CLIENT
MEMORANDUM
IN THE WAKE OF STORM SANDY, INSURANCE COMPANIES SHOULD ENSURE
THAT THEIR BUSINESS CONTINUITY AND DISASTER RECOVERY PLANS
COMPLY WITH LEGAL REQUIREMENTS AND BEST PRACTICES
How do insurance companies prepare for the risks presented to their own business operations by
natural disasters such as Storm Sandy? In the immediate aftermath of Storm Sandy, insurers’
disaster response to policyholders and regulators is an immediate priority. Also important to
insurers, however, is an assessment of the risks presented to their own business operations by
such natural disasters. This client memorandum focuses on the following key aspect of insurers’
disaster risk assessment and recovery efforts: the protection of data, information technology,
business records and private medical and financial information. More specifically, set forth
herein is: (1) a summary of significant statutory and regulatory frameworks that relate directly
or indirectly to insurance company disaster recovery planning; and (2) a practical assessment of
data protection and recovery best practices that insurance companies should consider
implementing to minimize risk and maximize compliance.
I.
Key Federal and State Legal Requirements and Guidance
A.
Insurance Company Disaster Planning – Disaster Preparedness and
Response
New York-licensed insurers are expected to prepare for, and respond to, disasters as set forth in
various circular letters issued by the New York Department of Financial Services (the “NYDFS”
or the “Department”).1 Such disaster preparedness standards incorporate a Business Continuity
Plan Questionnaire (“BCPQ”) to “assure the [NYDFS] that each [insurer] has taken steps to put
in place a Business Continuity Plan that would reasonably ensure that the recovery of critical
business processes could take place in the event of a disaster.”2 The BCPQ also ensures that the
business continuity plan has been tested, is kept in a secure off-site location, and addresses all
significant business activities, including financial functions, telecommunications services, data
processing, and network services.3
Similarly, the Florida Office of Insurance Regulation (the “FLOIR”) has issued guidance to
ensure insurance company preparedness for the hurricane season.4 Such guidance addresses
1
N.Y. Circ. Ltr. 2012-1 (Apr. 9, 2012) (applicable to “authorized property/casualty insurers”); see also N.Y.
Circ. Ltr. 2012-2 (Apr. 12, 2012) (applicable to “authorized health insurers”); N.Y. Circ. Ltr. 2012-3 (Apr. 12,
2012) (applicable to “authorized life insurers”).
2
N.Y. Circ. Ltr. 2012-1 (Apr. 9, 2012).
3
See NYDFS Business Continuity Planning Questionnaire,
http://www.dfs.ny.gov/insurance/circltr/cl2012_dpr.htm.
4
See, e.g., Fla. Info. Memo. OIR-05-007M (June 8, 2005).
NEW YORK WASHINGTON PARIS LONDON MILAN ROME FRANKFURT BRUSSELS
in alliance with Dickson Minto W.S., London and Edinburgh
disaster recovery plans “to ensure company facilities are operational post-storm,” which include
reviewing functions such as backup power, backup telephone systems or call centers, backup
staffing, technology issues, system access, and contract resources for services restoration.5
B.
Risk & Solvency Assessment
Insurers’ business continuity and disaster plans are subject to regulatory examination as part of
the risk-focused financial condition examination process. For examinations beginning in 2010,
state insurance regulators have applied a revised risk-focused examination approach to better
incorporate prospective risk assessment related to insurer solvency and focus on management’s
ability to identify, assess and manage the insurer’s business risks. The NAIC Financial
Condition Examiners Handbook provides that the person responsible for “maintaining, updating
and testing the insurer’s business continuity and disaster recovery plans” should be identified and
interviewed, and that the insurer’s Chief Risk Officer “should be interviewed regarding the
company’s plan for operating in crisis/disaster—business continuity.” Confirmation that an
insurer’s disaster recovery plan has been tested is an additional element of the examiner’s riskfocused examination. It is also noteworthy that the NAIC recently adopted the Risk
Management and Own Risk and Solvency Assessment Model Act (“ORSA Model Act”), and has
proposed an Own Risk and Solvency Assessment (“ORSA”) Guidance Manual. Although
ORSA Model Act and ORSA Guidance Manual are not prescriptive, if adopted by the states,
they would require covered insurers to assess, monitor, document and report on business
operations risks.
C.
