News

Living in the Cloud(s)

I wrote about cloud computing in an earlier post and discussed some of the general pros and cons involved with the idea.  For attorneys, doctors and other professionals that are regulated, cloud computing creates some new wrinkles.  For attorneys, protecting the confidences of clients is an ethical obligation.  The unauthorized disclosure of client secrets can lead an attorney to disciplinary action and disbarment.  For physicians and other health care providers, federal laws on the privacy of patient information put providers at risk for substantial fines for inappropriately disclosing patient health information (or otherwise not complying with HIPAA’s privacy and security rules).  Using the cloud for applications that might have such confidential information adds a layer of uncertainty for the practitioner.

On the other hand, cloud computing is coming to a practice near you whether you like it or not.  For example, an increasing number of attorney practice management systems are cloud-based, such as Clio.  Legal research tools like FastCase, LexisNexis, Westlaw and Google Scholar are all cloud-based systems (in the sense that the information being searched is not stored on your local network but in internet-based database repositories that you access through your web browser).  And a growing number of email providers, including Google Apps for Business, Mailstreet.com, and others have been providing cloud-based email solutions for custom domain names.

State bar ethics groups and the ABA have been working on ethics opinions about these cloud-based systems.  North Carolina’s Bar had initially proposed a restrictive rule on the use of cloud computing systems by attorneys in the state.  The NC Bar had suggested that the use of web-based systems like directlaw.com (which allows clients to complete a questionnaire online for specific legal documents which are reviewed by an attorney before becoming final) represented a violation of the state’s ethics rules.  However, the NC Bar later revised its opinion and indicated that cloud computing solutions can be acceptable, so long as the attorney takes reasonable steps to minimize the inadvertent disclosure of confidential information.  “Reasonable,” a favorite word of attorneys for generations, has the virtue and vice of being subject to interpretation.  However, given the pace of change of technology, a bright line rule that favors one system over another faces prompt obsolescence.

In the context of the NC Bar 2011 Formal Opinion 6, for software as a service providers, ethics considerations include: (a) what’s in the contract between the vendor and the lawyer as to confidentiality, (b) how the attorney will be able to retrieve data from the provider should it go out of business or the parties terminate the SAAS contract, (c) an understanding of the security policy and practices of the vendor, (d) the steps the vendor takes to protect its network, such as firewalls, antivirus software, encryption and intrusion detection, and (e) the SAAS vendor’s backup and recovery plan.

Can you penetrate past the marketing of a vendor to truly understand its security practices?  For example, Google does not even disclose the total number of physical servers it uses to provide you those instant search results (though you can learn where its data centers are – there is even one in Finland as of the writing of this article – here).  And, in spite of Google’s security vigilance, Google and the applications it provides have periodic outages and hack attacks, such as the Aurora attack on gmail that became known in 2010.  Other data centers and service providers may be less transparent concerning these security issues.  In some cases, the opacity is a security strategy.  Just as the garrison of a castle wouldn’t advertise its weak spots, cloud providers aren’t likely to admit to security problems until either after the breach is plugged, or the breach is irreparable.

What’s your alternative?  For you Luddites, perhaps paper and pencil can’t be hacked, but good luck if you have a fire, or a disgruntled employee dumps your files in a local dumpster for all to see one weekend.  For those of you that want computer system in your practice, can you maintain these systems in-house in a cost-effective manner?  Do you have the resources to keep up with the software and hardware upgrades, service contracts, backup & recovery tests, and security features to reasonably protect your data?  How does that stack with professional-grade data centers?  Are you SAS-70 or SAS-16 compliant?  Do you know how data you access is encrypted?  In functional terms, do you really exercise more effective control over your security risks if you have IT people as employees rather than a data center under a reasonable commercial contract?

There are a lot of considerations.  And the best part?  They keep changing!

Don’t Be Fooled (Domain Name Registration)

One of my clients forwarded to me an email he received regarding the renewal of his domain name.  The email had the appearance of an invoice for the renewal.  The problem?  The invoice was not from my client’s domain name registrar, but from a vendor that wants my client to transfer his domain away from his existing registrar.

How Does This Work?

If you have a web site, your web site has a registered domain name.  That name (ending with a .com, .net, or another .something) has to be registered with an authorized domain name registrar, like Network Solutions or GoDaddy.  There is an international body, ICANN, that is responsible for approving registrars for the “top level domain names.”  ICANN acts as a coordinator to make sure that a particular domain name is controlled by one responsible registrar, who is the host for translating the domain name into an IP address, which your computer needs to find each internet site that you are trying to reach.  Without such a coordination, the internet would likely stop functioning in that you would be unable to consistently find a web site when you went to visit it.

