Privacy & Security – HospitalityLawyer.com
https://pre.hospitalitylawyer.com
Worldwide Legal, Safety & Security Solutions
Mon, 13 May 2019 00:13:03 +0000

What American Companies Need to Know about the EU’s New General Data Protection Regulation
https://pre.hospitalitylawyer.com/what-american-companies-need-to-know-about-the-eus-new-general-data-protection-regulation/
Fri, 03 Nov 2017 00:11:33 +0000

The General Data Protection Regulation (GDPR) is a new data privacy and security law in Europe that will go into force on May 25, 2018. Every organization that does business with EU customers, regardless of the home base of the organization, and regardless of the size of the organization, must come into compliance or risk significant financial penalties and legal exposure. The new law permits fines of the greater of €20 million or four percent of an organization’s worldwide annual revenue for the previous fiscal year.

The primary purpose of the GDPR is to provide EU citizens with greater control over how their personal data is collected, protected and used. There must be a legitimate and lawful reason for collecting data, and collection must be limited to the minimum information necessary for the purpose for which the data are collected. Data must be deleted when that purpose has been achieved.

The definition of personal data under the GDPR is extremely broad and includes any information relating to an identified or identifiable natural person (e.g., addresses, telephone numbers, email addresses, bank information, credit card details, photos, posts on social media websites, medical information, and even an IP address). There is also a separate definition for “sensitive personal data” (e.g., racial or ethnic origins, political opinions, physical or mental health and criminal history) which is entitled to even greater protection.

Companies which are in compliance with the existing Data Protection Act (DPA) certainly have a head start as not everything has changed, but most companies will have to implement additional privacy protections and adopt comprehensive data protection strategies to comply with the more expansive provisions of the GDPR. The following are steps which companies should consider taking now to prepare for implementation of the GDPR.

  • Data Protection Officer (DPO). The GDPR requires that companies hire a DPO if they engage in regular, systematic collection or storage of sensitive customer data. Even if not required, it would be a good idea for most companies to have a DPO with sufficient expertise to guide compliance efforts.
  • Data Breach Notification Requirement. The GDPR requires that companies report data breaches to authorities and affected customers within 72 hours of becoming aware of the breach. Thus, companies should have an incident response team in place and be prepared with carefully crafted messaging.
  • Train Your Workforce. The GDPR requires that companies raise awareness of and train their workforces on how to handle personal data under the new law.
  • Obtain Consent and Provide Information. Organizations must obtain consent before any data are collected and provide customers (including website visitors) with detailed information on data that are collected and how the data will be used.
  • Institute Procedures for Deletion of Personal Data Upon Request. Under existing law, organizations are required to delete personal data only when it causes substantial damage or distress. Under the new GDPR, an EU citizen may request that all data collected on them be permanently deleted if the information is no longer needed for the purpose for which it was originally collected or simply when consent to use the data is withdrawn.

With the enforcement date of the GDPR only seven months away, organizations should start assessing their policies and procedures so that they are not caught short when the law goes into effect. Organizations with any questions about the applicability of the GDPR to their activities or how to prepare should contact their regular Fisher Phillips attorney or any of the attorneys in our Data Security and Workplace Privacy Group.


Cloud Computing Crash Course: Safety First
https://pre.hospitalitylawyer.com/cloud-computing-crash-course-safety-first/
Sat, 21 Oct 2017 23:58:10 +0000

When it comes to privacy and security laws governing sensitive data, you don’t have to be a financial or health institution to have information that is subject to state and federal regulation. Almost every organization with employees stores some personally identifiable information.

Simply storing an employee’s name, email address and date of birth will be enough to trigger state regulation around access and disclosure of such information. For organizations handling information subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), it is even more important to understand the restrictions. Even after determining that such regulated information can be stored in the cloud, you still must make sure that the cloud provider will be HIPAA and/or GLBA compliant. For example, when deleting or disposing of information subject to HIPAA, the cloud provider must certify in writing that it was properly disposed of. More importantly, upon receiving your organization’s protected health information, even if encrypted, the cloud provider will become a business associate under HIPAA. At a minimum, the cloud provider will need to sign a Business Associate Agreement, but you should conduct a thorough risk analysis to determine whether they can comply with the regulatory requirements for these types of information.

