Six Things You Must Do When You Start Your Own Business – Where LegalZoom, RocketLawyer And Other “Low Cost” Formation Websites Fall Short

Thanks to the Internet, starting a new business doesn't have to be an ordeal. There are many websites, like LegalZoom and RocketLawyer, that will guide you through the process of incorporating or filing an LLC. But is that enough? Hardly. A primary purpose of filing is to protect you from claims against your personal property and family assets. You need some comprehensive (but not costly) legal advice that these sites cannot offer. In fact, they tell you right up front that they do not offer legal advice.


Besides the legal filings to incorporate or form your LLC, there are other important steps you can and should take to help avoid or minimize personal claims. Without them, you may be nearly as vulnerable as before.


So here are six things you should do when you do set up your new business.


  • Purchase ample insurance. Every business has different exposures and risks. A manufacturer will have very different concerns than a retailer. A liquor store will have different risks than a coffee shop. But at the end of the day, if claims are made against your company, insurance can be the difference between staying in business and closing your doors. Or worse if a creditor tries to hold you personally liable. Work closely with both your lawyer and a skilled insurance agent and consider all of the issues that may result in liability.


  • Follow the proper formalities. Both corporations and limited liability companies have various legal procedures that must be followed or you risk that a creditor may seek to hold you personally liable for any claims. You must file annual reports and pay excise taxes to remain in good standing with the secretary of state. Corporations are also required to hold annual meetings of the directors and shareholders and document those meetings with proper minutes. Even at a startup, there are various recommended documents beyond those needed by your state. An attorney can help you identify those procedures and create systems to be sure they are followed.


  • Open separate bank accounts and keep proper books and records. Even if you are the only shareholder or owner of your company, creditors can try to make claims against you personally if you co-mingle money from your business and personal lives. Work closely with a good accountant who can instruct you on how to set up your accounts, how to maintain and document them, how to handle receipts and pay bills, etc. Any money that is moved back and forth from your personal to your business accounts should be carefully documented to avoid claims of improper co-mingling of assets.


  • Document loans and capital contributions. Small businesses frequently need infusions of cash. If you are putting in your own money, it is best to document it very thoroughly. That includes distinguishing between a loan, which will be repaid, and a capital contribution, which is a permanent investment that typically cannot be recovered until the business is sold or through another liquidation event. Loans should be documented with a proper promissory note and other paperwork, and there should be a repayment schedule. If a loan is not documented properly, the money will very likely be considered a capital contribution which creates challenges for taking it back out later, especially if you are scrutinized by creditors.


  • File a trade name certificate. If you are operating your business using a trade name (also referred to as a “dba” or “doing business as”), be certain to follow the requirements for registering that name. Failing to do this properly can support claims against you personally if you use an unregistered trade name.


  • Prepare these other important documents. Do you have partners? Disputes between owners can paralyze or destroy a business. A written agreement between the owners is highly recommended to help minimize the impact if there are irreconcilable differences among stakeholders. Will you have employees? Will they have access to confidential information or your client lists? Consider employment agreements that contain non-compete and non-disclosure obligations. What about client contracts? These can help avoid misunderstandings and facilitate getting paid. Please click here to see an article on contracts that I wrote recently.


And here is one more important tip:


  • Hire a lawyer. There are many considerations when forming your business. For instance, you can file papers in your own home state, or you might choose a different state because it has better laws. When forming the business, you will likely specify your business purpose. Often, do-it-yourselfers will choose a narrow purpose and this may limit you in the future if you want to change or expand. And what about the choice of entity? Many of these websites have charts to explain the various differences, but it is impossible to include every possible nuance. For instance, your choice may change if there are multiple owners or investors or if you plan to sell or go public at a later point. Hiring a lawyer now can save lots of money in the long run. And working with a lawyer who is skilled at helping start-ups might cost less than you think.


Do you need help starting a business? Let’s chat and I will show you how I can help. Send me an email, fill out my contact form or call the number above. It costs you nothing for my initial meeting or call.

October 28, 2024
We all know how to eat an elephant. One bite at a time, of course. Implementing a comprehensive data security program is no different – for many it’s a monumental task. It can only be accomplished by setting out a manageable, step-by-step plan. Easier said than done? Probably, but that doesn’t mean the process is impossibly difficult.