Underneath the covers, each time you go to visit a web site, your computer asks what the IP (internet protocol) address the domain name you’ve asked for translate to.  For example, my domain, faithatlaw.com, has an IP address of 63.147.127.12.  My computer finds this IP address by asking a domain name server close to it (usually on the same local area network as my computer).  This local domain name server, in turn, asks itself whether it is an “authoritative” server for the domain name, and if not, asks a domain name server above it who is the authoritative server to tell it what the IP address for this domain name is.  Most DNS servers have a list programmed into them of “root hint” or upstream servers to ask when the local server does not know.  Ultimately, (and usually within a few seconds, which is kind of incredible, given that there are billions of computers on the worldwide internet), the local domain name server finds the address and tells my computer, 63.147.127.12.  My computer, in turn, uses this information to point my web browser to where I was trying to go.

This architecture only works if there is one authoritative domain name server out on the internet.  If there were many authoritative servers, each might have a different IP address for the same name, which would mean my question of where to go might be answered differently each time I asked it.  Talk about mass confusion.  So, if you own a domain, you registered it with a registrar.  You pay a fee to have a registration.  Usually you need to pay this fee annually.

The Problem

The problem is that for many business owners, the registration is handled by a web developer, or was done years ago (because you can purchase a web site registration for several years at a time).  It is easy, then, to forget about who you registered with when it comes time to renew your domain name.  And then, it is even easier to be fooled into sending your credit card information to “Domain Services” (the originator of the spam that spurred this posting).  One way to solve this is to setup your domain names to automatically renew with your current registrar.  You can also determine who is your current registrar by performing a “WhoIs” query on your domain name.  You can use this information to determine when your domain name is due to renew.

Be careful – the internet is a wild place.  This is but one way to get into trouble!

Lion Migration from IIS, A Novel

For the new year, we decided to take the plunge and migrate from our old friend, Windows server 2003 with IIS 6 over to Apple’s Lion Server on a shiny new Mac Mini with 8 GB of RAM and a quad processor.  The conversion from Microsoft’s to Apple’s server operating system is not too bad, though much is different between the two systems.  This article discusses some issues and resources for reference for those that are new to Lion.

MySQL

So, first off, we host web sites using IIS 6.  Some of our sites utilize WordPress, which means that we use a back-end mySQL database, and we also run php.  Neither of these applications were originally written for Windows, so both run ok there, but with issues over time.  Lion, of course, underneath is really a flavor of Unix.  This makes mySQL and php happy.  And, the nice people at Apple even have pre-loaded php onto Lion server for you.  However, you will need to install mySQL on your Lion box ahead of time for this conversion.  Here is a link to downloads for mySQL.  Here is also a very good walkthrough of installing and verifying your php, Apache, and mySQL installations.

Also note that with mySQL that there are three separate installation packages that you have to run – the main one is called mysql-5.5.19-osx10.6-x86_64.pkg (yes you want the 64 bit version of this application, not that crappy 32 bit thing you were running on your sad Windows server), but you also need to run the MySQL.prefpane and MySQLStartupItem.pkg so that you can get to this in the Preferences Pane and have it set to automatically run when you reboot).

Remote Access

Oh, but wait.  You might be wondering how you get into your Lion box in the first place to do all of this stuff.  For Windows people, we are used to the whole Remote Desktop thing (or if you are truly desperate, breaking out that spare monitor, mouse and keyboard and plugging them into your shiny new server).  Don’t worry: Apple has some tools for the sysadmin’s remote access.  If you are using, perish the thought, a Mac workstation or laptop, you can use Screen Sharing.  To connect for the first time, you authenticate to the Lion server with a blank user name, and the password is the Mac Mini’s hardware serial number.  From there, you will walk through the initial setup steps (like giving your box a network name, and the like).  Apple also shows you the other couple of options here (because, no, you are not the only person to want to access your box remotely).

The Server and Server Admin Apps

Ok, so now you have you setup the box and have installed mySQL, php and your Apache server.  In case you don’t know where Apache is (because you like to click a play button in the services applet in Windows), there is an application in Lion aptly called, “Server.”  Within that is a big “on/off” button for the web server that you can click to get Apache running.  By the by, there is a more sophisticated set of server tools called “Server Admin” that all the cool kids have downloaded to their Lion server.  (Click here to download that).  You can also do this stuff at the command line in the application called “Terminal” which is in the Utilities group of Applications.  I won’t get into the command line in this article, though there are a number of good references out there if you like that kind of thing (and sometimes, that is the best way to do something!).

Setting Up the Web Root Location

So you now have some setup choices to make, like where you are going to put your web site directories for the web sites you want to host on your Lion.  I’d say put them somewhere isolated, perhaps in their own little folder in the root where you have a way to limit access.  In Lion’s world, this will be a location where “Everyone” will have access, because, you know, the world wide web can come to your little box and see the contents.  I’d guess that putting all this stuff in the middle of your server’s system files would be a bad idea.  If you bought a server with two harddrives, and you aren’t going to mirror the one to the other, you might use the other disk to locate your web files.  Or you could create a partition from the free space and isolate your web files from the rest of the server’s files. Do what you need to do here.

