How the restaurant, hospitality industries manage today’s risks

Jodi Ritter, a partner at Coffey Modica, provided her insights on common hospitality risks in a recent quote for Property Casualty 360.
Kristen Beckman | September 30, 2024

Hotels, motels, restaurants and resorts are subject to an array of perils and exposures including trips and falls, theft, alcohol-related accidents, natural disasters and cybersecurity breaches. With a multitude of people visiting and working at these properties daily, insurance is crucial, although it can be complex to navigate and represent a substantial business expense.

Like other sectors, hospitality is impacted by losses related to increased natural disasters, increased costs, a rise in litigation and the lingering impacts of COVID-19. Many insurance carriers have been evaluating their participation in the hospitality market, resulting in reduced capacity and double-digit rate increases.

“Hotels are subject to the same natural catastrophe perils as other classes of business but are often disproportionately impacted by such events due to their concentration in urban population centers and coastal areas,” says Dustin Ritch, a broker at World Insurance Associates who specializes in serving the hospitality industry on the East Coast. “Aside from natural catastrophes, water damage continues to prove a loss leader in the hotel industry due to both drain backups and bursts or accidental discharge of sprinkler systems (often when a guest hangs clothing on a sprinkler head in a room).”

Rising costs

Facing a slower expected travel environment this year, the hospitality industry is keen to manage risks and related insurance costs. In 2023, hotel insurance accounted for about 1.7% of total operating revenue, up from its long-run average of 1.2%, according to CBRE Hotels Research. Some factors driving the surge in commercial insurance premiums include the number and severity of losses due to hurricanes in Florida, fires in California and Hawaii, tornadoes in the Midwest, winter freezes in Texas, and convective storms across the country, says CBRE. Concurrently, the cost of fixing damages and replacing buildings has gone up and supply chain interruptions and lack of available labor continue to inflate construction-related costs and drive building values higher, which leads to increased premiums. Hotel size and capacity impact premiums, as does claims history and risk management practices.

“Unfortunately for U.S. hoteliers, the ability to control insurance costs is limited,” says CBRE. “On property, hotel owners can make physical ‘risk improvements’ such as flood gates and earthquake seismic shutoff valves. Owners also have the option to buy less insurance, or increase their deductible, to reduce their premiums.”

Common hospitality risks

Besides trips and falls, which are a prevalent risk across most commercial entities, one of the most obvious and common risks hotels and restaurants face is fire loss, says Jodi Ritter, a partner at New York-based law firm Coffey Modica LLP and former lead of the Sompo Global Risk Solutions program at Gallagher Bassett Services. Hotels and restaurants have strict guidelines for building and health code regulations, including fire suppression in the kitchen, hard-wired smoke detectors, sprinkler systems and fire extinguisher placements. Properly marked exits and evacuation plans to assist patrons and reduce risk of liability are also warranted, she says.

One area often overlooked in hotel coverage is pair and set coverage, noted Ritter. Since hotel furniture is coordinated and matching, if only a portion of their furniture is damaged, they may need to replace an entire set to maintain their décor.

Another common risk for hospitality is around swimming pools, she says.

“The presence of a swimming pool presents safety hazards for both patrons and staff,” says Ritter. “Lifeguards can be a good investment as they supervise and assist immediately if there is a problem. Either way, rules should be posted and some level of oversight provided in order to maintain a safe place.”

Employee theft also commonly presents a risk to the hospitality industry. This can include embezzlement as well as theft of the employer’s property, says Ritter. Communicating with employees is the first step in prevention, ensuring everyone knows what constitutes theft and fraud and that there is a zero tolerance for it. Having company oversight by managers and frequent third party audits is advisable and conducting background checks on new hires is also a relevant risk management tool, she says.

Emerging risks

One emerging legal risk unique to the hospitality sector is the increasing incidence of human trafficking in hotels resulting in lawsuits. Hotels can be held civilly and criminally liable for failing to prevent and report trafficking on their premises. Days Inn, for example, was ordered to pay a multi-million-dollar settlement to eight victims in a 2023 human trafficking case. Many policies now incorporate exclusions for human trafficking and other crimes as well as for weapons, says Ritch.

In addition, communicable disease exclusions have become a mainstay in the industry following the pandemic. “It can be found baked into virtually every commercial general liability policy at this point, particularly in the hospitality space,” says Ritch. Like many other commercial entities, hospitality also faces cyber issues, and protecting guests’ personal and financial information is mandatory, says Ritter. She also noted hotels face cyber risks related to guests using hotel Wi-Fi systems to work remotely. “Safe systems are imperative to prevent cyberattacks and data breaches,” she says.

Risk mitigation

Major types of hospitality insurance include commercial general liability insurance covering guest injuries and property damage; commercial property insurance to guard against disasters, fires and storms; commercial auto insurance for properties that provide shuttles or other transportation-related services; workers compensation insurance to cover employee injuries; equipment breakdown insurance; cyber liability insurance; dram shop insurance broadly covering liquor liability concerns; and innkeeper liability insurance.

Beyond proper insurance, proactive mitigation practices can help the hospitality industry reduce its exposures. Both Ritter and Ritch encouraged regular inspection and maintenance of properties and ensuring proper security is in place. Ritter also pointed to ensuring proper contracts are in place with third-party vendors: “If you’re a mall, a restaurant, an apartment complex and you have a cleaning company, you must have a contract with an indemnification clause that if the vendor does something negligently or omits to do something and somebody is injured as a result, then they have to provide defense and indemnification to the owner.”

Training is also key to mitigating risk in hospitality, especially because risk managers often aren’t present when incidents occur. Employees should be trained to proactively watch for potential dangers, keep guests safe during incidents, and collect information and properly fill out incident reports. The American Hotel and Lodging Association (AHLA) offers free training to employers and employees on how to recognize and respond to human trafficking through its No Room for Trafficking initiative.

Broker best practices

In the increasingly challenging hospitality insurance environment, experts say property owners and managers should start working with their broker up to 120 days before renewal and make sure the broker is aware of any recent improvements to the property. The hospitality industry is increasingly looking for and may benefit from customized coverage for unique risks. In addition, digital tools tend to appeal to hospitality insurance purchasers.