The new Massachusetts data security regulation goes into effect on Monday, March 1. If you have not yet begun to plan for the deadline, then likely either you are unaware of the requirements, or you are feeling overwhelmed by them. And who would blame you in light of the seemingly endless list of tasks:

  • Develop a written information security plan (WISP);
  • Identify all foreseeable risks in your organization by examining every nook and cranny where data enters, leaves or is stored;
  • Implement security policies and procedures and train your employees
  • Secure all paper and electronic records; provide encryption
  • Obtain written assurances from all vendors that they are compliant
  • Regularly monitor and review to ensure compliance

You know that it is vitally important, both because it’s legally required and because it’s the right thing to do to protect your customers. But where to begin? Do you need professional assistance – a lawyer or specialized IT firm to accomplish this task? That really depends on the size and nature of your business, the data that requires protection and how much time and energy you are willing to devote to the process.

Many businesses are probably capable of accomplishing a lot on their own. For the most part, the regulation is a straightforward recitation of the tasks needed to comply. But is that the best use of your time? Noted author and business consultant Andy Birol would caution business owners to judge very carefully those tasks that they choose to do by themselves and those that are properly delegated.
Consider the learning curve required to become proficient in an area that is not a part of your core business. While security is an ongoing and continuous process, monitoring and maintaining a plan is far less cumbersome and time consuming than creating it in the first place. Most businesses will prefer the comfort and efficiency of working with outside professional assistance at least to get the plan created and implemented. Even if you hire professionals, you will still need to be involved in the process. They cannot do it without your participation and that of your senior management and department leaders. And responsibility will not stop there; security needs to be an integral part of your corporate culture from top to bottom, which means it must become the responsibility of everyone in the organization. So pull out the regulation, review it, create an action plan and start in on the list. Otherwise, hire the professionals. Either way, the time is now.
October 28, 2024
When do I have to vacate my apartment? Can I leave in the middle of my lease? Can I stay a few days longer if I need time before my new space is ready? My landlord says I have to get out before noon on the 31st because he needs time to clean the apartment for the new tenants - can he do that? I am a landlord - can I start showing the apartment before my tenant’s lease is up? Do I have to give notice?

Whether you are a landlord or tenant, it is important to know your rights and responsibilities when it comes to ending your lease or occupancy agreement. Under a written lease, the tenant is entitled to occupy the premises until midnight on the last day of the lease; likewise, the tenant is obligated to pay rent through that date. Setting aside various special circumstances (such as active military duty, breach of the lease or other violations by the landlord, or being a victim of domestic violence) there is no right to leave early unless it was negotiated as part of the written lease. And there is no right to stay longer, just because it might be more convenient.

If you are a month-to-month tenant at will, things are a little bit different. Either the landlord or tenant can terminate the tenancy, but typically that needs to be done at least a full month in advance. Thus, notice on March 7 would not terminate the tenancy until April 30. And as with the lease, the tenant is entitled to stay until midnight on the final day of the occupancy.

Generally speaking, a landlord has the right to enter an apartment to inspect, make repairs and to show prospective tenants. Except in cases of emergency, such as a water leak or fire, this should only be done during normal business hours. Also, as a matter of best practices, it is a good idea for the landlord to contact the tenant and arrange for a mutually convenient time to enter. Tenants do not like surprise visits.
But tenants should also understand that there are many circumstances where a landlord cannot easily arrange a visit in advance. The best situation for both landlords and tenants is to do your best to speak with one another and coordinate the end of lease together, in advance. The landlord will want to know as soon as possible when the tenant will be out so that he can get the apartment ready for the next occupant. And tenants want to know that the landlord will not be bothering them needlessly. There is also value in having a brief walk through ahead of time to know if there is damage (even if not caused by the tenant, the landlord wants to know so that he can fix anything before the next tenancy begins), make arrangements for cleaning, trash disposal, and so forth. Of course, as with most legal issues, there are always exceptions to the general rules. For instance, all of this assumes that there are no significant problems—the rent was paid on time, the apartment was in good condition and the parties left each other alone as much as possible.
October 28, 2024
As of this past Monday, the nation’s “most comprehensive data protection law” went into effect, yet many questions remain as to how the regulation will be interpreted and enforced. The law was promulgated by the Office of Consumer Affairs and Business Regulation. While OCABR put it together, the Massachusetts Attorney General is charged with enforcement. As of this writing, I found nothing posted on the AG’s web site that addresses interpretation or enforcement. So business owners and their legal and technical advisors are left to their own best guess.