The Sarbanes-Oxley Act Of 2002: Business Continuity For Publicly Traded
Companies
The Sarbanes-Oxley Act of 2002 (“SOX”) does not directly address disaster recovery planning;
however, it does cover business continuity planning with respect to an organization’s operations
in the event of a disaster, including maintaining operations in order to prepare timely accurate
financial statements. Compliance with Section 404 of SOX requires organizations to design and
establish controls and infrastructure with the aim of protecting and preserving business records
from loss, destruction, or unauthorized alteration. This would include: (1) the establishment of a
control environment; (2) risk assessment; (3) the implementation of control activities; (4) the
creation of effective communications and information flows; and (5) monitoring.6
D.
HIPAA: Protected Health Information
The Health Insurance Portability and Accountability Act of 1996, as amended by the Health
Information Technology for Economic and Clinical Health Act of 2009, and its implementing
regulations (collectively, “HIPAA”), impose various obligations regarding disaster recovery
5
See id.
6
See Committee of Sponsoring Organizations of the Treadway Commission, Internal Control—Integrated
Framework (Dec. 2011), http://www.coso.org/documents/coso_framework_body_v6.pdf.
-2-
plans on insurance companies that qualify as “covered entities” or “business associates” within
the meaning of the law.7
As an overarching matter, HIPAA-covered insurers must establish (and implement as needed)
“policies and procedures for responding to an emergency or other occurrence (for example, fire,
vandalism, system failure, and natural disaster) that damages systems that contain [EPHI].” The
provisions of HIPAA’s implementing regulations covering business continuity and disaster
recovery planning are established as part of the HIPAA Security Rule 8 and are located at 45
C.F.R. § 164.308 (Administrative Safeguards), 45 C.F.R. § 164.310 (Physical Safeguards), and
45 C.F.R. § 164.312 (Technical Safeguards).
As identified in the following list, some of the provisions established under HIPAA regulations
are “Required” (“R”), whereas others are “Addressable” (“A”).9 These provisions include: (1) a
data backup plan (R);10 (2) a disaster recovery plan (R);11 (3) an emergency mode operation plan
(R);12 (4) an emergency access procedure (R);13 (5) contingency operations procedures (A);14
7
8
Whether a given insurer’s activities relating to health care or health information will result in regulation under
HIPAA can be a complex question for which advice from counsel should be sought. Initially, HIPAA’s
requirements only applied to “covered entities” (essentially health plans, health care clearinghouses, and
healthcare providers), in connection with their use of electronic protected health information (“EPHI”), which is
defined as individually identifiable health information that is either transmitted by electronic media or
maintained in electronic media. However, these requirements have recently been expanded to directly cover
“business associates” as well, which are organizations that perform, or assist a covered entity in the
performance of, a function or activity involving the use or disclosure of EPHI, including claims processing or
administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit
management, practice management, and repricing. As the Department of Health and Human Services (“HHS”)
is in the process of finalizing further HIPAA rules, it is not currently enforcing these requirements against
business associates, but state attorneys general have done so, and HHS will as well when it finalizes its rules.
The Security Rule is located at 45 C.F.R Part 160 and Subparts A and C of Part 164.
9
When an implementation specification is required, a HIPAA-covered insurer must comply with the
implementation specification as written. By contrast, when an implementation standard is addressable, a
HIPAA-covered insurer has somewhat more flexibility. As a threshold matter, an addressable implementation
specification must be complied with if it is “reasonable and appropriate” for the insurer to do so. However, if a
HIPAA-covered insurer, after a risk assessment and analysis, determines that complying with a particular
implementation specification is not reasonable or appropriate, it must consider whether there is a reasonable and
appropriate alternative that accomplishes the same purpose. If the HIPAA-covered insurer determines that there
is no reasonable or appropriate alternative, it must document why it would not be reasonable and appropriate to
implement the implementation specification. Thus, in general, HIPAA compliance requires an additional level
of analysis and documentation by covered insurers.
10
45 C.F.R. § 164.308(a)(7)(ii)(A); see also 45 C.F.R. § 164.310(d)(2)(iv) (HIPAA-covered insurers must create a
retrievable, exact copy of EPHI, when needed, before movement of equipment).