In Assessing Risk, Don’t Forget Your Proprietary Data and Intellectual Assets

Your organization may find several benefits in moving to cloud services, but before you sign up to transmit and store any of your data that is currently on premise, you should analyze your data’s sensitivity. Information relating to HIPAA or GLBA or other similar information that subjects your organization to a heightened security standard is clearly sensitive, but what about your organization’s intellectual property?

The trend for traditionally on-premise solutions to move to the cloud means that your organization’s trade secrets, unpatented inventions and other proprietary information may be stored in the cloud. This valuable information — especially trade secrets — requires protection when on-premise, so maintaining the security of such information is just as crucial when stored in the cloud. In considering whether to use a cloud application or storage solution for proprietary information, ask:

  • What can your organization do to limit the potential disclosures of IP?
  • What can the cloud provider do to protect your IP against outside threats?

While more than 25 percent of cybercriminals are IP spies, most IP breaches actually involve former or current employees, and the single biggest reason for IP breaches is the abuse of system access and privileges. Another prominent risk is employee negligence in handling an organization’s IP. With that in mind, the first step in protecting your IP in the cloud is to ensure that only certain people have access to confidential IP, by:

  • Monitoring access for employees whose jobs require access.
  • Ensuring ex-employees cannot access files, including files emailed to themselves.
  • Implementing security policies and procedures to help employees avoid accidental disclosures (e.g., ensuring all files are encrypted, or reviewing your mobile device policies and procedures to ensure sensitive IP cannot be accessed).

The upside is that a reputable cloud provider may be in a better position to safeguard your information than your organization’s traditional network servers, so long as the provider employs suitable security practices. You may ask the cloud computing provider how it plans to control access rights and whether it will create a chain of custody for every person who may touch the intellectual property. If the cloud provider can provide an audit trail to monitor all access to your trade secrets and other sensitive and proprietary information, you may be able to preemptively stop an attack, or at least catch it early. With the right cloud computing provider and a solid contract clearly defining security measures, it’s possible that a cloud provider can keep your trade secrets and proprietary confidential information more secure than your own organization could, but you must be sure. Once a trade secret is discovered, it may be too late.

Customer and Vendor Contracts

Finally, don’t forget about your customer or vendor contracts. With the prevalence of cloud computing use and seemingly never-ending data breaches, many of your vendors or customers may prevent your organization from using cloud services to store or transmit their information. Additionally, vendors or customers may even require that you receive security guarantees or other specific representations from cloud vendors who are handling their information. You must know and understand your obligations to your existing suppliers and customers in order to negotiate a sound contract with a cloud provider, so do some due diligence before signing up.

How to Protect Your Online Privacy
https://pre.hospitalitylawyer.com/how-to-protect-your-online-privacy/
Thu, 19 Oct 2017 23:55:48 +0000

On a daily basis, the global media reports a huge loss of personnel data, damaged reputations, pilfered intellectual property, or millions of dollars stolen as the result of cyber incidents. An event reported in the news today will likely be eclipsed in scale or audacity in a few months’ time. Neither banks, global corporations, celebrities, nor even governments seem able to protect themselves from these digital events.

Even in an era of acute cyberawareness, we still struggle to keep our business networks and personal computers secure. And now the Internet of Things (IoT) exponentially increases our risk from hacktivists, nation states, and criminals. Today our smart TV, home security system, toaster, and heart pacemaker have a user name and password. These devices increase what the security community calls the attack surface – that is, new and novel ways for intruders to hack into your life.

Yet people must communicate, statecraft must be practiced, and commerce and money must flow around the world. Adherence to a basic cyber hygiene regimen can greatly reduce cyber risk exposure. Just like exercising, eating healthy, and getting more sleep – good cyber habits are not difficult, but they must become a routine to be effective.

If you don’t do anything else to protect your digital self, do the following:

Use a new password for every account.

Why? Hackers know people reuse their passwords. So, when a hacker obtains millions of user names and passwords, he has automated tools to try these user names and passwords against other websites such as banks, corporate networks, ecommerce sites, email providers, and social media sites. Think for a moment of the damage to be done if you use the same password for your work account and your bank account.

Create good passwords.

Why? Hackers know people create lousy passwords. “12345”, “password”, and “qwerty” are embarrassingly popular, as proven in every single theft of databases of passwords. Use at least eight (8) characters, upper and lower case and special characters. Avoid common words and short phrases, since there are hacker tools that test every permutation of dictionary words. Additionally, consider using a password manager which can help you create stronger, unique passwords and remember them for you.

