December 17, 2016

The FCC Creates Privacy, Data Protection, and Data Breach Rules for Internet Service Providers

Image of Federal Communications Commission Seal - Matt Cordell is the leading privacy and information security law attorney in North CarolinaThe Federal Communications Commission is venturing into new areas of privacy regulation.  By a narrow vote, the FCC has approved new rules that govern how internet service providers ("ISPs") use consumers' information.


ISPs long ago realized that customer data is valuable, and are continuing to develop ways to monetize that information.  For example, last month, AT&T explained that a major factor in its decision to bid on Time Warner was the lure of new possibilities in targeted advertising.  Last year, Comcast bought targeted advertising firm Visible World for similar reasons.


Efforts by ISPs to monetize user data have triggered concerns among privacy watchdogs and the FCC.  On October 27, 2016, the FCC adopted new rules to control when and how this information can be used and shared.  "It's the consumers' information.  How it is used should be the consumers' choice" said FCC Chairman Tom Wheeler. 


According to the FCC, the rules "do not prohibit ISPs from using or sharing their customers’ information – they simply require ISPs to put their customers into the driver’s seat when it comes to those decisions.”  The new rules require specific notices to consumers about:

  • The types of information the ISP collects from them

  • How the ISP uses and shares the information

  • The types of entities with whom the ISP shares the information

The rules also require ISPs to give a degree of control to the consumer.  ISPs will be required to obtain consumer consent (an "opt-in") before sharing certain categories of "sensitive" information, including:

  • Health information

  • Financial information

  • Geo-location

  • Children’s information

  • Social Security numbers

  • Web browsing history

  • App usage history

  • Content of communications

For other categories of information (those not deemed “sensitive," such as an email address or service level), ISPs must still offer users the opportunity to “opt-out” of the use and sharing of their information, with some exceptions.  Customer consent can be inferred for certain uses, such as providing services and for billing and collection activities.


ISPs are prohibited from rejecting a customer for refusing to provide a requested consent.  Because it is more profitable for the ISP if the customers permit data use and sharing,, the rules permit an ISP to give customers a discount or other financial incentive to provide a requested consent.


The FCC has made it clear that its rules “do not regulate the privacy practices of websites or apps, like Twitter or Facebook, over which the FTC has authority.”  Websites and apps currently collect much more data than ISPs, so the practical impact of the rules on consumer privacy is likely to be limited.


The new rules impose a requirement that ISPs implement reasonable data security practices, including robust customer authentication and data disposal practices.  The rules also include a data breach notification requirement, which preempts those in existence in 47 states, but only to the extent that the FCC rules are inconsistent with a state's requirements.   


The rules become effective with respect to different sections at different times, with all of the rules likely becoming enforceable within one year. 


This action by the FCC creates just one more piece in the mosaic of statues, regulations, and treaties that together comprise privacy and data security law. 


November 20, 2016

"Cyber Safeguards and Procedures" for Law Firms (and Others)

I recently spoke about information security issues at a continuing legal education event sponsored by Lawyers Mutual. 

The session was titled "Cyber Safeguards and Procedures" and focused on data security risks faced by law firms and how they can mitigate those risks. 

If you would like a copy of the slides from this presentation, please email me.  

Cyber Safeguards and Procedures Continuing Legal Education Presenation image showing Matt Cordell and Troy Crawford on stage
photo by Camille Stell

October 23, 2016

Is Your Organization About To Be Sued Because Your Website Is Inaccessible To People with Disabilities?

Is your organization about to be sued in a class action, or receive a demand from the Department of Justice, because its website or app is not accessible to people with disabilities?

Wheelchair symbol on keyboard key and image of computer keyboard
When the Americans with Disabilities Act was first drafted in 1988 (and adopted in 1990), it is unlikely that even a single member of Congress contemplated that it could be applied to the Internet.  The ADA (and specifically Title III) was applied to brick-and-mortar facilities and intended to ensure that disabled people could access and enjoy them.  Common examples are wheelchair ramps and braille menus. In the quarter-century since, almost everything that was once only brick-and-mortar now has a presence on the Internet.