Local DNS for Dev

Once you get things setup, you can then copy your files from your production IIS server over to their new location on the Lion server.  By default, Lion is running DNS for the .home domain (the equivalent of the .dom domain in Windows – local only).  However, you can’t configure DNS with the “Server” application.  Instead, you need “Server Admin” (aren’t you glad you already downloaded this and installed it?  Oh, you didn’t do that yet.  Well, come on.)  DNS lives there (or you can do your unix command line voodoo if you are in to that sort of thing).  The home domain is configured and your server is in it.  If this server is an internet DNS server, you could configure this server to run DNS for an internet domain here.  However, if you want to test your migrated web sites (why would anyone test anything before putting it into production?), you can configure your names here.

Setting up your Web Pages

Once you have done this, you can then declare your new sites in the “Server” application in the Web application.  You add a domain at a time (like test1.home, test2.home, or something lame like that), and tell the web service the location of the files for each site.  You’ll note that the service doesn’t ask you what the default document is for your web site; I think it is assuming that the default page is index.htm (or index.php if you are running php).  If you have a funny named default page, you will probably have to edit httpd.conf to modify the line for DirectoryIndex as follows (or you can just rename your page to index.php/index.htm.  I know, I know, that is too much effort):

#see below, replacing the text in square brackets 
#with your unusual default page
DirectoryIndex [yourcrazyindexpagename].[crazyextension]

Now, you are going to chuckle a bit at this point once you have added your multiple domains into DNS and you configure your multiple web sites, because Lion only will serve up one.  I don’t know why Lion ships this way.  But there is a solution.  Edit httpd.conf and add some entries for multiple domains as noted in the article.  You can also alias subdomains if you want, like http://www.  The downside to this is that if you have to change IP addresses later, you will need to edit internet DNS, add these addresses to your Lion server’s network settings, and then come back here and edit httpd.conf.  And for some reason with Lion, Apple has taken away a GUI configuration for Apache for advanced things like this.  Maybe someone out on the interweb will write one for those of us that are sad and don’t like trying to change these oddly named text files in the System directory.  Also, even more sadly I note that the Snow Leopard version actually had a GUI to do this and Apple took it away from us sysadmins.  I now wander alone in the desert, cast out by Apple.

Ok, I’m out of cheese so I will stop whining.  Needless to say, Apple has its problems too.  If they had everything figured out, we wouldn’t know what to do with ourselves and would probably not have a fabulous  job in IT.

FTP

By the by, you might want to configure ftp access to your web server.  Here is an article to do that.  (If you are going to allow ftp access, this is yet another reason to isolate your web files from the rest of your server files).  FTP access might be helpful if you are going to upload and download files from the web server periodically, and you can stop and start the service if you want to further limit access.  Probably best to also not use root as the user to access files by ftp (or just post your social security number, date of birth, license number, bank account numbers, and all your passwords to all of your accounts to the internet – you know, whatever).

Setting up new MySQL Databases

So, just a few more things to do in order to get your web sites up and running.  If you are using WordPress, you will want to export the tables in your production mySQL database to your new Lion mySQL database.  Ahead of this, you can get ready by creating blank databases on the Lion mySQL server with the same names as in production.  This can be done by logging into mySQL from Terminal, and running the commands:

create database [databasename];
grant all privileges on [databasename].* to
"[webusername]"@"localhost" identified by "[password]";
flush privileges;

In addition, if you have already copied the web files to your Apache server, and configured Apache to serve up these pages, you should be able to run the initial WordPress setup on your Lion box (won’t impact production), and you should be able to get into the wp-admin section and check out your plugins and themes to make sure they are good before importing your data into your mySQL database.  This will create blank tables with the default data of a default WP install – these will all get overwritten in the next step below.

Export/Import MySQL Database Tables

Happily, mySQL for Windows comes with an application you can use to export your database into a single .sql file that you can then execute in mySQL to import the tables and their data.  In Windows, the program is called “mysqldump.exe” and it is installed in Program FilesMySQLMySQL Server 5.0bin.  You run this program at the dos prompt.  With the proper syntax, it will create a .sql file where you tell it to, which you can then use to import all of your data and tables into your fresh mySQL install on Lion.  Here is an article on the syntax for using this function.

Once you have your .sql file for your database, and you have copied it to your Lion server, you can use mysqlimport from within the Terminal application in order to import these tables and data into the appropriate shell database you have for your WP site.  I’ve found that this process works better than using the Export/import features within WP admin, particularly if your site has custom tables for a particular widget or plugin.  My site, for example, had a customized menu that didn’t work in the new site until I just exported all of the data and tables and imported into the Lion install.  You can also simply execute a command at Terminal to process the .sql file that is created by exporting using mysqldump that looks like this:

mysql -u root -pYourPasswordHere NameOfYourDatabase <
/locationofyourMySqlExportFile.sql

Once you run that command, mysql will import and overwrite whatever is in the shell database that you have on your new mysql server.  Of course, if you have anything in there that you want, it will be overwritten.