Don’t open suspicious attachments or links.

Why? Technically there are numerous ways to access a computer illegally, but most of the high-profile computer breaches happen because one employee clicked on one single hyperlink in an email or website; that’s all it takes. You know the feeling when you’re not sure if the email is legit…trust your instincts.

Don’t use free public Wi-Fi.

Why? Free public Wi-Fi is not free. You pay a high price in security and privacy. Imagine your laptop screen is a stadium jumbotron. Every page you visit, every search term you type, every computer you connect to is on virtual display. Potentially, others connecting to the same free Wi-Fi can spy on your communications, access your computer’s data, or misdirect you to malicious websites that infect your computer/corporate network.

Don’t “overshare” on social media.

Why? Whether the watcher is a nation-state, cyber protester, or criminal, hackers have done their homework before they strike. If the hackers are targeting your corporation, details about travel, new projects, promotions, or office politics speak volumes on how to attack your organization or you. These details can be used to craft, for example, a phony human resources email with the “pay and promotion” attachment that is laced with malicious software. Moreover, our sharing across social media creates a cumulative personality profile that can be used against us or our organizations. Remember – photos of the new puppy = good. Photographic evidence, locations, and commentary on the Saturday after-game exploits = bad.

In short, the potential for reputational or financial harm to your company or personnel is pretty significant compared to the relatively small amount of effort it takes to mind your cyber behavior. Survey your personal and organizational cyber fitness, and offset a major problem down the road.

For more intelligence analysis and insights, follow iJET on Twitter where we share regular updates on risk management issues impacting global organizations and the security of their people and operations.

Protect Against Cyber Attacks: A New Guide to Help Small Businesses
https://pre.hospitalitylawyer.com/protect-against-cyber-attacks-a-new-guide-to-help-small-businesses/
Sat, 30 Sep 2017 19:13:22 +0000

No business is too small to be the victim of a cyberattack. In fact, as larger companies invest more resources in cybersecurity, attackers are beginning to target smaller, less secure businesses. It is important for every small business to understand the risks and be prepared. To help, the National Institute of Standards and Technology (NIST) recently published Small Business Information Security: The Fundamentals. It provides a simple and actionable framework to help minimize security risks.

The NIST guide is divided into five basic categories (identify, protect, detect, respond, and recover) and provides useful worksheets to help identify important types of data. We have reviewed NIST’s guide and supplied an overview of the takeaways:

  1. Know the Risks

Hackers and cyber criminals pose one kind of threat to data security, but environmental incidents and equipment failure can be equally devastating to the security of business information. Security threats can come from personnel within a business as well, so vet employees and provide security training.

  2. Identify Data

The first step in any risk management plan is to identify what data needs to be protected and understand what vulnerabilities exist. Create a list of all the information a business uses (e.g. customer names, e-mail addresses, banking information, employee information, etc.) and know who has access to such information. Additionally, it is important to identify any vulnerabilities in a business’s systems. It is highly recommended that companies engage an outside consultant to conduct a mock attack to identify any system vulnerabilities.

  3. Protect

NIST’s guide provides excellent recommendations on the use of encryption, securing wireless access points and installing network firewalls. However, the easiest and most often overlooked recommendation is to train employees on security policies and establish clear guidelines on how they can best protect business information.

  4. Detect

While some security events are easily detectable, many are not. Businesses should consider implementing anti-virus software that is designed to detect intrusions. Additionally, it may be worthwhile to use a program that keeps a log of daily activity that occurs on the network. These logs may show trends that indicate an intrusion has occurred. An outside consultant can be a valuable tool in interpreting these trends as there may be a more serious problem that is not readily apparent.

  5. Respond

It is critical that every business develop a response plan to be followed after a security event has occurred. Appoint a person who will implement the plan, include the contact information of all internal personnel who should be notified, as well as directions on how to quarantine infected systems, if necessary. Furthermore, many states require customer notification after a security event. Thus, it is important to know state notification laws and how to properly comply.

  6. Recover

After a security event, it is important to evaluate the response procedures. Assess any weaknesses in the plan and make adjustments as needed. If possible, restore backed up data or implement a backup procedure for business data. Companies should also consider cyber insurance as part of any risk management plan.