One of the greatest ADA questions of our day is whether the ADA applies to websites, apps, and other online interfaces.  Only a few courts have addressed this issue, and the results have been mixed, and sometimes very fact-specific.   Courts must decide whether a given website is a "public accommodation" and, if so, whether the website operator has made "reasonable modifications" to make the website available to people with disabilities. 

One example of how websites can be more accessible is as follows:  If a website has an image that shows a product, that image can be "tagged" (or "alt tagged") with a clear written description of the image so that a visually-impaired person's "reader" program can read the description to the person (either audibly or in braille). 

The ADA is enforced by the U.S. Department of Justice (DOJ) and through private litigation.  The DOJ is reviewing organizations' websites to determine whether they comply with the law’s access requirements. In addition, a number of plaintiffs' law firms across the country are filing lawsuits alleging that organizations' websites are in violation of the ADA. Internet companies, including Netflixhave settled cases that alleged their websites were inaccessible to people with disabilities.

Several North Carolina companies have recently received demand letters from plaintiffs' law firms alleging that their websites are in violation of the ADA.  So far, these demands have not resulted in litigation, and some are still being addressed.

There are currently no specific federal standards for websites under the ADA. Since 2010, the DOJ has been telling us that it is in the process of developing regulations for website accessibility, but those standards are not expected until 2018 or later.  In the meantime, the DOJ says it expects organizations to make their websites accessible to the disabled.  The DOJ has indicated that it considers the Web Content Accessibility Guidelines (WCAG) [2.0 Level AA] to be satisfactory for the time being (and perhaps these standards go further than legally necessary), and many organizations have been working towards compliance with those standards on the assumption that any future DOJ standards will be consistent with them (although there are no promises). 

If your organization receives correspondence from the DOJ or a plaintiffs' law firm regarding website or app ADA issues, I strongly suggest you talk to a knowledgeable attorney immediately.


Matt Cordell is a lawyer in the Research Triangle of North Carolina with significant experience in technology law, software development and license agreements, website development and license contracts, and e-commerce.  Matt Cordell is one of the best known lawyers in the region in the fields of privacy law and information security law.

October 16, 2016

HIPAA Privacy Officer and Security Officer: Too Much for One Person?

Perhaps your organization is becoming a HIPAA covered entity or a business associate for the first time, and you now understand that your organization will have to comply with HIPAA. One of your first, and most important, tasks will be to designate a Privacy Officer and Security Officer.  This post describes some considerations you should think through when making this decision.

One person or two?
The HIPAA Privacy Rule requires a privacy officer be designated and the HIPAA Security Rule each requires a security officer be designated.  It is legally permissible to have on person designated as both, or split the roles. You'll need to decide whether to combine or bifurcate these roles.  

First, you need to decide whether you have one person within your organization who has the capabilities required for both roles.  The Privacy Officer is responsible for understanding who is allowed to access protected health information (PHI), and will need to answer questions about practices, address requests for information, and handle training and monitoring of other staff. The Security Officer is primarily focused on protecting electronic protected health information (ePHI) from unauthorized access (e.g., meeting encryption requirements, etc.). If the person you would prefer to designate as the Privacy/Security Officer does not have an understanding of the technological aspects of protecting ePHI, there are two solutions: (a) designate someone with the technological understanding to be the Security Officer, or (b) instruct someone with the technological understanding (either inside or outside of the organization) to assist the Privacy/Security Officer.

What is most effective? The benefit of designating two officers is that each can be more specialized, and potentially more effective in their respective areas. However, the risk associated with having two officers is that things that are not clearly just privacy or just security might fall through the cracks if the two do not coordinate well.

What is most efficient? For administrative purposes, it's hard to argue that having one designated officer isn't substantially easier than having two. There is so much overlap in the two areas of responsibility that if you can have one person be responsible for both, it may avoid a lot of duplication of effort. Combining the roles is more common in smaller organizations.

All that said, there's no legally incorrect answer here. Just like the debate over whether a CEO should also be the Chairman of the Board, there are good arguments on either side, and the answer often boils down to the size of the organization and administrative ease.