So that’s it.  Ha ha.  This is not a thing you do in a half an hour, even for an experienced sysadmin.  But this is a perfectly reliable way of hosting web sites.  Lion’s not bad, mostly because you are just running Apache, php and mySQL, all of which work pretty well and have been around for quite a while.  But Lion is cute and cuddly.  For the most part, as long as you avoid those fangs, claws, and don’t get squished under the command line.  Happy computing!

Spam Spam Spam Spam Spam Spam Baked Beans and Spam

“18” year old virgins have recently found online resellers of non-prescription viagra for Magic Jack users that want cheap ski vacations that need health insurance, iPads and Dyson vacuum cleaners at rock bottom, knock off prices!  And all of these thousands of emails have been sent to my account online so that I can help a gentleman from Nigeria move $55 million in money from an African bank account into the U.S. and I can charge a humble $5 million fee to help.  I just need to send my social security number, credit card numbers, street address, and a sample of my signature to a person I’ve never met by email, deposit the bogus cashier’s check in my trust account, and then immediately write a check off the account the next day, well before the bogus check is returned by the collecting bank.

I feel as though I have ended up in the 21st century Monty Python skit about the restaurant that only seems to have “spam” on the menu.  I hear this problem continues, with more than 70% of all email amounting to spam, according to a 2011 article from Symantec (though there was a time that more than 90% of email was spam, so there has been some improvement since those dark days in 2009).  Progress has been made with some service providers that have waged a counter war against spam.  Gmail, for example, group-sources and marks messages as spam based on all messages identified by users as spam across the gmail platform.  This is a surprisingly effective strategy.  My experience has been that there are few false positives.

Previously, email systems were implemented that would check if a message was sent from a known, blacklisted IP address based on a series of independently maintained blacklist databases on the internet.  There have also been other improvements in the background, including the use of special DNS entries, and email gateways that pre-filter messages before reaching the mail server (Symantec had a product it had acquired from Brightmail; Google Apps includes a single-domain license for Postini, which is also generally effective at cutting down spam).  Spam messages often include phishing links, virus-laden email attachments, and other nefarious attacks on users.  Reducing spam makes sense for service providers that are paying, ultimately, for the bandwidth and storage space to process and deliver this junk to users.  We clearly have a way to go to reduce this problem for users.  Until then, if you need male enhancement medicine, are missing out on a $1,000 transfer to your bank account, want to help a political refugee move his family fortune to the U.S., need a usurious student loan, or want to work from home – I’m your guy!

Entertainment Contracts for Businesses

Entertainment businesses operate like many other business enterprises: ultimately, the business must make a profit in order to survive.  One way to help sustain and protect an entertainment business is to document the business relationships through written entertainment contracts between parties that participate in the providing of services to clients.

Ownership Contracts
For example, if several people are business owners, having a written agreement between those owners is an essential ingredient to the business’ success.  Such an agreement will vary based on the business entity, but generally, the agreement should describe each owner’s ownership interest, how management decisions are made, how owners join and depart from the organization, and how the business finances will be managed.

The forms of these agreements will vary based on the kind of business.  If the entity is unincorporated and there are two or more owners (“partners”) who share in the profit or loss of the business, the entity is likely a general partnership and would be governed by a partnership agreement (and, in its absence, state law for partnerships).  If the entity is an incorporated limited liability company, the owners (“members”) would typically enter into a membership agreement.  If the entity is a corporation, the owners (“shareholders”) would enter into a shareholders agreement.  The absence of such written agreements can make things much more expensive later should disputes arise among the owners.

Agency Contracts
For entertainment businesses that act as a booking agent for performers, having a written agency agreement with the performer is an important document.  This contract would clarify the procedures for scheduling and booking performances, might determine whether the agent is exclusive for the performer, what geographic area the agent would book the performers within, how the agent is compensated, among other considerations.

Performer Contracts
Also important to an entertainment business are the individual performers that work for the entertainment business.  Whether or not these performers are employees or independent contractors is an important distinction with substantial legal and tax implications for the business.  Employers understand that an independent contractor can potentially be less expensive than a full time employee because employers can avoid paying certain payroll taxes for independent contractors (shifting the tax burden to the contractor).  However, if the business mistakenly determines a staff member to be an independent contractor, the business may quickly face some very costly back taxes and penalties.

Independent Contractor vs. Employee
Determining whether a performer is an independent contractor or employee is highly fact specific.  There are a series of factors that are used to determine this distinction; these factors may vary by state and by the regulating entity.  However, at its roots, an employee is a person over whom the employer controls both the results of the work performed, and the methods and tools to achieve the result.  According to IRS Publication 1779, the IRS looks at three basic areas to determine if a staff person is an employee or independent contractor: (a) behavioral control, (b) financial control, and (c) the relationship of the parties.

Generally, the more control the business exercises over how the job is done (not just what results are expected), the more the staff person is likely to be viewed as an employee.  With regards to financial control, if the staff person can incur a profit or loss from his/her activities, you have a significant investment in the work that you do, and/or you pay your own business expenses, you are more likely to be viewed as an independent contractor.  And on the relationship of the parties, if the business pays benefits for you (like health insurance, pensions, and paid time off), and there is no written agreement between the parties, the IRS is more likely to view you as an employee.[1]  Independent contractors typically are able to work for several businesses providing similar services within their field.