The full guide can be found here: http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf.


Authors

Matthew J. Siegel
Matthew J. Siegel works in the Global Insurance Department, focusing his practice in the areas of insurance coverage, cyber and technology risks, electronic discovery, construction litigation, and commercial litigation. He also co-chairs the firm’s Privacy, Data and Cybersecurity Industry Team and is a…

Email: msiegel@cozen.com
Phone: (215) 665-3703
Philadelphia

Taylor P. Widawski
Taylor is an associate in the firm’s Seattle office. Taylor’s practice focuses on litigation with an emphasis on technology and privacy related matters. Taylor has experience defending against consumer class actions as well as litigation involving software licenses and general business disputes. She…

Email: twidawski@cozen.com
Phone: (206) 224-1285
Seattle

Big Brother or Big Benefit? Weighing the Option of Microchipping Your Employees
https://pre.hospitalitylawyer.com/big-brother-or-big-benefit-weighing-the-option-of-microchipping-your-employees/
Mon, 11 Sep 2017 01:43:59 +0000

A Wisconsin tech company made news in August 2017 for implanting microchips into the hands of willing employees. While it’s certainly worth keeping an eye on this technology and its uses, early adopter employers face many technological unknowns, employee wariness and potential liabilities (not to mention the expense).

Benefits for Employers

Enhancing company security and employee safety. Implanted chips can’t easily be lost, stolen or loaned, making facilities more secure from outsiders. If they track location, chips can provide accurate employee location information to help resolve theft or misconduct investigations or to find employees in the event of a weather emergency or other workplace safety incident.

Refining time clock procedures and wellness programs. Chips could help ensure that employees are being paid for all time worked, because they could be more accurate than standard time clock or “badging” payroll approaches. Badging technologies leave open the possibility of “tailgating” — entering a facility through a secured door by closely following someone who has “badged in” — which hinders accurate payroll information and attendance tracking. Properly used, the chip could offer employees feedback on health metrics as an enhancement to a company wellness program.

Improving recruiting competitiveness. Offering chip alternatives may enhance companies’ reputations and recruiting opportunities if candidates view them as being on the leading edge. In particular, tech-comfortable millennials may be drawn to the idea of entering facilities, paying for food in a company cafeteria and conducting other transactions without carrying separate badges, credit cards, etc.

Communicating With Employees

Before employees decide whether to receive a chip, employers should clearly communicate:

  • That implantation is voluntary and those who do not participate will have the same employment privileges and conditions
  • When and how the chip will be implanted
  • How the chip could be removed (voluntarily) if the employee leaves the company and whether employees can ask for removal at any time, at company expense
  • Exactly what the chip can monitor and how information will be used
  • Security measures being taken to prevent outside access to data collected
  • Any health risks and whether to consult a health care provider first

Privacy Concerns

A chip program would need to address employees’ reasonable expectations of privacy. Employers should be forthright about whether and what monitoring would take place outside of work hours and activities, especially if the chips track location.

Medical information that chips could collect is a key privacy concern. The Americans With Disabilities Act (ADA) prohibits employers from making post-employment medical exams or inquiries without a specific, well-documented and job-related business necessity, so employers should not monitor individual medical information from chips. Even for purposes of employer-sponsored wellness programs, employers may only view employee medical information in aggregate form that does not disclose individuals’ identities. If the wellness program is part of the employer’s group health plan, Health Insurance Portability and Accountability Act (HIPAA) privacy, security and breach notification protections apply.

Other Employer Liabilities

In addition to data privacy concerns, including the possibility of data breaches, employers using such chips face the risk of knowing too much. If the chips collect data that is not relevant to employment decisions, and employers then actually or allegedly misuse that data, it could lead to discrimination claims. Microchipping could hurt recruiting if potential candidates perceive the company as a “big brother” employer. Employees who consent to implantation may later say they felt pressured to do so against their will or were not properly informed about the risks – and claim coercion.

The chips also present possible medical issues, such as infection or fear of cancer, as well as technological risks. How will an employer deal with chip malfunctions or technological advances that make the chips obsolete?

Alternative Options

Before jumping on the microchipping trend, employers should consider less invasive alternatives such as fingerprint recognition devices, “smart” badges that employees keep with them at work (which could also be used for wellness program activity tracking) and vehicle GPS tracking for field personnel.