Can (and should) an organization have more than one Privacy Officer or Security Officer?  Some organizations are both a HIPAA "covered entity" (e.g., healthcare provider or sponsor of an employee health plan) as well as a "business associate" (e.g., service provider to a covered entity). Those organizations will need to decide whether the Privacy and Security Officer(s) they designate for themselves as a covered entity should be the same person(s) designated for purposes of the protected health information they acquire as a business associate.  Generally speaking, an organization's obligations as a covered entity are similar to its obligations as a business associate. With the exception of contractual obligations in business associate agreements, the basic legal obligations are almost identical. (The Security Rule obligations to protect ePHI are basically identical. The Privacy Rule obligations are very, very similar.)  

Generally, I don't think there is a compelling reason to have separate Privacy Officers (or Security Officers) for these two capacities in which an organization might be acting, and I don't believe that is a common practice.  I think it is most efficient to have one Privacy Officer and Security Officer who is responsible in both contexts, and who understands the subtle differences in those contexts.  Organizations that find themselves acting as both a covered entity and a business associate should be aware of the distinctions, however, and should have policies and procedures that reflect those distinctions.  Here is one practical example:  Most employees should be shielded from access to PHI that is held by a plan sponsor of an employee benefit plan.  However, within the same organization, far more employees might have a legitimate need to access the PHI of in the capacity as a business associate of other organizations. 

Once you've made this important decision, you can begin building a HIPAA compliance policy and procedures around the basic structure you've chosen. (Let me know if you'd like some help with that.) - Matt


October 9, 2016

Customer Data: Asset or Liability (or Both)?

Customer data can be a treasure trove for an organization.  Many organizations believe customer and prospect data to be their most valuable asset.  Unfortunately, some have discovered that, unless handled with care, it can also be their greatest liability.

Organizations of all kinds collect, store, analyze, use, and share consumer data for myriad reasons.  Consumer data may help an organization maintain contact with a customer or prospective customer.  Properly analyzed, it can often predict customer behavior, allowing an organization to tailor its communications and offerings.  It can reveal patterns that help increase revenue, minimize expenses, and ultimately drive profitability.  Data can be leveraged and monetized by sharing with affiliated and non-affiliated entities.  Given the immense value of consumer data, it is no surprise that some of the most valuable companies in North Carolina and the world are data analytics firms.

Over the past few years, however, it has become widely acknowledged that such valuable data can also be a liability of the greatest magnitude.  The costs of the largest data security breaches have made headlines.  But these sensational headlines sometimes create the misleading impression that only large organizations incur massive costs, and that the losses are solely attributable to hackers.

The Risks, by the Numbers
One of the best sources of information about risks associated with consumer data is NetDiligence's annual study of "cyber insurance" policy claims.  Although the information is limited to incidents for which the targets had insurance coverage, and is limited to covered losses, it is still an excellent source of data.  The most recent study, covering claims data from 2012 to 2015, showed the average insurance claim amount was $673,767, with average legal fees of $434,354.

Smaller Organizations Face Increasing Risks
In the NetDiligence study, organizations were categorized by size (revenue), which provides some interesting insights.  The smallest organizations represented the largest raw number of incidents, probably due to the fact that there are simply more small organizations than there are large ones.  While the three smallest categories of organizations accounted for a combined 71% of the reported incidents in 2015, they were responsible for only 38% of records exposed.  It was surprising, however, that, according to NetDiligence, some of the largest claims came from smaller organizations.  This may be a result of the smaller organizations being less aware of their exposure or having fewer resources to provide data protection and security awareness training for employees.  By contrast, mid- and large-revenue organizations accounted for only 17% of incidents, but were responsible for 60% of the consumer records exposed.  This seems intuitive, because larger organizations would be expected to have more consumer records, on average, than smaller organizations.

