Blog

BEWARE Pension Plan Trustees: The United States Supreme Court has Reinforced Your Responsibility

2022/01/31

On Monday, January 24, 2022, the United States Supreme Court issued its much-anticipated opinion in Hughes, et al. v. Northwestern University, et al. Before the Court was the issue of whether Northwestern University violated its fiduciary duty to a class of employee-investors under ERISA by allegedly including unnecessarily expensive investment options and paying excessive fees even though it simultaneously offered low-cost options. In short, is it a violation of Northwestern’s fiduciary duty to offer both reasonable and unreasonable investment options if it ultimately allows the employee-investor to choose which plan to invest in? The District Court ruled that the university satisfied its fiduciary duty and dismissed the case. The Seventh Circuit agreed, affirming the lower court. The Supreme Court ultimately disagreed and reinstated the class action, finding that employee choice does not cure the university’s potentially imprudent offerings. The basis for the Supreme Court’s reversal and remand is that the lower courts’ rationale was inconsistent with the duties owed by a fiduciary as explained in Tibble v. Edison Int’l, including the duty to monitor and oversee all plan investment options and remove any deemed imprudent. 575 U.S. 523, 530 (2015). While the Seventh Circuit also based its opinion on guidance provided in Tibble, namely the duty to offer a diverse menu of plan options, it ignored the duty to remove imprudent offerings. The Court briefly touched on the Petitioners’ allegations, including: 1. Northwestern failed to monitor record keeping and investment management fees; 2. Northwestern offered plan options including “retail” share classes while identical and cheaper “institutional” share classes were available; and 3. Northwestern created confusion by offering over 400 investment options.
By focusing solely on the university diversifying its plan options and providing participant choice, the Seventh Circuit and District Court ignored other equally important aspects of the duty of prudence owed by a fiduciary.

Log4j – Who does it impact?

2022/01/25

Takeaway: Organizations of all types and sizes should actively manage exposure to loss due to the Log4j vulnerability. Doing so will not be easy. The Log4j library is present in so many applications that the magnitude of the issue is unlike any other. Following CISA guidance and adhering to a control framework, such as NIST CSF, are best practices for dealing with the vulnerability and avoiding civil action and penalty. The Log4j exploit, also known as the Log4Shell vulnerability, allows threat actors to take control of web-facing servers by feeding them a malicious text string. Today, we will discuss who is impacted by Log4Shell and a possible solution. Because Log4j is a commonly used Java logging library, this vulnerability could potentially impact all applications and software that use Java. It’s difficult to quantify the sheer number of potentially affected systems. Many experts estimate billions of affected instances.[1] Why? Because Java is embedded into many digital products and services, including: internet routers; enterprise software; and Microsoft, Amazon, AWS, and Twitter servers. Software with Apache Log4j security vulnerabilities doesn’t even need to be directly exposed to the internet to be exploited. Malicious strings can even permeate to back-end software running vulnerable Apache Log4j versions, even if the internet-facing web application isn’t coded in Java. This means that even if none of the web applications and back-end software that a user is using are running vulnerable Log4j versions, third-party vendors might be, which then exposes the entire ecosystem to the potential of third-party breaches. The enormity of attack vector options and the simplicity of their compromise is fueling an exploitation frenzy amongst cybercriminals.
According to security firm Check Point, over 60 variations of the original exploit were detected in less than 24 hours, meaning that cybercriminals are broadening their exploitation frameworks in anticipation of upcoming patches.

Log4j is a Critical Threat

2022/01/20

Takeaway: The Log4j vulnerability, also known as Log4Shell, is a critical threat, and no organization should assume it is safe. Determining exposure to Log4j, and fixing vulnerabilities, should be a high priority for most security teams. The Log4j exploit, also known as the Log4Shell vulnerability, allows threat actors to take control of web-facing servers by feeding them a malicious text string. It exists within Log4j, an open-source Apache library for logging errors and events in Java-based applications. Third-party logging solutions like Log4j are a common way for software developers to log data within an application without building a custom solution.[1] The Log4Shell vulnerability is triggered by attackers inserting a Java Naming and Directory Interface (JNDI) lookup in a header field (likely to be logged), which links to a malicious server. After Log4j logs this string, the server is queried and gives directory information leading to the download and execution of a malicious Java data class. This means cybercriminals can both extract private keys and, depending on the level of defenses in place, download and run malware directly on impacted servers. In essence, the Log4Shell vulnerability allows hackers to remotely inject arbitrary code into a target network and assume complete control of it.