11
45 C.F.R. § 164.308(a)(7)(ii)(B).
12
45 C.F.R. § 164.308(a)(7)(ii)(C).
13
45 C.F.R. § 164.312(a)(2)(ii).
14
45 C.F.R. § 164.310(a)(2)(i).
-3-
(6) an applications and data criticality analysis (A);15 and (7) testing and revision procedures
(A).16 Specifications 1 and 2 above require a HIPAA-covered insurer to create procedures to
back up and be able to restore exact copies of EPHI if lost. Specifications 3-5 cover procedures
for the continuation of critical business processes to protect the security of and maintain access
to EPHI during an emergency. Specification 6 covers access to the insurer’s facilities in support
of the activities covered in the prior specifications, and specification 7 covers the need to ensure
that all of the procedures herein are reviewed and revised on a timely basis.
It is important that HIPAA-covered insurers understand that the provisions cited above are not
waived or suspended in the event of a federally declared emergency or disaster.17 Although the
Secretary of the Department of Health & Human Services may suspend certain provisions of the
HIPAA Privacy Rule in the event of a federally declared emergency or disaster, 18 the provisions
that may be suspended have no bearing on those cited above, which appear in the Security Rule.
Although the federal government may exercise discretion when enforcing HIPAA, insurers
should not be lulled into a false sense of security; a failure to comply with HIPAA’s emergency
and disaster requirements cannot be explained away by the occurrence of an emergency or
disaster.
E.
The Gramm-Leach-Bliley Act: Nonpublic Personal Information
Pursuant to Title V of the Gramm-Leach-Bliley Act (the “GLBA”), 15 U.S.C. § 6801, et seq.,
financial institutions, including insurers, must protect the security and confidentiality of
customers’ nonpublic personal information. GLBA requires that each state insurance agency
“establish appropriate standards for financial institutions subject to their jurisdiction relating to
administrative, technical, and physical safeguards — (1) to insure the security and confidentiality
of customer records and information; (2) to protect against any anticipated threats or hazards to
the security or integrity of such records; and (3) to protect against unauthorized access to or use
of such records or information which could result in substantial harm or inconvenience to any
15
45 C.F.R. § 164.308(a)(7)(ii)(E).
16
45 C.F.R. § 164.308(a)(7)(ii)(D).
17
Office for Civil Rights, Health Information Privacy – Frequently Asked Questions,
http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2005.html.
18
Pursuant to 42 U.S.C. § 1320b-5, the Secretary of HHS may waive certain provisions of the HIPAA
Privacy Rule following a presidential declaration of an emergency or a disaster. The Secretary must, in turn,
declare a public health emergency as well. Following such a joint declaration, the Secretary may
waive the following provisions of the HIPAA Privacy Rule: (1) the requirements to obtain a patient’s
agreement to speak with family members or friends involved in the patient’s care (45 C.F.R. § 164.510(b));
(2) the requirement to honor a request to opt out of the facility directory (45 C.F.R. § 164.510(a)); (3) the
requirement to distribute a notice of privacy practices (45 C.F.R. § 164.520); (4) the patient’s right to request
privacy restrictions (45 C.F.R. § 164.522(a)); and (5) the patient’s right to request confidential communications
(45 C.F.R. § 164.522(b)). These waivers exceed those disclosures already permitted by law. See Hurricane
Katrina Bulletin: HIPAA Privacy and Disclosures in Emergency Situations, Sept. 2, 2005,
http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/katrinanhipaa.pdf.
-4-
customer.”19 In New York, for example, Regulation 173 requires that “each licensee shall
implement a comprehensive written information security program that includes administrative,
technical and physical safeguards for the protection of customer information.”20 Although not
explicit, the protections required for such nonpublic personal information would reasonably
relate to disaster preparedness and recovery.
II.
Best Practices
The complex priorities of assessing, monitoring, and planning for risks in order to maintain
business operations while protecting confidential policyholder information present unique
challenges to the insurance industry. Highlights of significant considerations and best practices
in this regard are set forth below. We note that a given insurer may be subject to one or more of
the laws discussed above, and thus some of the practices below may also be legal requirements;
this is particularly true for HIPAA-covered insurers. Please consider discussing your business
continuity / disaster recovery plan with counsel to ensure compliance with such requirements.
A.
Key First Steps
The first step any insurer should take in the business continuity planning process is to analyze its
vulnerabilities. To do so, an insurer should conduct: (1) a business impact analysis; and (2) a
risk analysis. The business impact analysis is the process through which the insurer must
determine which systems and data should be viewed as critical and which should be viewed as
noncritical. The risk analysis is the process through which the insurer considers the potential
circumstances that could constitute a disaster, i.e., a threat to the critical systems and data
identified in the business impact analysis. Both steps naturally involve a cost/benefit analysis,
but an insurer must take care to go beyond a consideration of operational losses and take into
account legal costs for failure to comply with various federal, state, and local laws and
regulations that mandate specific procedures and redundancies depending on the regulatory
structure covering the insurer.