Thomas J. Posey, Partner
Faegre Baker Daniels LLP
311 S. Wacker Drive, Suite 4300
Chicago, IL 60606, USA
Main: (312) 212-5500
Direct: (312) 212-2338
Email: thomas.posey@faegrebd.com

Cloud Control: Data Security Hazards and How to Avoid Them
https://pre.hospitalitylawyer.com/cloud-control-data-security-hazards-and-how-to-avoid-them/
Wed, 30 Aug 2017 20:55:22 +0000

Cloud computing, virtually nonexistent 15 years ago, is now verging on being the rule rather than the exception in the business world. According to the Gartner technology research firm, by 2019, more than 30 percent of the 100 largest vendors’ new software investments will have shifted from cloud-first to cloud-only, and by the year 2020, a corporate “no-cloud” policy will be as rare as a “no-internet” policy is today. It is more critical than ever that lawyers and their clients become familiar with the data security and compliance pitfalls potentially associated with cloud computing and acquire the knowledge and tools to avoid them.

Cloud Is Different

The National Institute for Standards and Technology (NIST) defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.” In laypersons’ terms, the cloud is a model of computing that utilizes shared computer processing and storage resources, usually provided by a third party, which are accessible via the internet on demand from anywhere; examples to many consumers include Dropbox, Gmail and Apple’s iCloud. Convenience, ubiquity, and on-demand availability and scalability are built in to the very concept. While this is, generally speaking, a feature rather than a bug—and no doubt has contributed to the rise of the cloud as a standard approach to business computing—it carries with it certain risks that are new or heightened in the cloud age.

The most concerning of these dangers from a compliance and risk-mitigation perspective stem from the facts that: unsophisticated individuals, including employees and staff of a law firm or its client, can put data in the cloud completely unbeknownst to those in the organization with responsibility for managing information-related risk; and using a cloud services provider can create the temptation to let down one’s guard, believing that the third-party provider is handling the “hard stuff,” including data security and compliance.


This article was originally published by The Legal Intelligencer.

Combating cybercrime in the hospitality business
https://pre.hospitalitylawyer.com/combating-cybercrime-in-the-hospitality-business/
Thu, 19 May 2016 02:34:09 +0000

Technology has changed our lives for the better, but like every other development it has its downside. Data breaches have become common news, and the latest victim is the hospitality industry.

The 2016 Trustwave Global Security Report has found the hospitality industry to be the second-most vulnerable to security breaches behind the retail industry. The reliance on point-of-sale (POS) terminals is unavoidable for both industries, because of the nature of their business transactions, but this contributes heavily to the risk.

Add to that a large number of booking partners and online platforms for the hospitality industry, and it’s clear this threat is not going to go away anytime soon. Setting up and implementing threat intelligence and intrusion detection services will go a long way to make their security management systems robust.

Major travel and hospitality brands like American Airlines, United Airlines, Park ‘N Fly, Hilton and Starwood Hotels have reported some kind of data breach over the last year. This shows cybercriminals have evolved. They have now moved on from the financial institutions and retail sectors to other businesses that can fall easy prey to information security risks.

This is particularly true of the business travel segment where corporate spending and credit limits are high. The end of 2014 saw the Dark Hotel attacks flooding the news. This was sophisticated malware that tricked high-value targets like business executives who had checked in as hotel guests and logged into the Wi-Fi. As important data was siphoned off, the problem was further aggravated by the fact that most antivirus software couldn’t detect a trace of the malware during this breach or later.

According to Computer Weekly, cybercrime costs the global economy about $445 billion per year. While direct losses come from data breaches, the loss of personal security and funds stolen, cybercrime also has indirect effects like downtime or lost productivity, which can be costly as well.

Strangely enough, despite increasing instances of high-profile breaches, a large number of business owners and managers still assume their businesses are safe. They are clearly unaware of the scale of the problem, but the truth of the matter is this: If you are online, you are at risk.

The latest biennial Global Economic Crime Survey conducted by PricewaterhouseCoopers (PWC) shows cybercrime is up 20 percent since 2014. It is the fastest-growing economic crime in the last two years, with an increase of 38 percent in U.S. organizations, 28 percent in Chinese organizations and close to 55 percent in U.K. organizations.