More surprising, many business owners are not even aware of the new law or mistakenly believe that it does not apply to them. For instance, here are several myths surrounding the new law:

Myth 1 – “Businesses located out of state do not need to comply.” This is false. The regulation applies to any business wherever located that has access to “Personal Information.” Personal Information, or PI, is a Massachusetts resident’s name in combination with certain identity or financial data, such as a social security number, driver’s license, bank or credit card account number, etc. The regulation does not distinguish between an in-state or out-of-state business.

Myth 2 – “The regulation only applies to bigger businesses with several employees and volumes of Personal Information. It doesn’t apply to small Mom and Pop businesses.” This is false. The regulation applies even if you have just one employee or customer as long as you have access to Personal Information.

Myth 3 – “I am in a health care or financial services business that is already regulated under federal privacy laws (i.e. HIPAA or GLBA), so we are already covered.” This is false. The federal laws are extensive but they do not perfectly overlap with the Massachusetts regulation. For instance, those laws are geared toward patients and customers, but Massachusetts also includes employees.
And the requirements for the written information security plan (WISP) are not identical. That said, there are similarities in the requirements, so an organization that is already comfortable with HIPAA or GLBA probably will not have to do very much to achieve compliance in Massachusetts. In my next article I will explore additional myths.
October 28, 2024
I recently had the opportunity to talk with Nick Fishman, co-founder of EmployeeScreenIQ, who interviewed me on the Massachusetts Data Security Regulations and what they mean to businesses. Here's a copy of the interview. Check out the EmployeeScreen blog at https://blog.employeescreen.com/ to learn more about pre-employment screening and the comprehensive methods EmployeeScreenIQ uses to ensure thorough, accurate checks to meet global risk management needs of businesses.

EmployeeScreenIQ Podcast with Nick Fishman
October 28, 2024
In my previous article, I discussed the lack of guidance from the Attorney General on implementation and enforcement of the new Massachusetts data security regulation. The law is aimed at protecting residents from identity theft by requiring practically every business with employees or customers in the state to implement a written information security plan (WISP). I also began a list of common misunderstandings relating to the new regulation. Here are a few more myths.

Myth 4 – “I have no employees. All payments are processed through a third party service. I never see or handle checks or credit cards so I am not required to have a WISP.” This is probably true. For instance, you could be an eBay seller who works from home and takes payments only through PayPal. As long as you never have access to any Personal Information (PI), you would be exempt from the regulation. But just a slight change to this scenario requires compliance. A financial planner works from her home and has no employees. Her function is to advise her clients on investments, but clients make their purchases directly from the central office. She never takes any payments directly. But she does receive applications for new accounts when she signs up new customers. The application has the client’s social security number and other identifying information. So even if she sends those immediately to the home office, she still has “access” to PI and thus will need to implement a security plan.

Myth 5 – “There are so many businesses that are subject to the law and most do not yet have a WISP. The attorney general will never know if we haven’t complied.” This may be true, but are you really willing to risk it? Penalties alone are up to $5000 per violation. You will also be obligated to pay any damages suffered by victims of identity theft. And what about the harm to your reputation? I doubt that the Attorney General or a court would have any sympathy for such a callous disregard for the law that is intentional and willful. On the other hand, a business that may have a security breach, but that can show that they were making a good faith effort to meet industry best practices will probably not be subject to the most severe penalties. According to Scott Schafer, Director of the Consumer Protection Division of the Massachusetts Attorney General’s Office, the attorney general will be less likely to bring enforcement actions against businesses that can show that a breach was inadvertent and that they were striving to achieve industry best practices for data protection.

Myth 6 – “Our company has implemented state-of-the-art electronic security, including firewalls, antivirus, antimalware and email encryption. Our data is locked down tight and cannot be accessed without double password authentication. Surely we have fulfilled the requirements under the regulation.” This is false. These are certainly important steps toward compliance, but the requirements of the law are much more extensive. To begin with, the regulation applies to both electronic and paper records. As well, companies are required to conduct a review of existing systems and procedures and create and implement a comprehensive written information security plan (WISP).

Hopefully this list will help you understand the scope and breadth of the new regulation. If you have not yet started your compliance plan, the place to begin is a review of the regulation and consulting with your legal and technical advisors.
October 28, 2024
I’d like to think that it’s common knowledge that credit card receipts can be a prime opportunity for identity theft. However, too many of us simply crumple the receipts and throw them in the trash without a care. If the receipt shows your full credit card number and expiration date, this is an invitation for a criminal to go on a shopping spree at your expense.