1.
Business Impact Analysis / Data Classification Policy
The business impact analysis is the first study an insurer must conduct as part of its business
continuity planning. Most insurers are already aware of which systems and data are critical from
an operational and a profit-making perspective, but this analysis must take into account any legal
requirements to which a given insurer is subject. Certain regulatory structures have explicit
requirements that state in detail which systems and data are critical. For example, insurers
covered by HIPAA are subject to regulations that classify data (e.g., as EPHI) and mandate
specific requirements in the event of an emergency. 21 On the other hand, other laws may not be
as explicit. For example, as noted above, while SOX does not have a specific disaster recovery
19
15 U.S.C. § 6801(b).
20
11 N.Y.C.R.R. 421.2; see also N.Y. OGC Opinion No. 2002-46 (Feb. 14, 2002).
21
See 45 C.F.R. § 164.308(a)(7).
-5-
requirement, the statute does generally speak to business continuity planning with respect to an
organization’s operations in the event of a disaster, including maintaining operations in order to
continue to prepare timely and accurate financial statements.
2.
Risk Analysis / Determine Threats
Once insurers, through a business impact analysis, have determined which systems and data are
critical, the insurers must next consider which possible threats exist to the security,
confidentiality, integrity, and availability of that data, and whether those threats call for specific
pre- or post-response actions. Naturally, this analysis will reflect the business judgments of a
given insurer, as some threats are more likely than others, but insurers subject to various
regulatory structures must take all reasonable threats into account. Any threat that could affect
the regulated systems or data is a potential liability for the insurer, and all reasonable threats
must therefore be considered and mitigated to the extent possible. In some cases, the regulatory
structure will suggest certain risks. For example, HIPAA contains a nonexhaustive list that
includes “fire, vandalism, system failure, and natural disaster.”22 Other authorities speak more
broadly, such as the guidance put forth by the NYDFS, which requires insurers to plan for and
protect against “damages arising from natural and man-made disasters.”23 Companies should
consider threats unique to their business model, location(s), and other particular attributes.
B.
Security Controls (Physical, Electronic/Access Control)
Many types of disasters identified through the risk analysis will challenge an insurer’s ability to
maintain the security of critical systems and data. However, it would be imprudent to assume
that noncompliance with any established sector-specific or other applicable regulatory or similar
data and systems integrity obligations would be deemed acceptable simply because a disaster is
underway or has occurred. Thus, an insurer must ensure that the appropriate data and systems
security protocols are followed leading up to and maintained during a disaster to avoid exposing
itself to legal liability.
Insurers should evaluate possible mechanisms for ensuring the security of critical systems and
data, including both physical and electronic access controls. Depending on the data at risk, this
regulatory requirement or best practice relates to both the system(s) and data recovery/restoration
process and the emergency access procedure discussed, infra. Further, as the insurer recovers
from a disaster, it should, at a minimum, ensure that the confidentiality, integrity, and availability
of systems and data are not compromised by a security breach. As part of this pre-disaster
planning and risk analysis, insurers should consider whether their established, pre-disaster access
controls should, and under what circumstances, be extended to other personnel (internal or
external) in response to an emergency.24
22
45 C.F.R. § 164.308(a)(7)(i).
23
See N.Y. Circ. Ltr. 2012-1 (Apr. 9, 2012) (applicable to “all authorized property/casualty insurers,” among
other entities); N.Y. Circ. Ltr. 2012-2 (Apr. 12, 2012) (applicable to “authorized health insurers”); N.Y. Circ.
Ltr. 2012-3 (Apr. 12, 2012) (applicable to “authorized life insurers”).
24
See Emergency Access Procedure, infra.
-6-
C.
Backup, Emergency Access, and Restoration Mechanisms
As part of the business impact and risk analyses, insurers should determine which systems and
data are critical, i.e., those that cannot, as a legal or business imperative, be compromised as the
result of a disaster. As part of this determination, insurers should employ loss prevention
measures to ensure that effective backup and restoration mechanisms are in place to ensure the
safety of the systems and data identified as critical from the threats identified as reasonable
during the risk analysis phase.
1.