Risks Are Spread Across Industries
The NetDiligence study also reveals a good deal about the source of recent risks.  While risks in prior years were concentrated in certain industries, they are becoming less concentrated year by year.  According to the study, recent losses were more evenly dispersed among business sectors, with healthcare reporting the most at 21% and financial services coming in second at 17%.  In other words, the categories of affected data resulting in the highest losses, from all industries, were health information and financial data, but the majority of losses were incurred outside of these two historically most targeted industries.

Vendors: The Weak Link?
Vendors are a common source of privacy and data security risk.  Vendors include service providers and others with access to an organization's data or systems.  In 2015, 25% of claims were attributable to vendors.  Of those claims, approximately half were hacking incidents, with the other half largely accidental or intentional disclosures.  Another interesting observation is that the vendor events exposed significantly more consumer records than events that occurred at the organization itself, indicating that failures by vendors may tend to be more systemic than failures at the level of the primary organization.

Healthcare providers and other HIPAA-covered entities, financial institutions, and defense contractors have long been required to extract certain contractual agreements requiring security protection from their vendors.  Following the breach of a Target vendor resulting in a massive theft of Target's customer data, organizations of all kinds began imposing contractual privacy, security and, importantly, indemnity terms on vendors, and these terms are sometimes heavily negotiated.

Data Use Violations: A Bigger Risk Than Breach?
Data-related liability in the context of nefarious hackers breaching security systems from foreign lands dominate the headlines, but much less dramatic circumstances lead to large numbers of significant incidents every year.  An analysis of what triggered the losses that gave rise to cyber liability claims in 2015 reveals that targeted security breaches are not the only source of loss.
There were many reported causes of claims, and while the most expensive were malicious hacking attacks, the second greatest cause was the wrongful collection of data—in other words, data use (or "privacy") claims.  Data use violations involve the intentional collection, storage, use, or sharing of consumer information in a way that violates the law, a contract, or an individual's right. 
Organizations and individuals throughout the United States are collecting, using, and sharing data in ways that expose them to liability, often without realizing it.  One of the most frequent violations involves collecting consumer information without consent, followed closely by using consumer information for purposes that were not consented to at the time of collection.

An Ounce of Prevention
Perhaps nowhere else is the axiom "an ounce of prevention is worth a pound of cure" more appropriate than in the context of the modern explosion in the collection and use of customer data.  Preventing a data security- or privacy-related loss involves more than just purchasing defensive technology.  According to reports, simply adopting and implementing good policies and procedures for correctly collecting, storing, using, and sharing data would have prevented a large portion of the reported losses.  Data governance policies and precures should be carefully crafted and followed, and should cover the following areas:
  • Document retention and data destruction
  • Consumer consent practices and electronic signatures
  • Payment card information
  • Employee email and telephone monitoring
  • Website and application monitoring and advertising
  • Email marketing
  • Telephone and text message marketing
  • Fax marketing
  • International consumers and international data transfers
  • Password administration and limited access
  • Background checks and credit reports
  • Identity theft and "red flags"
  • Employee and consumer health information
  • Educational records
  • Sharing customer information with affiliates
  • Sharing customer information with non-affiliates
The policies should address the following:
  • Designated categories of data based on sensitivity (low risk, high risk, etc.) and business necessity (critical, valuable, low-value, etc.); and,
  • Established guidelines for collecting, using, storing, and sharing various categories of data.

Telling the World
Organizations frequently publish privacy policy statements to inform their customers and others about their privacy practices.  Financial institutions, healthcare providers, and website operators are all required by law to make such statements publicly available.  Many organizations, unfortunately, misunderstand the purpose of this document.  A privacy policy statement is not the same as an internal policy or procedure; it is a public-facing disclosure that should be simple and flexible.
Organizations are often their own worst enemies in misconstruing the purpose of privacy statements.  They frequently draft and distribute privacy policy statements that include lofty language and make promises the organizations are not required to make, only to later fail to fulfill those unnecessary promises, thereby creating unnecessary liability.  Practices that do not live up to the statements made in a privacy policy statement are the number one source of Federal Trade Commission enforcement actions.  