Ethical Rules for Using Generative AI in Your Practice | Model Rule 1.6: Confidentiality

Coffey Modica’s Mostafa Soliman, Counsel, was featured by Fishman Haygood for his insights on ChatGPT.
September 11, 2024

At the risk of stating the obvious, we are still in the early days of what we believe to be an “AI Revolution” in the way that goods and services, including legal services, are and will be provided. Which means that we do not, at this point, have much in the way of formal guidance.*

With that preface, in this series we will examine some of the Professional Rules[i] and other legal requirements that could potentially be implicated by a law firm’s use (or non-use) of ChatGPT or other Generative AI (GAI). Last time, we discussed the importance of establishing, periodically reviewing, and enforcing internal policies and protocols regarding the use—and/or limitation and restrictions on use—of ChatGPT and other AI products by lawyers and other employees at the firm. One reason for this precaution is the issue of confidentiality, which brings us to our fourth rule.

Model Rule 1.6: Confidentiality

Perhaps the most serious concerns that have been raised regarding the use of ChatGPT and other AI systems surround the security of privileged and other legally protected information. Under Model Rule 1.6, an attorney is not only generally prevented from disclosing “information relating to the representation of a client,” but is also charged with an affirmative duty to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”[ii]

Using ChatGPT to analyze a client’s legal documents that contain privileged or other confidential information can pose a risk that such information could be misused or exposed.[iii] Generative AI programs that are ‘self-learning’ continue to develop responses as they receive additional inputs, adding those inputs to their existing parameters. The use of these kinds of programs creates a risk that client information may be stored within the program and revealed in response to future inquiries by third parties.[iv]

In March of 2023, for example, there was a data leak at ChatGPT that allowed its users to view the chat history titles of other users.[v] Outside of such data breaches, chat history can be accessed and reviewed by ChatGPT or other Generative AI company employees and may also be provided to third-party vendors and affiliates.[vi]

In addition to attorney-client privileged information and/or work product, one also must be cognizant of other legal protections and requirements that might apply to client information, including:

  • HIPAA (Health Insurance Portability and Accountability Act of 1996)[vii]
  • The European Union’s General Data Protection Regulation (GDPR)[viii]
  • The California Consumer Privacy Act (CCPA)[ix] (and/or other State Privacy Laws)
  • Trade Secret Protection[x] (which may be compromised by “disclosure” to the AI service)
  • Contractual Non-Disclosure Agreements and Obligations

The Florida Ethics Opinion regarding the use of Generative AI advises that existing ethics opinions regarding prior technological advances (such as cloud computing, electronic storage disposal, remote paralegal services, and metadata) have “addressed the duties of confidentiality and competence and are particularly instructive” and generally conclude that a lawyer should:

  • Ensure that the provider has an obligation to preserve the confidentiality and security of information, that the obligation is enforceable, and that the provider will notify the lawyer in the event of a breach or service of process requiring the production of client information;
  • Investigate the provider’s reputation, security measures, and policies, including any limitations on the provider’s liability; and
  • Determine whether the provider retains information submitted by the lawyer before and after the discontinuation of services or asserts proprietary rights to the information. [xi]

The California Practical Guidance for the Use of Generative Artificial Intelligence reinforces this responsibility and further suggests that a lawyer who intends to use confidential information in a generative AI solution should anonymize client information as well as “ensure that the provider does not share information with third parties or utilize the information for its own use in any manner, including to train or improve its product.”[xii] These measures should include consulting with an IT professional as well as reviewing the program’s Terms of Use.

In the Terms of Use dated March 14, 2023, OpenAI advised that:

If you use the Services to process personal data, you must provide legally adequate privacy notices and obtain necessary consents for the processing of such data, and you represent to us that you are processing such data in accordance with applicable law. If you will be using the OpenAI API for the processing of “personal data” as defined in the GDPR or “Personal Information” as defined in CCPA, please fill out this form to request to execute our Data Processing Addendum.[xiii]

The updated Terms of Use, promulgated in November of 2023 and effective as of January 31, 2024, simply state that:

You are responsible for Content, including ensuring that it does not violate any applicable law or these Terms. You represent and warrant that you have all rights, licenses, and permissions needed to provide Input to our Services.[xiv]

ClaudeAI’s Acceptable Use Policy similarly prohibits users from “violating any natural person’s rights, including privacy law” as well as “inappropriately using confidential or personal information.”[xv]

Natalie A. Pierce and Stephanie L. Goutos of Gunderson Dettmer Law Firm note that challenges to the responsible use of GAI systems are actively being addressed by legal entities, from academic institutions to law firms, through methods such as “employee training, AI governance policies, and the formation of specialized AI task forces.” The authors emphasize the importance of recognizing existing countermeasures that aim to help mitigate risks associated with confidentiality concerns, while the framework for a lawyer’s responsible AI use continues to develop. For example, OpenAI’s April 2023 policy change allows users to disable chat history in ChatGPT. The company’s August 2023 update introduced an “enterprise-focused model that offers enhanced security protocols, sophisticated data analysis, and bespoke customization capabilities.” As the technology in Artificial Intelligence continues to evolve, Pierce and Goutos predict that a “majority of law firms and organizations will adopt custom experiences powered directly into their own applications, as well as prohibit the input of any confidential information into public GAI tools, which will substantially alleviate breach of confidentiality concerns.”[xvi]

A lawyer’s affirmative duty to reasonably communicate with his or her client is also implicated in this context. Model Rule 1.4 requires an attorney to “reasonably consult with the client about the means by which the client’s objectives are to be accomplished” and to explain relevant matters “to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.” [xvii] To the extent use of ChatGPT and other AI services in connection with the representation of a client is contemplated, it is therefore important to discuss the potential risks and benefits with the client, so that an informed decision can be made.[xviii]

 

Explore Mostafa Soliman’s analysis in Navigating the Ethical and Technical Challenges of ChatGPT (2023), available through the New York State Bar Association.