Backup Procedures
The backup procedures an insurer should implement will vary based on operational needs and
any legal requirements to which the entity is subject. The type of data backed up should at least
include that which was determined to be critical under the business impact analysis, supra. For
example, HIPAA-covered insurers are only explicitly required to “create and maintain
retrievable exact copies of [EPHI].”25 However, a HIPAA-covered insurer must take into
account the nature of the EPHI it holds, including the frequency with which it changes, to ensure
that backups are sufficiently regular so as to avoid running afoul of HIPAA’s data integrity
requirements.26 As an example of a more general requirement, as part of an insurer’s business
continuity plan, the NYDFS asks insurers to ensure their “[business continuity] plan contain[s] a
list of critical computer application programs, operating systems and data files.”27 Other statutes,
such as SOX, may have additional backup requirements.
2.
Emergency Access Procedures
During or in the aftermath of a disaster, but before a full restoration via backup, certain insurers
will be required to maintain or immediately resume access to their critical systems and data as
identified by the business impact analysis. To the extent required by any regulatory
requirements to which the insurer is subject, insurers should ensure that they are able to do so.
For example, HIPAA requires “procedures for obtaining necessary [EPHI] during an
emergency.”28 This could potentially require the redundancy of critical systems that provide an
alternate access path in the event that primary systems become unavailable due to a disaster or
other emergency situation. Furthermore, it could require changes to access controls in the event
that alternate personnel (e.g., internal IT technicians or other external IT forensics specialists) are
needed to retrieve or otherwise ensure access to critical systems or data. Similarly, the NYDFS
asks insurers whether, in drafting a business continuity plan, the insurer has “developed adequate
25
45 C.F.R. § 164.308(a)(7)(ii)(A).
26
See, e.g., 45 C.F.R. § 164.312(c).
27
NYDFS Business Continuity Planning Questionnaire, http://www.dfs.ny.gov/insurance/circltr/cl2012_dpr.htm.
28
45 C.F.R. § 164.312(a)(2)(ii).
-7-
manual processing procedures for use until the electronic data processing function can be
restored.”29
Insurers should carefully evaluate any such access changes made in the event of a disaster and
implement procedures to ensure the confidentiality and integrity of critical systems and data.
Although legal provisions may impose a requirement for ongoing access to the systems and data,
any decision to relax documented security controls to facilitate such access should be directed
and controlled by senior supervisory personnel. If such deviations from established security
controls are deemed necessary to comply with law or business imperatives, supervision and
monitoring would likely need to be heightened to maintain the confidentiality and integrity of the
affected systems and data, both to ensure that no breaches occur during the disaster and to ensure
that once the disaster is resolved, normal security controls are restored.
3.
Restoration Procedures
Data restoration procedures will similarly vary based on operational needs and any regulatory
requirements to which the insurer is subject. Some laws may contain explicit requirements. For
example, HIPAA requires “procedures to restore any loss of [EPHI] data.”30 However, the
question is broader than the mere restoration of data, as the data must be restored to an available
system that is actually accessible. To that end, the insurer’s risk analysis (see supra) should
anticipate this need and be guided in this regard. If possible disasters include environmental
ones such as storms that could have a severe region-wide impact, the entity should consider a
restoration plan that involves more secure, off-site facilities outside a given region. For example,
as part of an insurer’s business continuity plan, the NYDFS asks whether an insurer has an
agreement in place to use “a specific alternate site and computer hardware to restore data
processing operations after a disaster occurs” and whether “the site [has] a backup generator in
place in case of local power outages, a fire detection and suppression system and moisture
sensors in place under the raised floor.”31 Moreover, the NYDFS asks whether an insurer’s
business continuity plan “contains a list of supplies that would be needed in the event of a
disaster, together with names and phone numbers of the suppliers.”32 The NYDFS stresses the
importance of an insurer “undertak[ing] steps in managing [its] supply chain” as part of its
business continuity plan.33 Similarly, the FLOIR suggests that insurers, when considering a
disaster recovery plan “to ensure company facilities are operational post-storm,” address physical
resources such as “office space, back-up power . . . back-up telephone system . . . technology
29
NYDFS Business Continuity Planning Questionnaire, http://www.dfs.ny.gov/insurance/circltr/cl2012_dpr.htm.
30
45 C.F.R. § 164.308(a)(7)(ii)(B) (emphasis added).
31
NYDFS Business Continuity Planning Questionnaire, http://www.dfs.ny.gov/insurance/circltr/cl2012_dpr.htm.