Federal law is intended to help protect against this problem. A few years ago, Congress amended the Fair Credit Reporting Act, 15 U.S.C. 1681, to require all merchants to truncate credit card numbers on the receipts that they give you at the register. This means that the receipt you receive should not show more than the last 5 digits of the card number. The remaining digits and the expiration date should be unreadable. Even if you threw out this receipt, it would be impossible for an identity thief to use the information. Although this law went into effect in 2006, I occasionally receive receipts that are not in compliance. These are usually the two-part variety – white on top and yellow below, but it can happen even on the type that prints out two separate receipts at the time of purchase (one that you sign and return and the other you keep).

Earlier this month, I had the pleasure of taking my eldest son on the big college tour – 10 schools in five days. Visiting the schools and the time with my son were terrific; the lengthy drives and staying at a different hotel each night not so much. What was interesting was the receipt I received from one of the major hotel chains where we stayed outside of Washington, DC. To my surprise, this nationally recognized chain provided me with an illegal credit card receipt, showing my full card number and expiration date. Needless to say, I did not toss that one in the trash, but kept it until I got home and could shred it. But imagine how many patrons think nothing of it or simply tell the clerk to just throw it out?
I came to learn hotels are apparently the biggest offenders when it comes to data security. Being a maven of sorts on the topic, I happened to see in the March 18 Wall Street Journal that data breaches are heaviest at hotels. According to their sources, 38% of breach investigations in 2009 involved hotels, twice as high as the next highest category. The culprit is typically the point of sale software used to accept payment, much of which is not compliant with Payment Card Industry (PCI) standards. I have sent a complaint to the hotel chain. They are currently investigating my concern. Let’s see what happens.
October 28, 2024
As cyber-thief extraordinaire Alex Gonzalez is sentenced to twenty years in prison, I find it ironic that his brilliance is outweighed by his stupidity. Gonzalez pleaded guilty to the massive theft of credit card numbers by hacking into TJX, BJ’s and many other payment servers. Certainly some amount of talent was required to perform these acts. And yet he was caught because he couldn’t keep his mouth shut. He apparently left quite a trail of breadcrumbs on the Internet when he bragged about his conquests to friends on line. While the new data security regulation in Massachusetts is designed to curtail this sort of sensational crime, the problem we face in trying to stop identity theft is lacking focus where perhaps it is needed most. Small businesses are considered significantly more vulnerable than any other segment. And to me this makes sense. I don’t imagine that the local hardware store, pizza shop or hair salon has too much security built around their employee records that are probably stuffed into an unlocked file cabinet in the back room. And their credit card processing and email are only as good as the bargain basement companies that have sold them the services. Certainly the regulation is aimed at, and applies to, even these small businesses. It is a sweeping and comprehensive piece of legislation that will clamp down on all but the most determined of thieves—but only if it is followed. The problem lies in the difficulty of obtaining compliance. I’m guessing that most small business owners are not even aware of the regulation (at least those with whom I have spoken are not). And those that are aware of it will not likely take the time and spend the money needed to prepare and implement a WISP (written information security plan). I analogize this problem to the modesty panels in the public restroom – they cover up most of what might be seen, but there is a big gap at the bottom. Someone who wants to peek in certainly could. 
While it should not be necessary to hire a lawyer skilled in compliance issues to prepare and educate the store owner on their WISP, the reality is different. I have some ideas on improvements that will help small businesses. Look for these in future articles.
October 28, 2024
This year, Earth Day heralds a surprise for homeowners who live in housing built before 1978. On April 22, the Renovation, Repair and Painting Law (RRP) takes full effect, imposing new compliance burdens for any contractors who work in older homes, and higher costs for the owners. Any project that disturbs painted surfaces must be performed by a certified contractor following rigid procedures aimed at minimizing contamination from lead found in older paint.

Lead paint presents serious health hazards particularly for young children and infants. Small amounts of lead that are ingested or inhaled can impair brain development and cause other serious nervous system and other disorders. Use of lead paint in residential dwellings was banned in 1978, but homes built earlier are at risk of containing lead paint.

Contractors who may disturb painted surfaces on older homes must be certified by the EPA in the safe handling of dust and debris that is generated by the work. The regulations require that the areas affected by the work be completely sealed off and contained so that any dust or debris that may contain lead will not contaminate soil or spread through the air. After the work is completed, the worksite must be thoroughly cleaned and the waste generated must be properly stored and then removed from the site. This is no small task. Anyone who has lived through any renovations at their home knows how much dust is created and how difficult it can be to contain.