In Maryland, the Department of Labor and Licensing also considers whether the business retains the right to discharge the staff member, and whether the business provides the tools, materials and the place to work for the staff member.  Typically, the independent contractor would have his/her own tools and materials, and would work from his/her own office or location.  DLLR also indicates that independent contractors are usually in a business that is different from the hiring business; professionals like lawyers, dentists, and public accountants are commonly independent contractors in business for themselves.

There may be other factors to consider besides the ones noted above.  In the entertainment business, musicians are may be independent contractors because they (a) have their own tools (e.g., instruments), (b) they may work for more than one business or band, (c) they typically have a fair amount of time and money invested in their education and equipment to be musicians, (d) the business they work for tends to exercise control over the result (the performance), rather than the specific methods of how the work is performed, and (e) typically organizations that schedule or coordinate performances are in a different business from the performers.  In some cases, performers take a percentage of ticket sales, and won’t get paid if either no one shows up for the event or if the event is canceled.  In those cases, a performer is more likely to be viewed as an independent contractor.

However, there are also factors that might tend to make a performer an employee: (a) benefits for the performer like paid sick or vacation time or health insurance, (b) the exercise of control by the busiess over practice times and location and how a particular musical piece is performed, and (c) the lack of a written agreement between the parties, suggesting that the business may terminate the relationship at will with the performer, without further obligation.

If you aren’t sure if the performer is an independent contractor or employee, you can request that the IRS provide a private letter ruling through filing Form SS-8.  An attorney in your state may also be able to advise you on the state-specific factors and your circumstances.

Other Contracts
There may be other relationships for an entertainment business (such as licensing and royalty agreements for the licensing of copyrighted works, contracts with merchandise distributors, record label and publisher agreements, venue agreements, just to mention a few).  The more that can be documented, the more likely it is that you will get paid and the less likely it is that parties will have disputes.

Documenting relationships in the form of formal, written agreements at the beginning of the relationship can help save headaches and costly mistakes down the road.  Consulting with an experienced attorney can help you to craft effective and binding agreements.


[1] In close cases, the written agreement may determine that the staff person is an independent contractor.

Estate Planning in the Digital Age

One event remains certain for all of us, our inevitable end.  Planning for this eventuality is generally a good idea because you can help ensure that the people that survive you will be able to keep on keeping on.  This is why people have, for generations, written wills, powers of attorney, health care agent appointments, living wills or advance directives, and other legal documents.  All of these documents help to explain who is supposed to get what, and how your affairs should be closed out after your death.  The 21st century, however, has created a new set of problems with the rise of technology and the information age.  What happens to your online life when you die?  And how will your heirs access all of these things?

First off, computer security people have drilled into all of us to not share our passwords with others.  Besides having to change these passwords all of the time, users of most commercial information systems are used to having a password personal to them, which sometimes acts as a digital signature authorizing the commercial vendor to do certain things (for example, to trade stocks, post information, or to pay bills from a bank account).  In addition, security experts have also drilled that we should not write down our passwords, or attach them as post-it notes underneath our keyboards.  Furthermore, we have been taught to have different passwords for different services (so that, in the event of a password loss, the damage that might result would be limited to one or a few systems).  As a result, we probably keep a lot of passwords to a substantial number of systems, but we usually don’t tell anyone what these passwords are.  So what happens when we die?

For myself, I am just thinking about the computer passwords that I use on a regular basis: (a) one for my laptop, (b) one each for online banking at several different banks, (c) a passcode for my iPhone, (d) a passcode for my iPad, (e) passwords for blogs that I maintain online, (f) passwords for my web server, (g) passwords for online web sites that I use like amazon.com, ebay.com, iTunes.  I mean, I even had to create an account in order to update the software that programs my remote control for the T.V. at home!  I’m sure that if I sat down and thought about it, I would be able to write an even longer list.  Without help, I doubt my wife or any of my relatives would be able to access much, if any, of this.  Moreover, if I simply wrote out the whole list, I would have to periodically update my passwords for those systems that require that I regularly update (a growing percentage of my online accounts).

There do appear to be some subscription-based services available online today to help address this conundrum.  Dead Man’s Switch is one such service.  Another is called Death Switch.  There may be other services available.  Obviously, you would want to give some thought to what you are providing to the service, and what security is employed by the service that you sign up to use, given that you may end up leaving with it sensitive information to forward to people that you have designated.  I have not used either of these services.  If you are a user, please feel free to post comments to this post on your experience to date.

The Struggle Over Privacy Online

More and more data is being collected and stored in more and more data centers all over the world as the use and functionality of the internet expands.  Sites like Facebook now have in excess of 800 million users, half of which are active in any particular day.  An almost countless amount of information and data is shared with the public internet on a daily and hourly basis.  In addition, many businesses are using cloud-based services (like Google’s gmail or Google Apps, Salesforce.com, Amazon marketplace, and a host of other solutions) to provide services and products to customers and manage their businesses.  As a result, we keep inventing names for the units of measure to calculate how much data is available throughout the world wide web (I mean, how many people do you know that use the term “exabyte” in conversation, really?).  The problem posed is what in the world all of this data is really being used for.