A technical look at Log4j

To understand the cyberattack sequence, it’s important to first define data logging and understand how loggers operate. Data logging is the process of collecting and storing data over a period of time in order to analyze specific trends or record the data-based events/actions of a system, network, or IT environment.
It enables the tracking of all interactions through which data, files, or applications are stored, accessed, or modified on a storage device or application.[2] Without a logger library like Log4j, information from servers is instantly archived after collection.[3] But if logged data is actively analyzed, or if certain actions in response to specific log data are required, Java software developers may use a library like Log4j to parse logs before they’re archived.

Data Breach Lessons from Recent Robinhood Lawsuit

2021/12/08

Takeaway: For most companies, following the SHIELD or FTC practices is sufficient to establish a reasonable security program that should protect companies from civil liability or penalty. But companies storing large amounts of personal information, or valuable proprietary information, should consider even greater controls and protections. Robinhood, a stock trading platform, was recently sued in connection with a significant data breach. When high-profile companies like Robinhood experience loss from a data breach, the glare of scary headlines is only a shadow of the cost to the company. Increasingly, companies are subject to litigation risk and the corresponding damages caused by a breach. According to a class action lawsuit filed in Federal District Court in the Eastern District of New York, over 7 million individual records were revealed in the Robinhood breach. The lawsuit alleges negligence, breach of contract, breach of fiduciary duty, and other violations of state and federal law. Plaintiffs point out that this type of breach was reasonably foreseeable, given all the news and information on data breaches in recent years. Plaintiffs claim that Robinhood had a duty to secure their personal information. That duty – plaintiffs allege – stems from users’ relationship with the Robinhood service and is actionable based on the Federal Trade Commission Act (FTC Act), which prohibits unfair practices in or affecting commerce, and New York’s SHIELD statute. Plaintiffs say that Robinhood failed to implement adequate policy, procedure, and technical safeguards, as recommended by the FTC and SHIELD. If those laws create an affirmative duty and obligation for implementing a reasonable security plan, then Robinhood – and others – can be found liable and assessed damages for failure to do so.

What is a “reasonable security plan”?

According to Plaintiffs, a reasonable plan includes: data encryption; employee training; and technological tools to defend systems against invasion. But what’s really recommended under SHIELD and FTC, and is that guidance enough to protect companies?

Custody: Can I relocate with my child?

2021/10/29

Whether it is for your job, a new relationship, or any other reason, relocation is a tricky issue. Pennsylvania has a stringent relocation statute, 23 Pa.C.S.A. § 5337, which creates a protocol to follow in order to accomplish a relocation. The first step is to determine whether the move constitutes a relocation. A relocation is defined as a change in residence of the child which significantly impairs the ability of a non-relocating party to exercise custodial rights. Obviously, a move from Pittsburgh to Seattle would have a strong likelihood of falling into this definition. However, courts have found that local moves can also fall within the definition. Consider the case of a 50/50 schedule with both parents having equal opportunity to have the child before and after school. A move from Upper St. Clair to Butler could have the effect of impairing the other party’s custody rights. If your move is a relocation, you cannot move without permission from the other parent or the court. You are required to give the other parent 60 days’ written notice of your move. The notice is in the form of an affidavit including information such as your new address, reason for the move, and proposed custody schedule after the move. What if the other party objects? In that event, the court will decide. The party proposing the relocation has the burden of establishing that the relocation will serve the best interest of the child as shown under the factors. One important factor is the integrity of the purpose of the move. If the court believes that you are moving just to be further away from the other parent, it will hurt your chances. The court will also consider (1) the impact on the child; (2) the child’s family ties where they are and at the proposed location; and (3) the well-reasoned preference of the child given their level of maturity.