Readers sound off on Laura Kavanagh’s Legacy

Coffey Modica partner Michael Mezzacappa was published in the New York Daily News opinion section regarding retiring FDNY Commissioner Laura Kavanagh and her legacy of awareness and advocacy regarding the growing threat of e-bike battery fires.
New York Daily News | August 10, 2024

Continue her legacy 

Tarrytown, N.Y.: Former FDNY Commissioner Laura Kavanagh’s relentless advocacy for lithium-ion battery safety was rightly celebrated in your Aug. 7 editorial “Laura Kavanagh’s mission continues.” Shining a light on the scourge of e-bike battery fires has not only inspired swift action on the part of our representatives at all levels of government, but it’s saved lives in the process. According to reporting in July 2024, e-bike battery fires had led to only one fatality versus 13 at the same point in 2023, no doubt due to greater consumer awareness of what to do in case of these fires. But more must be done, as the number of fires, year over year, has remained pretty much the same even as fatalities and injuries decline. Congress must pass federal safety standards that will keep improper equipment off the market and ensure that manufacturers doing business in the U.S. are traceable and insured.

Opinion: E-Bike Battery Fires Demand Sweeping Safety Reforms

Michael Mezzacappa, partner at Coffey Modica, wrote an insightful opinion on E-Bike Battery Fires featured in City Limits.
By Michael P. Mezzacappa | July 31, 2024

The rash of lithium-ion battery fires across the country has finally sparked Congressional action with the introduction of the Setting Consumer Standards for Lithium-Ion Batteries Act (H.R. 1797), requiring the Consumer Product Safety Commission to establish product safety standards for rechargeable lithium-ion batteries used in e-bikes and other micro-mobility devices.

Such legislation merely touches the surface of a larger enforcement problem. E-bikes are here to stay, and without a multipronged approach demanding action from the business community and individual stakeholders, along with local governments, no meaningful difference will be achieved.

Since the onset of COVID-19, when home deliveries to locked-down residents became an essential service, e-bikes have become ubiquitous in major cities like New York. The lithium-ion batteries that power the bikes have become the leading cause of fatal fires throughout the five boroughs.

According to New York’s Fire Commissioner Laura Kavanagh, in just the past two years, e-bike batteries have caused approximately 500 fires and killed 24 people, and there are no signs of this trend slowing down. H.R. 1797’s main sponsor is New York Congressman Ritchie Torres of the Bronx, which experienced three e-bike fires in the first half of May 2024 alone.

But the dangers of lithium-ion batteries are hardly an “only-in-New York” issue. Municipalities from coast to coast have seen a surge in incidents where exploding batteries suddenly go ablaze and trap those inside the affected home or business.

In California, San Francisco saw 58 fires involving lithium-ion batteries in 2022, with an additional 41 fires counted in 2023. Meanwhile, the San Diego Fire-Rescue Department reported at least 32 e-bike battery fires since mid-March 2024, in addition to 104 fires in 2023.

Data from the International Fire Chiefs Association found more than 60 battery fires in Houston, TX during 2023, and 73 lithium-ion battery fires were investigated by the Phoenix Fire Investigations Task Force between June 2023 and February 2024.

Even the DMV—the District of Columbia, Maryland and Virginia—is not immune, with 17 fires reported in Fairfax County in 2023, and eight Washington D.C. fires in the same year.

This ever-growing scourge has led to a patchwork of rules and regulations as cities and states tackle the problem with their own array of legislation, fire code changes and more. There is certainly an appetite for action on the federal level, as H.R. 1797 easily passed the House with bipartisan support. At a recent event in Brooklyn, New York Senator Kirsten Gillibrand voiced her support for the federal safety standards outlined in the bill and pushed for its inclusion in the Fiscal Year 2025 National Defense Authorization Act (NDAA).

While developing and enforcing safety standards for rechargeable lithium-ion batteries can aid the fight against the fires they spark, it is far from enough to solve the issue. More actions need to be considered to fully put these deadly blazes behind us.

E-bikes are often used by delivery workers who are independent contractors living on an hourly salary. When battery issues arise, these price-conscious drivers frequently gravitate toward the cheapest possible option, whether that is a disreputable online seller or a secondary market flooded with foreign-based goods.

While putting stringent safety standards on new e-bike batteries is helpful, lawmakers will not be able to go into people’s homes to confiscate older, unregulated e-bikes and batteries.

The fact is, however, that lithium-ion battery imports in the U.S. roughly doubled for the third consecutive year in 2022, according to S&P Global—a period when 60 to 70 percent of global e-bike production occurred in China.

Those majority-foreign-manufactured models currently dominate the market and will continue to be sold from person to person at garage sales or on sites such as Craigslist.

So, while legislators at the federal, state and city levels debate and design the structures of their own interventions, more needs to be done to spread responsibility to all involved.

Local municipalities should mandate the creation of an insurance market that can handle e-bikes. For those used for commercial purposes, the e-bikes in the delivery fleet should be periodically inspected by the public authorities that might license operators of these motorized devices.

Further measures must also be taken on the federal level, as any lithium-ion battery standards must ensure that manufacturers are traceable and insured, if they want to do business in the U.S.

When deadly fires do occur, high-level investigations should take place. Just as the National Transportation Safety Board (NTSB) is called in when a train derails, a ship crashes or when airplane parts fall out of the sky, there must be a body to oversee and investigate incidents involving e-bikes on a national basis, ensuring that whatever went wrong is not constantly recurring.

While Congress should be applauded for recognizing the importance of this issue and making attempts to tackle some of the root causes head on, it is going to take a concerted effort from all of us to put a lid on these growing fire hazards and save lives.

Michael P. Mezzacappa is a partner and general counsel with Coffey Modica LLP. Admitted to practice in New York, New Jersey and the District of Columbia, he is a trial attorney who has represented insurers, property owners and managing agents, manufacturers, construction companies, trucking companies and other professionals in cases based on some of the largest and most high-profile litigations, including fires and explosions.