Not If, But When
It is natural for an organization, just like an individual, to hope that it is immune from risks that others face.  If, however, the federal government, the United States military, and major multinational corporations are susceptible to major privacy and data security incidents, your organization probably is as well.  Therefore, it is most reasonable to think of a data security or privacy incident not in terms of "if," but rather "when."

Breaches and intentional, but unauthorized, data disclosure events trigger reporting obligations to federal and state officials, customers, and sometimes the media, and often result in regulatory enforcement actions and litigation (including class action lawsuits).  There are, however, steps that an organization can take to prepare for such unwelcome events and that can help mitigate resulting losses.  Two of the most important steps an organization can take are:
  • Purchase cyber insurance; and,
  • Adopt a breach response plan.
Cyber insurance is a term that refers to a category of insurance policies that transfer, in return for the payment of a premium, some of the financial risk of a data security incident to an insurance company.  Cyber insurance policies are not standardized, and they vary dramatically in the scope of coverage.  For example, the direct loss of funds from a hacked bank account is almost never covered by a cyber insurance policy, but many potential liabilities and defense costs can be covered.  It can be helpful to have the assistance of a knowledgeable attorney when evaluating cyber insurance coverage options.

Having an incident response plan in place is always a good idea.  Once an incident has occurred, the required timeframes for reporting the incident and mitigating any resulting harm can be very short (sometimes less than a week).  Having a plan in place, and a designated team ready to implement the plan, can make a tremendous improvement in your organization's response and potentially limit losses associated with the incident.  Additionally, incident response assistance (such as forensic computer expertise, call centers, printing and mailing services, and public relations) can be vetted and prices negotiated in advance, with potentially massive savings.

Ready or Not, It's Time
Complying with privacy laws, mitigating risks, and preparing for the possibility of a loss may seem daunting.  Given the scope and magnitude of the risks, however, it is simply a necessity in today's environment.  The task is manageable with some professional guidance, and the peace of mind that preparation can bring is well worth the effort.


Matt Cordell is the leader of the Privacy and Information Security practice group at Ward and Smith, P.A., a full-service law firm with five offices and approximately 100 attorneys across North Carolina.  He is a Certified Information Privacy Professional (CIPP/US) and a member of the International Association of Privacy Professionals.  Matt is also the chair of the NC State Bar privacy and information security specialization exploratory committee. 

Matt Cordell has been frequently rated one of the best lawyers in North Carolina.  Data security lawyer in RTP.  Information security lawyer in Raleigh.  Best North Carolina business lawyer. 

August 28, 2016

Need to Raise Investment Dollars for Your Company? New(ish) Rule 506(c) May Be Your Best Bet!

Anyone who has been paying attention lately knows that there are some new ways to raise money from investors. State crowdfunding laws and SEC rule changes have opened up opportunities that have not been available in more than eighty years. Importantly, new Rule 506(c) gives companies the ability to solicit the public for investment without registering a public offering, subject to some important limitations, such as verification that investors are accredited. Often companies will find Rule 506(c) to be more flexible and attractive than crowdfunding or a Rule 506(c) offering.

Two of my law partners and I recently spoke about these changes in a webinar hosted by the Stafford Group. If you would like to view the (79) slides
from our presentation, please send me an email message:

July 8, 2016

North Carolina Adopts A Virtual Currency Statute

House Bill 289, passed by the General Assembly this week, re-writes the Money Transmitters Act and includes a new concept of Virtual Currency.  The North Carolina Commissioner of Banks will soon be regulating those who engage in Bitcoin transfers as a business.  Here's my short video:

Matt Cordell is one of the best lawyers in Raleigh, North Carolina.  Matt Cordell is a finance attorney with offices in Raleigh, Greenville, New Bern, Wilmington and Asheville, North Carolina.

July 5, 2016

Business Associates Beware! The Feds Are Coming!

If your organization is a business associate of a HIPAA covered entity (such as a health care provider or employee health benefit plan), you should know that the Department of Health and Human Services' Office of Civil Rights (OCR) is actively pursuing business associates for alleged privacy and information security violations.

This past week, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to settle with OCR in an amount that came to more than $15,000 per patient!