DOJ’s Recent Civil Cyber-Fraud Initiative and What it May Mean

2021/10/26

Takeaway: The Department of Justice will use the False Claims Act as the basis for exacting civil penalties against companies who’ve fraudulently procured federal dollars while knowingly choosing to permit business practices with unacceptable cybersecurity risk. The Department of Justice (DOJ) is getting aggressive with cyber fraud. Lisa O. Monaco, the DOJ’s Deputy Attorney General over the Department’s Civil Cyber-Fraud Initiative (Initiative), announced recently that the DOJ will actively pursue companies who receive federal funds through federal government contracts when they fail to follow cybersecurity practices. This type of fraud is all too common throughout the federal government’s supply chain. Civil penalties resulting from the DOJ’s new Initiative should be a deterrent for bad actors/contractors who refuse to invest in cybersecurity planning and risk management. The DOJ will use the False Claims Act (FCA) as the basis for exacting civil penalties against companies who’ve fraudulently procured federal dollars while knowingly choosing to permit business practices with unacceptable cybersecurity risk. Under the FCA, companies can be held liable if they knowingly cause a false claim to be submitted. The standard for knowing is defined as: actual knowledge; deliberate ignorance of the truth or falsity of the information; or reckless disregard of the truth or falsity of the information. Notably, whistleblowers who come forward and provide information about a violation are protected under the FCA, which even allows for the whistleblower to participate in the reward following recovery of a claim. The purpose of the Initiative appears to be two-pronged: (1) encourage companies and individuals to disclose cybersecurity incidents and breaches; and (2) recover federal funds from contractors who are not following certain cybersecurity standards. Those two prongs were emphasized in President Biden’s May 2020 Executive Order (EO) on cybersecurity.
The EO promises to “bring to bear the full scope of its authorities and resources” to protect the country’s cyber infrastructure and assets.

Beyond Pots & Pans

2021/09/01

There’s an age-old misconception that Family Lawyers do little other than divide up “pots and pans.” Even a casual review of our website will reveal that our practice goes far beyond that. With that being said, what do we do with the furnishings and personal property, sometimes referred to as “personalty,” that couples accumulate over the years? For starters, it depends upon what comprises the contents of the home and whether the furnishings and items of personal property are of such a nature as to warrant expert valuation. Despite whatever sentimental value an item may have to you, the Pennsylvania Courts will value your personal property items at “fair market value.” Fair market value is not the insurance replacement value, nor is it necessarily what a party paid for it. Simply put, fair market value is what a willing buyer will pay a willing seller without any pressure to buy or sell it. We first need to determine what is in the home. Is an item from a big box retail store or carefully curated from an antique or specialty shop? For the big box variety, I frequently counsel my clients to attempt to negotiate between themselves. The moment that “expensive” bedroom suite leaves the store, it loses value. Clients are frequently unpleasantly surprised to find out their $15,000 dining room set might only be worth $2,000 when the parties separate. Conversely, if the parties have contents of a particular vintage, they should consider hiring a personal property appraiser to come to the home to inspect and value some or all of the contents, which could include the furnishings, fine china, rugs, crystal, and flatware. Similarly, though the value of most vehicles can be obtained from the NADA or Kelley Blue Book guides, parties might consider engaging the services of a specialized appraiser to assist them in valuing Great Aunt Bessie’s mint condition ’65 Jaguar XK-E.

Who Gets the Engagement Ring if the Relationship Ends?

2021/08/19

Ward of the Rings

For many people, it’s the one time in our lives when we’re almost guaranteed a romantic moment. After a successful courtship, one of you takes the big step and proposes marriage. In an instant, you’re transformed from the world of dating to engaged. And in many cases, there’s a ring involved. An expensive one. According to the 2021 WeddingWire Newlywed Report, the average cost of an engagement ring is currently $5,500, and 18 percent of engaged couples will spend more than $10,000. So it’s kind of a big deal when one of the parties breaks off the engagement. Who gets the ring? Or, if the relationship survives the wedding day but ends in divorce, who owns the ring then? Both good questions, and surprisingly, both have been decided by the Pennsylvania Supreme Court. In a 1999 case, Pennsylvania’s highest court found in Lindh v. Surman that an engagement ring is more than simply an expression of love and affection. It’s a “conditional gift,” given in contemplation of a marriage. That means that while the ring is certainly a gift, there is an expectation of a marriage to follow. If the relationship fails and the couple goes their separate ways before the wedding, the “condition” of marriage is not met. Hence, the ring should rightfully belong to the “donor,” or the party giving the ring as a gift. So far, so good. But what if the condition of a marriage is met, the couple exchange marriage vows, are legally married, and decide to divorce later? What becomes of the engagement ring then? In Lindh, the Court found that once the marriage takes place and the “condition” is met, the engagement ring is no longer a “conditional gift,” but rather a “completed gift,” meaning it rightfully belongs to the recipient.