Boeing’s Plea Deal Shows The Importance Of Accountability After A Crisis

Coffey Modica’s founding partner, Michael Coffey, comments on Boeing’s plea deal in Forbes article.
By Edward Segal, Senior Contributor | July 8, 2024

Boeing’s plea deal with the federal government that was announced Sunday concerning issues related to the company’s 737 Max is a timely reminder for business executives about the importance of full disclosure and accountability in the aftermath of a crisis.

The failure to provide all the information that is requested by authorities about a crisis further damages the image and reputation of a company and can deepen or extend the crisis—or create a new one.

Subject To Approval

In the deal that is subject to a judge’s approval, Boeing would plead guilty to defrauding the government in a case related to the crash of two of its 737 Max planes and not adhering to the terms of an agreement with the government that enabled the company to avoid prosecution.

Boeing confirmed that it had reached an “agreement in principle in terms of a resolution with the Justice Department subject to the memorialization and approval of specific terms,” according to the Washington Post.

Another Low Point

“It is rare for a company of Boeing’s stature to plead guilty to a crime, and the moment marks another low point for the already-battered reputation of the century-old aircraft manufacturer,” the Washington Post reported.

“The plea underscores the long shadow of the deadly crashes and also comes at [a] time when Boeing is trying to restore the trust of regulators and the flying public amid a fresh safety crisis that began in January when a panel flew off the side of a newer model Max mid-flight,” the news outlet wrote.

Ripple Effect

In addition to further damaging its reputation, the plea deal “potentially ability to secure lucrative government contracts with the likes of the U.S. Defense Department and NASA, although it could seek waivers,” Reuters reported.

“Over one-third of Boeing’s work is via government contract and [the plea] could have long ranging impact on Boeing their contracts and the lives of Boeing’s 167,000 member workforce,” Michael Coffey, an attorney and senior partner of Coffey Modica, a defense litigation firm, explained via email.

Downsides

Despite the damage the deal will have on Boeing, legal experts say it may not discourage others from similar transgressions.

Deal Lacks Teeth

“The Boeing plea deal— like others involving corporations— lacks teeth,” Wayne Cohen, a law professor at the George Washington University School of Law, said in a statement.

“The flaw here is that although individuals may go to prison for similar offenses, corporations escape with fines. This begs the question whether justice has been served. Financial penalties in civil cases are acceptable, but in criminal cases no one faces prison. That’s the problem,” he observed.

Limited Deterrence

“A criminal plea for Boeing’s misconduct is likely to have a deterrent effect on other corporations,” said Jason Brown, a former Department of Justice Special Agent and a legal advisor to the FBI.

“However, if only the company pleads guilty and no individuals are held accountable, the deterrence may be limited, as individual actors might feel insulated from criminal liability behind the corporate shield. Often, the act itself isn’t enough to trigger culpability; it’s the obstruction and cover-up that lead to charges,” he noted.

Controlling The Narrative

One of the lessons to come out of the plea deal is “the importance of engaging a crisis management team and legal experts who can tactfully disclose wrongdoing while controlling the narrative,” Brown observed.

“This approach helps avoid a concealed liability that will inevitably be exposed, often through whistleblowers or other means. Business leaders should learn from this plea deal that transparency and accountability are crucial in crisis management to prevent further legal and reputational damage,” he concluded.

Coffey Modica Promotes Two Partners and One Counsel in NY

Law360 | Connecticut Pulse

By Matt Perez | July 3, 2024

New York litigation boutique Coffey Modica LLP announced the promotion of two attorneys to partner, including the firm’s first hire in 2021, as well as the elevation of another lawyer to counsel.

Maxwell Bottini, who joined the firm around its founding, and Joseph Hopkins have both been elevated to partner, according to a Monday statement from Coffey Modica, while Jonathan Heller steps into the counsel role. The attorneys practice within labor and professional liability law.

“Each of these talented attorneys has played a key role in the incredible growth Coffey Modica has experienced in just under three years since its founding,” said partner Robert Modica in a statement Monday. “The knowledge, dedication and integrity they bring to every client interaction is admirable.”

Bottini, who practices out of New York and Connecticut, handles labor law cases, defending both general contractors and subcontractors. He has tried over 20 cases to verdict and several more to settlement.

Before joining Coffey Modica, Bottini worked as an associate at Tyson & Mendes LLP. He began his career as an assistant district attorney with the Kings County District Attorney’s Office. Bottini earned his bachelor’s from Villanova University and his law degree from Brooklyn Law School.

“I was the first attorney hired at Coffey Modica, and it has been a privilege every day since to work alongside this top-notch team,” Bottini said in the statement. “I am grateful to all of my colleagues and mentors, especially Michael Coffey and Robert Modica, for their support and guidance, and I look forward to continuing to grow along with the firm well into the future.”

Also stepping into the partner role, Hopkins works on litigation matters related to labor law, construction defects, professional liability and casualty defense, representing developers, general contractors and real estate investment and management companies.

Hopkins runs his practice out of New York City, having joined the firm in early 2023 after previously serving as an associate at O’Toole Scrivo LLC and Wood Smith Henning & Bergman LLP. He received his bachelor’s and law degrees from Seton Hall University.

“It has been a privilege to work alongside Michael Coffey, Robert Modica and all of my esteemed colleagues, whose mentorship has helped guide my professional growth,” Hopkins said in the statement. “I am excited for the firm’s continued expansion, and I look to what the future has in store.”

Heller becomes a counsel at Coffey Modica after two years in an associate attorney role with the firm. Working out of Coffey Modica’s White Plains, New York, office, Heller also handles labor law, general liability and casualty matters. During his career, he’s represented owners, contractors and corporations across New York. He earned his bachelor’s from Queens College and his law degree from Hofstra University.

“I am thankful to the entire Coffey Modica team for their faith and trust in me to be a part of the firm’s extremely bright future,” Heller said in the statement. “I feel that every day is an opportunity to learn a better tactic or a better argument that would further assist us in getting the best results for our clients, and I look forward to further cultivating our firm’s relationships.”

Founded in 2021, Coffey Modica has several locations across New York, as well as offices in New Jersey and Connecticut. The firm represents businesses and insurance companies in litigation defense and appellate strategy, along with consulting across professional industries.