To answer that question is not simple.  A fair amount of what governs the protection, use and backup of data on the internet are private agreements between the service provider and the person or business who is putting data online.  When’s the last time you stopped and read one of those online “click-through” agreements?  I can’t say most are much fun to review (with an exception for the Sharebuilder user agreement, which took smoke breaks periodically and made entertaining chatter in between paragraphs of heavy-duty legal writing).  Commonly, these agreements (for services designed for consumers) severely limit the site operator’s liability, disclaim any and all warranties regarding the service, and few offer that many protections for your data or your privacy.  (See, for example, Second Life’s Privacy Policy which provides some limitations on data provided to the service, but your ability as a user to control access to your information is relatively limited in comparison to what Second Life may do with information about you.  Google’s Privacy Policy is somewhat more limiting on what Google might do with your data, but you will notice that there is some variation in policies based on the specific product you might be using).

There are also governmental regulations that may govern your privacy.  Facebook recently entered into a consent order with the Federal Trade Commission because of allegations of privacy invasions by Facebook.  Presumably, other nations or international bodies may have jurisdiction over some of the larger companies that operate on the internet.  And, just like other international intellectual property rights may vary by country, privacy regulation also is likely to vary (with some nations like Germany with more data protections than others, for example).  Ultimately, our privacy interests in part have taken a back seat to having “free” applications available to us all the time.  Google’s original product, web search, has historically been free to use by anyone connected to the internet, but only because advertisers have been willing to pay for click-through advertising.  As google continues to dominate the web search market, so has it also benefited from the many advertisers that are able to cost-effectively run ads alongside the web search engine’s results.  These ads are effective because they usually attempt to match up what a user is searching for with a product or service that might be relevant to the keywords.

Facebook (and other social media technologies) have, as well, informed our cultural disinterest in privacy, by providing a forum to post all sorts of the mundane, outrageous, or controversial information and graphics, and quickly disseminate this information to “friends” or the general public.  However, there has not yet emerged a “facebook” for health data (though, perhaps, the rise of health information exchanges and online personal health records may result in such an application).  Lawyers and accountants don’t (at least not intentionally) publish their client’s secrets online.  Our government has in recent years labeled many more documents as secret (and therefore, not as easy to obtain) following 9/11.  There remain islands of privacy in the sea of unfettered information access that is the internet.  If you value your privacy, you may need to pay more to preserve it, or be more discerning in the products and services you contract to purchase.

 

Common Will Problems in Maryland

A will is a document that describes how its author (the “testator”) wishes his or her assets to be distributed to others at death.  Wills are a practical necessity for people that own real or personal property.  These documents, when properly drafted and executed, provide for an orderly distribution of property to survivors of a testator.  In the absence of a will, the law of the place where the person has died will generally determine how that person’s property will be distributed.  Having no estate plan, or an estate plan that is incomplete, can lead to surprises, challenges for survivors, and litigation, making the grieving process that much more difficult for survivors.  Having a plan is a good plan.  Here are a few common problems that you can avoid while you are planning for your estate.

No Will

Not having a will is a common problem for many people.  The next best thing to not having a will is having a will that you have not properly executed (which, in Maryland, generally requires that the testator sign the will, and that there be at least two witnesses that were present and signed the document themselves; see Maryland Estates & Trusts § 4-102).

Also, the Maryland probate process requires that the original will be filed with the Orphan’s Court in order to prosecute the estate.  A copy will not do.  If the original will cannot be found, the court may follow the estate plan described in a prior, original will, or the intestacy statute if there is not a prior will.  This may end up as a surprise for the expectant heirs if the testator changed his/her estate plan late in life.

A third variation on this theme is that the will describes beneficiaries that have died, or that otherwise fails to properly address all the property owned by the person making it.  Some wills lack a “failure of beneficiary” clause which describes how assets should be transferred in the event that there are no beneficiaries based on the remaining bequests in the will.  This can also create a case of surprise for the survivors.

A fourth, less common variation on this theme is that a person’s will was drafted in another state or country, but doesn’t meet the statutory minimums to be recognized in Maryland.  The other dilemma with this is that the will does meet Maryland’s requirements, but the will is challenged here and the witnesses cannot be found to testify as to the veracity of the signature on the document (or the witnesses have died and therefore cannot come to court to testify).

Out of Date Will

Estate plans change over time.  For example, a young person that enlists in the military would have a different estate plan (which might primarily benefit his/her parents) than a married person that has recently had a child.  However, it is not uncommon for the living to write a will and forget about it for a period of time.  People also may write a will when they have fewer assets, and then subsequently prosper (or buy a life insurance policy to cover a major debt, like a mortgage), but not update their will to match these changes.