Compared to the traditional forms of economic crime, which include procurement fraud or asset misappropriation, this could be even more dangerous, since perpetrators can now access more data, and more easily. It is imperative that businesses minimize these risks through robust policies and compliance programs as well as rigorous fraud risk assessment.

But it’s not just an external threat. SilverSky (now BAE Systems) reported that while 98 percent of employees claim to be secure in their business correspondences, 51 percent have received unencrypted emails and 21 percent sent confidential and sensitive corporate information without encryption.

Businesses, therefore, have to train their teams in good email habits to contain not just data loss but also reputational loss. Basic training should include these pertinent points from Milwaukee Business News:

  • Check the sender’s domain name, and open attachments only when they are familiar or have been verified by the sender
  • Avoid websites and links that seem unfamiliar, since malware is easily embedded in malicious sites
  • Ensure that all suppliers and customers exchange information through encrypted messages
  • Immediately shred all customer and confidential company information right after it is used
  • Use unique passwords and multifactor authentication for email accounts

If hospitality businesses are still wondering why this is important, they have not been paying attention to the open risk to their systems and are setting themselves up for a fall. As Tracey Groves of PWC put it, cybercrime is not just a matter of compliance but also of company culture.

Fraud risk assessment has to be blended with a strict code of conduct, which in turn needs to be backed up with regular training and employee engagement. Robust data analytics and internal audits are as important for the travel and hospitality segment as is antivirus software.

Click here for the original article.

Startups: Steps to protect your intellectual property
https://pre.hospitalitylawyer.com/startups-steps-to-protect-your-intellectual-property/ Mon, 18 Apr 2016 22:53:57 +0000

Do you have a handle on protecting your intellectual property?

Do you know the pitfalls and technical measures that you should take to protect your intellectual property? Startup or not, these tips from Buchalter Nemer provide a valuable checklist to help protect your IP. Explore the nuances of California’s laws around the ownership of intellectual property and be sure you have a thorough understanding of California’s laws regarding competition. A few topics covered in this article are:

  • Using Confidentiality Agreements
  • Including “Trade Secret” Information in Confidentiality Agreements
  • Pay Attention to Labor Code Provisions
  • Know the Pitfalls of Employing a “Bring Your Own Device” Option

Most importantly, discover what leads to most data theft and know your options for protection.

Read the article here.

Hospitality & Gaming Risk Management
https://pre.hospitalitylawyer.com/hospitality-gaming-risk-management/ Mon, 11 Apr 2016 21:06:48 +0000

Cyber Risk Management

In the realm of hospitality and gaming risk management, “securing data against unauthorized and unintentional disclosure continues to be elusive” and consistently presents itself as a problem. It is important to emphasize the need for a “strategy that includes careful contracting, quality insurance coverage, and cyber security due diligence” to fight against hacks.

“One federal court of appeals reinstated class action litigation against a large retailer that had been hacked. Another federal appeals court affirmed the Federal Trade Commission’s power to police business’ cyber security for consumer information. Reading the tea leaves, 2016 does not promise to be any better.”

Joshua Gold and Marshall Gilinsky highlight the importance of risk management and insurance coverage. They explore FTC requirements, key steps to take in order to secure data, insurance coverage focusing on “cyber-losses”, and how to examine your coverage.

Read the full article here.

Keeping Private Matters Private
https://pre.hospitalitylawyer.com/keeping-private-matters-private/ Wed, 28 Oct 2015 16:00:25 +0000

Co-authored by

Allen P. Pegg & Gabriella Morello

Keeping Soiled Laundry Out of Public View: How Arbitration Provisions Can Help Preserve Image and Value

For any company, brand image is king.  After all, image reflects on all aspects of the business, from reputation to service to attitude to culture. For one industry in particular, however, image is inherently linked to the business’s core identity and ability to attract repeat clientele – in other words, to survive.   That industry is hospitality.  For those operating in that segment, public brand image can directly and significantly influence the business’s relationship with its customers, vendors, and management groups. While prevalent across the industry, this is perhaps most apparent for owners and operators of boutique hotels, whose livelihood as competitors in the hospitality market is inextricably tied with their reputation and word-of-mouth among consumers and the media.