Coffey Modica Promotes Three Attorneys

July 1, 2024

Coffey Modica LLP, a defense litigation firm representing prominent business and insurance companies in liability claims, excess property/casualty, medical malpractice, nursing, and other professional industries, announced that two of the firm’s attorneys have been promoted to Partner, with a third being given the role of Counsel.

“Each of these talented attorneys has played a key role in the incredible growth Coffey Modica has experienced in just under three years since its founding. The knowledge, dedication and integrity they bring to every client interaction is admirable and it is exactly that talent that our firm hopes to continue fostering with these much-deserved promotions,” said Founding Partner Robert Modica.

Partner Maxwell Bottini has been working with Coffey Modica since its founding in 2021. Practicing out of the firm’s New York and Connecticut offices, Bottini focuses on high-exposure labor law cases, defending general contractors and subcontractors alike. He has successfully tried more than 20 cases to verdict and settled even more, achieving the most favorable results possible for his clients. Bottini began his career as an Assistant District Attorney in the Kings County District Attorney’s Office, where he investigated and prosecuted hundreds of misdemeanor and felony cases. He is a graduate of Brooklyn Law School and currently lives in Fairfield, CT.

“I was the first attorney hired at Coffey Modica and it has been a privilege every day since to work alongside this top-notch team. I am grateful to all of my colleagues and mentors, especially Michael Coffey and Robert Modica, for their support and guidance, and I look forward to continuing to grow along with the firm well into the future,” said Bottini.

Partner Joseph Hopkins focuses primarily on New York Labor Law, construction defects, professional liability and casualty. A former judicial law clerk for the Honorable John I. Gizzo, Hopkins has represented prominent general contractors and developers in Manhattan on high-value matters, and he successfully achieved a defense verdict in New Jersey on behalf of a national real estate investment and management company. He practices out of the firm’s New York City office and is admitted to the Bar in both New York and New Jersey. A graduate of Seton Hall University School of Law, Hopkins currently lives in Cranford, NJ.

“I am truly honored to be elevated to Partner at Coffey Modica. It has been a privilege to work alongside Michael Coffey, Robert Modica and all of my esteemed colleagues, whose mentorship has helped guide my professional growth,” said Hopkins. “I am excited for the firm’s continued expansion, and I look to what the future has in store.”

Counsel Jonathan Heller joined Coffey Modica in 2022 and practices out of the firm’s White Plains office, where he specializes in labor law and general liability and casualty matters. As a third-generation attorney, over the course of his eight-year career, Heller has both defended and prosecuted cases on behalf of dozens of leading owners, contractors and major New York corporations, as well as one of the largest hospital conglomerates on Long Island and a host of well-known physicians and surgeons. The Long Island native is a graduate of Hofstra University’s Maurice A. Deane School of Law and currently lives in Teaneck, NJ.

“I am thankful to the entire Coffey Modica team for their faith and trust in me to be a part of the firm’s extremely bright future,” said Heller. “I feel that every day is an opportunity to learn a better tactic or a better argument that would further assist us in getting the best results for our clients, and I look forward to further cultivating our firm’s relationships. In this new role, I hope to contribute to the passion for excellent work product that makes our firm one of the top rising law firms in the United States, and one of the best places to work in the New York Metropolitan Area.”

Coffey Modica LLP is a New York-based defense litigation firm with offices in New York, New Jersey and Connecticut, and is among the fastest-growing firms in the nation. The firm represents defendants in high-profile, high-exposure matters across many disciplines and industries around the country. Known for being aggressive trial attorneys and litigators, Coffey Modica resolves matters on behalf of its clients with the most cost-effective resolutions aligned with their short- and long-term business goals and culture.

HITECH Audits Return: OCR Promises Enforcement Changes for HIPAA

Joelle Duval comments on the implications of the reopening of the Health Information Technology for Economic and Clinical Health (HITECH) audit program and a new round of audits of HIPAA-regulated entities.

Healthcare Risk Management | July 2024

The Health and Human Services Office for Civil Rights (HHS OCR) has reopened the Health Information Technology for Economic and Clinical Health (HITECH) audit program and will begin audits of HIPAA-regulated entities later in 2024, according to public statements by OCR Director Melanie Fontes Rainer. The audits will focus on the Security Rule, particularly the requirements for security risk analyses and risk management.

The audits will be accompanied by other enhancements intended to promote better compliance with HIPAA. These changes will put more pressure on covered entities and require work ahead of time to avoid penalties.

The impending audits may be more of a threat to smaller institutions, says John W. Leardi, JD, attorney with the Buttaci Leardi & Werner law firm in Princeton, NJ.

“I think most institutional or large providers probably, because of how resource-intensive they are compared to others, are probably fine, right? Or at least if they’re not, there’s no excuse for it,” he says. “My concern here in terms of vulnerability is going to be medium to small practices and independent practices, not part of a health system, not part of a larger institutional system.”

Leardi notes that the HIPAA Security Rule is about 20 years old now, and OCR probably is looking to update it. The audits may provide some guidance, he says.

“Some of it has become dated. The landscape of how we maintain health information is dramatically different now than it was 20 years ago,” Leardi says. “A substantial portion of the industry now has adopted electronically based storage as opposed to maintaining manila folders in the office. There has been some chatter that it needs to be revisited and, perhaps, updated to closely align with where we are in the industry. It’s not surprising that maybe these audits are designed as much about enforcement as they may be gathering data to determine the touch points in industry that are most in need of focus in any proposed rulemaking or adjustments.”

Many covered entities will not be ready for the audits, says Jeffery P. Drummond, JD, partner with the Jackson Walker law firm in Dallas.

“I think it’s going to catch people by surprise because nobody knows what we’re being tested on. There’s no study guide,” he says. “A more explicit message from OCR saying there are 10 things here that are listed, a list of possible bad things that can happen to you, would be helpful. They haven’t really done something that explicitly. It would be better for them to say we’re going to re-audit in two years and here are the things we’re going to be looking for, here is a list of things you need to do.”