Major life changes like getting married or having children also changes how your estate will be distributed if you have no will.  Spouses are also treated in a special way by the law if you have excluded your spouse from your estate as a spouse has the right to an “elective share” of your estate under Maryland Estates & Trusts § 3-203 and applicable Maryland case law.

Beneficiary Not Blood Relative

As you know, as of 2011, there is no gay marriage in Maryland.  As a result, gay partners that wish to protect their partner but have not written a will may inadvertently leave out their surviving partner from their estate.  This can be particularly difficult on the surviving partner, both financially and emotionally during an acutely difficult time.  The law is, at best, unclear as to what effect the marriage of same-sex partners in another state would have on partners in Maryland under the intestacy statute.  Maryland may eventually recognize same-sex marriage (pending this year’s election in Maryland which has a ballot initiative on gay marriage), but in the interim, your estate plan should address this issue properly.

Math Errors

Lawyers don’t typically get a degree in math, but that’s no excuse for the math not working out properly in a will.  However, this problem happens more often than you might think if the Residuary of the estate is apportioned into shares, but the shares don’t add up to 100% of the Residuary.

Taxes

Long ago in Maryland, there was a single estate tax exemption set at the federal level which permitted a fixed amount of an estate to be exempted from both state and federal estate taxes ($600,000 prior to 1998).  This “coupled” estate tax permitted Maryland to make a claim for a portion of the taxes collected by the federal government, without the estate having liability for a separate estate tax amount to Maryland.  However, federal law changed in 2001, causing the federal exemption amount to increase to $5 million for people that died in 2010, 2011 or 2012.  Maryland, on the other hand, capped the exemption from state estate taxes to $1 million.  This means that an estate may be exempt from federal taxes, but have a state tax liability when the total value of the estate is more than $1 million but less than $5 million.  See Maryland Tax-General § 7-309.

Maryland also has an inheritance tax based on the size of the estate and whether or not the heirs to the estate are immediate family of the deceased or a more distantly related (or unrelated) person.

Estate taxation is a complex and esoteric area of the law, and therefore an easy place to cause problems for an estate.  Discussing an estate plan with an attorney can help to discuss these issues and how to manage them.

Bonds and Funeral Expenses

Absent a provision in the will, a probate court may require that a personal representative obtain a bond to serve and a probate court may cap the total funeral expenses chargeable to an estate.  See Maryland Estates & Trusts § 8-106 (requiring court approval for funeral expenses over $5,000 for a small estate and $10,000 for a regular estate).  See also § 6-102 regarding a bond for the personal representative (which can add expense to the administration of the estate, and confusion for the person acting as the personal representative).

Business Assets

A person who owns an interest in a business (for example, owns a member interest in a limited liability company, or shares in a small, private corporation) may need special advice in planning for his/her estate.  One common way to address this is to enter into a buy-sell agreement so that the deceased owner’s estate is “bought out” of the business in exchange for proceeds from a life insurance policy, held by the business entity or personally by the other owners of the business.  More information is available in this post.

No Beneficiary on Insurance Policies

Another common problem for estates is that the decedent died with life insurance, but did not designate a beneficiary for the insurance policy.  The estate may not know to file a claim to the insurance company, defeating the purpose of paying the premiums on the policy, or if there is no beneficiary, the insurance policy may pay into the estate of the deceased, leaving the insurance money to be distributed as per the decedent’s will (if any) or the intestacy statute.  This may not have been the intended result of the decedent, and may also have unintended tax consequences for the the beneficiaries of the estate.

These are just a few of the estate planning problems that may crop up.  Talking with an attorney as a part of planning for your estate can help to reduce surprises and ensure that your loved ones are taken care of as you would want them to be.

Affordable Care Act Legal Challenges

The Affordable Care Act (ACA) was passed into law in 2010.  This 906 page tome makes a substantial number of changes to the national health care law, but much attention has been focused on the individual health care mandate which is found in section 5000A (codified at 26 U.S.C. 5000A) of the law.  This section requires that “an applicable individual shall for each month beginning after 2013 ensure that the individual, and any dependent of the individual who is an applicable individual, is covered under minimum essential coverage for such month.”  If that applicable individual does not have “minimum essential coverage,” that person is subject to a penalty which cannot exceed 300% of $750 ($95 in 2014 and $350 in 2015), or $2,250 in 2016, and which will increase based on a cost of living adjustment in subsequent years.

People are not happy about this requirement to either buy health insurance or face a penalty at tax time that could eat up a family’s federal tax refund.  At least some people are not happy as there have been at least four different challenges to the Affordable Care Act filed in federal court which have made there way up the various federal circuit courts where these cases were filed.  In three of these cases, the administration (defending the constitutionality of the law) was the winner, but in the 11th circuit, the challengers of the law won (in the sense that the court in that case decided to not dismiss their challenge to the law).