The new law is very comprehensive, although numerous challenges remain. One of them is ensuring that contractors are aware of, and comply with, the new law. As of March 6, less than 2% of licensed contractors in Massachusetts had received the necessary certification to be in compliance. Another is forcing homeowners to absorb the substantial added costs of work area containment.
But perhaps topping the list is determining how exactly the EPA plans to carry out enforcement – with many recent regulations, there simply is not the necessary manpower or budget to ensure that the law will be followed. What are your thoughts about the new law? How will the new EPA rule affect you? Please share by leaving your comments.
October 28, 2024
As I mentioned in my previous post, the new Renovation, Repair and Painting regulation (RRP) went into effect last week on Earth Day, April 22. The regulation is intended to help reduce the risk of lead poisoning by requiring special precautions when performing work on homes built before 1978. Property owners must hire EPA-certified contractors who have to completely seal off the areas where the work is performed (both interior and exterior), carefully remove all dust and debris, provide special handling and disposal of construction waste materials and take other steps to reduce the spread of lead-based materials that may be ingested or inhaled. For most homeowners, the requirements are likely to be both burdensome and costly. The number of certified contractors is very small. While many more are seeking certification, classes are limited in size and scheduling. Contractors who obtain the certification will be in higher demand and will have a competitive advantage which will likely be reflected in higher prices when working on older properties. As well, even a simple project will require hundreds of dollars in added materials, training, disposal and time charges in order to assure compliance.  In an effort to ameliorate some of the challenges imposed by the regulation, the EPA had established an “opt-out” that would allow certain homeowners to be exempt from the regulation. Specifically, if there were no pregnant women or children under 6 years of age living at the premises, then the owners could sign a waiver that would permit them to opt-out of the new rules.
October 28, 2024
I recently had breakfast with my good friend, Cherie Hafford, and we talked about the Massachusetts Data Security Regulation and how much of a burden it creates, especially for small businesses (more on the Regulation here and here). The Regulation is supposed to be scalable – that is, the degree of compliance should be proportionate to the size of the business and its resources. But for small businesses, even the most stripped-down, basic plan will still require considerable time and money—time and money that most business owners simply do not have or will not spend.

The Regulation likely affects millions of businesses around the country and perhaps the world. Read literally, the law is not confined only to Massachusetts businesses; it applies to any business wherever located that has customers or employees in Massachusetts. So if a small crafts shop in Santa Fe accepts a check from a customer in Cambridge, the shop must implement a written information security policy, or WISP. And a gas station in Orlando that accepts a credit card from a tourist who lives in Quincy would have to comply with the Regulation even if they had no idea where the customer lived.

Did the state go too far? Setting aside the constitutional and enforcement challenges, was there perhaps a simpler way to achieve the goals that would not impose such a burden on small businesses that are already struggling? Here are six ideas on how to fine-tune the law to make compliance easier and achieve the same objectives:

1) Many businesses that accept credit cards never store the account numbers. They simply swipe them in a POS device and hand the card back to the customer. Why not make that activity compliant with the Regulation without the need for any written plan?

2) Same thing with checks. Most businesses that accept checks want to get the money into their accounts as quickly as possible. How about a rule that says businesses are compliant if they deposit checks within two business days and keep the un-deposited checks under lock and key until they are deposited?

3) Focus the regulations on the banks, credit card companies and the businesses that provide the POS devices and connections. Require that the data be locked down tightly and impose substantial penalties for a breach. The standards already exist – i.e. PCI (Payment Card Industry) standards.

4) Businesses that have employees need to have their social security numbers on file for payroll, benefits and other purposes. Just as with checks, if they are kept under reasonable security and only employees with a need to know or see the information are permitted access, then this should be deemed to be in compliance without the need for any further written plan. The Regulation could set forth a simple plan that if adopted and followed will be deemed to be compliance.

5) Work within the parameters of the Fair Credit Reporting Act to reinforce the rights of victims of identity theft. There are far fewer victims than there are businesses who need to protect the information from possible misuse.

6) Do more to educate businesses about the various practices that reduce the risks of identity theft. For years, we have seen signs in restaurants telling employees to wash their hands before going back to work. Maybe there should be similar signs in the human resources and finance departments advocating safe practices with sensitive financial information?

Of course no matter what is done, there will still be dishonest people who will take advantage of a situation and cause harm to others. This is not to excuse careless or negligent business practices – enforcement should still require a reasonable degree of caution and vigilance. But the new Regulation ignores the practical reality of small business and imposes too many requirements that may be unnecessary.
Please share your own ideas on the Regulation by posting a comment below.