquisition, financing, development, construction, leasing, divestment and operation of commercial real estate for clients in the public and private sector. What are your specialties within public finance? My practice focuses on representing special districts and other governmental entities in transactions that involve real estate and economic development matters. I advise clients on aspects of financing, development and construction of public projects, and assist in drafting and negotiating a variety of project development agreements, including construction agreements, economic development agreements and reimbursement agreements.
What do you like best about your practice?
I enjoy the multifaceted nature of my practice and the opportunity to work cross-functionally on a wide range of real estate and public finance projects.
How do you like to spend your free time? My family and I love to travel, but specifically to beach destinations. We, as beach lovers, believe that a trip to the seashore is the easiest way to adopt a sense of calm and relaxation. To us, the beach has a special way of renewing our perspectives and bringing us all back to our lives with clear minds. Our favorite beaches are Seven Mile Beach in Grand Cayman and Grace Bay Beach in Turks and Caicos.
What is your favorite thing about Houston?
Houston has so many great attributes, but since I am a foodie, I would have to say my favorite thing is the dynamic food scene and stellar Tex-Mex.
What would people be most surprised to learn about you?
I love Salsa dancing! Although I am somewhat of a novice and do not get to dance often, one of the items on my bucket list is to compete in an amateur Salsa competition.
Spotlight on Public Finance | 6
EVENTS Webinar - Understanding Cyber Threats to State and other Governmental Entities
Cyber criminals have targeted state and local governmental entities at an alarming rate. The threat and scale of cyber-attacks is unprecedented. Bracewell lawyers Phil Bezanson, Ed Fierro and David Springer will host a webinar to highlight the risks that cyber-attacks pose to state and local governmental entities by analyzing examples of attacks on certain municipalities in the United States. We will discuss how cyber-attacks impact budgets, financings, credit ratings, public trust and the functioning of critical infrastructure. Also, we will address how to prepare for and reduce the risk of a cyber-attack if – or when – it happens.
Thursday, May 16, 2019 12:00 p.m. – 1:00 p.m. CT
Webinar - Public Entity Construction Contracts: The Pivotal Dispute Provisions Each year cities, counties, states, municipal utility districts, school districts, park conservancies, tax reinvestment zones and other public entities spend billions of dollars on construction projects. As a result of these projects, time-consuming and costly complications such as construction project delay claims, defective workmanship, force majeure claims, lien issues, insurance issues, jurisdiction, payment issues and indemnification issues may arise. It is critical for public entities to have a firm understanding of the construction process and to implement thoughtful contract provisions. Please join Bracewell construction litigation partners Phillip Sampson and Richard Whitely on July 10 for a webinar where they will discuss provisions in your construction contracts that will dictate the confines of your construction dispute. Topics to be discussed include:
- arbitration provisions - venue and jurisdiction
- recovery of consequential damages - recovery of attorneys’ fees and costs - force majeure - indemnity obligations
- process establishing legitimate change orders - process establishing legitimate claims for delay
Wednesday, July 10, 2019 12:00 p.m. – 1:00 p.m. CT
Invitations will be sent for each webinar. If you would like to attend or have questions, please contact firstname.lastname@example.org .
Spotlight on Public Finance | 7
ATTORNEYS IN ACTION Upcoming Events Government Finance Officers Association (GFOA) Paul Maco will participate on a 15c2-12 panel at GFOA’s 113th Annual Conference on May 19-22, 2019 in Los Angeles, California. University of Texas (UT) Law Victoria Ozimek and Brian Teaff will be presenting at the UT Law 2019 Higher Education Taxation Essentials conference on June 2, 2019 in Austin on a panel titled “Tax-Exempt Bonds Essentials.” The Workshop (formerly known as the Bond Attorneys Workshop or BAW) presented by NABL Victoria Ozimek will present on the “Tax Diligence and Documentation” panel and Ed Fierro will present on the “Understanding the Role of Municipal Advisors” panel at The Workshop in Chicago, Illinois on September 11-13, 2019. Past Events National Association of Health and Educational Facilities Finance Authorities (NAHEFFA) Jonathan Leatherberry spoke at the NAHEFFA meeting on the topic of Texas law related to conduit issuers on March 27, 2019 in Austin, Texas. Texas Association of School Board Officers (TASBO) Jonathan Frels spoke at the TASBO “2019 Bonds, Buildings & Beyond” in Sugarland, Texas on March 26-27, 2019 in a session titled “Calling a Bond Election.” International Municipal Lawyers Association (IMLA) Paul Maco served as a panelist at the “Understanding the Roles of Attorneys in Municipal Finance Deals & Sailing Through the Storm— What to do When the Government Calls” session at the IMLA 2019 Mid-Year Seminar held March 29 – April 1, 2019, in Washington, DC. Government Treasurers Organization of Texas (GTOT) On February 25, 2019, Jonathan Frels and Ed Fierro presented at the GTOT Annual Conference in San Antonio, Texas on a panel called “New World of Disclosure – Preparing for the Amendments to Rule 15c2-12.” The Institute (formerly known as TSLI) presented by NABL There were three Bracewell speakers on the agenda at The Institute on March 7-8, 2019 in Bonita Springs, Florida. Barron Wallace participated on the “The Life of Disclosure Counsel” panel, Brian Teaff participated on the “Advanced Tax Topics Regarding Qualified 501(c)(3) Bonds” and “Opportunity Zones and You” panels and Ed Fierro participated on the “Living with the 15c2-12 Amendments” panel.
Spotlight on Public Finance | 8
UPDATES Since our last newsletter, our public finance team has distributed a number of federal securities and tax law updates as well as announcements and attorney commentaries. If you missed them the first time or would like to refresh your memory, we have compiled the most recent of our team’s updates here.
Spotlight on Public Finance: Rule 15c2-12 Amendments January 8, 2019 Paul Maco and Ed Fierro
It’s Official! Final Public Approval Regulations Now Reflect the 21st Century January 3, 2019 Victoria Ozimek and Brian Teaff Sophisticated International Hackers Continue to Target the Public Sector December 4, 2018 Philip Bezanson and David Springer How Governments Can Help Put the “Opportunity” in Opportunity Zones November 6, 2018 Brian Teaff , Victoria Ozimek and Barron Wallace
Disclosure Training Webinar November 13, 2018 Jonathan Frels , Paul Maco and Ed Fierro
DID YOU KNOW?
• 51% of all internet’s traffic is fake. Humans make up 49% of traffic; bots and spamming software make up the rest. • The term “hacker” originally meant someone who cuts wood with heavy blows in an irregular or random fashion. In the 1950s, the term began to be applied to people who like fussing with machines. It later took on a negative connotation in popular usage, but many in the computer security community maintain that the term is not inherently negative. • According to the American Institute of Architects (AIA) website, the AIA Documents Committee is comprised of 35 professionals in the fields of design, construction, law and insurance. Together, they work on the nearly 200 forms and contracts that are used as the industry standard for design and construction projects.
Bracewell LLP makes this information available for educational purposes. This information does not offer specific legal advice or create an attorney-client relationship with the firm. Do not use this information as a substitute for specific legal advice. Attorney advertising.
Bracewell is a leading law and government relations firm primarily serving the energy, finance and technology industries throughout the world.
Our industry focus results in comprehensive state-of-the-art knowledge of the commercial, legal and governmental challenges faced by our clients and enables us to provide innovative solutions to facilitate transactions and resolve disputes.
Spotlight on Public Finance | 9
Made with FlippingBook - Online catalogs