Bitcoin, Cryptocurrencies, and Civil Litigation: Seminal Case Summaries and Key Takeaways

2021/07/06

In our first article, we introduced the subject of Bitcoin and cryptocurrencies in litigation. This article discusses several of the hottest recent cases involving Bitcoin and cryptocurrencies. Cryptocurrency litigants often accuse their opponents of being scoundrels, thieves, or pathological liars. These cases—arising in the divorce, commercial litigation, partnership, and law firm dispute contexts—involve all of the above. Some have reached a resolution or conclusion, while others remain pending in this developing area of the law.

Divorce

California, being a community property state, treats all property acquired during a marriage by either spouse as presumptively owned in community by both spouses. In In re Marriage of De Souza, 266 Cal. Rptr. 3d 890-94 (Ct. App. Aug. 10, 2020), the husband Francis bought certain Bitcoins after the filing of divorce but, contrary to California law, failed to disclose his purchase to his wife Erica. Accordingly, those Bitcoins were not initially included in the marital estate subject to division. Upon learning of the failure to disclose the Bitcoins, the court held that the failure to disclose material information was a breach of Francis’s fiduciary duty. Erica moved for an emergency order compelling Francis to immediately transfer her full interest in the community Bitcoins. Although Francis argued that “even if he failed to disclose material information, his disclosure caused no impairment to Erica’s community interest because . . . the bitcoins ‘earned millions of dollars for the community, thereby greatly enriching, not impairing, the community estate,’” the court found that this was irrelevant and indicated that “the financial success of one undisclosed investment does not erase the harm to the community estate, and Erica, occasioned by a separate undisclosed transaction.” The court ordered Francis to pay the wife $22,500 in cash and transfer 249.445 additional bitcoins as well as to pay Erica’s attorney’s fees.
Notably, the value of the Bitcoins rose from $45,000 at the time of their purchase in April 2013 to approximately $8,000,000 near the time of the court’s transfer order in December 2017 – January 2018.

Bitcoin, Cryptocurrencies, and Civil Litigation: Courts Reckon with the Dawn of an Emerging Asset Class

2021/06/15

Bitcoin and cryptocurrencies have emerged in the wake of the coronavirus pandemic as assets held by institutional, corporate, high net worth, and retail investors alike. While other articles have covered the tax, securities, or estate planning implications of buying bitcoin and other cryptocurrencies, we focus on the considerations of civil litigants and fiduciaries when it comes to these assets. As Bitcoin and other cryptocurrencies gain further acceptance in the portfolios held by persons, corporations, trusts, and estates, fiduciaries and civil litigants must be aware of how courts will handle claims when the ownership or stewardship of these assets becomes disputed. Despite the proliferation of Bitcoin among investors and in the news, case law regarding Bitcoin in civil litigation is sparse, and even more so in the context of estates and trusts.

Brief Background on Bitcoin and Cryptocurrencies

Bitcoin is a digital currency that was created in January 2009. Unlike fiat currency, bitcoin is created, distributed, traded, and stored with the use of a decentralized ledger system, known as the blockchain. Physical bitcoins do not exist; rather, balances are kept on a public ledger accessible to all. Bitcoins are not backed or issued by any government, central bank, or business entity. Bitcoin’s history has been turbulent thus far, with wide swings in price sometimes happening day-to-day or hour-to-hour. Bitcoins are registered to Bitcoin addresses in the blockchain. Creating a Bitcoin address requires the creation of a random valid private key and the corresponding Bitcoin address. This computation can be done in a split second. Uncovering a user’s private key, however, is currently not feasible given present computing standards. Users can tell others or make public a Bitcoin address without compromising its corresponding private key. To be able to spend their bitcoins, the owner must know the corresponding private key and digitally sign the transaction.