In the U.S. today, we generally take for granted that Congress can legislate as it believes it should, and the average person most likely does not think much about whether an act of Congress is constitutional.  However, in our system of government, the Congress is empowered to legislate pursuant to specific enumerated powers found in the Constitution.  The one in play in this case is the interstate commerce clause, which is found in Article I, section 8, clause 3 of the Constitution.  This clause permits Congress to regulate activities that affect commerce between states.  Section 1501 of the ACA discusses how the individual insurance mandate is related to interstate commerce.  There are a number of findings written into the law where Congress has identified:

  • how important health care, as an industry is, to the nation ($2.5 trillion in GDP);
  • that this insurance requirement will add millions of new consumers to the health insurance market across the country;
  • that half of all personal bankruptcies are caused, in part, by medical expenses (which presumably could have been avoided if the medical issue was covered by health insurance); and
  • people don’t buy health insurance when they are healthy, which causes adverse selection in the existing health insurance pool, driving up insurance costs for everyone that does buy insurance.

The challengers to this particular section of the law essentially are arguing that Congress has exceeded its authority in trying to mandate that individuals buy health insurance.  The idea that powers not enumerated to the Congress are reserved to the individual states and the citizens of the country is discussed in the Tenth Amendment and in the history surrounding the nation’s adoption of our Constitution in the late 18th century.  If individuals that purchase health insurance are not impacting interstate commerce, Congress arguably exceeded its authority.

There are Supreme Court decisions that have investigated the limits of the commerce clause.  Federal legislation based on the commerce clause probably hit its high water mark over the buying and selling of wheat in the 1940’s in a case cited as Wickard v. Filburn, 317 U.S. 111 (1942).  In Wickard, the plaintiff had sought injunctive relief against the secretary of the department of Agriculture to prevent the collection of a tax against him for growing more wheat than permitted by federal law which set, at the time, quotas for the amount of wheat a farmer might grow.  The plaintiff alleged that Congress’ attempt at regulating the amount of wheat that a farmer might grow and consume on the farm exceeded its authority to regulate interstate commerce, as this wheat for local use was not in the commerce between states, and could only indirectly affect such commerce.  The Court rejected this argument.

The market for wheat, at the time of Wickard, exceeded any single state in the union.  According to the Court, every state, but one, grew wheat, and all states consumed it.  The market the Congress attempted to regulate was, therefore, a national and not a local one.  That Congress had the authority to regulate such a market was, from the Court’s perspective, squarely found in the Constitution.  “The stimulation of commerce is a use of the regulatory function quite as definitely as prohibitions or restrictions thereon. This record leaves us in no doubt that Congress may properly have considered that wheat consumed on the farm where grown, if wholly outside the scheme of regulation, would have a substantial effect in defeating and obstructing its purpose to stimulate trade therein at increased prices.”  Id. at 129.

Since Wickard, there has been some retreat from the relatively expansive view of the regulation of interstate commerce by Congress.  Notably, the Court indicated that a federal law aimed at criminalizing the possession of a firearm on a school campus exceeded Congress’ power.  See U.S. v. Lopez, 514 U.S. 549 (1995).  However, a divided Court decided more recently that the regulation of controlled substances, even when these drugs are only used locally as in the case of medical marijuana, may still be properly regulated by the federal government pursuant to the commerce clause.  See Gonzales v. Raich, 545 U.S. 1 (2005).

The Court today faces a number of challenges to ACA which share a commerce clause challenge as to the requirement that citizens buy health insurance or face a tax penalty annually.  To claim that health care, a $2.5 trillion market within the U.S., is not a national market, simply cannot pass the giggle test.  To further claim that making people buy health care or face a penalty, in light of the fact that most health care costs are paid for by insurance, exceeds the authority of Congress also does not pass the same test.  To the contrary – the act of not buying insurance inherently means that the risk pool for those with insurance is smaller, and therefore, increases the cost of insurance to those that carry it, plainly and directly impacts the national health care market.  If there ever was an example of local activity impacting a national industry, this would be it, given that there are between 30 and 40 million people who are uninsured in the U.S.  The challenge made, then, to ACA on this ground is to just misunderstand what Congress is supposed to be doing, and misstates an entire body of law on the enumerated powers of Congress.

Reflections on 9/11, Ten Years Later

The tenth anniversary of 9/11 comes up on Sunday.  I, like many Americans, still remember where I was that morning as I watched with sadness and anxiety as the events of that day unfolded on national news.  At the time I was working downtown at a health center in Baltimore.  One of my colleagues, Scott, came into my office that morning and told me that a plane had flown into the World Trade Center.  Initially I thought it was an accident, but Scott seemed to think that something more was going on.  A number of us sat down in the conference room and watched the television news of the incident, and a second plane then flew into the other tower.  I still vividly remember watching in horror as people in the world trade center stood outside of the building on the ledge and jumped to nearly certain death as they had no other way out of the building.

Ten years have passed since this national tragedy occurred, causing the loss of almost 3,000 people.  In 2008, my girlfriend (now wife) and I visited the WTC site in New York City as work progressed in preparing the site for a new office complex.  We look forward to the completion of the new buildings to grace the skyline of one of the great cities in the world.