No More Checking the Box

With the announcement of the return of the OCR HIPAA audit program, the days of the “check the box” risk assessments and HIPAA compliance program evaluations may be gone for good, or at least until OCR pauses the program again, says John F. Howard, JD, senior attorney with the Clark Hill law firm in Scottsdale, AZ. It has long been understood that HIPAA requires covered entities and business associates to conduct accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), he says.

“But, notwithstanding entities that have fallen victim to some form of cybersecurity incident, most entities have taken this requirement as merely a quick review and response to a privacy and security questionnaire to ensure that all the requirements of the security and privacy rules are attested to for documentation purposes,” he says. “Often, this means that there is no validation of the required controls to ensure that they are operating as they should and do not need attention.”

Howard says he often has seen entities that have allowed the value of the risk assessment process to take a back seat while they focus on more seemingly pressing business matters. This is understandable to a point, he says, but clearly is not what was intended by the Rule when it was made. The announcement of the return of the federal audit should change this, he says. Howard suggests that covered entities and business associates should, at least, do the following to prepare for a potential audit by OCR:

  • Review past risk assessment results and ensure any findings were addressed or plans have been put in place to do so.
  • Conduct new risk assessments that look for validation of compliance measures being in place through pen testing, vulnerability scans, employee interviews, configuration validations, and access and control sweeps.
  • Clearly document any findings, remedial measures, and plans for moving forward based on criticality if issues are found.
  • Clearly identify any cybersecurity framework being relied on and how it has been implemented.
  • Make sure appropriate leadership is kept aware of the state of the entity’s HIPAA compliance activities.

“These are necessary basic steps that I see missed over and over again that apply to risk assessment and risk management requirements under HIPAA. It is important that these also apply equally to the security and privacy side of the house,” Howard says. “Don’t forget to review the processes and procedures for responding to patient rights requests and making sure an entity’s privacy practices are clearly communicated. This applies to privacy practices between an entity and its patients, business partners, affiliates, and vendors.”

Structured relationships are necessary to ensure compliance along the entire service chain where (e)PHI is involved, he says. It also will be important for covered entities and business associates to remember that HIPAA requires technical and nontechnical evaluations of an entity’s policies and procedures to make sure they are compliant with HIPAA’s various requirements, he says. This is completely separate from the risk assessment requirements and can be more closely equated to a HIPAA compliance program review, Howard notes. The output of this evaluation can be used to create an audit book that can be a great resource when the auditors come knocking.

“Overall, the return of the OCR audit program is a good signal that it is time for regulated entities to start putting processes in place now to identify any compliance gaps they may have and develop plans for resolving the more pressing issues found through risk assessments and program evaluations,” Howard says.

OCR Sending Survey

OCR indicated in a notice published in the Federal Register that it will send an online survey consisting of 39 questions to the 207 covered entities and business associates that participated in the 2016-2017 OCR HIPAA audits, explains Layna Cook Rush, CIPP/US, CIPP/C, shareholder with the Baker Donelson law firm in Baton Rouge, LA. OCR specifically asks for information regarding subsequent HIPAA compliance actions taken by the survey recipients as a result of the previous audits to evaluate the effectiveness of the audits and the counseling the organizations obtained from OCR in response to the audits, she says. Presumably the information gathered will be used to develop an updated audit program for future use, she says, adding that OCR has not expressly stated that the audit program will return or provide information on when audits will resume or what will be different. Because the requirements for covered entities and business associates have not substantially changed since the 2016-2017 OCR HIPAA audits, if there is a next phase of audits, OCR likely will focus on the same requirements, she says.

However, there may be an increased scrutiny on cyber performance, given the proliferation of cybersecurity incidents in the healthcare industry and OCR’s focus on technological security preparedness and resiliency, she says.

While OCR has not provided details on a new audit program, it is likely that the selection process will mimic the audits in 2016 and 2017, she says. OCR identified organizations that represented a wide range of covered entities; its sampling criteria included size, affiliations, location, and whether an entity was public or private.

The audited covered entities submitted lists of all their business associates, which OCR combined to create a pool of business associates, she says. OCR randomly selected business associates from the pool to audit.

“OCR has stated that the audit program is used to identify best practices gleaned through the audit process and to inform guidance targeted to identified compliance challenges,” Rush says. “Since the last audits, OCR has routinely published sub-regulatory guidance to covered entities on different aspects of the HIPAA privacy and security rules.”

In conjunction with the previous audits, OCR also published a comprehensive audit tool that covered entities and business associates could use to gauge compliance with HIPAA, Rush notes. The prospect of an audit and the availability of the tool resulted in many organizations reviewing their compliance posture and making positive changes, she says, and the same industry response is likely if the audit program is re-instituted.

The HITECH Act requires OCR to periodically audit covered entities and business associates for HIPAA compliance, so OCR’s failure to continue the audit program is in derogation of the requirements of the HITECH Act, Rush notes. OCR may be gearing up for another phase of audits to ensure it is complying with legal directives, she says.

“Another potential driver is the increase in security-related breaches that result from cybercrime. The audits may be a piece of the overall goal of seeing covered entities and business associates strengthen their protection of PHI,” she says. Rush notes that HHS also has recently launched new Healthcare and Public Health Cybersecurity Performance Goals to provide healthcare delivery organizations with practices that will “strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety.”

“It is likely that only a few organizations will be selected for audit if the program is reconstituted, but organizations that have not utilized the OCR audit protocol should consider such a review in anticipation of OCR resuming the program,” Rush says. “Covered entities should review the OCR audit protocol in anticipation of the return of the audit program. Further, covered entities should ensure that they have conducted a recent security risk assessment, instituted a risk mitigation plan in response to the assessment, and developed policies and procedures for compliance with the HIPAA Rules.”

The audits should not strike too much fear in the hearts of covered entities that are making a good faith effort to comply with HIPAA, says Joelle Duval, JD, an attorney with the Coffey Modica law firm in White Plains, NY. “While it goes without saying that nobody likes to be audited, least of all by the United States government through HHS or the IRS (Internal Revenue Service), covered entities that have complied, or made a valiant and demonstrable attempt to comply with the myriad of regulations and protections mandated by HIPAA, should take comfort that their efforts will shield them from violations, or substantially reduce the crushing fines that HHS is known to give for violations of protected health information,” she says.

