Cyber Risk in the Vendor Ecosystem

The past several years have demonstrated a transition from enterprise-wide cyber-risk management to ecosystem-wide cyber-risk management. In enterprise-wide cyber-risk management, each individual company protects the security of its own information assets and systems. The ecosystem approach recognizes that other parties outside of the company may increase or reduce the company’s cyber-risk exposure and attempts to manage this external risk. This article provides an overview of the vendor ecosystem, addresses cyber risk assessment, and concludes with a discussion of cyber risk mitigation by contract.

I. Overview of the Vendor Ecosystem

In evaluating the cyber risks posed by a vendor relationship, the customer (Customer) should consider the entire ecosystem of the vendor (Vendor). The Customer-Vendor relationship is not binary. Rather, the Vendor is a Customer of other vendors and a contractor to its various subcontractors; it may have other relationships that could impact the Vendor’s services to the Customer or the Customer’s cyber-risk exposure.

Figure A shows the Vendor’s subcontractors and service providers on the Extended Ecosystem to the left of the Vendor. To the right of the Vendor are Customer-related parties that may interface with the Vendor or its subcontractors or service providers. These include the Customer’s subcontractor, customers, and customers’ customers, as shown.

The Vendor operates downstream from its various licensors and service providers and is dependent upon these third parties to provide services to the Customer. Consider a Vendor providing licensed software (Licensed Software) in a software-as-a-service (SaaS) environment. The Vendor grants a limited license to the Customer in the Licensed Software but retains possession of the Licensed Software and operates and maintains the Licensed Software on the Customer’s behalf. The Vendor may own the Licensed Software but has likely licensed third-party components of the Licensed Software from other owners or licensors, and has licensed other software from third parties that acts in combination with the Licensed Software to provide the SaaS service to the Customer. For risks arising from these upstream relationships, the Vendor may be limited in its ability to select or influence its upstream service providers and in its ability to promise or pass on to the Customer certain assurances and commitments, rights and remedies, and service levels from its upstream providers.

The Vendor subcontracts various aspects of its operations to service providers. For example, in the SaaS context, the Licensed Software may be owned by the Vendor, but maintained and operated at a third-party data-processing center. This means that although the Customer contracts with the Vendor for the SaaS service, it may directly interface with the Vendor’s subcontractor that operates the data-processing center, or the data-processing center may otherwise have access to the Customer’s information or systems. In this context, the quality of the services and the extent of the cyber risk may be dependent upon the performance of the Vendor’s subcontractors. For the types of risk posed by the Vendor’s primary subcontractors, the Vendor may have greater bargaining power than in the upstream scenario and may be able to “flow down” certain requirements and performance standards to the subcontractors. The Vendor would be expected to have the ability to monitor and mitigate risks posed by subcontractors. Figure B shows how Vendor-related parties may be involved in providing services to the Customer.

The Customer may have obligations to its customers or its customers’ customers that may impact the Vendor services and attendant cyber risk. Using the SaaS example, the Vendor’s subcontractor data-processing center may have access to consumer data owned by the Customer’s customers. For example, consider a Customer that offers payroll services to its customers, which involves consumer data of its customers’ employees. The Customer outsources the ACH processing of the payroll to the Vendor, and the Vendor subcontracts with a data-processing center to prepare the ACH files to make payroll payments from the accounts of the Customer’s employer customers to the accounts of their consumer employees. The Customer’s customers’ responsibilities to preserve the security of employee information will be delegated by the Customer to the Vendor, which will in turn delegate that responsibility to its subcontractor that operates the data-processing center. The cyber risks to the consumer employee information may be exacerbated at each point of access to the employee information.

The Customer’s subcontractors and upstream service providers may also interface with the Vendor or provide information to the Vendor or impose requirements on the Customer that would apply to the Vendor. The Customer must consider the cyber risk arising out of contacts between these third parties and the Vendor.

Figure A: Vendor Ecosystem

Figure B: Vendor-Related Parties

II. Cyber-Risk Assessment in the Vendor Ecosystem

The initial cyber-risk assessment conducted by the Customer with respect to a proposed vendor arrangement may be complicated by the web of upstream service providers and subcontractors that touch the Vendor’s or Customer’s information or systems. When the Customer’s information is classified as proprietary or confidential, the Customer should first identify all information access vectors and risk exposures posed by the vendor relationship. The next step is to identify all third parties involved in those access vectors and determine whether the third parties are upstream service providers or subcontractors of the Vendor, or customers or subcontractors of Customer, or some other third party. Other third parties may include regulators, law enforcement, or other nonparties that may have access to confidential information or that may mitigate risk to the security of such information.

The information-security risk assessment regarding the third parties that operate within the Vendor ecosystem will vary depending on whether the third party is an upstream service provider or a subcontractor, and on the extent to which the third party has the ability to access, modify, disclose, or exfiltrate the proprietary and confidential information of the Customer or Vendor, or to interface with Customer or Vendor systems. These types of third parties are described in the “Extended Ecosystem” inside ring in Figure A.

Consider the SaaS context described above. If an upstream third-party component of the Licensed Software infringes an intellectual property right of another, then the Customer’s liability exposure for infringement may be heightened; if the third-party licensor does not touch the Customer’s information, however, the information-security risk may be negligible. If a subcontractor of the Vendor is understaffed, and there are delays in service but no impact on Customer information, the transactional or reputational risks to the Customer may be heightened, but not necessarily the information-security risks.

Some risks may implicate a variety of service providers. For example, again in the SaaS context, if there is a widespread power outage, the access vector (interface with the data-processing center) may not be available, but there may be no ensuing risks to the Customer information if all access is suspended. If a data-processing center loses power, however, and does not have adequate back-up capabilities and resiliency, the Customer’s information that is maintained by the data-processing center may be at risk. In order to manage this risk, the Customer would likely decide to address the Vendor’s responsibilities in the event of a power outage. Power outages are foreseeable risks that may not be managed by the Customer directly with the Vendor’s subcontractor’s power company.

Steps in this assessment include:

  • identifying the types of third parties that may access the Customer’s proprietary and confidential information (whether from the Customer directly or from another third party)
  • classifying the third party as an upstream service provider or a subcontractor of the Vendor
  • identifying the specific types of risks posed by the Vendor and each third party
  • assigning a risk level posed by the Vendor or each third party for the types of risks identified
  • determining whether third-party risk requires mitigation by the Customer and/or the Vendor

Certain third parties may require direct assessment by the Customer if an entire Vendor function (or comparable access to information or systems) is delegated to the third party. For example, in the SaaS context, the Customer may engage in due diligence of the data-processing center directly and require the Vendor by contract to monitor and manage risks posed by the center.

The outer ring of Figure A identifies possible external risk factors that may serve to mitigate the cyber risks posed by the Vendor ecosystem. These include:

  • cyber insurance coverages held by the Customer or by the Vendor that would apply to certain types of risks identified during the assessment process
  • payment system rules or regulatory oversight applicable to the Vendor regarding certain cyber risks
  • external audits (like SSAE 16 or SOC-2 audits or National Automated Clearing House Association (NACHA) audits) or certifications (like PCI compliance or ISO 27001) made of the Vendor (or the Vendor-related parties) addressing the types and levels of cyber risk

Consider again the payroll processor example above. The Customer is the payroll processor providing services to its customers by facilitating wage payments to its customers’ employees. The Customer outsources the ACH debit-origination process to the Vendor; the Vendor will be bound by the NACHA operating rules and must format payments as required by the rules. This external requirement serves to mitigate certain security risks attendant in the payment process.

Similarly, if the Vendor subcontracts with a data-processing center and the center is SOC-2 audited annually, the risk posed by the security protocols and standards observed by the center should be mitigated, or at least monitored, by the SOC-2 assessment process.

The types and levels of cyber risk to the Customer posed by the extended Vendor ecosystem in the inside ring of Figure A should be mapped to any external cyber-risk mitigants, like those set forth on the outer ring of Figure A. In that way, the Customer can quantify its level of cyber risk posed by the Vendor relationship and its ecosystem, and identify any gaps that may require additional mitigation.

III. Mitigation of Cyber Risk in the Vendor Ecosystem

Generally, the Customer-Vendor contract should identify which contracting party is responsible for managing the specific types of cyber risk posed by the relationship. The contract between the Vendor and the Customer should address each party’s obligations regarding the cyber risks that it poses and third parties that pose information-security risk to the other party (i.e., key third parties). The types of Vendor-related parties that should be considered are shown in Figure B and are addressed in greater detail above. The Customer’s ability to mitigate information-security risk posed by key third parties will vary depending on whether the key third party is an upstream service provider or a subcontractor of the Vendor. The ability to manage these cyber risks by contract will be further dependent on the following:

  • the terms of the Vendor’s contracts with the key third parties
  • the Vendor’s bargaining leverage with the key third parties
  • the Vendor’s ability to monitor the key third parties

In many instances, the Vendor’s contracts with key third parties may be confidential. Moreover, the Customer will not likely be a third-party beneficiary of such contracts. Therefore, it is important that these risks be addressed directly in the Vendor-Customer contract or otherwise mitigated by the Customer or the Vendor (whether through due diligence, independent monitoring, reliance on other third-party monitoring, or other practical way to address key third-party risk).

The goal of the contract should be to mitigate cyber risks that are not otherwise mitigated or to incorporate external mitigants as part of the Contract. Examples of external mitigants are shown on the outer ring of Figure A and were discussed above.

Key cyber risks identified by the Customer during the risk-assessment process should be addressed in the Vendor-Customer contract. The following types of contract terms should be considered: the imposition of specific requirements, mechanisms for the Customer to monitor whether such requirements are met, and remediation in the event of any failures by the Vendor.

The Vendor-Customer contract may require the Vendor to ensure that the Vendor and key third parties comply with general contractual standards. For example, nondisclosure agreements typically require the recipient of protected information to limit any permitted disclosures to third parties who have agreed with the recipient to adhere to confidentiality requirements at least as stringent as those set forth in the bilateral nondisclosure agreement. This approach effectively requires the recipient to contract with any permitted third parties to protect the information and may require reliance on the Vendor’s assurances that such contracts are in place.

Another approach involves imposing specific security requirements on the Vendor and requiring the Vendor to specifically “flow down” certain requirements to key third parties. This method may require the Vendor to amend its contracts to ensure that they align with the specific contractual requirements. This approach is likely more feasible with primary subcontractors. Flow-down terms could be incorporated as an exhibit or appendix to the Vendor-Customer contract.

Alternatively, the parties could agree by contract that the Vendor will require key third parties to adhere to certain laws or third-party information standards or processes, such as the NIST framework, FFIEC CAT, or ISO standards or EU Commission directives (or GDPR next year), all risk mitigants of the type identified on the outer ring of Figure A. In this approach, the contract would require the Vendor to ensure that key third parties comply with these requirements, and that any failures by key third parties trigger notice and specific remediation and liability requirements.

Yet another alternative is that the parties could rely on external certifications for or audits of the Vendor or key third parties, such as PCI compliance, SOC or ISO audits, or examinations by governmental agencies. As above, the contract would require the Vendor to comply and ensure that key third parties comply with these requirements, and that any deficiencies are reported to the Customer. The Vendor should also be required by contract to provide evidence of compliance, such as summaries or copies of such independent reports.

A key part of any contract term addressing cyber risk is the inclusion of complete, concrete requirements that may be objectively measured. “Reasonable security,” “industry standards,” and “due care” are evolving standards in this context and may be lacking depending on the level of cyber risk posed by the relationship.

Any single contract may involve a hybrid of these approaches based on the larger ecosystem. For example, in the SaaS context in which the Vendor outsources data-processing center operations, the contract could require that:

  • the subcontractor that operates the data-processing center has agreed to preserve the confidentiality of Customer information in a manner at least as stringent as the nondisclosure terms in the contract between the Vendor and the Customer;
  • the subcontractor be located in the United States (or the contract could identify the subcontractor by name and location and could provide for Customer approval or notice to the Customer in the event of any change in subcontractor or data-processing center location);
  • the subcontractor comply with all applicable law regarding the handling of Customer information (whether that be the law applicable to the information, the Customer, the Vendor, or the subcontractor);
  • specific information-security procedures that are included in the Vendor-Customer contract be flowed down to the subcontractor; and
  • the subcontractor be required to conduct annual SOC-2 compliance assessments, with concomitant reporting and remediation requirements.

In all events, the contract would include specific monitoring and reporting requirements and remedies, and the Vendor would remain primarily liable for the acts or omissions of the data-processing center.

Conclusion

The Vendor-Customer ecosystem can be quite complex. Each party will have its own subcontractors and upstream service providers. Questions to consider include the following:

  • How far into the Vendor’s ecosystem must the Customer look (Figure B)?
  • How much of the Vendor’s ecosystem must the Customer try to shore up?
  • How much negotiating power does the Customer have over the Vendor, particularly with regard to requiring changes to the other party’s third-party contracts?
  • How much bargaining leverage does the Vendor have over its key third parties?

Consider requiring the contract RFP to list all Vendor key third parties (by type if not by name) and the functions of each. The parties should consider how these risks and factors may be addressed during the RFP and contract process. For example, if there are specific flow-down terms or third-party audits that the Customer would like the Vendor and its key third parties to undertake, it may be easier to raise these specific requirements during the RFP process. At a minimum, the RFP process should require the Vendor to identify all of its upstream service providers, subcontractors, and other third parties that may have access to the Customer’s confidential and proprietary information or systems accessing or maintaining such information during the term of the contract.

The specific approach or combination of approaches that the Customer should take and the answers to the questions above will be determined by the level of risk posed by the proposed relationship and the availability of extra-contractual methods to monitor and mitigate such risk. This process requires the identification of valuable proprietary and confidential information that may be impacted, the access vectors and proposed uses of such information, and the permitted uses and disclosures by the Vendor regarding such information.

Shareholder Activism 2017: An Overview

Shareholder activism, a catalyst for change in corporate boardrooms, is on the rise. According to FactSet’s 2016 Shareholder Activism Review, there were 519 activist campaigns in 2016. Although this represents a 16-percent decrease from the 622 campaigns in 2015, it nevertheless reflected a 22-percent increase from, and the second-highest total since, 2009.

Of the total number of activist campaigns in 2016, FactSet identified 319 as “high-impact activism,” defined as campaigns in which the objective is board control, board representation, the maximization of shareholder value, or removal of officer(s)/director(s).

This year has been a robust one for activism, as evidenced by the recent Procter & Gamble proxy battle and ADP’s ongoing battle with Pershing Square Capital Management. Among the most recent high-impact activist campaigns in 2017, three are particularly notable: Elliott Management’s campaign against Arconic Inc.; Marcato Capital Management’s campaign against Buffalo Wild Wings; and Jana Partners’ campaign against Whole Foods Market, Inc.

Arconic Inc.

Arconic, a $12 billion aerospace supplier, found itself under pressure from activist investor Elliott Management Corporation, Arconic’s largest shareholder with an 11.6-percent stake, to cut costs and improve profit margins. Elliott, consistently recognized as one of the top ten activist investors in the United States by Activist Investing and FactSet, launched ten activist campaigns in 2016. The campaign against Arconic, launched in January 2017, called for the removal of the CEO due to underperformance as well as the addition of four new Elliott-backed board members.

In response, Arconic indicated that nine new board members had been added in the prior 16 months, three of whom were proposed by Elliott. Independently, the CEO resigned in April after having sent an unauthorized letter to Elliott’s founder that the board determined showed poor judgment and that Elliott deemed inappropriate.

Proxy advisers generally supported Elliott, with Institutional Shareholder Services (ISS) recommending two of Elliott’s nominees and Glass Lewis & Company endorsing all four of Elliott’s nominees.

On May 22, 2017, just three days before the scheduled Annual Meeting, Arconic and Elliott reached an agreement whereby Elliott gained three additional board seats (one of which would serve on the CEO search committee), thereby giving it major control with a total of six out of 13 seats.

Buffalo Wild Wings

Buffalo Wild Wings, a $2.3 billion restaurant chain with over 1,200 locations worldwide and with declining sales, found itself challenged by Marcato Capital Management LP. Marcato disclosed its initial 5.1-percent interest in a 13D filing on July 25, 2016. Subsequently, it expressed concerns on multiple occasions regarding Buffalo Wild Wings’ strategy and business model, specifically that the percentage of franchised stores should increase from 49 to 90 percent. On February 6, 2017, Marcato nominated four members to the board of directors. Two months later, Marcato called for the removal of the CEO.

As did Arconic, Buffalo Wild Wings noted that it had already implemented several of Marcato’s recommendations, including adding five new directors (including one of Marcato’s nominees), engaging a consulting firm, and increasing share buybacks. This was not sufficient. Notwithstanding months of discussion, and unlike Arconic, a settlement was not reached prior to the annual meeting.

By May 2017, Marcato’s stake in the company stood at 9.9 percent. ISS recommended three of Marcato’s four nominees to the board, after which shares increased six percent. Glass Lewis recommended that shareholders adopt the company’s slate of directors. At the annual meeting on June 2, 2017, the CEO announced her retirement, and shareholders voted to elect three of Marcato’s nominees, one of whom was Marcato’s founder. These seats, combined with the previously gained seat, gave Marcato control of four out of nine board seats.

On June 19, 2017, the company announced the launch of its franchise initiative with 83 restaurants in multiple locations including Canada, Pennsylvania, Texas, and Washington, DC.

Whole Foods Market Inc.

Whole Foods Market, the organic food pioneer, has seen a steady erosion in sales and a decline in shareholder value since 2013. Concerned with declining sales and a failure to remain competitive by adopting new technology and data analytics in an industry renowned for low margins, Jana Partners, LLC, Whole Foods’ second-largest shareholder with over eight percent of shares, and investment manager Neuberger Berman, with a 2.7-percent stake, independently of each other began to press the company to explore a sale in April 2017.

In May, Whole Foods announced a series of changes, including the appointment of a new CFO and a chairman of the board, as well as the appointment of five new independent directors whose tenure would be limited to a 15-year term. Ponder whether a 15-year term represents board reform, but everything is relative.

Notwithstanding these changes, Amazon.com acquired Whole Foods in June for $13.7 billion, paying $42.00 per share and driving shares up 27 percent. In July, Jana sold its total position in Whole Foods, generating a profit of approximately $300 million.

Several themes emerge from these campaigns:

1. Activism prevails. In each campaign, the activist prevailed. Elliott Management—three additional Arconic board seats and the removal of the CEO; Marcato—three additional board seats and the removal of the CEO; and Jana Partners—sale of the business to Amazon.com.

2. Prior acquiescence and adoption of recommendations will not insulate a company from further activism. Arconic, Buffalo Wild Wings, and Whole Foods Market each adopted activist recommendations governing board composition. None were sufficient to address the fundamental issues underlying the activism: business strategy and governance.

3. Activism as a catalyst for business strategy. Fundamentally, each activist (Elliott, Jana, Neuberger, and Marcato) recognized and sought to address the company’s business model. In the case of Arconic, it was Elliott’s focus on cost cutting, operational improvements, and product focus; for Buffalo Wild Wings, it was shifting the business model to decrease corporate store ownership and increase franchises; and for Whole Foods Market, it was Jana and Neuberger’s concern about the company’s failure to be more innovative by adopting new technology to maximize sales and profits. Elliott and Marcato now hold substantial board representation and a concentration of power that effectively allows them to drive their agendas.

4. Settlement is the preferred option. Of the three companies, Buffalo Wild Wings did not prevail in this regard. It is ultimately in a company’s best interest to settle and attempt to negotiate an agreement with an activist shareholder rather than wage a costly and protracted proxy contest. According to FactSet, in 2016, the median cost of a proxy fight, including proxy solicitation and consulting fees, was $1 million for a target company, almost 100 percent more than in 2015.

Given this landscape, as a matter of good corporate governance, companies are well advised to do the following:

1. Heed the directive of the Shareholder Director Exchange (SDX) Protocol. Established in 2014, the SDX Protocol arose out of “the shifting balance of power toward shareholders” and increased shareholder activism. From January 2010 through November 2015, shareholder interventions increased more than 100 percent. SDX, a blueprint for institutional shareholder-director engagement, recognizes that the power of communication prior, rather than subsequent, to an issue escalating into major public discourse or a proxy battle, cannot and should not be underestimated. Notwithstanding clear evidence of increased shareholder activism, PwC’s Governance Insights Center found that in its review of 100 proxy statements, only 28 percent disclosed a process for shareholder engagement. This is staggering and particularly critical for small-cap companies, given that 75 percent of activist campaigns last year involved firms with market caps less than $1 billion, with the median target company market cap being $249 million, according to FactSet.

At an absolute minimum and as a best practice, irrespective of market size, every publicly traded company should have a shareholder engagement policy that articulates who engages on what topics under which circumstances. A shareholder engagement policy will not insulate a company from investor activism; however, it is a risk mitigation tool that promotes communication.

2. Embrace and adhere to the Investor Stewardship Group (ISG) corporate governance principles. Scheduled for implementation in January 2018, the six ISG corporate principles enunciate what ISG believes “are fundamental to good corporate governance at U.S.-listed companies.” Key among these for the purposes of shareholder activism is Principle 3: Boards should be responsive to shareholders and be proactive in order to understand their perspectives.

Shareholder activism will continue to mount as investors seek to maximize shareholder value. The trend will not abate. One of the most effective strategies for companies to neutralize, but not eliminate, potential shareholder opposition is to engage strategically, thoughtfully, and consistently.

Litigators Must Be Mindful of Discovery Compliance under the Revised Federal Rules

Federal courts are now handing down firm decrees, stating that although “old habits die hard,” counsel must revise their “form” discovery responses immediately to comply with the Federal Rules of Civil Procedure. In two recent orders, courts have decried the “widespread addiction” lawyers have with the “menacing scourge” of “boilerplate” objections. Liguria Foods, Inc. v. Griffith Laboratories, Inc., 14-3041-MWB (D. Iowa Mar. 13, 2017); Fischer v. Forrest, 1:14-CV-1304-PAE-AJP (S.D.N.Y. Feb. 28, 2017). Because no litigator wants to be the subject of a strongly worded discovery order, it would benefit counsel to heed these courts’ warnings. This is especially so because both make clear: “admonitions from the courts [are] not . . . enough . . . only sanctions will stop this nonsense.”

So what should counsel do? As a starting point, Rule 26 sets out the boundaries of discovery succinctly. “[T]he concepts of materiality, relevancy, and discoverability are [not] fixed,” and a party is entitled to use discovery as an “investigatory tool” to explore freely its “theories of the case . . . .” In contrast, the party subject to a discovery request cannot avoid its duty to respond through “bald assertions” of privilege or other objections. Rather, it must first object and respond to the request specifically and utilize Rule 26(c) as a last resort if the issue is pressed. Liguria Foods, at 23–27.

Within this Rule 26 paradigm, litigants should avoid a variety of discovery practices. Lawyers should immediately stop using general and “boilerplate” objections. “The key requirement in both Rules 33 and 34 is that objections require ‘specificity.’” Liguria Foods, at 28. It is “simply not enough” for attorneys to assert vague and conclusory objections to interrogatories or requests to produce without specifying “how” a particular discovery request is “deficient,” and without “articulating the particular harm” that will accrue if forced to answer. Id.; accord Fischer, at 5 (stating that if a party objects that a request is “overbroad” or “unduly burdensome,” then explain: “Why is it burdensome? How is it overly broad?”).

However, even if counsel specifically explains the basis for an objection, more must still be done. Counsel must identify “whether any responsive materials are being withheld on the basis of that objection.” Fed. R. Civ. P. 34(b)(2)(C); 2015 Adv. Comm. Notes to Rule 34. “[S]imply stating that a response is ‘subject to’ one or more general objections does not satisfy the ‘specificity’ requirement[.] . . . [Rather,] it leaves the propounding party unclear about which of the numerous general objections is purportedly applicable as well as whether the documents or answers provided are complete . . . .” Liguria Foods, at 32–33.

In addition, privilege logs should always accompany any responses that assert a privilege. Otherwise, the objection “hamper[s], rather than facilitate[s], the timely and inexpensive determination of privilege issues.” Liguria Foods, at 31. Further, going forward, discovery responses must either (1) state that all requested documents will be produced at the time specified in the request, or (2) state another reasonable time for production “specifically . . . in the response.” Fischer, at 2–3, 5; Fed. R. Civ. P. 34(b)(2)(C). If “it is necessary to make the production in stages,” then “the response should specify the beginning and end dates of the production.”

So what is the take-away from these opinions? Courts simply will not tolerate these practices, no matter how entrenched or harmless they may seem to be. Remember, when objecting, “specificity” is key. “[A]n objecting party does not have the unilateral ability to dictate the scope of discovery . . . .” Liguria Foods, at 32. Thus, practitioners should remove vague and conclusory objections from their discovery toolbox altogether. Counsel must also explain the reasons underlying their objections and, if objecting to a document request, state whether documents were withheld from production. Be proactive and cooperate with opposing counsel to the extent possible. If a discovery dispute arises, “request an extension of time to respond and confer on troublesome discovery requests,” or “request an ex parte and in camera review” from the judge, “who might quickly render an opinion on whether [the request] in question [is] discoverable.” Liguria Foods, at 34. Lastly, always produce your privilege log and documents at the time your responses are due, or cooperate with opposing counsel for an extension.

Secured Parties Still Must Be Aware of Patent Rights in Goods

The U.S. Supreme Court’s May 30, 2017 decision in Impression Products, Inc. v. Lexmark International, Inc., 137 S. Ct. 1523 (2017), should provide some comfort for secured parties and the lawyers who advise them, but not too much comfort. Caution is still needed before lending against inventory manufactured pursuant to a patent, particularly if the debtor is a manufacturer.

The Lexmark case involved a claim of patent infringement against Impression. Lexmark manufactured toner cartridges. It sold some at full price and free of restrictions on resale and reuse. It sold other cartridges at a discount but subject to restrictions on resale and reuse. The restricted cartridges had a microchip that made them inoperative if they were refilled. Impression bought restricted cartridges, allegedly with knowledge of the restriction, altered or removed the microchip, and then refilled and resold the cartridges. Lexmark sued for patent infringement.

The district court had ruled that Lexmark’s initial sale exhausted its patent rights pursuant to the so-called first-sale doctrine. The Court of Appeals for the Federal Circuit reversed. It acknowledged the existence of the first-sale doctrine, but concluded that a sale made under a clearly communicated, otherwise-lawful restriction as to post-sale use or resale does not confer on the buyer—or on a subsequent purchaser with knowledge of the restriction—the authorization to engage in the use or resale that the restriction precludes. The decision created a potential problem for secured parties. A secured party is not normally bound by the debtor’s contractual promises to third parties that limit the debtor’s rights to use or sell the collateral (see U.C.C. §§ 9‑406, 9-408). The circuit court’s decision did not alter that rule, but by preserving and extending a patentee’s patent rights in goods sold to the debtor, it subjected a secured party that knew of and violated those patent rights to statutory damages and injunctive relief, even if the patentee had no provable damages under contract law (with possible treble damages for a willful violation under 35 U.S.C. § 284).

The Supreme Court, in a near unanimous decision, reversed the circuit court. In so doing, the Court adopted an expansive view of patent exhaustion: “a patentee’s decision to sell a product exhausts all of its patent rights in that item, regardless of any restrictions the patentee purports to impose,” and “[t]he purchaser and all subsequent owners are free to use or resell the product just like any other item of personal property, without fear of an infringement lawsuit.”

The Court’s decision is welcome news for secured parties that finance distributors or retailers that have purchased patented goods. Even if the patentee has imposed restrictions on the borrower’s resale of the goods, such as by limiting sales to a specified geographic area or to transactions in the ordinary course of business, the borrower would be free—as a matter of patent law, not contract law—to ignore those restrictions. More importantly, the secured party would not, when enforcing its security interest, be bound by those restrictions. Any disposition of the inventory by the secured party that did not comply with those restrictions would not violate the patentee’s patent rights because those rights will have been exhausted by the patentee’s prior sale of the goods. Moreover, the secured creditor will not be in privity of contract with the patentee, and thus, presumably will have no contract liability for breach of the restrictions.

It bears emphasizing that Lexmark does not prohibit patentees from restricting their buyers’ resale or reuse of the goods by contract. As a result, if a borrower purchases patented goods pursuant to a contract that imposes restrictions on resale or reuse, and if the borrower breaches those restrictions, the borrower might have undisclosed liabilities that will affect its creditworthiness and, indirectly, affect the likelihood of repaying the secured lender. Nevertheless, that risk is far less significant than the risk of subjecting the secured party to patent liability if it were to dispose of the goods.

Unfortunately, related but different risks survive. The Supreme Court was quite clear that the doctrine of patent exhaustion applies only when the patentee sells patented goods. It does not apply when the patentee licenses its patent rights. As a consequence, if a secured lender is financing a manufacturer, rather than a distributor or retailer, and if that manufacturer has made goods that are subject to a patent license, the secured lender must be cognizant of the restrictions imposed in the patent license. For example, a prohibition on sale in specified geographic areas or to specified types of buyers would not only limit the borrower’s ability to sell the goods, but could also apply to a disposition of the goods by the secured lender. Any unauthorized sale of the goods will expose the seller—whether the borrower or the secured lender—to liability for patent infringement.

Moreover, the risk of patent infringement exists even if the license does not impose a restriction on resale or reuse. If the borrower breaches the patent license (e.g., by failing to pay license fees), that breach might result in the termination of the license. In such a circumstance, the borrower might lose all rights to sell the goods, such that any sale would also be an infringement of the patentee’s patent rights. Unless the secured party obtains an independent right or license directly from the patentee, the secured party’s right to dispose of the goods would be subject to the same patent limitations. A security interest in goods that cannot be sold, either by the borrower or by the secured party, is not a very valuable security interest.

Finally, secured lenders and the transactional lawyers who advise them should note that the Lexmark decision does not deal with a situation in which the borrower is the owner of the patent rights. In such a case, the secured lender should consider whether it needs a security interest in the patent itself. Irrespective of whether the patent is available as collateral, the secured lender should consider having the borrower grant the secured lender, in the security agreement, a royalty-free, noncancelable license to use the patent in connection with any post-default disposition of the goods.

Cybersecurity Issues in PPP

A public/private partnership (“PPP”) is a cooperative arrangement between the public sector and the private sector for the delivery of a specific infrastructure project or service. The public and private sectors each have strengths and weaknesses relative to each other with regard to the performance of certain tasks. A PPP seeks to exploit those strengths while mitigating the weaknesses. Typically, the public sector sets out the goals and objectives for the project by defining the level, quality, and scope of the required service or project while ultimately retaining ownership and, consequently, a measure of oversight over the finished asset. The private sector brings its managerial, technical, and financial expertise to the venture and is responsible for delivering an output which satisfies the goals and objectives defined by the public sector.

Increasingly, information collected and/or created in connection with PPPs is being digitized, stored, and accessed from complex networks and information systems. This information is often targeted by cybercriminals, state-sponsored players, and “hacktivists” by way of cyber attacks that can take the form of, for example, advanced persistent threats (APTs), malware (including ransomware), denial-of-service (DoS) attacks, domain name hijacking, social engineering, and phishing campaigns. Given the involvement of a public partner, the incidence of these attacks is increasing, and thus special attention must be given to cybersecurity risks. Public partners can draw on the technology capabilities of a savvy private counterpart to effectively reduce cybersecurity risks for a PPP.

Associated Risks

Cybersecurity attacks can have a significant impact on any organization, whether it is a private proponent or the public partner. For example, the attackers can steal or destroy key data, such as the organization’s intellectual property (often referred to as the “Crown Jewels”), and/or customers’ personal information, which can result in financial and reputational losses and years of litigation. Moreover, a significant cyber attack can cause operational disruption and compound financial losses. These risks are multiplied in a PPP, where data is contained on the information systems of two different entities, particularly with one in the private and one in the public sector, making a PPP increasingly vulnerable to cyber attacks.

Concerns about the risks associated with a cyber attack on PPPs have intensified in recent years. This is in part because the information necessary to conduct business and undertake projects is increasingly digitized and stored on servers of both the public proponent and the private partner. Given the potential high sale value of the data, the media coverage related to such attacks, and the ability of attackers to leverage an attack for political or social messaging, PPPs are frequently targeted.

In recent years, projects involving medical care, including hospitals, have been hit with cyber attacks for the purpose of extracting payment to release or unlock the system or to prevent disclosure. The nature of public activity, especially its participation in privately backed enterprise, makes it particularly prone to cyber attacks, as the consequences can be more significant and the pockets deep. In addition, public partners are increasingly concerned about protecting confidential and politically sensitive information, which makes such information more intriguing to attackers. Therefore, public enterprise has been the area of most significant cyber attacks for a variety of purposes in the last decade, and it is unlikely that such cyber attacks will lessen over the coming years.

Safeguards

While purchasing cyber insurance coverage is becoming more common in PPP transactions, the amount and scope of the insurance maintained by the organization may not be sufficient to cover losses resulting from a cyber incident or to adequately compensate the organization for the resulting disruptions.

Increasingly, laws require organizations to implement security safeguards to protect this type of information from loss, theft, and unauthorized access, disclosure, copying, use, or modification. These safeguards can vary with the nature of the confidential information in question, with more sensitive information requiring a greater level of security. Protection mechanisms should include physical measures (including locked or restricted-access storage locations), organizational measures (including appropriate security clearances for employees and disclosure of personal information on a need-to-know basis), and technological measures (including encryption keys and passwords).

Individuals dealing with a PPP project and its proponents will want to ensure that the project fully considers (i) the adequacy of the security measures implemented in connection with the project, and (ii) the measures contemplated to mitigate the consequences of a successful cyber attack. Of course, individuals should always be cognizant of the information that they are sending over electronic media and consider if such information should be sent, particularly given the prevalence of cybersecurity attacks and the gravity of potential consequences.

Conclusion

Cybersecurity will need to be carefully addressed in PPPs where the project will involve the gathering and storing of sensitive information concerning private individuals or of a public commercial or sensitive nature. This risk should not be ignored when consummating a PPP transaction, and adequate safeguards, such as an adequate insurance product, should be considered from the beginning to help protect all parties involved.

A Lesson from Harleysville: Proper Planning for Technology Use Can Prevent Disclosures That Lead to Waiver of Privilege

A recent decision from a federal magistrate judge in Virginia highlights the need for businesses—and their attorneys—to understand the technology their employees use and the risks associated with that technology, especially when confidential information is involved. The plaintiff in Harleysville Ins. Co. v. Holding Funeral Home, Inc., No. 1:15 cv 00057, 2017 U.S. Dist. LEXIS 18714 (W.D. Va. Feb. 9, 2017), used an online file-sharing service to exchange files with multiple users (including its counsel) at different times. Because the plaintiff did not limit access to the files by means of a password requirement or other control, opposing counsel was able to obtain the plaintiff’s confidential legal files. Describing the plaintiff’s actions as equivalent to publishing the files on the Internet, U.S. Magistrate Judge Pamela Meade Sargent held that both the attorney-client privilege and work-product doctrine had been waived. The court also sanctioned the defendant’s counsel for improperly accessing the unsecured files and not notifying opposing counsel of their privileged nature.

Notably, the Harleysville court indicated that both the plaintiff and its counsel should have recognized that the files were unprotected and acted sooner to preserve confidentiality. Indeed, an unintended disclosure like that in Harleysville is highly avoidable. With respect to file-sharing technology specifically, businesses should implement effective controls, such as password protections and file-availability time limits, to prevent unauthorized disclosure of confidential information. With respect to technology generally, businesses should adopt and enforce a comprehensive program of information-security policies, and then train employees on those policies. Law firms would also do well to adopt these practices, as they will enable attorneys to better meet their own confidentiality obligations and to identify risks in their clients’ practices.

Harleysville’s Failure to Limit Access to Files Results in Inadvertent Disclosure

In Harleysville, Harleysville Insurance Company (Harleysville) sought a declaratory judgment that it did not have to cover the claim of Holding Funeral Home, Inc. (Holding) for a 2014 funeral-home fire. An investigator for Nationwide Insurance Company (Nationwide), which owns Harleysville, uploaded a video about the fire damage to the file-sharing service of Box, Inc. (Box). On September 22, 2015, the Nationwide investigator sent an e-mail to a contact at the National Insurance Crime Bureau (NICB) with a hyperlink to the Box site. Although that e-mail contained a “confidentiality notice” indicating the e-mail contained privileged and confidential information and was subject to restrictions on its unauthorized disclosure or use, the file placed in the Box site was not password protected and was accessible by anyone who used the hyperlink.

Several months later, in April 2016, the Nationwide investigator used the same Box site to upload Harleysville’s entire claims file and Nationwide’s entire investigation file relating to the fire loss for the purposes of providing those files to Harleysville’s counsel. The investigator then sent an e-mail to Harleysville’s counsel with the same hyperlink he previously gave to the NICB contact.

In May 2016, the NICB responded to a subpoena from Holding by producing documents received from Harleysville, including the Nationwide investigator’s e-mail with the Box hyperlink. Holding’s counsel then used the hyperlink to access the Box site, which at that point contained the entire claims files of Harleysville and Nationwide. Holding’s counsel downloaded and reviewed those materials without providing any notice to Harleysville’s counsel.

Harleysville’s counsel did not discover the disclosure of the files on the Box site until October 27, 2016, after reviewing a thumb drive of discovery that Holding had produced in August 2016. In its initial review of that production, Harleysville’s counsel discovered it contained materials that were potentially privileged that the defendant had inadvertently produced. After contacting defense counsel and upon their request, Harleysville’s counsel destroyed the privileged documents that had been produced by the defense. For some reason, Harleysville’s counsel did not discover that the thumb drive also contained its own client’s claims file until late October. On November 2, 2016, Harleysville’s counsel requested that Holding’s counsel destroy its copy of the claims file, but by that time Holding and all of its counsel had reviewed the materials that were posted to Box. At some point thereafter, the plaintiff finally disabled the Box site.

Harleysville filed a motion to disqualify Holding’s counsel, arguing that defense counsel had improperly used the hyperlink to gain unauthorized access to Harleysville’s privileged materials. Holding opposed the motion, countering that Harleysville’s placement of the materials on Box, where it could be accessed by anyone, waived any claim of privilege or confidentiality. Although it conceded the files had been intentionally uploaded to Box, Harleysville argued that it had not waived privilege because it never authorized or intended disclosure of the files to anyone other than the NICB and its own counsel.

Failure to Limit Access to Files Available on the Internet Waived Privilege

Applying Virginia state law and precedent, the court found that, although Harleysville’s disclosure was inadvertent, it nonetheless waived the attorney-client privilege. The evidence showed that Harleysville failed to take “any precautions” to prevent disclosure of the information uploaded to Box. The court noted that the Nationwide employee had previously used the Box site and therefore knew or should have known that the information was unprotected. The disclosure was “vast” because the information was available to anyone who had access to the Internet. In addition, because Harleysville’s counsel used the unprotected hyperlink to access the information in April 2016, the court found that they knew or should have known the information was accessible on the Internet (but failed to take any remedial action until access to the site was finally blocked six months later). For similar reasons, the court also held that Harleysville had waived the work-product privilege under federal law.

Significantly, the court described the failure to password-protect the materials on Box as “the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it.” The court found it “hard to imag[ine] an act that would be more contrary to protecting the confidentiality of information than to post that information to the world wide web.”

As a matter of public policy, the court urged businesses to exercise caution when using “rapidly evolving” technology to share information. Because a company controls the decision on whether to use new technology, it “should be responsible for ensuring that its employees and agents understand how the technology works, and, more importantly, whether the technology allows unwanted access by others to its confidential information.”

Defense Counsel Acted Improperly by Accessing Files Despite Privilege Flags

The court also criticized the conduct of Holding’s counsel, finding they acted improperly in accessing the Harleysville materials. The court assigned significance to the fact that the e-mail that contained the Box hyperlink had included a confidentiality notice that “should have provided sufficient notice to defense counsel that the sender was asserting that the information was protected from disclosure.” According to the court, Holding’s counsel should have realized, based on the confidentiality notice in the e-mail, as well as the extent of the materials on the Box site, that the materials were subject to privilege or other protection. Accordingly, they should have notified Harleysville’s counsel and sought a determination from the court regarding privilege and other protections before using or disseminating the information. Holding’s counsel had even consulted the state bar ethics hotline about the access, undermining their claims that they believed the access was proper.

Harleysville sought disqualification of Holding’s counsel, but the court found it not warranted because substitute counsel would have access to the same information in light of the privilege/protection waiver. Instead, the appropriate sanction was for Holding’s counsel to bear Harleysville’s costs to seek the court’s ruling on the matter.

Technology Provides the Problem but Also the Solution

Although Harleysville involves the pitfalls of file-sharing services, the case offers lessons that are applicable to the use of any new technology. Simple precautions can avoid, or at least mitigate the damages from, the risks that technology poses to confidential information.

To begin with, a business would be wise to require its employees to use only technology that the company has vetted and approved. The company should consider whether the service has the security features and other criteria that the business deems appropriate in light of the sensitivity of the information at issue and the threats to it as identified by the company. Because many file-sharing services operate in the Cloud, with respect to that particular technology this may include analysis of such questions as: What security protections are utilized, and how frequently are they tested and updated? Where will the service provider store the company’s information? Who will have access to the files and under what conditions? How long will the provider retain the data? How and when are backups conducted?

In addition to requiring that employees use only a company-approved file-sharing service, the company may also determine that employees’ use should be subject to certain security controls available within the service. For example, as Harleysville demonstrates, access to confidential files should be restricted (and perhaps tracked) by requiring the authorized users to enter a password or log-in information to obtain the files. Access can be further restricted by requiring multifactor authentication by which a second user-identifying factor beyond a password is necessary to gain access.

Another potential security control is to limit access to folders within the service to persons designated as authorized users. Separate folders can be established for specific target users. As to external users, this can limit permitted users to viewing only that information to which they are intended to have access. On an internal basis, limited access can serve to enforce ethical walls and need-to-know policies within the company. As a further precaution, the business can require that confidential information be encrypted before it is placed in a file-sharing service. That way, only intended recipients who have been given both access to the folder within the file-sharing service and the encryption key can access the sensitive information.

Beyond the need for password protections, Harleysville also illustrates the risk in making files accessible for a longer period than necessary. That risk can be reduced by ensuring the online file-sharing service does not become a long-term repository for sensitive information. A business can implement policies that prescribe how long files can remain posted in a file-sharing service, or even impose settings that automatically delete files after a specified period. The person sharing the file can implement security controls within the service to limit the time the file is accessible to designated users, as well as the number of times a file can be downloaded. Some services will also permit an organization to claw back documents after having been downloaded, so that a person accessing the file has only a temporary copy of the document.

Policies and Training Are Also Important in Data Protection

Although technology is certainly an important component of a company’s overall data-protection program, having effective policies in place is another key element. A company should strive to have a comprehensive scheme of policies that is tailored to address its specific needs in terms of protecting confidential information. Depending upon the company’s goals and the categories of information at issue, the policies may address such matters as limiting access to information based upon an employee’s need to know for his or her job role, mobile-device use and bring-your-own-device programs, remote network access, secure destruction of data kept in electronic and paper format, and monitoring of employee activity within the company’s network (including infiltration and exfiltration of data to and from the network and via other technology platforms, such as file-sharing services).

However, it does little good to adopt policies if the company does nothing to enforce them. A strong first step toward enforcement is education. Employees must be trained on the company’s policies. Ideally, this will be accomplished through a company-wide program that provides security-awareness training for employees at all levels of the company, from the executive suite to the lowest-ranking staff. A company may find it is effective to have different types of events and outreach, from in-person presentations by outside consultants, to e-mails with information-security tips, to online training exercises. It is also important that employees know who to contact with questions or concerns about policies and information protection. The goal is to ensure that employees know how the company expects them to handle confidential information and to enable them to identify and respond appropriately to matters that threaten the preservation of confidentiality.

Technology controls and security training could have gone a long way toward avoiding the Harleysville scenario. The opinion did not discuss whether the Nationwide employee was authorized to use Box as a file-sharing service, with or without password protections or other controls. Nor did it discuss the Nationwide employee’s previous use of Box in detail, although the court assumed that his previous use meant he was familiar with the site and the features available to protect information on it. That may have been true (or not), depending on how often he utilized the site and how frequently it underwent updates that changed its features. In any event, the opinion suggests there were less than adequate controls and training in place. In addition, the waiver of privilege surely has a detrimental effect on Harleysville’s success in the underlying coverage litigation, but a company could find itself in a worse position if the information improperly disclosed by an employee includes that of third parties who have entrusted it with their sensitive or legally protected information. In that instance, the company may find itself having to comply with federal or state laws that require notification when certain personally identifiable information is disclosed and potentially may face litigation over the disclosure.

Harleysville informs us that law firms likewise would do well to employ technology controls and training programs. The court signified that plaintiff’s counsel should have realized the unprotected status of its client’s files because counsel itself used the unprotected link to access the files. In doing so, the court struck at the heart of an attorney’s ethical obligation of competency, which as adopted in most states includes having knowledge concerning the risks and benefits of relevant technology. Unless Harleysville’s attorneys had previous exposure to file-sharing services and their features, the attorneys likely would not have appreciated that access controls were not in place. Likewise, if the attorneys had a subordinate employee (such as a paralegal) access the files, the attorneys would be dependent on the subordinate to realize the risk to confidentiality and raise it with the supervising attorney. A firm-wide training program could help both attorneys and staff develop their technology competence and skills in spotting vulnerabilities that threaten the confidentiality of their clients’ sensitive information.

The Harleysville court afforded great significance to the confidentiality notice in the e-mail that was used to initially forward the Box hyperlink, but the case demonstrates how ineffective that type of notice is for protecting sensitive information. It is common for businesses (attorneys especially) to include a confidentiality notice at the bottom of their e-mails. Typically, such notices are boilerplate, automatically appended at the very end of an e-mail, following the confidential message they are meant to protect, and often ignored as part of the “wallpaper effect.” Technology provides much more effective methods for protecting confidential information, such as password protection and encryption. As a lesson from Harleysville, businesses and attorneys would be well served to educate themselves about those alternatives and the pitfalls of and best practices for using them.

Supreme Court Restores Order to Bankruptcy Claims Process

Bankruptcy law is provided for in the U.S. Constitution under Article I, Section 8, Clause 4 and has existed in some form or another since the Bankruptcy Act of 1800. See Cent. Va. Cmty. College v. Katz, 546 U.S. 356, 370 (2006). Its primary purpose has long been to “relieve the honest debtor from the weight of oppressive indebtedness and permit him to start afresh free from the obligations and responsibilities consequent upon business misfortunes.” Local Loan Co. v. Hunt, 292 U.S. 234, 244 (1934). In the context of a Chapter 13 case, it furthers the fundamental purposes of the Bankruptcy Code system to adjudicate and conciliate all claims with respect to a debtor in her bankruptcy case. Universal Am. Mort. Co. v. Bateman (In re Bateman), 331 F.3d 821, 828, n.6 (11th Cir. 2003).

The Bankruptcy Code provides an incredibly broad definition of “claim,” which includes a “right to payment whether or not such right is reduced to judgment, liquidated, unliquidated, fixed, contingent, matured, unmatured, disputed, undisputed, legal, equitable, secured, or unsecured.” 11 U.S.C. § 101(5). The breadth of the definition of “claim” is intentional. 11 U.S.C. § 101(5) and 1978 Legislative History (“By this broadest possible definition . . . , the bill contemplates that all legal obligations of the debtor, no matter how remote or contingent, will be able to be dealt with in the bankruptcy case.” H.R. Rep. No. 595, 95th Cong., 1st Sess. 309 (1977), S. Rep. No. 989, 95th Cong., 2d Sess. 21–22 (1978), as reprinted in 1978 U.S.C.C.A.N. 5787 at 5807–08 and 6266).

The Fair Debt Collection Practices Act (FDCPA) was enacted in 1977 due to “abundant evidence of the use of abusive, deceptive, and unfair debt collection practices by many debt collectors [that] contribute to the number of personal bankruptcies . . . .” 15 U.S.C. § 1692(a). Congress made its purpose in enacting the FDCPA explicit: “to eliminate abusive debt collection practices by debt collectors, to insure that those debt collectors who refrain from using abusive debt collection practices are not competitively disadvantaged, and to promote consistent State action to protect consumers against debt collection abuses.” Owen v. I.C. Sys., Inc., 629 F.3d 1263, 1270 (11th Cir. 2011) (quoting 15 U.S.C. § 1692(e)).

For many years both the Bankruptcy Code and the FDCPA existed peacefully in separate jurisdictions. Attempts to inject FDCPA claims into bankruptcy cases were rare, and when attempted were often rejected by the bankruptcy courts themselves. Back in 2001, the Ninth Circuit Court of Appeals held that an FDCPA claim based upon an alleged violation of section 524 of the Bankruptcy Code was precluded by the Code itself because “while the FDCPA’s purpose is to avoid bankruptcy, if bankruptcy nevertheless occurs, the debtor’s protection and remedy remain under the Bankruptcy Code.” Walls v. Wells Fargo Bank, N.A., 276 F.3d 502, 510 (9th Cir. 2001). Several years later, the Bankruptcy Appellate Panel for the Ninth Circuit specifically held that the Bankruptcy Code precludes application of the FDCPA in the bankruptcy claims process. B-Real, LLC v. Chaussee (In re Chaussee), 399 B.R. 225 (9th Cir. B.A.P. 2008). Specifically, the panel found that “in our opinion, the debt validation provisions required by FDCPA clearly conflict with the claims processing procedures contemplated by the Code and Rules. Simply put, we find that the provisions of both statutes cannot compatibly operate.” The Second Circuit expanded on this reasoning in Simmons v. Roundup Funding, LLC, 622 F.3d 93, 96 (2d Cir. 2010), when it held that “the FDCPA is designed to protect defenseless debtors and to give them remedies against abuse by creditors. There is no need to protect debtors who are already under the protection of the bankruptcy court, and there is no need to supplement the remedies afforded by bankruptcy itself.”

Simmons and Walls were rather broad in their preclusion of all FDCPA claims in bankruptcy cases, whereas other circuits began to take a more analytical approach to whether there was a conflict between the portion of the Bankruptcy Code at issue and the FDCPA provision at issue. See, for example, Randolph v. IMBS, Inc., 368 F.3d 726 (7th Cir. 2004) and Simon v. FIA Card Servs., N.A., 732 F.3d 259 (3d Cir. 2013). Although the Third and Seventh Circuits would permit FDCPA claims under certain situations, one thing remained constant: no court would permit an FDCPA claim based upon the filing of a proof of claim. See also Owens v. LVNV Funding, LLC, 832 F.3d 726 (7th Cir. 2016); DuBois v. Atlas Acquisitions, LLC, 834 F.3d 522 (4th Cir. 2016); Nelson v. Midland Credit Mgmt. Inc., 828 F.3d 749 (8th Cir. 2016).

That all changed with Crawford v. LVNV Funding, LLC, 758 F.3d 1254 (11th Cir. 2014). According to the Eleventh Circuit, “A deluge [had] swept through U.S. Bankruptcy courts of late. Consumer debt buyers—armed with hundreds of delinquent accounts purchased from creditors—are filing proofs of claim on debts deemed unenforceable under state statutes of limitations.” Unlike cases before it, Crawford likened the filing of a proof of claim to the filing of a lawsuit. Crawford reasoned that because the filing of a lawsuit on a debt that was beyond the statute of limitations violated the FDCPA, so too would the filing of a proof of claim on that same debt.

After Crawford, a new deluge swept through U.S. bankruptcy courts, but this time it consisted of debtors’ attorneys filing FDCPA complaints against debt collectors for filing proofs of claim on debts that were subject to a statute-of-limitations defense. The Crawford case itself did not make it to the U.S. Supreme Court and, ironically, was ultimately dismissed on summary judgment because Crawford’s own FDCPA claim was barred by the one-year statute of limitations set forth in the FDCPA. One of the cases in the new deluge was Johnson v. Midland Funding, LLC, 823 F.3d 1334, 1336 (11th Cir. 2016), another case from the Eleventh Circuit. As in Crawford, the bankruptcy court and district court held that the filing of the proof of claim did not violate the FDCPA, and the Eleventh Circuit reversed. Unlike Crawford, however, Midland specifically addressed whether there was an irreconcilable conflict between the FDCPA and the Bankruptcy Code’s claim-filing process.

Writing for a 5–3 majority, Justice Breyer closed Pandora’s box and ended the new deluge almost three years after it began. Taking a practical approach, Justice Breyer examined the purposes of the FDCPA and what it intends to prevent: “false, deceptive, or misleading” statements and “unfair or unconscionable” collection practices. Midland Funding, LLC v. Johnson, 137 S. Ct. 1407, 1410–11 (2017). The court reasoned that a proof of claim cannot be false, deceptive, or misleading if, on its face, it indicates that the relevant statute of limitations has run. Given that a claim under the Bankruptcy Code is a “right to payment” which is determined by state law, the expiration of the statute of limitations did not extinguish the debt—the creditor still has a right to payment. The court rejected the debtor’s attempt to read the word “enforceable” into the definition of “claim,” noting that the word does not appear anywhere in the statutory definition. Rather, consistent with the text of the statute itself, the opinion notes that the definition of “claim” is extremely broad and even includes disputed claims.

Moving on to the unfair or unconscionable claims, the majority examined the purpose of a bankruptcy proceeding filed by the debtor and distinguished it from a collection lawsuit filed by a creditor, reasoning that the “features of a Chapter 13 bankruptcy proceeding make it considerably more likely that an effort to collect upon a stale claim in bankruptcy will be met with resistance, objection, and disallowance.” The court also rejected Johnson’s attempt to transfer the statutory burdens set forth in the claims process, noting that untimeliness is an affirmative defense. Ultimately, the majority determined that the differing purposes of the Bankruptcy Code and the FDCPA were at odds here, and applying the FDCPA would upset the “delicate balance” between the two. In the end, because Chapter 13 trustees and debtors have always had the burden to examine claims for potential defenses, the Supreme Court was not willing to try to craft a new exception to those well-established rules.

Unlike the majority, Justice Sotomayor’s dissent likened the filing of a proof of claim to that of filing a lawsuit. After spending a considerable amount of time discussing the debt buying process in general, the dissent also disagreed with the majority’s holding that the Chapter 13 trustee and the process itself will provide adequate protection to the debtor. Given the lengthy introduction, it appears that the dissent’s issue lies not only with the filing of proofs of claim for the older debts, but also with their collection at all. This, too, represents a fundamental disagreement between the two opinions, given that the majority views the filing of the proof of claim as a part of the process to discharge debts, whereas the dissent views it as an end run around a forbidden practice.

In the end, the majority held that “filing a proof of claim that is obviously time barred is not a false, deceptive, misleading, unfair, or unconscionable debt collection practice within the meaning of the FDCPA.” This opinion restores order among the circuits and requires the Eleventh Circuit to fall in line with the Second, Third, Fourth, Seventh, Eighth, and Ninth Circuits when it comes to the application of the FDCPA to proofs of claim. One thing that the majority did not do, however, was issue a broad holding that the FDCPA simply does not apply to bankruptcy cases like the Ninth Circuit in Walls or the Second Circuit in Simmons. On the other hand, the majority also did not necessarily endorse the irreconcilable-conflict analysis like the Seventh Circuit in Randolph or the Third Circuit in Simon. Nevertheless, the Midland opinion is obviously a welcome respite from the deluge for debt buyers and debt collectors.

Blockchain: Tapping Its Potential and Insuring Against Its Risks

Blockchain is the distributed ledger technology (DLT) behind Bitcoin, Ethereum, and other cryptocurrencies. Blockchain is widely believed to be a game-changing trend for global business across sectors. Blockchain has been described by the creator of Bitcoin as a “peer-to-peer network using proof-of-work to record a public history of transactions” and by Forbes as “a distributed and immutable (write once and read only) record of digital events that is shared peer to peer between different parties (networked database systems).” In other words, Blockchain is a record of peer-to-peer (P2P) digital transactions categorized into blocks by a decentralized network of computers. Each transaction is time-stamped, encrypted, and linked to its preceding block, creating a “blockchain.” Each new block added to the chain must be validated by a consensus among the network of participants.

“Disruptive” Potential of Blockchain

The potential disruptive uses of blockchain technology in the marketplace have been compared to that of the Internet. The possibilities of blockchain are said to be endless across all industries, including fintech, health care, analytics, retail, energy, manned and unmanned vehicles, insurance, and the sharing economy. Over time, corporations using blockchain combined with artificial intelligence (AI) and the Internet of Things (IoT) will likely be able to better integrate their business partners and suppliers into the network, giving them a complete view of the supply chain and enabling them to conduct all transactions inexpensively, transparently, and securely through blockchain.

In June, a number of international banks selected a multinational technology company to use blockchain technology to build an international trading system called Digital Trade Chain. According to an Accenture and McLagan report, blockchain may “reduce infrastructure costs for eight of the world’s 10 largest investment banks by an average of 30 percent, translating to $8 billion to $12 billion in annual cost savings for those banks.”

A major automobile manufacturer has partnered with MIT’s Media Lab and others to identify the uses of blockchain technology in the automobile industry. A global retailer teamed up with a multinational technology company and recently announced the results of a test using blockchain technology in which it traced a food product from farm to shelf in seconds, as compared to the days-long process without blockchain technology.

The Blockchain Insurance Industry Initiative B3i, which includes global banks and financial services companies, is exploring the application of blockchain technology in the insurance sector. In June, a major insurer and a major multinational technology company announced a successful pilot program of a blockchain-powered “smart insurance policy.” Such smart insurance policies would be designed to execute the contract terms when specified conditions are met, provide for data continuity, trace the origin of a risk, and reduce fraud, among other benefits. In addition, numerous startups are marketing their blockchain-based platforms to health care companies.

Security of Blockchain?

Because changes to a blockchain are displayed in real time and no central user controls the record, blockchain is said to be much less susceptible to hacking than a traditional database. For instance, if hackers wanted to modify information in a blockchain, they would first need to hack into both the specific block and all of the preceding and ensuing blocks in the blockchain across every ledger in the network at the same time. Because consensus among the network participants is required, the hackers’ change would likely be rejected as it would conflict with the other ledger entries on the network. Many observers believe this leads to an unparalleled level of security.
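As an added illustration, not from the article, the following Python builds a toy hash-linked ledger of the kind described above: each block commits to the hash of its predecessor (in Bitcoin the "link" is a cryptographic hash, not encryption), so altering one block either fails verification at every later block or, if the attacker also rewrites every later hash in their own copy, yields a tip that the other replicas reject by majority. The transactions, timestamps and replica count are constructed sample data.

```python
"""Toy hash-linked ledger with tamper detection and majority consensus.

Added example, not the article's or any project's code. Each block stores
a constructed timestamp, a transaction payload, the previous block's hash
and its own hash. Verification recomputes every hash, so a change to one
block breaks the link from every block after it.
"""
import hashlib
import json
from collections import Counter
from dataclasses import dataclass
from typing import List


@dataclass
class Block:
    index: int
    timestamp: int      # constructed integer clock, not a real timestamp
    payload: str        # the recorded transaction
    prev_hash: str      # hash of the preceding block: the "link"
    hash: str = ""      # hash of this block, filled in when built

    def compute_hash(self) -> str:
        # Commit to every field except the stored hash itself.
        material = json.dumps(
            [self.index, self.timestamp, self.payload, self.prev_hash]
        ).encode()
        return hashlib.sha256(material).hexdigest()


GENESIS_PREV = "0" * 64   # the first block has no predecessor


def build_chain(payloads: List[str]) -> List[Block]:
    """Create a chain in which every block commits to its predecessor."""
    chain: List[Block] = []
    prev = GENESIS_PREV
    for i, payload in enumerate(payloads):
        b = Block(index=i, timestamp=1000 + i, payload=payload, prev_hash=prev)
        b.hash = b.compute_hash()
        chain.append(b)
        prev = b.hash
    return chain


def verify_chain(chain: List[Block]) -> bool:
    """True only if every stored hash matches its contents and its link."""
    prev = GENESIS_PREV
    for i, b in enumerate(chain):
        if b.index != i or b.prev_hash != prev or b.hash != b.compute_hash():
            return False
        prev = b.hash
    return bool(chain)


def copy_chain(chain: List[Block]) -> List[Block]:
    """Independent replica of a ledger, as another network participant holds."""
    return [Block(**vars(b)) for b in chain]


def tamper(chain: List[Block], index: int, new_payload: str,
           recompute: bool = False) -> List[Block]:
    """Simulate an edit to one block in a single replica. With recompute=True
    the editor also rewrites every later hash so the copy is internally
    consistent; without it the copy fails verification outright."""
    chain[index].payload = new_payload
    if recompute:
        prev = chain[index].prev_hash
        for b in chain[index:]:
            b.prev_hash = prev
            b.hash = b.compute_hash()
            prev = b.hash
    return chain


def consensus(replicas: List[List[Block]]) -> str:
    """Return the tip hash held by a majority of replicas. Replicas that fail
    verification are discarded before the vote, and a divergent but
    internally consistent copy is outvoted by the others."""
    valid = [r for r in replicas if verify_chain(r)]
    votes = Counter(r[-1].hash for r in valid)
    tip, count = votes.most_common(1)[0]
    if count * 2 <= len(replicas):
        raise ValueError("no majority among replicas")
    return tip
```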

However, blockchain technology, like the Internet before it, will likely lead to unforeseen risks and exposures. For example, in 2013, Mt. Gox, a Bitcoin exchange handling 70 percent of all Bitcoin transactions at the time, suffered a technical glitch resulting in Bitcoin’s temporarily shedding a quarter of its value. That technical glitch was a fork in the blockchain, which resulted from the use of differing versions of the Bitcoin software. In 2015, Interpol identified an opening in blockchain used for cryptocurrencies that hackers could exploit to transfer malware to computers. In addition, blockchain is only as secure as its entry points. If the access systems used for blockchain are vulnerable to attack, the technology’s security may be undermined. In sum, blockchain is not risk-free and may not be hacker-proof. Given the value and potential high profile of transactions that may take place using blockchain technology, hackers will have incentives to invent new ways of using the technology for malicious purposes despite its protections.

Insuring the Blockchain

Because blockchain technology is not risk-free, companies should consider how their insurance policies, especially their cyber insurance policies, can protect against risks arising out of the use of blockchain technology—and whether they include provisions that could be used to deny coverage for claims with a connection to blockchain technology. For instance, one insurer’s cyber insurance policy form insures against disclosure of personally identifying information that results from unauthorized access into a system owned by either (a) an insured; or (b) “an organization that is authorized by an Insured through a written agreement to process, hold or store Records for an Insured.” Because blockchain is peer-to-peer, the insurer may argue it is not owned by any insured or any other “organization.” Thus, a policyholder experiencing losses due to the disclosure of personally identifying information arising out of the use of blockchain technology may face a coverage dispute with its insurer.

As another example, another cyber insurance policy form provides coverage for the “failure or violation of the security of a Computer System,” and defines “Computer System” to include “cloud computing” and “other hosted resources operated by a third-party service provider.” It is not clear whether the insurer would consider blockchain technology to fall within this definition, particularly because blockchains are peer-to-peer networks not operated by a central administrator. Policyholders also should review exclusions in cyber policies carefully, including those for accessing unsecure websites, self-inflicted losses, terrorism, and others.

Finally, policyholders should consider whether coverage for blockchain-related risks remains available under their traditional policies, such as technology professional liability policies, commercial crime policies, and specialty coverage forms. They should specifically review cyber, computer or technology, and data-related exclusions.

Conclusion

As the use of blockchain technology grows, cyber policies will adapt and begin to incorporate language addressing blockchain technology. However, the complexity of the technology, the lack of understanding of it, and the scarcity of data about its use may impede the development of the market for insurance covering operations or transactions involving blockchain. Nonetheless, as insurers increasingly conduct blockchain scenario analyses, follow developments in blockchain and related technologies, and improve their own understanding and analysis of blockchain’s risks, policyholders can expect them to offer new policies covering such risks. In the meantime, policyholders looking to conduct business using or involving blockchain should consider consulting experienced coverage counsel and carefully reviewing the policies they buy to ensure that those policies provide the insurance protection they need.

The Importance of Cybersecurity Due Diligence in M&A Transactions

Most enterprises today are almost totally dependent on digital data and network systems. Virtually all of a company’s daily transactions and all of its key records are created, used, communicated, and stored in electronic form using networked computer technology. This has provided companies with tremendous economic benefits, including significantly reduced costs and increased productivity. However, the resulting dependence on electronic records and a networked computer infrastructure also creates significant potential vulnerabilities that can result in major harm to the business and its stakeholders in the event of a security breach.

Accordingly, in the context of an M&A transaction, it is critical to understand the nature and significance of the target’s vulnerabilities, the potential scope of the damage that may occur (or that already has occurred) in the event of a breach, and the extent and effectiveness of the cyber defenses the target business has put in place to protect itself. An appropriate evaluation of these issues could, quite literally, have a major impact on the value the acquirer places on the target company and on the way it structures the deal.

As recent security incidents have made clear, intruders can operate from anywhere in the world, and by stealing, changing, or destroying critical corporate information, or exploiting access to a company’s systems to harm and disrupt its operations, they have been able to inflict significant damage on numerous businesses. No enterprise is immune from cyberattacks; none are impregnable. Virtually all enterprises have been breached and have had at least some of their sensitive information compromised.

In FY 2006, federal agencies reported 5,503 information security incidents to the U.S. Computer Emergency Readiness Team (US-CERT). In FY 2014, the reported incidents totaled 67,168—an increase of 1,121 percent. Given that corporations are loath to report cybersecurity breaches and may not detect successful incidents, the number of reported incidents probably represents only the “tip of the iceberg” of cyber attacks and intrusions.

Over the past three years, the consequences to organizations affected by such security breaches have been significant, and in some cases near catastrophic. One need only consider the injury suffered by organizations such as Target, Home Depot, Sony, and Yahoo!, or to victims of the recent “Petya” ransomware attacks such as Federal Express, DLA Piper, and A.P. Moller Maersk to realize the significance of such events.

It should be critically important to a prospective acquirer of a target enterprise to understand and evaluate the extent to which the enterprise is vulnerable to a cyber attack. Equally important, an acquirer must know if the target may have experienced an attack that compromised its high-value digital assets without management’s awareness or clear comprehension of the severity of harm to critical corporation information and IP assets. Otherwise, the acquirer in an M&A transaction is at risk of buying the cyber vulnerability of the target company and assuming the damage and liability from incidents it suffers. In short, it will not comprehend the potentially devalued nature of the assets it is acquiring, nor the magnitude of liabilities it may incur at closing.

Cyber Threats to M&A Deals

M&A practice may at times overlook the significance of the cybersecurity risks facing target enterprises, including the risk that cyber attacks could already be devaluing the digital assets of a target without the target’s awareness and without the acquirer’s knowledge. By December 2014, such risks had become widely reported, as demonstrated by the following bleak recap by Nicole Perlroth in The New York Times:

In the last two years, breaches have hit the White House, the State Department, the top federal intelligence agency, the largest American bank, the top hospital operator, energy companies, retailers, and even the Postal Service. In nearly every case, by the time the victims noticed that hackers were inside their systems, their most sensitive government secrets, trade secrets and customer data had already left the building. . . . But the value [of stolen credit cards during this period] . . . which trade freely in underground criminal markets, is eclipsed by the value of the intellectual property that has been siphoned out of the United States corporations, universities and research groups by hackers in China—so much so that security experts now say there are only two types of companies left in the United States: those that have been hacked and those that do not yet know they have been hacked. . . . Most large organizations have come to the painful recognition that they are already in some state of break-in today.

Most recently, numerous businesses, organizations, and governments found their digital data imperiled by a world-wide dispersal of two waves of malware. The first wave, a ransomware attack dubbed “WannaCry,” began on May 12, 2017. Globally, it infected “230,000 computers in 48 hours,” locking down the computers it infected, and encrypting and rendering inaccessible all of their stored data. The WannaCry worm caused kinetic effects—“paralyzing hospitals, disrupting transport networks, and immobilizing businesses.” WannaCry should make people treat cyber-crime seriously, The Economist, May 20, 2017.

The second wave of malware, called “Petya,” began on June 27, 2017, and severely disrupted operations of “some of the world’s largest companies, including WPP, Rosneft, Merck, . . . AP Moller-Maersk[,] . . . Saint-Gobain and the DLA Piper law firm.” Global groups hit by fresh ransomware cyber attack, Fin. Times, June 28, 2017, at 11. For example, one day into the Petya attack, integrated global transport and logistics company A.P. Moller-Maersk “tweeted” on June 27, 2017, that the malware had brought down its “IT systems . . . across multiple sites and select business units.” By the second day, Maersk had “shuttered many of its ports around the world.”

WannaCry and Petya vividly demonstrated the vulnerability of many companies to a crippling cyber attack, and the experience of Target Corp. provides insight into the costs of a major breach. In 2014, Target Corp. experienced a breach of its networks affecting 40 million credit- and debit-card numbers and personally identifiable information for up to 70 million individuals. The remediation costs had a material impact on the company. Target eventually reported that it “incurred $252 million of cumulative Data Breach-related expenses, partially offset by $90 million of expected insurance recoveries, for net cumulative expenses of $162 million.”

Despite the ubiquity of cyber incidents, and the cost and disruptive impact of cyberattacks, such risks appear to remain “below the radar,” underestimated, or belatedly addressed in many M&A deals. Yet with the value of so many enterprises dependent upon the condition of their high-value digital assets, and with so many of those assets vulnerable to cyber attack, consideration of adding a cybersecurity due diligence review would seem a good and prudent precaution at the start of any proposed M&A deal.

Illuminating the Impact of Cyber Incidents on M&A Deals

The cybersecurity experiences of two companies involved in recent M&A transactions demonstrate the critical importance of cybersecurity due diligence.

Neiman Marcus

Luxury department store Neiman Marcus experienced, unawares, a cyber incident that began as early as July 16, 2013. The incident involved injection of malware into the retailer’s customer payment-processing system, ultimately compromising data on about 350,000 customer payment cards.

Several weeks later, on September 8, 2013, as the intruders operated undetected within the retailer’s networks, Neiman Marcus agreed to be acquired by a group led by Ares Management and a Canadian pension plan. On October 25, 2013, the acquisition of Neiman Marcus closed. Five days later, on October 30, 2013, the card-scraping activity of the malware inside the retailer ceased. No report of the incident suggests that Neiman Marcus or its acquirers knew, as of the closing, that the digital assets of the retailer had been compromised by intruders.

On December 17, 2013, Neiman Marcus received the first of several reports indicating fraudulent use of customer credit cards at its stores, and on January 10, 2014, Neiman Marcus publicly disclosed the incident. Shortly thereafter, affected customers filed class-action complaints alleging the retailer failed to protect them adequately against the breach and to provide them timely notice. Although Neiman Marcus sought to dismiss the suit by arguing that there was no harm to the plaintiffs, and thus no standing to sue, the Seventh Circuit allowed the case to proceed, holding that:

[i]t is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.

In so holding, the Seventh Circuit pointed to the continuing risk, noting that: “stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years.” In March 2017, Neiman Marcus entered into a settlement with the class-action plaintiffs and agreed to create a settlement fund in the amount of $1,600,000 to cover claims, legal fees, and other litigation-related expenses.

Apparently, neither the buyer nor the seller knew that Neiman Marcus digital assets had been compromised as of the closing, nor did they foresee the future risk of harmful use of such data. As the Neiman Marcus incident illustrates, there is a growing need to assess a target’s cyber vulnerabilities and the potential repercussions from incidents so that they can be given their appropriate weight in the negotiations of a deal.

Yahoo!

In late 2014, senior officers and legal staff of Yahoo!, Inc. learned that unauthorized access to its computer network had been gained by what Yahoo! identified as a “state-sponsored actor.” Yahoo! did not, at that point in time, publicly disclose the incident. Yahoo!’s board apparently did not receive a report of the incident or learn of it until almost two years later.

On July 23, 2016, Yahoo! and Verizon Communications Inc. entered into a stock purchase agreement by which Verizon agreed to acquire “one or more subsidiaries of Yahoo holding all of Yahoo’s operating businesses, for approximately $4.83 billion in cash . . . .” The acquisition of Yahoo! was “expected to close in the first quarter of 2017.” Verizon Communications Inc., Form 10-Q for the period ending June 30, 2016, filed Jul. 29, 2016, at 10.

Around the time that Yahoo! and Verizon signed their agreement, “a hacker claimed to have obtained certain Yahoo! user data. [T]he Company could not substantiate the hacker’s claim [but] . . . intensified an ongoing broader review of the Company’s network and data security, including a review of prior access to the Company’s network by a state-sponsored actor that the Company had identified in late 2014.” Yahoo, Inc., Form 10-Q for the period ending September 30, 2016, filed Nov. 9, 2016, at 40.

Thereafter, Yahoo! issued a statement to the U.S. Securities and Exchange Commission (SEC) that said it had no knowledge of “any incidents” of “security breaches, unauthorized access or unauthorized use” of its IT systems. Yet less than two weeks later, in September 2016, Yahoo! disclosed to Verizon, and shortly thereafter to the public, that a “copy of certain user account information for at least 500 million user accounts was stolen from Yahoo’s network in late 2014 (the First Security Incident).” After disclosing the incident, Yahoo! began notifying potentially affected users, regulators, and other stakeholders.

On December 14, 2016, five weeks after Yahoo! filed its Form 10-Q with the SEC that addressed the First Security Incident, Yahoo! disclosed on its website and in a Form 8-K that analysis of data by Yahoo!’s outside forensic experts convinced Yahoo! that a separate cyber incident involving almost 1 billion accounts had also occurred (the Second Security Incident).

After further negotiations and as a result of the two cyber incidents, Yahoo! agreed with Verizon to modify the terms of the deal as follows:

As the cyber incidents at Neiman Marcus and Yahoo! demonstrate, cybersecurity now deserves to be an integral part of M&A due diligence, and to be done properly, it must begin at the earliest practicable time in the transaction. Omitting cybersecurity assessments in M&A due diligence, conducting superficial evaluations, or limiting such due diligence to a company’s IT systems rather than treating cybersecurity as a risk category in its own right means ignoring the serious risks that cyber threats pose to all companies and to M&A deals involving them.

Assessing a Target’s Cybersecurity Defenses

Assessing the quality of a target’s cybersecurity defenses and its experience with cyber incidents poses a challenging risk assessment for an acquirer, and one quite different from other risk assessments in an M&A deal. How does an acquirer’s counsel evaluate the target’s cybersecurity program or inquire into its probable experience with cyber incidents? How does counsel assess the potential devaluation of the target’s high-value digital assets without evidence of what was accessed and exploited? How does counsel determine the “materiality” of apparent cyber incidents without knowing, other than by inference, the nature of the digital assets at risk or the harm that could flow from their compromise?

Cybersecurity due diligence might not yield a precise and exact picture, but it has the capability to provide an acquirer with a far closer approximation of the actual condition of the target’s digital assets by revealing the cyber vulnerabilities of those assets, whether the target has been adequately safeguarding and monitoring the control of those assets, and any records of cyber incidents that may have resulted in compromises of those assets. Knowing such facts, the acquirer’s counsel will be in a better position to structure the definitive acquisition agreement to mitigate the risks identified.

To accomplish its goal, the acquirer’s M&A cybersecurity due diligence process should address six categories of topics, as follows:

  • identify the target’s high-value digital assets and evaluate the relative importance of those assets to the target’s business;
  • evaluate the target’s internal cybersecurity program to protect those high-value digital assets, e.g., whether it is appropriate for the business; whether it is complete, etc.;
  • assess the target’s cyber-risk-management efforts as they relate to third parties on which the target depends for goods, services, data, outsourced business functions, and joint business initiatives;
  • identify the target’s prior breaches and assess its incident-response capabilities;
  • evaluate the status of the target’s cybersecurity regulatory compliance, i.e., identify applicable compliance requirements, determine whether the target is in compliance with its cybersecurity legal obligations, and evaluate the risks posed by any failure of such compliance; and
  • consider and evaluate the target’s overall resilience and general ability to withstand a direct cyber attack on its digital assets.

Evaluating a Target’s Cyber Incident Experiences

In cases where the target company has experienced a recent security breach, it is important for M&A cybersecurity due diligence teams to assess whether a target company has the means to know five fundamental facts about the target’s experience with any cyber incidents.

First, what data might the attackers have gained (or still be gaining) access to? Did they read files? Did they change permissions so that they could log in and appear authorized? Did they make copies of customer lists? Or worst of all, did they modify data? It is important that the target have the answers to such questions.

Second, what data might the attackers have viewed and exfiltrated copies of? It is possible the attackers saw something they wanted, such as the company’s password file or key product designs. Knowing what data was taken is key to evaluating the scope of the damage done, as well as the potential for future damage.

Third, what data might the attackers have changed? This is often the real bugbear. Did the attackers modify data contained in certain files and, if so, what changes did they make? This can be far more difficult to determine than whether the attackers accessed or removed a copy of a file’s data. For example, in the case of a defense contractor, the attackers might not only have removed a copy of the manufacturing design for a stealth fighter’s aileron, but also modified the target’s copy so that further use of that design data will embed defects or flaws that were not in the original design. No one at the target will know that has happened unless they are extraordinarily familiar with the data and happen to make a close comparison of the currently active file with a back-up that is reasonably good, i.e., that the attackers did not alter. Given that sophisticated, stealthy attacks may continue undetected for months or years, however, how far back do a target’s personnel have to go to obtain a reasonably good and reliable back-up in order to ensure the copy is of the original design and not of the design as modified by the attackers? Even small, seemingly insignificant changes to critical data can have catastrophic impact on products and on users.
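As an added example, not from the article, the following Python shows one way to answer the "how far back" question above: compare a trusted hash manifest of the critical design files with a series of backup generations and report the newest generation in which none of those files was altered or removed. The file names, contents and backup dates are constructed, and the baseline manifest is assumed to have been recorded and stored off-line before the suspected intrusion window.

```python
"""Locate the newest backup whose critical files still match a trusted
baseline. Added example; all data below is constructed sample data.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, bytes]      # path -> file contents
Manifest = Dict[str, str]        # path -> SHA-256 hex digest


def fingerprint(files: Snapshot) -> Manifest:
    """Hash every file. This is the manifest a target should record at a
    time it trusts and keep where an intruder in the network cannot edit it."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in sorted(files.items())}


def diff_manifest(trusted: Manifest, candidate: Manifest,
                  critical: List[str]) -> List[str]:
    """Critical paths whose content differs from the baseline or is missing.
    Non-critical files (notes, readmes) are allowed to change freely."""
    return sorted(p for p in critical if candidate.get(p) != trusted.get(p))


def newest_clean_backup(baseline: Manifest,
                        backups: List[Tuple[str, Manifest]],
                        critical: List[str]):
    """backups are (label, manifest) pairs, oldest first. Returns the label
    of the newest backup that matches the baseline on every critical path
    (None if there is none) and a per-backup list of altered paths, which
    also shows when the alteration first appeared."""
    report: Dict[str, List[str]] = {}
    clean: Optional[str] = None
    for label, manifest in backups:
        changed = diff_manifest(baseline, manifest, critical)
        report[label] = changed
        if not changed:
            clean = label
    return clean, report


# Constructed design files for a hypothetical contractor.
CRITICAL = ["designs/aileron.cad", "designs/tolerances.txt"]
BASELINE_FILES: Snapshot = {
    "designs/aileron.cad": b"aileron rev 7; chord 1.20m; skin 2.0mm",
    "designs/tolerances.txt": b"skin thickness tolerance +/-0.05mm",
    "notes/readme.txt": b"internal notes v1",
}


def _snapshot(changes: Snapshot, removed: List[str] = ()) -> Snapshot:
    files = dict(BASELINE_FILES)
    files.update(changes)
    for p in removed:
        files.pop(p, None)
    return files


# Constructed backup generations. The skin thickness is silently altered in
# the 2017-06 generation and the change is then carried forward.
BACKUPS = [
    ("2016-12", _snapshot({})),
    ("2017-03", _snapshot({"notes/readme.txt": b"internal notes v2"})),
    ("2017-06", _snapshot(
        {"designs/aileron.cad": b"aileron rev 7; chord 1.20m; skin 1.6mm"})),
    ("2017-09", _snapshot(
        {"designs/aileron.cad": b"aileron rev 7; chord 1.20m; skin 1.6mm"},
        removed=["designs/tolerances.txt"])),
]


def run_example():
    """Compare each backup generation's manifest with the trusted baseline."""
    baseline = fingerprint(BASELINE_FILES)
    backups = [(label, fingerprint(files)) for label, files in BACKUPS]
    return newest_clean_backup(baseline, backups, CRITICAL)


if __name__ == "__main__":
    clean, report = run_example()
    print("newest clean backup:", clean)
    for label, changed in report.items():
        print(label, "altered:", changed or "none")
```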

Fourth, what defenses of the target did the attackers force the target’s system to reveal? Attackers now have tools that can force a target’s system to “reveal secrets that are relied upon for security.” Such a tool works analogously to the flying of aircraft towards or extremely close to an adversary’s border (or even crossing it briefly and departing) in order to prompt the adversary to turn on its most sophisticated air-defense radar, thereby revealing its location, signature, strength, and other features. In cyber attacks, as with probing air defenses, the prospective attackers want to determine what actions will cause the defensive measures to be activated, or “turned on,” and when it counts, what actions will not cause the defensive measures to “turn on” and enable the attackers to bypass them. Not knowing what the attackers have learned may cause a target to be far more vulnerable to future cyber attacks than the target (or an acquirer) may realize. It may also cause the target’s officers to become overconfident or complacent about their company’s cybersecurity.

Fifth, did the attackers gain entry by breaching a layer of the target’s system that did not have the same defenses as other layers? Many target companies are unaware of the fact that a protection system is only “reliably effective against attacks” that occur “at the same system layer in which the protection system” has been implemented—and that at some of a target’s computer-network system layers there may be fewer or different protections than at others. As a result, cyber attackers can breach a system by going through a layer that lacks the protections present at a higher or lower layer, just as attackers in medieval warfare could get past a deep moat and an insurmountably high castle wall by tunneling beneath and past both of those defensive layers.

A target’s exposure to cyber intrusions will be a function, in part, of how well prepared it is with tools to address those five features of a cyber incident.
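The third question above, whether the attackers changed data, turns on comparing the live copy with a backup that is "reasonably good," and on knowing how far back one must go to find one. The following is an added example, not code from the article, showing the check a forensic team would run: every retained backup is reduced to a manifest of SHA-256 content hashes, and each live file is traced back through the backup chain to the newest snapshot whose copy differs from it. The snapshots, file names and contents are constructed for illustration. Hashes are used rather than modification timestamps because anyone able to write a file can also reset its timestamp.

```python
"""Integrity-baseline triage for the question "what did the intruders change?".

Constructed example: the snapshot dates, paths and file contents are invented.
Files are compared by SHA-256 of their content, never by timestamp.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Manifest = Dict[str, str]            # path -> SHA-256 hex digest
Snapshot = Tuple[str, Manifest]      # (ISO date label of the backup, manifest)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Manifest:
    """Hash every file in a snapshot (modelled here as an in-memory dict path -> content)."""
    return {path: sha256_hex(content) for path, content in files.items()}


@dataclass(frozen=True)
class Diff:
    modified: Tuple[str, ...]
    added: Tuple[str, ...]
    removed: Tuple[str, ...]

    @property
    def is_clean(self) -> bool:
        return not (self.modified or self.added or self.removed)


def compare_manifests(baseline: Manifest, current: Manifest) -> Diff:
    """Plain baseline diff: what differs between one backup and the live system."""
    modified = tuple(sorted(p for p in baseline if p in current and baseline[p] != current[p]))
    added = tuple(sorted(p for p in current if p not in baseline))
    removed = tuple(sorted(p for p in baseline if p not in current))
    return Diff(modified, added, removed)


def last_known_good(history: List[Snapshot], path: str, current_digest: str) -> Optional[str]:
    """Newest retained snapshot whose copy of `path` differs from the live content.

    `history` is ordered oldest -> newest. The returned label is the most recent
    backup that predates the current content; every newer backup already carries
    that content and would re-introduce it on restore. None means all retained
    snapshots match the live file: either it never changed, or it changed before
    the oldest backup was taken and no clean copy survives in retention.
    """
    for label, manifest in reversed(history):
        if manifest.get(path) != current_digest:
            return label
    return None


def triage(history: List[Snapshot], current: Manifest) -> Dict[str, Tuple[str, Optional[str]]]:
    """Classify each live file by where its present content first appears in the backup chain."""
    newest_label = history[-1][0]
    report: Dict[str, Tuple[str, Optional[str]]] = {}
    for path, digest in current.items():
        good = last_known_good(history, path, digest)
        if good is None:
            report[path] = ("stable_within_retention", None)
        elif good == newest_label:
            report[path] = ("changed_after_last_backup", good)
        else:
            # At least one newer backup already holds the suspect content.
            report[path] = ("changed_inside_backup_chain", good)
    return report


# --- constructed sample data --------------------------------------------------
ORIGINAL_AILERON = b"part: aileron\nrib_spacing_mm: 120\n"
ALTERED_AILERON = b"part: aileron\nrib_spacing_mm: 125\n"  # small, plausible-looking edit
WING = b"part: wing\nspan_m: 13.5\n"
ACL_OLD = b"admins: alice\n"
ACL_NEW = b"admins: alice,svc-backup\n"

HISTORY: List[Snapshot] = [
    ("2023-01-01", build_manifest({"designs/aileron.cad": ORIGINAL_AILERON,
                                   "designs/wing.cad": WING, "config/perm.acl": ACL_OLD})),
    ("2023-04-01", build_manifest({"designs/aileron.cad": ORIGINAL_AILERON,
                                   "designs/wing.cad": WING, "config/perm.acl": ACL_OLD})),
    ("2023-07-01", build_manifest({"designs/aileron.cad": ALTERED_AILERON,
                                   "designs/wing.cad": WING, "config/perm.acl": ACL_OLD})),
]
CURRENT: Manifest = build_manifest({
    "designs/aileron.cad": ALTERED_AILERON,
    "designs/wing.cad": WING,
    "config/perm.acl": ACL_NEW,
    "tools/update.exe": b"MZ...",
})

if __name__ == "__main__":
    for path, (status, label) in sorted(triage(HISTORY, CURRENT).items()):
        print(f"{path:22} {status:28} last clean backup: {label}")
```

Run against the sample data, a diff against only the newest backup reports the permissions file and the new executable but says nothing about the design file, because the July backup already contains the altered aileron; `triage` instead points to the April backup as the last clean copy. A file reported as stable within retention is only as trustworthy as the age of the oldest backup relative to the intrusion, which is exactly the question the passage raises. The tool narrows the review to files whose content changed and when; deciding whether each change was legitimate still requires checking it against the organisation's change records.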

Unfortunately, the means for discovering vulnerabilities, closing gaps in defenses, detecting intrusions, figuring out what has been accessed, what has been done to it, and what awful things may happen at a time and place of the cyber intruder’s choosing, are the trailing-edge technologies. Methods of cyber intrusion, of conducting exploits, and of postponing their detection with stealth continue to outpace any improvements in defenses. A victim’s first knowledge of an attack may come only when the damage or misuse of digital assets becomes conspicuous or is reported by third parties. As a result, “companies often do not discover a data breach” or compromise of their digital assets “until an extended period of time after they have been hacked.” Clifford G. Tsan & Michael D. Billok, Cybersecurity Insurance: Facing Hidden Risks and Uncertainty, N.Y.L.J., May 2, 2016.

For an acquirer there are actually two risks of breaches of the target that may initially be difficult to distinguish from each other. In one kind, the target remains unaware of the attacker’s intrusion and does not know what the attackers have done to or with the high-value digital data they accessed and compromised. In the other kind, the target may have discovered the breach months or years before the start of the acquisition, but for various reasons postpones disclosing it to the acquirer until the definitive agreement has been signed and due diligence may be quite advanced.

Conclusion

Omitting cybersecurity assessments in M&A due diligence, conducting superficial evaluations, or limiting such due diligence to a company’s IT systems rather than treating cybersecurity as a risk category in its own right means ignoring the serious risks that cyber threats pose to all companies and to M&A deals involving them. In light of the transactional difficulties that cyber incidents can create, as observed in the Neiman Marcus and Yahoo!/Verizon deals, the inclusion of cybersecurity due diligence early in a proposed M&A deal should be recognized as essential to protecting an acquirer’s interests.

What Can Structured Negotiation Offer the Business Attorney? A Lot!

Have you ever paid an expert bill and cringed? Have you ever dreamed of brushing aside the procedures that bog down litigation, and instead quickly getting to the real issues that brought your client to court? Have you ever represented a party who had a legal claim and wanted to preserve its relationship with the party it was forced to sue?

If you answered “yes” to any of these questions, Structured Negotiation is a dispute-resolution process that might be able to help.

What Is Structured Negotiation?

Structured Negotiation is a dispute-resolution method that happens without a lawsuit on file. It is a strategy to resolve legal claims that focuses on solution and encourages relationships between parties—and their counsel. Structured Negotiation trades the stress, conflict, and expense of litigation for direct and cost-effective communication and problem solving.

Structured Negotiation avoids the negative publicity that can accompany litigation and replaces expert battles with respected joint experts. It substitutes round-table discussions for contentious depositions, and it gives clients a seat at the table and a meaningful role in resolving claims.

With roots in the disability-rights movement, Structured Negotiation has potential application to many types of civil claims handled daily by business lawyers.

How Did Structured Negotiation Develop?

Structured Negotiation grew out of the blind community’s quest for financial privacy and access to financial technology. In 1995 my co-counsel and I wrote letters to Bank of America, Citibank, and Wells Fargo on behalf of three groups of blind clients and an advocacy organization. The issue was ATMs: not a single one in the United States talked, which meant that not a single blind person could use one.

We wrote those letters as an alternative to filing lawsuits under the Americans with Disabilities Act. We offered to negotiate with each financial institution about the development of “talking ATMs” and other services and technology for blind customers. Four years later we had negotiated comprehensive settlement agreements with each bank that produced some of the earliest talking ATMs in the world, compensated our clients, and provided for our attorney’s fees as allowed by civil rights laws. No lawsuit needed.

Joint press releases, beginning in the fall of 1999, heaped praise on each institution and resulted in an avalanche of positive press. Strong monitoring language and a commitment by our negotiating partners resulted in smooth implementation of each agreement.

Buried in the Bank of America 2000 press release was reference to the bank’s agreement to develop and design its online banking platform so that blind people could bank independently on the web. It was the first settlement in the country to address the disability community’s need for accessible websites. (Seventeen years later, on June 12, 2017, a blind shopper of the Winn-Dixie grocery chain won the very first web accessibility trial under the ADA.)

We used a mediator to help us in each of those early cases, but never had to file a lawsuit. The banks saved untold amounts of money, and relationships were built that continue to this day. Had it just been luck? Or had we stumbled on a way to practice law that avoided conflict, saved money, focused on solution, and preserved relationships?

The 18 years since those first agreements have proven that it was not just luck. As my colleagues and I named the process “Structured Negotiation” and began to use it across the country, some of the largest organizations in the United States said “yes” to a new dispute-resolution process.

Walmart, Anthem, Inc., Major League Baseball, Target, E*Trade, Charles Schwab, and others have worked with my clients in Structured Negotiation to resolve claims under the ADA and related laws. Structured Negotiations with the City and County of San Francisco, the City of Denver, and Houston’s transit agency demonstrate the method’s usefulness in claims against government entities. A Structured Negotiation settlement with the American Cancer Society shows how the process can benefit nonprofit organizations.

These cases involved the civil rights of disabled people to access information and technology in the 21st century. Many of them were about web (and later mobile) accessibility. Today, digital access is a hot-button issue, with a significant number of new court filings and judicial rulings monthly. Structured Negotiation has been helping some of America’s largest companies make their digital content available to everyone since that early Bank of America commitment in 2000. No lawsuits, bad publicity, or run-away costs required.

Why Structured?

In 1999, after the early successes with Wells Fargo and Citibank, we named the process Structured Negotiation to emphasize that it was a robust alternative to filing a lawsuit. We knew our early negotiations had been successful because they had a structure, and for the past two decades the elements of that structure have been refined through practice. Those elements are listed here. Elaboration of each element, with stories from cases, can be found in my book about the strategy, Structured Negotiation, A Winning Alternative to Lawsuits.

  • A conscious decision by clients and their attorneys to pursue claims resolution without filing a lawsuit.
  • An opening letter that invites participation. The language change is deliberate: the first correspondence is not a demand letter in the traditional sense. It can (and often should) even say something nice about the recipient while calmly describing the legal and factual basis of the claims.
  • A period of uncertainty when all counsel begin communications about both the claims and the dispute-resolution process, and would-be defendants determine whether to participate. This period includes both waiting for a response and evaluating a response that might be laden with legal jargon and still leave room for negotiation. Without skillful handling of this element, a Structured Negotiation can fall apart before it begins!
  • A ground rules document signed by all parties that identifies negotiating topics, preserves confidentiality, protects statutory rights to damages and attorney’s fees, and tolls applicable statutes of limitations.
  • A period of information sharing involving written documents, meetings (live, virtual, and/or by phone), and site visits when needed. Meetings take a “show don’t tell” approach with a constant subtext of forming and maintaining relationships. They allow clients to have a meaningful seat at the table and are the cornerstone of the most successful Structured Negotiations.
  • Sharing expertise (most often via joint experts and client participation) in a manner that avoids expert battles and run-away costs and values client contributions.
  • Taking baby steps toward resolution. Pilot programs, interim measures, and partial agreements before final resolution have been key to many successful negotiations.
  • Recognizing and dismantling fear through honest conversation and effective listening practices.
  • Drafting the settlement, a process that begins cautiously and with joint acknowledgment that the time is right to formalize commitments.
  • Negotiating about money, an aspect of Structured Negotiation to be undertaken with particular care because it is easy to slip into traditional adversarial lawyering when the subject is money.
  • Use of a mediator when appropriate to guide parties around points of conflict. Although used in all three of the first cases, as I learned to be a better negotiator I found I needed third-party help less frequently. Structured Negotiation has been referred to by one of my big-firm negotiating partners as “mediation without the mediator.” Most often direct communication in a collaborative environment is all that is needed to get to the finish line, but parties should not be afraid to use a mediator when third-party help might be useful.
  • Settlement monitoring, a task made easier by positive relationships developed during the process. Skillful and direct communication among parties and counsel typically makes court enforcement unnecessary even when implementation does not go as planned.
  • Media strategy that avoids negative press releases in favor of jointly issued positive statements.
  • Use of collaborative language. Structured Negotiation avoids terms that detract from an environment of problem solving. Why call someone a “defendant” if you do not want them to defend past practices? Why say “opposing counsel” if you do not want opposition?
  • Development and maintenance of the Structured Negotiation mindset. This might be the most important element of all and maybe the trickiest for most lawyers. Without patience and trust, operating in the absence of the safety net of a filed case can lead to frustration and failure. Grounded optimism, equanimity, and empathy give Structured Negotiation participants needed tools when the going gets tough. In my experience, when appreciation and friendliness infuse interactions, parties can more quickly reach resolution.

Can Business Lawyers Use Structured Negotiation?

Although I have never been a business lawyer, I pose the question: Why not?

  • What is the downside of trying a dispute-resolution method that saves tremendous amounts of money? If Structured Negotiation proves ineffective, the litigation route is still available. In my book I quote a litigation partner in a national law firm: “I found Structured Negotiation to be fairer to my client than litigation. I like the process because it gives my client the opportunity to do the right thing and avoids costly litigation. And if the negotiation does not succeed, my client has not waived the right to engage in an aggressive, strategic defense.”
  • What is the downside of seeing if relationships can be preserved while working out disputes?
  • Is your case likely to settle “at the end?” Why not at least try to settle early?
  • Would you rather give up control and prove to a judge that your client is right, or put aside legal differences and get to the heart of the matter?

It is critically important to preserve the litigation system in the United States, and many times filing a lawsuit is the best and most effective tool for our clients; however, when all you have is a hammer, everything looks like a nail. A filed lawsuit is a hammer. Structured Negotiation is another tool in the tool box.

I hope that business lawyers will find Structured Negotiation a tool worth exploring in appropriate cases. Along with other early dispute-resolution strategies such as pre-suit mediation, Structured Negotiation can speak to a host of client needs. It can offer a winning alternative with a 20-year track record to a public craving litigation alternatives that are cost-effective and preserve relationships. It holds the promise of a strategy that avoids conflict and minimizes stress, encourages trust over fear, and even kindness over anger.