32
Id.
33
Id.
-8-
issues, computers / laptops / printers / calculators, system access, server alternatives, [and]
contract resources for services restoration[.]”34
D.
Policy Distribution Mechanism / Documentation Plan
A disaster recovery plan is only effective if an insurer’s employees are trained and aware of it.
Moreover, certain laws require covered insurers to ensure that employees have ready access to
the plan. For example, HIPAA requires mandated procedures to be in written (or electronic)
form, and for that documentation to be available to “those persons responsible for implementing
the procedures.”35 When evaluating an insurer’s business continuity plan, the NYDFS asks
whether the insurer’s “business continuity plan clearly describe[s] senior management roles and
responsibilities associated with the declaration of an emergency and implementation of the
business continuity and disaster recovery plans.”36 Moreover, the NYDFS looks to see whether
an insurer’s business continuity plan “clearly identif[ies] the general process by which the threat
will be assessed and the specific individuals who are authorized to declare an emergency.”37
Therefore, it is important for insurers to carefully consider mechanisms for ensuring that their
employees are sufficiently aware of and trained in the company’s emergency procedures, such
that they are able to adequately respond in the event of a disaster.
Access to emergency plans and policies is also critical. Thus, while an insurer may choose to
provide electronic access to copies of (or updates to) its disaster recovery plan documents, the
insurer should strongly consider regularly making hard copies of such plans/policies available to
key personnel, as a loss of power or a system failure is a common type of disaster that would be
identified in the risk analyses of nearly every company. For example, the NYDFS asks insurers
whether “copies of the [business continuity] plan [are] kept in relevant off-site locations.”38
E.
Test and Review Process
Finally, one of the most important best practices to employ is the regular testing, review, and
redrafting, where necessary, of the procedures discussed above and the documentation that
results. As part of the business continuity planning process, the NYDFS asks insurers whether
their business continuity plan is “current, based on a business impact analysis, [has] been tested
[and whether that test has occurred in the last year].”39 Moreover, the NYDFS asks insurers to
34
Fla. Info. Memo. OIR-05-007M (June 8, 2005).
35
45 C.F.R. § 164.316(b).
36
NYDFS Business Continuity Planning Questionnaire, http://www.dfs.ny.gov/insurance/circltr/cl2012_dpr.htm.
37
Id.
38
Id.
39
Id.
-9-
review the plan to ensure that it covers “all significant business activities, including financial
functions, telecommunication services, data processing, [and] networking services,” and to
ensure that “a restoration priority [has] been assigned to all significant business activities.”40
A regular review of the business impact analysis and risk analysis serves to ensure that all
necessary systems and data designated as critical are examined regularly and tested to determine
whether then-current procedures are sufficient and will work as planned. Too many companies
neglect this important step and, following a disaster, find that their procedures did not function as
planned, or worse yet, that backup, emergency access, or restoration of critical systems and data
is not achievable. Such a failure can expose insurers to serious liability. Again, insurers should
seek advice from counsel during each review stage of their business continuity plans to ensure
that they account for the most current federal, state, and local laws, regulations, and guidance, as
well as industry best practices.
***************
If you have any questions regarding this new proposal, please contact Leah Campbell (212-7288217, [email protected]), Francis M. Buono (202-303-1104, [email protected]),
McLean B. Sieverding (202-303-1163, [email protected]), Carissa M. Mann (212-7288186, [email protected]), Benjamin B. Williams (202-303-1146, [email protected]),
or the Willkie attorney with whom you regularly work.
Willkie Farr & Gallagher LLP is headquartered at 787 Seventh Avenue, New York, NY 100196099. Our telephone number is (212) 728-8000, and our facsimile number is (212) 728-8111.
Our website is located at www.willkie.com.
December 11, 2012
Copyright © 2012 Willkie Farr & Gallagher LLP.
All Rights Reserved. This memorandum may not be reproduced or disseminated in any form without the express
permission of Willkie Farr & Gallagher LLP. This memorandum is provided for news and information purposes
only and does not constitute legal advice or an invitation to an attorney-client relationship. While every effort has
been made to ensure the accuracy of the information contained herein, Willkie Farr & Gallagher LLP does not
guarantee such accuracy and cannot be held liable for any errors in or any reliance upon this information. Under
New York’s Code of Professional Responsibility, this material may constitute attorney advertising. Prior results do
not guarantee a similar outcome.
40
Id.
- 10 -