Duval suggests that these covered entities should even be proud to be among those selected for audit by HHS to demonstrate to other comparable covered entities that compliance is possible and slip-ups forgivable to a large degree — “even if, just like the one student that always sat in the front row of the class and raised his/her hand for every question, they are ‘hated’ for passing the course and always knowing the answer.”

For those entities that have not made the effort, the audits will be problematic. “Those covered entities who have ignored the regulations, by choice or necessity, such as perhaps lacking resources to keep up with the privacy and security rule regulations, sadly there is little advice to give them other than to say that the dice they have been rolling have just hit snake eyes,” Duval says. “Quite simply, there are few excuses covered entities can have that HHS would likely accept as mitigation to identifying violations and breaches during an audit. In fact, I cannot think of one viable excuse to suggest. Even a comet crashing to earth and knocking out the power grid would have HHS asking the covered entity about what safeguards were in place should there be a complete loss of power.”

HIPAA and its privacy and security rules have been in effect too long, and reports of data breaches, identity theft, and data ransoms are too widespread to the general population for a covered entity to be unprepared to stand up to HHS scrutiny, Duval says.

Whistleblowers Encouraged?

An unexpected effect from the reemergence of random HIPAA audits may be the encouragement of whistleblowers, she says. Covered entities often maintain a smiling public face touting their lack of any tolerance for HIPAA violations, Duval says, proclaiming “if you see something, say something” or “report and you will be supported” or “HIPAA violations will not be tolerated here.” But the actual internal practice is really one of punitive retaliation against employees reporting violations, she says. It is surprisingly common but seldom recognized, Duval says, that some of the largest private and public covered entities are the most punitive to those internal personnel voicing legitimate concerns regarding negligent data practices and the routine practice of turning a blind eye.

“HIPAA violations happen, most often inadvertently, but at times negligently. HHS recognizes this reality, and covered entities facing violations or breaches can mitigate their damages,” she says. “But, regardless of how an adverse event happens, covered entities who have made it a regular practice to bury their heads in the sand or sweep violations and reporters under the rug rather than acknowledge — by reporting when obligated to do so — and attempt to rectify the situation will find themselves in a much deeper hole than underneath the sand.”

Therefore, covered entities should be prepared for HHS to come knocking at their door by not only examining their compliance practices under HIPAA, but also looking at their actual internal practices of compliance, including how employees are received when they voice legitimate concerns to protect HIPAA, and the covered entity, Duval says.

“It should not be surprising, therefore, for a random audit by HHS to stir up unrecognized and illegal state and federal employment practices,” she says. “And those covered entities [that] have taken a punitive approach or turned a deliberate blind eye to employees reporting actual or suspected HIPAA violations may find themselves under the dual scrutiny from both HHS; state and federal Departments of Labor; and, most frightening, plaintiff attorneys.”

Weak Risk Analysis?

A crucial element of the HIPAA Security Rule is conducting risk analysis, something that historically has been a weakness for many organizations, notes Michael Parisi, head of client acquisition with Schellman, an information technology compliance and cybersecurity firm in Tampa, FL.

“Poor risk analysis practices are major contributors to the increase in breaches we’ve seen in past years,” he says. “In fact, more than 90% of the OCR HIPAA settlement actions regarding ePHI breaches involved an insufficient risk analysis or risk management program.”

With the news that OCR is reinvigorating its HIPAA audits, it is important for organizations to take a look at when their last risk assessment was — if ever — and what actions they have taken since then, Parisi says. From there, they need to identify if they acted on making the appropriate security updates to address identified vulnerabilities and whether they have maintained those practices.

Parisi highlights these pitfalls many organizations face when it comes to HIPAA risk analysis and risk management:

  • Skipping the step of threat analysis, which should happen even before the risk assessment. Organizations need to look through all potential existing threats, identify which are relevant to them, and have those threats reflected in the risk assessment.
  • Not including all systems that touch ePHI in the risk analysis/management program and what threats are relevant to the organization. Overlooking these places leaves them vulnerable to attack and vulnerable to penalties.
  • Inadequate risk analysis. Organizations should look to existing resources like the OCR Guidance on Risk Analysis Requirement or NIST SP 800-30 Guide for Conducting Risk Assessments for help when conducting analysis.
  • Neglecting to reassess on a specified basis and not performing updated analyses when a change in the environment introduces new risks.

Being caught out of compliance can mean significant financial penalties, as well as reputational damage, Parisi says. Prioritizing these risk requirements not only preserves HIPAA compliance, but also mitigates risk for a breach or cyberattack.

One suggestion is for organizations to package up their “HIPAA story,” he says. Instead of having a risk assessment in one place and policies and procedures in another, it behooves the company to pull everything together with a cover page that tells the story of their HIPAA compliance journey and gives OCR everything they need in an easy-to-access bundle, he says.

“This movement of bringing back HIPAA audits is a step in the right direction from OCR in the efforts for a more secure healthcare system,” Parisi says. “It is, however, just a first step, and I think we can anticipate seeing continued movement from the OCR and HHS to implement additional standards and requirements beyond HIPAA, especially in light of recent breaches.”

Graceland foreclosure sale halted as Presley estate’s lawsuit moves forward

Coffey Modica partner Paul Golden provided expert insight on the halted Graceland foreclosure sale in a recent article from The Associated Press.

(The article has been syndicated across the AP network, appearing in CT Insider, the Atlanta Journal-Constitution and Yahoo News, among others.)

BY ADRIAN SAINZ, May 22, 2024

MEMPHIS, Tenn. (AP) — A judge on Wednesday said Elvis Presley’s estate could be successful in arguing that a company’s attempt to auction Graceland is fraudulent as he halted a foreclosure sale of the beloved Memphis tourist attraction.

Later Wednesday, a statement from someone who appeared to be a representative of the company said it would drop its claim, which the Presley estate has argued is based on fake documents. Online court records did not immediately show any legal filings suggesting the claim had been dropped.