Image Is King

Given the impact of social media, marketing, and press attention, conflicts that arise from any one of the variety of business relationships that hospitality owners and operators necessarily have are publicly scrutinized and painstakingly explored, influencing future business and customer relations – one way or another. For example, Miami Beach boutique hotel Eden Roc LLP was recently involved in a highly publicized lawsuit adverse to Marriott International, alleging claims for mismanagement and trespassing. Eden Roc claimed that Marriott breached the parties’ Management Agreement and that Marriott’s “failure to meet [its] own brand and operational standards” caused Eden Roc “to suffer with the stigma and reputational injury of an abandoned, drifting and dying hotel brand.” In response, Marriott counterclaimed for breach of contract, alleging that Eden Roc failed to effectively market the hotel and thereby caused its own cascade of money damages. This public round of unsavory allegations made headlines in Law360, Bloomberg, and The Real Deal, to name just a few. This was certainly not the most inviting press for customers and vendors, who as a group expect stable and reliable management during their stay (in the case of hospitality customers) or contract term (in the case of hospitality vendors).

Litigation: An Event in the Public’s Eye

To be sure, hotel and management companies should be equally concerned about maintaining privacy and upholding confidentiality during all aspects of business negotiations and dealings. Ultimately, disclosure of confidential information during the dissolution of these relationships is just as undesirable and hurtful to the business as disclosure when they commence, if not more so.

Nevertheless, the kinds of disputes described here, and their related counterparts, are not infrequent. And for better or for worse, lawsuits often paint an image far removed from reality, leaving customers, vendors, management companies, and hotel owners alike with an incomplete impression of a business. For this reason, among others, savvy hotel owners and management companies should seriously consider incorporating mandatory arbitration provisions in their service contracts (such as management and vendor agreements), and employment contracts, where litigation is prevalent.

Arbitration: A Private Affair

Due to the hospitality industry’s acute reliance on brand image and reputation to lure new and bring back repeat guests, a primary benefit of arbitration is its confidentiality.  Through privately managed non-public filing and non-public proceedings, as well as non-public decisions, arbitration provides an additional back-end layer of confidentiality protection that hotels and management companies seek (or should seek) during the front-end negotiations of these business agreements. See generally Am. Bar Ass’n Section of Dispute Resolution, Benefits of Arbitration for Commercial Disputes, at 5 (“Confidentiality [of arbitration] is an important feature for many corporations, particularly when . . . there are concerns about or damage to reputation or position in the marketplace.”).

Arbitration can also address employment issues, which if aired in a public arena can significantly damage any hospitality brand’s image—and in particular a fledgling or boutique brand’s image. Although the hospitality industry has had a global presence for decades, its labor force has become increasingly diverse over the last decade. See Camille Kapoor & Nicole Solomon, Understanding and managing generational differences in the workplace, Worldwide Hospitality and Tourism Themes, Vol. 3, Iss. 4, at 308-18 (2011). The benefits of such a diverse workforce are plentiful, though this diversity can also lead to a brand’s increased exposure to employment discrimination lawsuits, which can be particularly attractive to employees due to their jury trials and punitive and compensatory damages. Arbitration provides a fairer and more level playing field, sifting out the unsubstantiated complaints that owners and management companies often dread (so much so they often settle without considering the merits out of concern for their brand and image). See generally David Sherwyn & J. Bruce Tracey, Mandatory arbitration of employment disputes: Implications for policy and practice, Cornell Hotel and Restaurant Administration Quarterly, 42(5), 60-71 (2001).

So What Should Industry Players Do?

All things considered, the inclusion of mandatory arbitration clauses in a hospitality owner’s or provider’s contracts can help protect brand image—and hence, the success of the business—by keeping disputes, which can unreasonably cloud customers’ and partners’ view of the business, confidential and out of the public view.

Allen P. Pegg, Counsel at Hogan Lovells’ Miami office, concentrates his practice in state and federal complex commercial litigation, arbitration, and appellate work. His broad experience includes, among other areas, matters involving contract disputes, business torts, shareholder derivative actions, shareholder and partnership disputes, professional liability claims, corporate governance and financial disputes, and commercial real estate and development issues.

Gabriella Morello is a member of the Litigation, Arbitration, and Employment practice group in the Miami office of Hogan Lovells. She focuses her practice on commercial litigation and international arbitration representing multinational entities from various countries in Latin America and the Caribbean, Guatemala, México, and Venezuela.