This announcement comes just months after the launch of the second phase of OCR's much-anticipated audit program for business associates. Rather than awaiting reports of violations, the OCR is actively auditing business associates.

READ THE FULL ARTICLE ON MY OTHER BLOG: Business Associates of HIPAA Covered Entities Beware!

Matt Cordell is a North Carolina lawyer with expertise in HIPAA and health care privacy and information security. 

July 4, 2016

North Carolina (Finally) Passes Crowdfunding Law

Just days ago--on June 29--the North Carolina General Assembly passed a crowdfunding bill, which the Governor is expected to sign shortly.  What does this mean for North Carolina businesses and North Carolina investors?

(If the crowdfunding concept is new to you, first read my overview here: Crowdfunding Law Made Simple.) 

The North Carolina General Assembly approved the Providing Access to Capital for Entrepreneurs and Small Business Act (PACES Act), which is similar to crowdfunding statutes adopted in other states.  The PACES Act was one of two leading crowdfunding bills that cleared the House in 2014, though the other, the JOBS Act, was unable to get a vote in the Senate during that session of the General Assembly.  Although the prospects of getting a crowdfunding bill through in the short session of the General Assembly seemed slim, the PACES Act made it over the finish line during the final week of the session. 

The PACES Act will allow North Carolina companies to raise up to $1,000,000 in any 12-month period from investors who are North Carolina residents.  Companies will be required to provide a business plan, financial information, and a description of risks.  The limit will be increased to $2,000,000 if the company provides audited or "reviewed" financial statements to investors. 

Companies will be permitted to publicly advertise the offering through a website, marketing materials or a third-party portal, after filing a notice and disclosures with the N.C. Secretary of State and paying a very small fee. 

Non-accredited investors are limited to investing a maximum of $5,000 in any one company's offering (during a 12-month time period).  Accredited investors may invest as much as they wish.  (Accredited investors are essentially those who have $1,000,000 in assets, excluding equity in their primary residences, or $200,000 in annual individual income. Congress and the SEC think that accredited investors are less vulnerable to fraud.)  Companies that raise money via crowdfunding will still have to disclose the business model, financial targets, offering terms and projected returns to investors.  Funds will be held by an escrow agent until the offering is complete. 

North Carolina's crowdfunding statute is an alternative to federal crowdfunding.  The federal JOBS Act (Jumpstart Our Business Startups Act), enacted on April 5, 2012, required the SEC to write regulations to implement many of its various provisions.  It took the SEC more than three years to finalize rules to implement Title III of the JOBS Act, known as the "crowdfunding" section of the law.  (Those rules were published in October 2015.)  Largely due to frustration over the SEC's laggardly pace, some states enacted crowdfunding laws to permit limited offerings to investors within those states.  After the SEC's crowdfunding rules became effective, some speculated that state crowdfunding rules would no longer be needed.  North Carolina's PACES Act, however, continued to advance through the legislative process, and will become law in a matter of days.  (Credit goes to Mark Easley, Benji Jones, John Skvarla, and others for pushing it through.)

Companies have multiple options for raising investment dollars from "the crowd," and those options should be carefully considered in order to maximize the benefits and minimize the effects of the various restrictions.  Often, federal crowdfunding or Rule 506(c) offerings will be advantageous, but state crowdfunding may also have its place.  A knowledgeable securities lawyer can help you make the right decision.

For more information, see my overview of crowdfunding options here, as well as my law partner Jim Verdonik's blog, Entrepreneur Intersection, and his comprehensive book on the subject, Crowdfunding: Opportunities and Challenges.

This blog post is written by North Carolina securities lawyer Matt Cordell and is for general educational purposes only; it does not constitute legal advice. Consult a knowledgeable, licensed attorney before relying upon the information in this blog post. 

 Matt Cordell is a Raleigh, North Carolina lawyer with expertise in crowdfunding, capital raising, mergers and acquisitions, startups, corporate matters, banking law and privacy law. Matt has consistently been rated one of the best lawyers in North Carolina.