Shelby County Chancellor JoeDae Jenkins issued a temporary injunction against the proposed auction that had been scheduled for Thursday in Memphis, where the king of rock ‘n’ roll’s former home is located. Jenkins’ injunction essentially keeps in place a previous restraining order issued at the request of Presley’s granddaughter Riley Keough.

“Graceland is a part of this community, well-loved by this community and indeed around the world,” the judge said.

A public notice for a foreclosure sale of the 13-acre estate posted earlier in May said Promenade Trust, which controls the Graceland museum, owes $3.8 million after failing to repay a 2018 loan. Keough, an actor, inherited the trust and ownership of the home after the death of her mother, Lisa Marie Presley, last year.

Naussany Investments and Private Lending said Lisa Marie Presley had used Graceland as collateral for the loan, according to the foreclosure sale notice. A lawsuit filed last week by Keough alleged that Naussany presented fraudulent documents regarding the loan in September 2023.

“Lisa Maria Presley never borrowed money from Naussany Investments and never gave a deed of trust to Naussany Investments,” Keough’s lawyer wrote in a lawsuit.

Neither Keough nor lawyers for Naussany Investments were in court Wednesday. Keough’s attorney, Jeff Germany, said outside of court that he has not had direct contact with representatives from Naussany.

Naussany did file an unsuccessful motion asking the judge to deny the estate’s request for an injunction.

A statement emailed to The Associated Press after Wednesday’s ruling said Naussany would not proceed because a key document in the case and the loan were recorded and obtained in a different state, meaning that “legal action would have to be filed in multiple states.” The statement, which was sent from an email address listed in court documents, did not specify the other state.

“The company will be withdrawing all claims with prejudice,” the statement said.

Kimberly Philbrick, the notary whose name is listed on Naussany’s documents, indicated that she never met Lisa Marie Presley nor notarized any documents for her, according to the estate’s lawsuit. The judge said the notary’s affidavit included in the lawsuit brings into question “the authenticity of the signature.”

Paul Golden, a lawyer for New York-based Coffey Modica who handles real estate litigation but is not directly involved in the case, said that affidavit and other inconsistencies in the company’s paperwork appeared to be “extremely strong evidence” to support the Presley estate’s position.

Graceland opened as a museum and tourist attraction in 1982 as a tribute to Elvis Presley, the singer and actor who died in August 1977 at age 42. It draws hundreds of thousands of visitors each year. A large Presley-themed entertainment complex across the street from the museum is owned by Elvis Presley Enterprises.

“Graceland will continue to operate as it has for the past 42 years, ensuring that Elvis fans from around the world can continue to have the best in class experience when visiting his iconic home,” Elvis Presley Enterprises said in a statement.

Why Donald Trump’s Lawyers Didn’t Object to Stormy Daniels ‘Explicit’ Evidence

Coffey Modica partner Paul Golden lends his legal expertise to Newsweek to explain the latest developments in Trump’s civil fraud trial.

May 11, 2024 | Sean O’Driscoll, Senior Crime and Courts Reporter

Donald Trump’s lawyers did not object to Stormy Daniels’ “explicit” testimony because they did not want the jury to believe the former president had “something to hide,” a senior attorney has said.

Juan Merchan, the judge overseeing Trump’s hush-money trial, repeatedly expressed his surprise that Trump’s legal team did not put in more objections to Daniels’ graphic evidence.

Merchan said on Thursday that he was especially surprised that Trump’s lawyer, Susan Necheles, did not object when Daniels claimed Trump did not wear a condom during sex. Trump has denied ever being sexually involved with Daniels.

“But for the life of me, I don’t know why Ms. Necheles didn’t object,” Merchan said during a hearing on a motion for a mistrial from Trump’s legal team. “Why on earth she wouldn’t object to a mention of a condom, I don’t understand.”

Paul Golden, author of Litigating Adverse Possession Cases: Pirates v. Zombies and a partner at the New York law firm Coffey Modica, told Newsweek that in the moments when Trump’s lawyers did object, Merchan largely agreed and upheld their objections.

“When Trump’s team objected, for the most part, Judge Merchan sustained those objections. However, apparently, Hon. Merchan noted that he was surprised that there were not more objections,” he said.

Trump, the presumptive Republican presidential nominee for 2024, is the first former president in U.S. history to stand trial in a criminal case. He has pleaded not guilty to 34 counts of falsifying business records. He has continually said that this case and other criminal and civil challenges involving him are politically motivated.

The prosecution seeks to prove that before the 2016 presidential election, Trump paid or discussed paying two women—adult film star Stormy Daniels and former Playboy model Karen McDougal—to not disclose his alleged affairs with them. He denies affairs with both women.

Daniels completed her evidence on Thursday after an occasionally heated cross-examination with Trump’s attorney.

Newsweek has contacted Trump’s attorney for comment outside of normal working hours.

After Daniels finished giving evidence, Merchan refused the Trump team’s motion for a mistrial.

He agreed that some of Daniels’ more graphic details should not have come out, but said that was the fault of the Trump team for not objecting.

“I agree, that shouldn’t have come out. I wish those questions hadn’t been asked, and I wish those answers hadn’t been given,” Merchan said.

Golden said that the Trump team, like any trial attorneys, are involved in a “balancing act” while objecting to testimony.

He said that if an attorney “objects too much to testimony, it may make it appear to the jury that his client has something to hide.”

“But if he does not object at the right times, then there is a danger that irrelevant and prejudicial evidence will be admitted, and an appellate court may rule that the particular issue is not preserved for appeal,” he said. “That’s because an appellate court will not consider an appeal based on a witness’ testimony unless an objection was first raised with the trial judge.

“In many cases, if an attorney does not object to testimony, and waits until the appeal to claim that the testimony was inadmissible, the appellate court will decide that it will not even address that particular issue.”

Golden said: “Are the explicit details Ms. Daniels testified about, concerning the alleged sexual encounter, of the kind that would prejudice the jury’s view of Trump to the degree that, essentially, they will be unable to fairly consider the relevant evidence? Would a typical juror in Manhattan be so outraged or distracted by such details that it would prevent that juror from being fair? These are some of the factors Judge Merchan undoubtedly considered.”