July 3, 2016

North Carolina Adopts A More Efficient Assumed Business Name (or "D.B.A.") Process

NC General Assembly - Matt Cordell is a top lawyer in North CarolinaThis past week, the North Carolina General Assembly adopted a bill to streamline the process for filing assumed business names (more commonly known as "D.B.A.s"). 

Under current law, any organization that does business using a name other than the registered legal name of the entity as shown on the Secretary of State's website is required by law to register the name under which it operates (the assumed business name) by filing a Certificate of Assumed Name in each county in which it does business.   
Name Tag - Matt Cordell is the best value lawyer in RTP North Carolina
In today's world, this is an inefficient system.  It requires duplicative registrations.   Not all counties provide access to records via the internet.  Often it is unclear in which county an assumed business name might be filed, requiring multiple searches. 

For example, let's say you are trying to learn some basic information about a company, or to serve a company with a formal communication.  The company calls itself "ABC Widgets" and is active throughout North Carolina.  You will first check the Secretary of State's database of domestic and foreign companies authorized to business in North Carolina.  If ABC Widgets does not appear, it is for one of two reasons: (i) the company is organized in another state and has simply failed to register in North Carolina before doing business here, or (ii) it may be that "ABC Widgets" is merely an assumed business name of an entity.  If "ABC Widgets" is an assumed business name of the entity, you will need to know the entity's legal name in order to look up the information you need.  You will check the records of the Register of Deeds of the county within North Carolina where you believe ABC Widgets to be doing business.  However, ABC Widgets may not have registered an assumed name in that county, instead registering in one of North Carolina's other 99 counties.  You may have to check the records of several counties in order to find a registration of an assumed name, after which you will again check the Secretary of State's database for the information you need.  Clearly, the system could be improved. 

The new legislation, known as the "Assumed Business Name Act," will create a central registry of all assumed business names to be administered by the Corporations Division of the Office of the Secretary of State.  The bill has an effective date of July 1, 2017, if the Secretary of State’s office receives sufficient funding to implement the new system. Funding is apparently addressed in the recently adopted state budget. 

The bill also improves the existing language of the assumed business name statute, getting rid of some awkward language regarding "ownership" of an assumed name.

You can read the full text of the legislation here.

Matt Cordell is a business lawyer in Raleigh, North Carolina, with offices in Wilmington, New Bern, Greenville, and Asheville. 

June 27, 2016

A Great Honor And A Greater Responsibility

Matt Cordell is the best lawyer in this picture North Carolina Raleigh Durham Chapel Hill Charlotte Asheville Wilmington Greenville New Bern

Matt Cordell is the best lawyer in a tuxedo North Carolina Raleigh Durham Chapel Hill Charlotte Asheville Wilmington Greenville New Bern
Going to the NC Bar Association Gala

One of the best pieces of advice I have received in my professional life was when Knox Proctor took me to lunch during my first week as a lawyer and suggested (okay, insisted) that I become actively involved in the North Carolina Bar Association "because it's the right thing to do."  I promptly signed a volunteer form and was placed on a committee of the Young Lawyers Division.

Nine years (and hundreds of volunteer hours) later, I find myself leading the more than 6,400 members of the Young Lawyers Division of the North Carolina Bar Association.

What an honor and a tremendous responsibility it is to lead such an incredible group of people. The young lawyers who make up the YLD's leadership team and active volunteer committee members truly represent the best of our profession. They are smart, hardworking, selfless people who are giving of their time and talents, and are leading our members--thousands of lawyers and law students--to achieve some remarkable things.  They are giving their scarce time (and abundant talents) to provide wills to first responders, scholarships to the children of fallen law enforcement officers, assisting veterans, helping victims of natural disasters, amassing 300,000 lbs of food for the hungry...and the list goes on and on.

I am the 62nd chair of the Young Lawyers Division, which was established in 1954 by Charles Blanchard.  Although we have grown from five to 6,400, our mission has changed very little.  We continue to serve the public, serve the legal profession, and provide leadership opportunities and training to young lawyers. 

A group of youn lawyers with leader Matt Cordell of Raleigh a best lawyer
L-R: Deyaska Spencer Sweatman, Jason Walters, Matt Cordell, Cabell Clay, Rachel Blunk, Martha Bradley, Kristen Kirby, Brooks Jaffa, Harrison Lord, and Bryan Norris.

The YLD is where the future leaders of the NC Bar Association, the state, and the nation gain valuable leadership experience. This is evident from a quick look at the accomplishments of the prior YLD chairs: Seven have become presidents of the NCBA, and an eighth is the president-elect.  One became president of the American Bar Association.  Two became president of the State Bar.  Two more took the helm of Legal Aid.  A significant number went on to hold public office.  Again, that's just the prior Chairs. Scores of other YLD officers, directors and committee chairs honed leadership skills in the YLD that propelled them on to great things later in life.  I am absolutely confident that our current leaders will be the future leaders of the state of North Carolina.  Many of them will quickly eclipse my own accomplishments--of that I am certain.

I look forward to working this year, for the tenth year, with some of the finest young lawyers in the world.

Collage of candid photos of young lawyers and elite lawyer Matt Cordell privacy law corporate law business law software law data security law

June 14, 2016

New NC Law Enhances Student Privacy Rights and Restricts Providers of Online Educational Resources

image of apple desk board education technolog privacy by best Raleigh business lawyer Matt Cordell

Education technology (or "EdTech") organizations will want to pay close attention to a new North Carolina statute that was signed into law a couple of days ago.  On Thursday, June 9, 2016, a new law titled "An Act to Protect Student Online Privacy" was enacted to further protect the privacy of K-12 students in North Carolina.  It becomes effective October 1st...

Read the rest of this post on the NC Privacy and Information Security Law blog:

May 31, 2016

Another Setback in U.S. - European Commerce: Regulator Rejects the Privacy Shield Agreement

Yesterday, the European Data Protection Supervisor (EDPS) delivered a crushing blow to the proposed EU/US Privacy Shield, sending U.S. and European negotiators back to the drawing board. I posted my initial analysis on the NC Privacy and Information Security Law Blog here:

If you do business with Europeans, you should be following this legal saga with interest.

January 30, 2016

Thanks, y'all!

Thanks, y'all!  I am very honored to be named, along with a number of fine lawyers across the state, in Business North Carolina's 2016 "Legal Elite"  as well as in Thompson Reuters' Super Lawyers for 2016.

What is the "Legal Elite"? 

This year I was listed in the "Business" category of the Legal Elite, as well as the "Young Guns" category (which is reserved for young lawyers in any practice area).  Each year, Business North Carolina magazine surveys more than 20,000 North Carolina lawyers by asking the following question: "Whom would you rate among the current best in these categories of law?"   The results are compiled, and fewer than 3% of the lawyers in North Carolina are then named to the list.

What is "Super Lawyers"? Super Lawyers' uses a rigorous method that is intended to create a credible, comprehensive listing of outstanding attorneys in each state.  Super Lawyers compiles its list each year using 
peer nominations from lawyers around the state, peer evaluations, and independent, third-party research.  Each candidate receiving sufficient nominations from across the state is evaluated on 12 criteria of professional achievement.  The selection process for the "Super Lawyers--Rising Stars" list is the same, with one exception: to be eligible for inclusion in Rising Stars, a candidate must be 40 years old or younger or in practice for 10 years or less.  The idea is that it is very difficult for young lawyers to develop a significant statewide reputation within the first ten years of practice, so a separate process is used for them.  While up to 5 percent of the lawyers in the state are named to Super Lawyers, no more than 2.5 percent of eligible lawyers are named to the Rising Stars list.

I am so very blessed to have worked with so many exceptional lawyers across North Carolina, and I appreciate each of you who participated in these and similar peer review processes.  I sincerely appreciate your friendship and trust.  I consider it a privilege to be able to recommend several of you for well-deserved recognition, and I am pleased to see some very deserving names on this year's list (although there are several others I wish had also been included but were inexplicably absent from the lists).   May this new year bring each of you the success and recognition you have earned!