On June 14, 2022, the Minister of Public Safety of Canada, Marco Mendicino, introduced into Parliament the first reading of Bill C-26, An Act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other Acts (the “Bill”). The Bill amends the Telecommunications Act and enacts a new Act: the Critical Cyber Systems Protection Act (“CCSPA”), establishing a new cybersecurity compliance regime for federally regulated private industries and new powers for the Governor-in-Council and the Minister of Industry to order Canadian telecommunication services (“Telcos”) to take action to secure the protection of the Canadian telecommunications system, including against threats of interference, manipulation, or disruption. Noncompliance with either regime may result in high monetary penalties or imprisonment for individuals.
The Critical Cyber Systems Protection Act
The CCSPA introduces a new cybersecurity compliance regime for designated operators of critical cyber systems related to vital services and systems (“Designated Operators”). A critical cyber system is defined as a cyber system that, if its confidentiality, integrity, or availability were compromised, could affect the continuity or security of a vital service or system. Currently, the list of vital services and systems comprises the Canadian telecommunications system, the banking systems, and other federally regulated industries, such as energy and transportation. However, the Governor-in-Council may add new vital services and systems, and the Designated Operators of those services and systems will then be governed by the CCSPA.
Under the CCSPA, Designated Operators must:
establish a cybersecurity program (details of which are more fully provided in the CCSPA and its regulations) within ninety days of an order being made by the Governor-in-Council;
implement and maintain a cybersecurity program, as well as annually review it;
mitigate cybersecurity threats arising from their supply chains, or products and services offered by third parties;
share their cybersecurity programs and notify appropriate regulators (namely, the Superintendent of Financial Institutions, the Minister of Industry, the Bank of Canada, the Canadian Nuclear Safety Commission, the Canadian Energy Regulator, and the Minister of Transportation) (the “Appropriate Regulators”) of material changes related to the business of Designated Operators and their cybersecurity programs;
report cybersecurity incidents to the Canadian Security Establishment (the “CSE”);
comply with and maintain the confidentiality of directions from the Governor-in-Council; and
keep records related to the above.
To enforce these new obligations, the CCSPA grants the Appropriate Regulators investigatory, auditing, and order-making powers, including the power to issue administrative monetary penalties (“AMPs”) of up to $1 million per day for individuals (such as directors and officers), and $15 million per day for other persons. Additionally, Designated Operators, and their directors and officers, may also be fined—or imprisoned, in the case of a director or officer—if either contravenes specific provisions of the CCSPA; the amount of a fine is at the discretion of the federal court.
Telecommunication Act Amendments
The amendments to the Telecommunications Act (the “Amendments”) establish new order-making powers for the Governor-in-Council and the Minister of Industry (the “Minister”) to direct Telcos to take specific actions to secure the Canadian telecommunications system. Specifically, the Governor-in-Council may, by order,
prohibit a Telco from using all the products and services offered by a specified person; and
direct a Telco to remove all products provided by a specified person.
The Minister, after consultation with the Minister of Public Safety and Emergency Preparedness, may, by order,
prohibit a Telco from providing services to a specified person; and
direct a Telco to suspend any service to a specified person.
Additionally, the Amendments grant the Minister the power to direct Telcos to do anything or refrain from doing anything that is, in the Minister’s opinion, necessary to secure the Canadian telecommunications system, including the following:
prohibiting Telcos from using any specified product in or in relation to Telcos’ network or facilities, or part thereof;
prohibiting Telcos from entering service agreements for any product or service;
requiring Telcos to terminate a service agreement;
prohibiting the upgrade of any specified product or service; and
subjecting the Telcos’ procurement plans to a review process.
Interestingly, Telcos will not be compensated for any financial losses resulting from these orders.
The Amendments introduce new enforcement powers for the Minister of Industry to monitor the Telcos’ compliance with the orders or future regulations, including investigatory powers and issuing AMPs of up to $25,000–$50,000 per day for individuals (such as directors and officers), and up to $10–$15 million per day for other persons. Moreover, contravention of orders or regulations may result in prosecution whereby the Telcos, and their directors and officers, may have to pay fines (whose amount is at the discretion of the court) or face imprisonment.
Information Sharing and Secrecy
The CCSPA and the Amendments require Designated Operators, Telcos, and any other person to share confidential information with the Appropriate Regulators, and with the Governor-in-Council and the Minister, respectively, in furtherance of the objectives of the Bill. This confidential information may be shared with multiple federal government organizations, provincial and foreign counterparts, as well as international organizations, to pursue the objectives of the CCSPA and the Amendments. While these information exchanges will be governed by agreements and memorandums of understanding between the parties, the Minister may disclose the information if it is necessary, in the Minister’s opinion, to secure the telecommunications system.
Given the national security purpose underlying this Bill, the secrecy of the orders is paramount. The orders from the Governor-in-Council and Minister may be subject to non-disclosure requirements. Moreover, for the sake of secrecy and expediency, the orders and directions of the Governor-in-Council and Minister do not follow the complete process outlined in the Statutory Instruments Act, and thus, are not registered, published, or debated in an open manner.
Recommendations
Given that the Bill has just been introduced, its passage is not guaranteed, and additional changes to the draft law may occur. However, and in the interim, if you are a provider of vital services and systems as described in the Bill, we recommend that you consider taking the following steps to improve your cyber resilience:
Preemptively improve your security posture and processes to conform with the CSE’s best practices and guidance, or industry practices, and ensure that your contracts contain sufficient cybersecurity provisions to protect all parties in the supply chain; and
given the secrecy and potential immediacy of Government orders and directives, draft contracts that flow down potential cybersecurity risks appropriately.
If you are a supplier of products and services related to the critical cyber systems of Designated Operators as described in the Bill, we recommend that you consider taking the following steps:
Preemptively improve your security posture and processes as described immediately above, in anticipation of more stringent cybersecurity requirements requested by Designated Operators; and
anticipate shouldering more risk when contracting with Designated Operators and consult with your insurance provider accordingly.
Among Hank’s pet peeves? It was the insistence of Major League Baseball officials, along with team executives and scouts, that they really did want more African Americans in the game. While forming sad faces, those baseball folks said they couldn’t find them, hadn’t discovered how to retain them, or believed African American athletes were more interested in football, basketball, and other stuff, or they said the dog ate the homework after somebody forgot to set the alarm clock.
Eight percent. Eight percent! On the high side, eight percent represented the number of African American players in Major League Baseball during most seasons in the 21st century, and franchises often had rosters with zero African American players, including the Atlanta Braves, Hank’s team of nearly 70 years as a player and executive. In contrast, when Hank broke Babe Ruth’s home run mark on April 8, 1974, the percentage of African Americans in Major League Baseball was three times higher than eight percent. His 1974 Braves were on the low side since he was one of seven African Americans on their 40-man roster, but that was still 18 percent, and that was more than twice baseball’s 21st century average for teams.
“They’re trying to get all these people from all over the world to come here to play Major League Baseball. (Those who run MLB) don’t give a hoot, not one hill of beans, about (an African American) person. Not one thing whether we play baseball or not,” Aaron told me during a 2007 interview, revealed for the first time in the book. “This game of baseball, and you have to look at it, that this game was so, it was just folding until Jackie Robinson came in and lifted it to another playing level and trying to make it exciting for the fans—both Black and White.”
Aaron then sighed heavily and slowly raised his voice, “Terence, it is amazing how this game has changed for the benefit of how they want [the public] to perceive it to be, you know? Yeah, just keep your eye on it. Watch what I tell you about this game. I guarantee you [what I say is true].”
It was true. By the 2021 baseball season, which began three months after Hank’s death, the game’s biggest star was Shohei Ohtani, a pitching and hitting sensation from Iwate Prefecture, Japan, located 6,700 miles, a Pacific Ocean, and several time zones west of Mobile, Alabama, the old stomping grounds of an African American who became the greatest Major League player ever. Now baseball has virtually no African Americans.
Courtesy of Hank’s personal experiences as a player and as an executive in Major League Baseball since the early 1950s, combined with my 1982 research for the San Francisco Examiner on the state of Blacks in the game to commemorate the 35th anniversary of Jackie Robinson breaking baseball’s color barrier, Hank had splendid reasons to believe the game he cherished wasn’t loving African Americans as much as it claimed. This vanishing act involving African American players in baseball happened too fast, too dramatically, and too blatantly after the 1970s for The Myth to be more than a myth by the 21st century.
About The Myth: To hear many folks tell it, especially those involved with Major League Baseball, African Americans rolled out of bed one day and just didn’t like the sport anymore.
For more, check out The Real Hank Aaron by Terence Moore: “A heartfelt portrait of Hank Aaron, featuring nearly 40 years of stories plus never-before-told insights from the home run king.”
On May 10, 2022, Connecticut Governor Ned Lamont signed Substitute Bill No. 6 (the “Connecticut Data Privacy Act” or “CTDPA”) into law. The CTDPA will become effective on July 1, 2023.
By enacting the CTDPA, Connecticut becomes the fifth state in the nation to implement a generally applicable consumer data privacy law, following the California Consumer Privacy Act and California Privacy Rights Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and the Utah Consumer Privacy Act. While the CTDPA is similar to these other state laws, small differences between these laws can have a large and variable impact on a business’s data processing, considering data processing regulation is so fact-specific. The increase in the number of states passing data processing laws raises the stakes for businesses. Business attorneys should continue to monitor developments in other states, including regulatory developments in California related to changes to its data privacy laws set for January 2023.
The CTDPA applies to persons that either (A) conduct business in Connecticut, or (B) produce products or services that are targeted to residents of Connecticut; and that during the preceding calendar year: (1) controlled or processed the personal data of not less than 75,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), or (2) controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data. The CTDPA applies to information that is linked or reasonably linkable to an identified or readily identifiable individual. The law also provides special protections for sensitive data, which includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status. Sensitive data also includes the processing of genetic personal data or certain biometric data, if the processing is for the purpose of uniquely identifying an individual, as well as precise geolocation data. The CTDPA employs a broader definition for “biometric data” than other state laws.
However, the CTDPA does not apply to, among other things:
financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act;
certain activities regulated by the Fair Credit Reporting Act;
de-identified data; or
certain publicly available information.
The CTDPA also does not restrict a controller’s or processor’s ability to comply with other law, engage in certain fraud prevention and detection and security activities, or engage in certain internal processing uses, among other limited activities.
Consumer Rights
The CTDPA provides consumers with a number of rights related to their personal data. Under the CTDPA, consumers have the right to:
confirm whether or not a controller (the person that determines the purpose and means of processing personal data) is processing personal data;
access their personal data;
correct inaccuracies in their personal data;
delete personal data that the consumer provided or the controller obtained about the consumer;
obtain a portable copy of personal data that the consumer previously provided to the controller in a format that is readily usable and allows the consumer to transmit the data to another controller without impediment; and
opt out of the processing of personal data for (1) targeted advertising, (2) the sale of personal data, or (3) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
The first five rights listed above do not apply to pseudonymous data, provided the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and subject to effective technical and organizational controls that prevent the controller from accessing such information. “Pseudonymous data” is defined by the CTDPA as personal data that cannot be attributed to a specific individual without the use of additional information, provided that such additional information is subject to the safeguards addressed above.
The CTDPA also requires controllers to adopt and offer, by July 1, 2025, a platform, technology, or mechanism that allows consumers to opt out through an opt-out preference signal sent to the controller indicating the consumer’s intent to opt out of the sale of personal data or the processing of personal data for the purposes of targeted advertising.
Controller Obligations
The CTDPA imposes different obligations depending on whether the business is a controller or a processor (the entity processing personal data on behalf of the controller). Therefore, a business will need to analyze whether it is (according to the CTDPA definitions) acting as a controller or a processor when engaging in any personal data processing.
Under the CTDPA, controllers must, among other things:
provide a privacy notice containing specific disclosures, including the categories of personal data processed, the purposes for which personal data are processed, how a consumer may exercise a right, the categories of personal data that the controller shares with third parties, the categories of third parties with whom the controller shares personal data, an active electronic email address that the consumer may use to contact the controller, and—if selling personal data or processing personal data for targeted advertising—a clear and conspicuous disclosure of how a consumer can opt out;
establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue;
not process sensitive data without first obtaining the consumer’s consent or, in the case of a child, processing the data in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501 et seq., setting out specific standards for adequate consent;
provide an effective mechanism for a consumer to revoke the consumer’s consent that is at least as easy as the mechanism by which the consumer provided the consumer’s consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than fifteen days after the receipt of such request;
not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer’s personal data without the consumer’s consent, under circumstances where a controller has actual knowledge that, or willfully disregards whether, the consumer is at least thirteen years of age but younger than eighteen years of age;
not discriminate against a consumer for exercising a right by denying a good or service to the consumer, charging the consumer a different price or rate for a good or service, or providing the consumer a different level of quality of a good or service; and
establish a process for a consumer to appeal the controller’s refusal to take action on a request to exercise the consumer’s rights.
The CTDPA also requires controllers to conduct and document data protection assessments when conducting data processing that presents a heightened risk of harm to a consumer. Processing that presents a heightened risk of consumer harm includes:
processing of personal data for the purposes of targeted advertising;
sale of personal data;
processing of personal data for profiling, where such profiling presents a reasonably foreseeable risk of certain types of harm to consumers; and
the processing of sensitive data.
Processor Obligations
A processor must follow a controller’s instructions and must assist the controller in meeting the controller’s obligations, including obligations related to data security and breach notification, as well as provide necessary information to enable the controller to conduct and document data protection assessments. Persons processing personal data must also be subject to a duty of confidentiality.
The CTDPA imposes requirements for contracts between controllers and processors as well as requirements for engaging subcontractors, including requiring the subcontractor in writing to meet the obligations of the processor regarding personal data.
Enforcement
The Connecticut Attorney General has the exclusive authority to enforce the CTDPA. From July 1, 2023, until December 31, 2024, the attorney general must issue a notice of violation to the controller if the attorney general determines that a cure is possible. The controller will have sixty days to cure the violation. Beginning on January 1, 2025, the attorney general will have the authority to decide whether to grant a controller or processor the opportunity to cure an alleged violation, taking into consideration the number of violations, the size and complexity of the controller or processor, the nature and extent of the controller’s or processor’s processing activities, the substantial likelihood of harm to the public, and the safety of persons or property. A violation of the CTDPA will constitute an unfair trade practice. Penalties for engaging in an unfair trade practice include imposition of a restraining order, civil penalties of up to $5,000 for willful violations, and, in the case of private litigation, actual and punitive damages as well as court costs and attorneys’ fees.
The CTDPA does not provide for a private right of action by consumers.
After nearly twenty years, considering the increase in cyber attacks and the advent of cryptocurrency, the Federal Trade Commission (FTC) enacted a radically different Safeguards Rule that became effective January 10, 2022.[1] Cybercriminals choose their targets wisely because they want maximum impact and profit. Financial institutions make juicy targets for cybercriminals due to their vast and ever-growing digitally stored, sensitive, non-personal information and the undeniable transformation of financial transactions of all types being conducted online. For example, the 2017 Equifax data breach impacted 147 million customers and, as a result, Equifax agreed to pay at least $575 million (and potentially up to $700 million) as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB), and fifty U.S. states and territories. The settlement alleged that the credit reporting company’s failure to take reasonable administrative, technical, and physical safeguards to protect consumers’ information from unauthorized use or access caused the data breach.
The Equifax data breach was a disaster on multiple fronts. The four primary flaws that facilitated the security breach were:
The company failed to patch a well-known vulnerability (CVE-2017-5638) in its open-source web application framework, Apache Struts. At the time of the breach, the patch for CVE-2017-5638 had been available for six months.
Equifax failed to segment its ecosystem, allowing the attackers to seamlessly access multiple servers after gaining access through the web portal breach.
Usernames and passwords were stored in plain text, which the hackers used to escalate privileges to achieve deeper access.
Equifax failed to renew an encryption certificate for one of their internal tools, which allowed the hackers to exfiltrate data undetected over a period of months.
Additionally, over a month went by before Equifax finally publicized the breach. During this period, top executives sold company stock, giving rise to insider trading accusations. This is just one of the many recent examples of data breaches that exposed millions of people’s private data.
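The third flaw listed above, credentials kept in plain text, is the one most directly fixable in code. The following is an added illustration written for this summary, not code from Equifax, the FTC, or the settlement record: a constructed in-memory credential store in the vulnerable form next to a hardened form that keeps only a per-user random salt and a slow PBKDF2-HMAC-SHA256 digest, so that reading the store yields nothing an intruder can reuse to escalate privileges. The class names, the sample usernames and passwords, and the iteration count are all assumptions chosen for the example.

```python
import hashlib
import hmac
import os


class PlaintextCredentialStore:
    """The flaw described above: secrets are stored verbatim, so anyone
    who can read the store (a backup, a config file, a compromised host)
    holds every password and can replay it against other systems."""

    def __init__(self):
        self._records = {}

    def add_user(self, username, password):
        self._records[username] = password

    def verify(self, username, password):
        return self._records.get(username) == password

    def dump(self):
        # What a reader of the store sees: the passwords themselves.
        return dict(self._records)


class HashedCredentialStore:
    """Hardened form: per-user random salt + PBKDF2-HMAC-SHA256 digest.
    Reading the store reveals no password, and equal passwords for two
    users produce different digests because the salts differ."""

    # Assumed cost parameter for illustration; a real deployment should
    # use a higher count (or a memory-hard KDF such as scrypt/Argon2).
    ITERATIONS = 100_000
    SALT_BYTES = 16

    def __init__(self):
        self._records = {}

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self.ITERATIONS
        )

    def add_user(self, username, password):
        salt = os.urandom(self.SALT_BYTES)
        self._records[username] = (salt, self._derive(password, salt))

    def verify(self, username, password):
        record = self._records.get(username)
        if record is None:
            # Run the KDF anyway so an unknown username costs the same
            # time as a known one (no username enumeration via timing).
            self._derive(password, b"\x00" * self.SALT_BYTES)
            return False
        salt, expected = record
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(self._derive(password, salt), expected)

    def dump(self):
        # What a reader of the store sees: hex salt and hex digest only.
        return {u: (s.hex(), d.hex()) for u, (s, d) in self._records.items()}


def compare_stores():
    """Populate both stores with the same constructed users and report
    what each store exposes to someone who can read it."""
    plain, hashed = PlaintextCredentialStore(), HashedCredentialStore()
    for user, pw in (("alice", "correct horse"), ("carol", "correct horse")):
        plain.add_user(user, pw)
        hashed.add_user(user, pw)
    return {
        "plaintext_exposes_password": plain.dump()["alice"] == "correct horse",
        "hashed_exposes_password": "correct horse" in str(hashed.dump()),
        "same_password_same_digest": hashed.dump()["alice"][1]
        == hashed.dump()["carol"][1],
        "hashed_accepts_correct": hashed.verify("alice", "correct horse"),
        "hashed_rejects_wrong": hashed.verify("alice", "wrong"),
        "hashed_rejects_unknown_user": hashed.verify("mallory", "correct horse"),
    }


if __name__ == "__main__":
    for key, value in compare_stores().items():
        print(f"{key}: {value}")
```

The point a practitioner should take from the hardened class is that the store is safe to read because it holds no reusable secret, and that both the salt and the constant-time comparison are needed: the salt defeats precomputed tables and makes identical passwords indistinguishable, while `hmac.compare_digest` avoids leaking digest bytes through comparison timing.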
The importance of consumer financial privacy drove Congress to enact the Gramm-Leach-Bliley Act (“GLBA”) in 1999. The GLBA provides a framework for regulating the privacy and data security practices of a broad range of financial institutions. The GLBA imposed both the Privacy Rule (customer notification requirements) and the Safeguards Rule (standards for safeguarding certain information) on financial institutions. The original Safeguards Rule (16 CFR part 314) became effective on May 23, 2003, and the FTC has administered the Safeguards Rule ever since.
Under the new, revised Safeguards Rule the definition of “financial institutions” has been broadened to focus on business activities that are financial in nature.[2] Moreover, “nonpublic personal information” now covers all customers who provide the covered business with such records, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates. Additionally, the Safeguards Rule identifies nine elements that a covered business’s information security program must include:
Designate a qualified individual responsible for overseeing, implementing, and enforcing the financial institution’s information security program. The required qualifications will depend upon the size and complexity of the financial institution’s information system and the volume and sensitivity of the customer information that the financial institution possesses or processes.
Conduct and continuously monitor systems and data inventories.
Protect all customer information by encryption, both in transit over external networks and at rest.
Implement multi-factor authentication (MFA) for any individual accessing any information system, unless the use of reasonably equivalent or more secure access controls has been approved in writing by a qualified individual at the financial institution.
Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates.
Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.
Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information that is in the control of the financial institution.
Regularly test, or otherwise monitor, the effectiveness of the safeguards’ key controls, systems, and procedures, including those used to detect actual and attempted attacks on, or intrusions into, information systems. Covered financial institutions are required to conduct penetration testing annually and vulnerability assessments at least every six months.
Oversee service providers by requiring financial institutions to periodically assess service providers based on the risk they present and the continued adequacy of their safeguards.
The revised Safeguards Rule has some limits. First, the Safeguards Rule applies only to financial transactions “for personal, family, or household purposes.” Second, the Safeguards Rule exempts financial institutions that collect information on fewer than 5,000 customers from the requirements of a written risk assessment, incident response plan, and annual reporting to the Board of Directors. Lastly, key provisions, including the appointment of a qualified individual and conducting a written risk assessment, do not become effective until December 9, 2022.
The FTC’s strengthening of financial privacy protections is part of a larger societal and governmental awakening to the need for greater information privacy and security protections. This revision, among other changes, is a signal to all businesses that use nonpublic personal information to begin to assemble their data teams, including privacy counsel, to assess their data governance requirements and cybersecurity hygiene.
[2] Covered financial institutions include: mortgage lenders, pay day lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, some travel agencies, automobile dealerships, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, non-SEC regulated investment advisors, entities acting as “finders,” and other entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.
The Mendes Hershman Student Writing Contest is a highly regarded legal writing competition that encourages and rewards law students for their outstanding writing on business law topics. Papers are judged on research and analysis, choice of topic, writing style, originality, and contribution to the literature available on the topic. The distinguished former Business Law Section Chair Mendes Hershman (1974–1975) lends his name to this legacy. Read the abstract of this year’s second-place winner, Nicholas Mack of Vanderbilt University Law School, Class of 2022, below. The full article has been published in Volume 30 of the University of Miami Business Law Review.
At the conclusion of 2020, assets under management in sustainable funds—funds typically characterized by analyses of companies’ nonfinancial environmental, social, and governance (ESG) factors—hit a record high of nearly $1.7 trillion, with Bloomberg forecasting that total ESG investments may reach $53 trillion by 2025. Investments in sustainable index funds saw record highs in the first quarter of 2020 despite the overall financial downturn caused by the COVID-19 pandemic. Sustainable funds have gained significant traction over the last few years as US ESG funds outperformed conventional funds in 2019. Further, research conducted during the COVID-19 pandemic suggests that investing in ESG-focused funds mitigates financial risks, providing for a safer and perhaps overall better investment opportunity during times of financial crisis. Moreover, companies with robust ESG policies have demonstrated resilience during the COVID-19-induced financial crisis, providing further evidence of the benefits of ESG investing. Although ESG-focused funds and companies with robust ESG policies demonstrate economic resiliency and potential for outperforming conventional funds, federal securities laws generally do not require ESG-related disclosures.
Current US law mandates disclosure of certain environmental and social information under Regulation S-K and other banking and securities acts, but the vast majority of ESG reporting remains largely optional and market-driven. Most ESG information does not reach investors, regulators, or corporate stakeholders in a company’s typical annual report or other SEC-mandated filings; instead, companies typically opt to release a separate voluntary report aimed at sustainability and other ESG initiatives, which may be subject to greenwashing due to lack of oversight and regulation. More troubling is that the select few nonfinancial ESG-related disclosure requirements hinge on materiality, which evinces a nonfinancial regulatory regime that is principles-based, rather than rules-based. This requires investors to “trust” companies to act objectively and precisely when gauging the materiality of complex ESG issues. This causes both uncertainty in reporting requirements on the discloser side and the need for private actors to draw attention to sustainability issues and enhanced ESG disclosures.
But would investors even use this information if it was mandated by the SEC? Various studies seem to think so. McKinsey & Company claims that investors and asset owners adjust their investment strategies based on corporate sustainability disclosures. Ernst & Young’s 2016 report on ESG also indicates a global trend toward an increased interest in nonfinancial information by investment professionals. Investors have shown a clear proclivity towards using ESG information in investment decisions, exemplifying the need for a regulatory framework dedicated to ESG disclosure. These claims are only amplified by an examination of the public sector. A July 2020 Government Accountability Office report on ESG disclosures found that most institutional investors seek information on ESG issues to better understand investment risks. SEC Commissioner Allison Herren Lee stated in response to the Commission’s passing of a final rule in August 2020, “It has never been more clear that investors need information regarding, for example, how companies treat and value their workers, how they prioritize diversity in the face of profound racial injustice, and how their assets and business models are exposed to climate risk as the frequency and intensity of climate events increase.” Information, survey results, and public statements from both the private and public sectors recognize the importance of ESG disclosures and the incessant use of such information by investment professionals today. So, what should be done about this?
With robust firm-level ESG policies gaining notoriety as a driver of value for a firm due to its impact on company operations and efficiency, the SEC should consider mandating an ESG-disclosure regime based around this very specific principle. The current nonfinancial disclosure regime exists as a principles-based, materiality-focused framework; any recommended solution to the lack of ESG disclosures must fit this framework for the SEC to even consider it. Thus, the SEC should adopt mandated disclosures for certain ESG factors that materially impact a company’s operations. By mandating a principles-based disclosure regime based on a very specific principle, disclosers are less likely to face uncertainty in their reporting requirements and investors are better able to pinpoint the value drivers within the firm’s ESG initiatives. This “fix” is a starting point that addresses the SEC’s repeated neglect to adopt mandated ESG disclosures by framing such disclosures in a principles-based manner—thus, conforming to the SEC’s current nonfinancial disclosure regime while supplying investors with true, accurate, and influential nonfinancial ESG information.
Companies must consider environmental, social and governance (“ESG”) factors in their mergers and acquisitions (“M&A”) transactions to achieve maximum value and monitor risks. ESG matters are becoming increasingly significant in M&A transactions as businesses are facing mounting scrutiny and pressure for transparency on climate risk, social justice, sustainability, and corporate governance.
To address ESG considerations in the context of an M&A transaction, buyers—including private equity funds and strategic acquirers—should conduct ESG-focused due diligence, allocate ESG risk in the transaction agreement, and perform post-close ESG integration. This article addresses factors contributing to the increased focus on ESG along with commentary on how purchasers can integrate ESG factors in their next M&A deal.
Importance of ESG in M&A
A focus on ESG can be a competitive advantage for companies, private equity funds, and other strategic acquirers. It assists organizations in creating value, mitigating risk, and becoming more resilient. Consideration of ESG factors in M&A transactions is undeniably rising. Bain & Company recently conducted a global survey that found 65% of M&A executives expect their own company’s focus on ESG to increase over the next three years, with 11% stating that they currently regularly assess ESG extensively in the deal-making process. Failing to account for critical ESG elements can undermine success and lead to poor business outcomes.
Reputational Risk
Shareholders and investors are becoming increasingly attuned to ESG issues. By directing their investments to companies with comprehensive and established ESG disclosures, shareholders and investors globally are a key driving force behind growing ESG disclosure. Since ESG factors overlap with core corporate values, failure to address ESG issues may have a disproportionately negative reputational impact on a business. When considering a transaction, buyers should understand all ESG matters associated with the transaction, evaluate how to mitigate any reputational risks, and ensure that processes are in place to monitor the business’s reporting method.
Fiduciary Duties
Directors have a fiduciary duty to act in the best interests of the corporation, which has generally been thought of as a duty to act in the shareholders’ interests. The duty of care requires directors to exercise the care, diligence, and skill that a reasonably prudent person would exercise in comparable circumstances. To fulfill their fiduciary duties, directors must consider what will maximize shareholder value in the long term. Businesses must account for ESG risks to achieve lasting commercial viability. Shareholders have become more vocal and involved in the governance of a business, demanding changes to leadership and the board of directors. We are also starting to see examples of shareholders successfully removing directors as a result of their discontent with the company’s approach to climate change. This surge of ESG-related activity is driving corporations to urgently transform their core strategies.
Financial Implications
Considerable shifts in consumer awareness, spending patterns, employee expectations, regulatory frameworks, and industry perception have prompted investors to reallocate a notable amount of investments in light of ESG trends. Climate change has significantly impacted the operations and value of numerous companies, and we believe this trend will continue as the frequency and scale of natural disasters continue to increase. Natural disasters caused an estimated US$280 billion worth of losses in 2021. ESG factors pose a real risk to shareholders now that losses are tangible and quantifiable, directly impacting M&A activity. Businesses must also consider the effects of ESG on financing. Access to capital may be limited by poor ESG ratings and performance. Lenders and institutional investors have made it clear that businesses must make ESG a priority or risk losing financing.
Regulatory Compliance
Across jurisdictions, the ESG regulatory landscape is steadily evolving. Regulators along with other oversight bodies have been expending resources to monitor and create rules and guidance on ESG matters. For example, in Canada, the Canadian Securities Administrators (“CSA”) recently published guidance for investment funds on their disclosure practices as they relate to ESG factors. The CSA has indicated that it will monitor ESG-related disclosure as part of its ongoing continuous disclosure review program. The US Securities and Exchange Commission (“SEC”) is evaluating current disclosure practices of climate-related risks. Recently, the SEC issued a press release on proposed rule changes that would require registrants to include certain climate-related disclosures in their registration statements and periodic reports, including information about climate-related risks that are reasonably likely to have a material impact on business, operations, and financial condition, and certain climate-related financial statement metrics. ESG factors will be a key consideration for both the buyer and target, as various regulatory bodies continue to bring additional ESG rules and regulations into force.
ESG Considerations in M&A
ESG Due Diligence
Buyers should consider broadening the scope of their due diligence to include performing targeted ESG investigations. ESG due diligence will look different for each transaction and will depend on the nature and type of business the target is conducting and the relevant operating jurisdictions. Due diligence should go beyond a routine examination of organizational performance and consider wide-ranging impacts and dependencies across the global value chain.
The due diligence process must integrate ESG into each stage of the deal and should inform the buyer of any potential impact of the merger or acquisition on its sustainability strategy and the long-term value of the combined entity. Red flag checks may include assessing the future fitness of the target and its relevant assets, and media scans to understand any major ESG-related risks. Due diligence should identify any human rights violations, corruption, environmental degradation, privacy breaches, data breaches, harassment, workplace misconduct, workplace diversity, gender inequity, greenhouse gas emissions, previous instances of non-compliance, the target’s ESG ratings, the use of ESG standards, and the target’s level of community engagement. This will identify potential liabilities or cultural concerns that can be investigated further. Other due diligence considerations may also flag physical and transitional risks associated with climate change.
Targeted ESG due diligence will assist buyers in identifying ESG risks that may influence a target’s price and overall deal structure. Once fully cognizant of the potential liabilities and risks of a transaction, companies may mitigate ESG risk through the transaction agreement.
Transaction Agreement
M&A transaction agreements, such as share purchase agreements and asset purchase agreements, are already reflecting the growing importance of ESG factors. Since the beginning of the COVID-19 pandemic, the majority of M&A agreements adopted provisions for COVID-19 in material adverse effect clauses and interim operating covenants. COVID-19 tested the resilience of corporations, globally, and has shown investors that ESG matters now more than ever.
Through ESG diligence, buyers can understand the potential risks and pitfalls that relate to the target’s operations and industry. The buyer can then look to address any ESG risks in the transaction agreement through specific indemnities, targeted representations and warranties addressing ESG matters, or through various pre-closing conditions or post-closing covenants of the sellers. The transaction agreement will typically contain customary representations and warranties relating to the various aspects of the operations of the business and the regulatory environment in which it operates. These customary representations and warranties may address several ESG factors. Yet, these representations and warranties should be reviewed and revised in light of specific regulations or codes of conduct that apply to the operations of the business and any ESG factors. Buyers should therefore consider and look to negotiate the inclusion of applicable ESG representations, which may include “MeToo” representations requiring targets to disclose misconduct allegations, representations of compliance with specific codes or principles that the target has voluntarily adopted, or representations of compliance with recommendations of applicable codes of conduct or guidelines issued by oversight bodies.
For ESG risks that are identified in diligence, buyers should consider the materiality of these identified risks and consider how these issues can be addressed. The purchase agreement should be tailored to suit the needs of each transaction. Depending on the issue identified, the vendors may be able to address the concerns pre-closing. This could include adding provisions such as special pre-closing covenants requiring detailed reporting and disclosure of any new ESG issues that may arise.
If the issue cannot be addressed pre-closing, such as non-compliance with ESG-related regulations, the buyer may wish to negotiate a reduction in the purchase price to reflect the risk assumed. In addition, the buyer may wish to consider a specific indemnity to address the risk for known ESG issues and holdback of a portion of the purchase price that the purchaser can set off against any losses it incurs due to the issues identified. The parties may also look to restructure the transaction to assist in mitigating the risk.
Post-closing Matters
Post-close, the buyer should continue its review of ESG factors while looking to integrate the target into the buyer’s operations. The integration process should aim to align the target’s ESG policies and values with those of the buyer. To ensure that the target’s ESG culture and values meet the expectations of the buyer, the buyer should confirm that the proper policies are in place and communicated to all employees, suppliers, and contractors. If the target has ESG policies that are more robust in certain areas compared to the buyer’s existing policies, the buyer may use this as an opportunity to grow and strengthen their reputation and performance.
The buyer should also develop an action plan to address any material ESG risk of the target that was identified through the due diligence process. The buyer will be better positioned to monitor and track future remedial efforts and compliance.
Conclusion
As companies, investors, and shareholders are becoming increasingly conscious of social and environmental factors, it is critical to evaluate investment opportunities through an ESG lens. For the foreseeable future, ESG-assessed M&A will be an important tool to generate growth and provide companies with a competitive edge. It will also be crucial in establishing stakeholder trust. For corporate and fund-based dealmakers, decisive steps are needed in risk reduction and long-term value generation. Organizations that take initiative and embrace ESG in M&A will be better positioned to achieve sustainable growth and adapt to constantly evolving expectations.
As the company’s information treasure trove grew, two things became clear. First, with more information in more places, carrying more value, and traveling across the globe at the speed of light, something bad was eventually bound to happen. Second, the consequences of failing to manage information assets began to have greater implications for stock value, reputation, executives’ careers, customers, regulators, courts, and the court of public opinion.
The US Department of Justice recently updated its “Evaluation of Corporate Compliance Programs,” which guides prosecutors and courts in assessing the adequacy and effectiveness of a corporation’s compliance program. Implicit in a good compliance program is that companies can’t babysit all their employees all day, every day. But if a company constructs an artifice to help employees comply with company policy, for example, the consequences of a failure may be reduced or eliminated altogether. In that sense, good compliance is like insurance: you may never need it, but it provides solace just knowing it exists and is sound. So, knowing the criteria a company may someday be evaluated against should help it bolster its corporate compliance programs. More specifically, this article is about information governance compliance programs, which are becoming increasingly important with corporate information growing at 23% each year (per IDC), the increase in privacy regulations, and the adoption of big data projects.
We live in a world that requires companies to use data to better understand their customers’ needs, improve products and services, reduce costs, and improve business efficiency, all while complying with laws and regulations that dictate, among other things, how long information must be retained. According to The Economist, data is one of the most valuable resources in the world today.
ABBYY recently polled thousands of office workers across the globe, and found that 64% of UK employees have difficulty accessing data. In fact, a quarter (27%) lose a full day of productivity every week (ABBYY).
Organizations are generating as much as 7.5 septillion gigabytes of data per day, which is why laws and regulations that govern the management of data are increasing. To put that in context, we create roughly the data equivalent of 50,000 years of continuous movies every few hours, all day, every day. Now more than ever you should consider creating or reviewing your information governance policies and practices to ensure they address the information your organization generates, receives, and manages. This might sound like a daunting task, but it doesn’t have to be.
Let’s start with defining information governance: It is the management, retention, and disposition of information that an organization creates and collects. Information is the lifeblood of most companies today and should be managed as a valuable asset. Given the overlapping influences of contractual obligations, preserving customer trust, and laws and regulations, companies can’t afford to ignore information governance.
Many confuse information governance with records management, but there is a huge difference. Traditional records management compliance programs typically had policies that outlined the official records (purchase orders, personnel files, contracts, etc.) that needed to be retained in accordance with laws, regulations, and business needs. Typically, most programs established “minimum” retention periods to ensure records were not disposed of too quickly in case a regulator wanted to inspect them. Addressing official records by imposing a minimum retention is no longer considered reasonable or good enough. Instead, companies must govern all information that the organization generates, receives, and manages, regardless of the medium or storage location (e.g., onsite, AWS, SaaS provider, mobile device) and whether or not it is the official record. For most organizations, a vast amount of the information under their management may not have any law or regulation mandating its retention or disposal and may have only short-term business value. This vast amount of information requires governance and management, too. It must have a predictable end of life, especially if it contains high-risk data.
Over two decades ago, the Kahn Consulting firm developed the Seven Keys to Information Management Compliance based on the Federal Sentencing Guidelines. The Seven Keys take the Federal Sentencing Guidelines and adapt them for the information space. The Department of Justice guidance to prosecutors can likewise be used as a roadmap to implement or validate the key components of your company’s information governance compliance program. Summarized below is a roadmap to implement or augment your compliance programs, focusing specifically on information governance.
Summary of Roadmap
1. Risk Assessments
A compliance program’s key components should consist of a risk assessment process to identify, analyze, and address particular risks. This process should be documented and consist of metrics that will be used to address compliance. Based on the risk profile, there should be resources, funding, and scrutiny allocated appropriately based on the level of risk. Risk assessments should be conducted routinely and based upon operational data.
Actions taken to address risk (policy modifications, training, etc.) should be documented and monitored. The risk assessment process should incorporate lessons learned from actions taken within the company and at other companies with similar business profiles. As it relates to information governance, a risk assessment should include structured information, unstructured information, third parties storing information, outsourced business processes that have an information component (e.g., benefits, 401(k), retirement), communications and messaging environments, end user productivity environments such as Microsoft 365 and Google Workspace including collaboration and meetings, robot-generated data, etc.
2. Policies and Procedures
Policies and procedures must be part of a well-designed compliance program. Policies and procedures should address identified risks and directives that must be followed, as well as strive to establish a culture that promotes compliance. The company should have a policy management process in place that dictates how corporate policies should be designed, approved, published, implemented, and maintained over time. Information management policies and procedures should address the retention of information (records and non-records), disposition rules, preservation obligations, and protection of specific classes of information.
3. Training and Communications
A key component of a well-designed compliance program is the training of employees and the communications used to integrate the policies within the company. Training and communication messages should be tailored for specific audiences. High-risk areas may require more training and/or more detailed examples during training. The training should take into consideration the form and language(s) that are used. Training should be an ongoing activity and incorporate lessons learned from past noncompliance events. Communications should include the leadership’s position on misconduct or non-compliance (e.g., warning, discipline, termination). Training and communications should provide guidance for employees to identify when they should seek assistance and where they can get that assistance.
Information management programs should have an annual required training program, and periodic communications should be sent out from senior leadership reminding the organization of the value of information and the potential risk of non-compliance with policies and procedures. Furthermore, training and communications should be targeted for specific audiences such as application owners, Google Workspace users, network/fileshare users, email users, third-party contract business owners, etc. The messages and training must be specific to the actions that are required. For example, if the company’s policy is to purge email after one year, define the specific action that must be taken in the rare event that an email would rise to the level of a record requiring longer retention.
4. Confidential Reporting Structures and Investigation Processes
Confidential reporting structures and investigation processes are essential in compliance programs. Employees must be able to report non-compliance and misconduct anonymously and confidentially. The company’s culture and processes should promote and measure the workplace environment to ensure that fear of retaliation doesn’t exist. Processes need to route issues quickly to a few appropriate people so they may be dealt with in a timely manner. Employees must be made aware of how to report non-compliance and what happens once they report it. There should be a robust process, including metrics, to investigate, manage, and discipline non-compliance.
The information gathered during non-compliance investigations should be tracked, analyzed, and used for lessons learned. Information governance non-compliance can have serious consequences for the organization. The over-retention of private information can cause reputational damage and financial consequences. Destruction of potentially relevant information that has been placed on a legal hold may not only cause fines and penalties but may also impact the outcome of litigation or a regulatory investigation.
5. Management of Third-Party Relationships
Third-party relationships should include a strong risk-based diligence process. The diligence should be appropriately aligned with the level of risk. As part of the risk assessment, sub-contractors to the third party should be assessed, and contract terms and conditions should be reviewed. Ongoing monitoring of the third-party relationship should be documented, audited, and tracked. Specifically related to information governance, any third party storing, managing, or accessing information on behalf of your company should have a risk assessment completed. Third parties with personal information, highly confidential information, or IP should have additional scrutiny and corresponding controls established.
Real actions and consequences need to follow when non-compliance exists. Follow-up on non-compliance is required to ensure that the third party has addressed the issues. As it relates to information governance, all contracts should clearly identify the third party’s roles and responsibilities as they relate to retention, disposal, and preservation of information, including the redaction or anonymization of personal information.
6. Mergers and Acquisitions
Mergers and acquisitions need to be included in a well-designed compliance program to ensure timely and orderly integration of any acquired entity into the company’s compliance regime. Divestitures need to be evaluated to ensure the appropriate compliance activities are moved to the acquiring company in a timely manner. There should be a due diligence process, integration process, and implementation plan prepared prior to the actual transaction taking place. Information governance responsibilities need to be clearly outlined so the segregation of information can take place, claw-back clauses can be incorporated into contracts as necessary, and information related to open litigation, audits, or investigations can be addressed. Identification of all the information that is impacted by an acquisition or divestiture is becoming more complex as it relates to big data projects, privacy laws, and the expanding number of third parties storing the information.
7. Adequate Resources and Empowerment
Companies must adequately resource and empower their compliance programs. Issuing policies is no longer good enough. Compliance programs must have implementation plans to ensure appropriate staffing is in place to audit, document, analyze, and continuously improve compliance programs. This key component can be time-consuming when it comes to information governance compliance programs.
A few examples of areas requiring automated or manual plans for managing information are: applications, third parties managing information on the company’s behalf, end user information storage locations, communication systems, and off-site storage boxes. You should automate as much as you can, but there are realities where rules cannot be automated and will require manual intervention. Implementation cannot start until the company develops and enacts a documented retention schedule that outlines the rules for retaining specific categories of data. The retention schedule needs to be based on up-to-date legal research for each jurisdiction where the company conducts business. It must also address the business value of the information.
8. Commitment from Senior and Middle Management
For a compliance program to be successful, senior and middle management commitment and messaging is a necessity to foster a culture of compliance within the company. The C-suite and the board set the tone for the rest of the organization by messaging the importance of compliance and by demonstrating adherence. All leaders in the company need to take ownership and accountability for their employees when it comes to monitoring and checking for compliance with policies. When management finds non-compliance, management needs to address the matter and perhaps use it as a teaching moment for the rest of the staff.
9. Autonomy and Effective Resources
Program autonomy and effective resources are essential in a well-designed compliance program. Compliance programs need to have day-to-day oversight, and those responsible for that oversight must have adequate autonomy, authority, seniority, and access to the Board of Directors. Team members should have the appropriate experience to address non-compliance issues. Internal audits should also be conducted to ensure that compliance personnel are in fact empowered and positioned to detect and prevent non-compliance. As for information governance programs, there should be a governance board on which Legal, IT, Security, Privacy, Compliance, Audit, and select business units are represented.
10. Incentives for Compliance and Disincentives for Non-Compliance
Implementation of a compliance program should consist of incentives for compliance and disincentives for non-compliance. Clear disciplinary procedures should be in place, consistently enforced across the organization, and commensurate with the violations. Communications from senior leadership should inform employees that unethical conduct and policy violations will not be tolerated and will have consequences. A company can consider implementing an incentive system that rewards compliance and ethical behavior. Information governance programs should be treated as equally important as other compliance programs.
11. Proof that the Compliance Program Works in Practice
A compliance program should have the ability to prove that it is working and, more importantly, that it was working when a violation occurred. Documentation and evidence of actions taken are important—always document how misconduct was detected, how the investigation was conducted, what resources participated in the investigation, and the remediation efforts. The compliance program should also document how the program has evolved over time and maintain an audit trail of changing risks and continuous improvements to the program to address new risks or non-compliance issues. The following should be part of a well-designed compliance program to prove that the program was working at the time of a non-compliance event:
Continuous Improvement, Periodic Testing, and Review: An effective compliance program must have the ability to improve and evolve.
Internal Audit: Internal audits must have a rigorous process that is followed and routinely conducted.
Control Testing: Control tests should be established; compliance data must be routinely collected and analyzed, and necessary actions taken.
Evolving Updates: Risk assessments, policies, procedures, practices should routinely be improved to reflect the current risk profile and based on lessons learned.
Culture of Compliance: Companies should routinely measure their culture of compliance through all levels of the organization.
12. Investigations of Misconduct
All examinations of allegations and suspicions of misconduct by the company, its employees, or third-party agents must be effective and appropriately funded to ensure a timely and thorough investigation that includes a documented response covering its findings, disciplinary actions, and remediation measures. Investigations must be conducted by an objective party. For information governance compliance, automated monitoring for non-compliance should be considered. As an example, monitoring the volume of data leaving your organization can be an indication of an employee transferring data to a private account outside of the company. You can use tools such as MS 365 to both automate compliance and detect non-compliance. Once evidence indicates a questionable act, people, process, and technology should be in place to assess the alleged infraction and take necessary action.
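The egress-volume indicator mentioned above, as an added example that is not part of the original article: a per-user daily baseline computed from constructed upload-log lines, flagging a day whose outbound volume jumps well above that user's history or goes to a destination outside an assumed corporate allow-list. The log format, domain names, users, byte counts and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample log: "YYYY-MM-DD user destination-domain bytes-uploaded".
# Destinations and users are invented; corp-share.example.com stands in for a
# sanctioned corporate file service, personal-drive.example.net for a private account.
SAMPLE_LOG = """\
2024-03-01 alice corp-share.example.com 120000000
2024-03-01 bob corp-share.example.com 80000000
2024-03-02 alice corp-share.example.com 110000000
2024-03-02 bob corp-share.example.com 95000000
2024-03-03 alice corp-share.example.com 130000000
2024-03-03 bob corp-share.example.com 90000000
2024-03-04 alice corp-share.example.com 125000000
2024-03-04 bob personal-drive.example.net 2400000000
"""

# Assumed allow-list of sanctioned destinations; anything else counts as external.
CORPORATE_DOMAINS = {"corp-share.example.com"}
REVIEW_DAY = date(2024, 3, 4)


def parse_log(text):
    """Parse the constructed log format into (day, user, destination, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, dest, nbytes = line.split()
        rows.append((date.fromisoformat(day), user, dest, int(nbytes)))
    return rows


def daily_totals(rows):
    """Aggregate per user and day: total bytes out, and bytes to non-corporate domains."""
    totals = defaultdict(lambda: defaultdict(lambda: {"total": 0, "external": 0}))
    for day, user, dest, nbytes in rows:
        bucket = totals[user][day]
        bucket["total"] += nbytes
        if dest not in CORPORATE_DOMAINS:
            bucket["external"] += nbytes
    return totals


def flag_egress_anomalies(rows, review_day, ratio=3.0, min_external=100_000_000):
    """Return findings for review_day.

    A user is flagged when the day's outbound volume exceeds `ratio` times the mean
    of their earlier days, or when at least `min_external` bytes went to destinations
    outside the allow-list. The external check applies even to users with no history,
    so a first-day upload to a private account is not silently skipped.
    """
    findings = []
    for user, days in daily_totals(rows).items():
        today = days.get(review_day)
        if today is None:
            continue
        history = [v["total"] for d, v in days.items() if d < review_day]
        baseline = mean(history) if history else None
        reasons = []
        if baseline is not None and today["total"] > ratio * baseline:
            reasons.append(
                f"volume {today['total']} exceeds {ratio}x baseline {baseline:.0f}"
            )
        if today["external"] >= min_external:
            reasons.append(f"{today['external']} bytes sent to non-corporate destinations")
        if reasons:
            findings.append({"user": user, "day": review_day.isoformat(), "reasons": reasons})
    return findings


def run_sample():
    """Run the check over the constructed log for the constructed review day."""
    return flag_egress_anomalies(parse_log(SAMPLE_LOG), REVIEW_DAY)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding["user"], finding["day"], "; ".join(finding["reasons"]))
```

A finding here is a trigger for the investigation process the section describes, not a conclusion; the baseline window, ratio and allow-list need tuning to the organization's own traffic.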
13. Analysis and Remediation of Any Underlying Misconduct
Lastly, a well-designed compliance program that is working in practice must have a thoughtful root cause analysis of misconduct, and the company must timely and appropriately take action to remediate the root cause. Root cause analysis should consider what control failed (policy, procedure, training, etc.), the amount of funding provided, what vendors were involved, any prior indications of failure, what prior remediation efforts were taken to address a similar compliance issue, and any failures in supervision of employees. Information governance compliance often finds failures in generalized “off-the-shelf” training programs. Training programs must be 100% aligned with policy directives, practices, and procedures. Employees need to clearly understand where they are allowed to store certain types of information and how disposal of the information will happen in accordance with policy and business unit or IT practices and procedures.
Summary
Now more than ever, companies need to make an honest effort to do the right thing and comply with laws and regulations. However, in the event that employees or third parties managing data on your company’s behalf inadvertently (or intentionally) violate a law or regulation, a well-designed information governance compliance program can be used to demonstrate “reasonableness” and the company’s good faith efforts to comply with laws and regulations, which ultimately may be the difference between winning and losing.
In September 2021, Rohit Chopra was confirmed as the third Director of the Consumer Financial Protection Bureau (CFPB). After receiving his bachelor’s degree from Harvard as well as an MBA from Wharton, Director Chopra worked in management consulting with McKinsey & Company, previously served as a Federal Trade Commission (FTC) Commissioner, and was the CFPB’s first Student Loan Ombudsman. Senate Banking Committee Chair Sherrod Brown (D-OH) praised Director Chopra as a “bold and experienced” nominee who would return the agency to its “central mission.” Senator Elizabeth Warren (D-MA) offered similar comments, hailing Director Chopra as a “terrific” pick to lead the CFPB. Accordingly, Director Chopra is widely viewed as an assertive regulator who will seek to leverage the full authority of the CFPB, and he has assembled a leadership team that includes several CFPB alumni and veterans.
The early days of the Chopra CFPB have been especially active, with the agency issuing market monitoring orders to several Big Tech players about their payments businesses and inquiries directed to leaders in the rapidly growing “Buy Now Pay Later” space. The agency has also issued research reports on overdraft fees and a Request for Information on so-called “junk fees” charged by financial institutions. However, fair lending issues are widely perceived to be at the forefront of Director Chopra’s policy priorities.
In that vein, and consistent with his focus on Big Tech, data privacy, and algorithmic bias at the FTC, Director Chopra has made crystal clear that fair lending—and in particular, algorithmic discrimination—and other practices that adversely impact communities of color will be a top agency priority. For example, in remarks announcing the settlement of a traditional redlining case, Director Chopra focused largely on “digital redlining.” He specifically called out companies that gather “massive amounts of data and use it to make more and more decisions about our lives, including loan underwriting and advertising” and encouraged data scientists, engineers, and others with “detailed knowledge of the algorithms and technologies used by those companies and who know of potential discrimination or other misconduct” to report potential fair lending violations to the CFPB. These comments have led many to believe that Director Chopra may potentially pursue new or novel fair lending theories related to artificial intelligence, machine learning, and related underwriting with algorithms.
Similarly, the Biden Administration’s focus on racial equity and the racial wealth gap could lead Director Chopra to focus his efforts on a variety of fair lending concerns, including collections and services issues, foreclosures, evictions, and credit reporting, or issues specifically stemming from the pandemic, such as potential discrimination in the issuance of PPP loans. And many industry observers believe the CFPB will pursue somewhat controversial “disparate impact” theories to pursue fair lending violations.[1]
Indeed, Director Chopra has also made clear that the agency will focus on large companies and market players, seek to pursue a broad range of remedial measures—including individual liability where appropriate—to redress consumer harms, and partner closely with state authorities in enforcing consumer financial protection laws. The latter likely includes exploring ways to expand the CFPB’s authority to enforce federal consumer protection laws and access remedies such as the civil monetary penalty funds authorized under the Consumer Financial Protection Act.
Additionally, comments by the CFPB at an industry fair lending conference in November of 2021 restated its goals of using its authority to narrow the racial wealth gap and ensure markets are clear, transparent, and competitive. In addition to the areas noted above, the comments indicated an intent to specifically focus on:
Appraisal bias in home valuation;
Special purpose credit programs or “SPCPs”;
Small business lending and the implementation of Section 1071 of Dodd-Frank;
Limited English Proficiency consumers; and
Unfair and discriminatory practices, including illegal practices outside of the ECOA and the HMDA.
If his initial actions and related commentary from the CFPB are any indication, Director Chopra will pursue a bold new approach to CFPB rulemaking, supervision, and enforcement in the areas of fair lending and beyond.
At the ABA Business Law Section’s 2022 Hybrid Spring Meeting, the CLE program “There’s a New Sheriff in the Beltway: Potential Areas of Focus of Director Chopra’s Fair Lending Regulatory Agenda” (now available for viewing as on-demand CLE) identified and discussed Director Chopra’s fair lending and anti-discrimination priorities and how they may impact financial services providers of all stripes, from traditional financial institutions to fintechs and Big Tech players. A panel of experts offered their views on Director Chopra’s priorities in this space, including their predictions for supervisory, enforcement, and rulemaking activity on AI-based underwriting, digital marketing, fair lending compliance in the PPP program, and small business lending; opportunities for collaboration with state and federal authorities; and potential legal headwinds and opportunities.
This article is based on a CLE program that took place during the ABA Business Law Section’s 2022 Hybrid Spring Meeting. To learn more about this topic, view the program as on-demand CLE, free for members.
In November 2021, ASTM International (formerly known as the American Society for Testing and Materials) published its E1527-21 (-21 Standard), its 2021 update to its Standard Practice for Environmental Site Assessments: Phase I Environmental Site Assessment Process. The -21 Standard is intended to satisfy the requirements of the Comprehensive Environmental Response, Compensation and Liability Act (CERCLA)’s All Appropriate Inquiries Rule (AAI). The ASTM submitted a formal request for the Environmental Protection Agency (EPA) to reference the -21 Standard as compliant with AAI.
On March 14, 2022, the EPA published both a preliminary rule and a direct final rule setting forth the EPA’s intent to amend AAI to permit use of the -21 Standard in satisfaction of the AAI. Had the EPA not received adverse comments on the rule, the direct final rule would have gone into effect on May 13, 2022. The EPA did, however, receive adverse comments and, therefore, withdrew the direct final rule on May 2, 2022. It now intends to address adverse comments in a subsequent final action.
Of the adverse comments received, the majority objected to the rule permitting the -13 standard to remain as an acceptable alternative to comply with AAI. In other words, under the proposed rule, Phase I studies conducted under either the -13 standard or the -21 standard would be deemed sufficient to satisfy AAI. Because ASTM’s -21 standard improves upon the shortfalls of the -13 standard and brings the practice in line with “good commercial and customary practices,” as required by AAI, permitting the continued use of the historical (-13) standard does not make a great deal of sense. As noted in the comments, EPA attempted this method when it proposed the -13 standard as complying with AAI by providing that the then-current standard (E1527-05) would also be sufficient to satisfy AAI. After similar adverse comments, EPA eventually removed its reference to the -05 standard. Given this, it is likely that EPA will remove similar reference to the -13 standard in its final regulation.
Updating “Good Commercial and Customary Practice”
In developing its published -21 Standard, the ASTM sought input from users and environmental consultants nationwide. One of the ASTM’s primary goals in crafting the -21 Standard was to ensure production of quality Phase I Environmental Site Assessments (ESAs) and their resulting reports. The ASTM’s objectives in crafting the -21 Standard were threefold:
Clarify and improve existing language
Update the standard to reflect current customary practice
Strengthen the deliverable (report)
The ASTM has clearly met these objectives.
What Are the Significant Changes from E1527-13?
The -21 Standard contains revised and new definitions, making the requirements stronger and clearer than those in the 2013 version, such as:
Rewording the definition of Recognized Environmental Condition (REC). The prior definition of REC covered three examples, two of which used the term “likely,” without defining it, leaving it to a wide array of interpretations. The -21 Standard now defines the word “likely” to mean “that which is neither certain nor proved, but can be expected or believed by a reasonable observer based on the logic and/or experience of the environmental professional, and/or available evidence, as stated in the report to support the opinions given therein.”
Clarifying that Historical Recognized Environmental Conditions (HRECs) and Controlled Recognized Environmental Conditions (CRECs) are only those conditions that affect the subject property, and that current regulatory standards be considered to determine whether the controls meet those standards as concerns unrestricted use.
Replacing E1527-13’s use of the broader term “property use restrictions” (which was not previously defined) with the term “property use limitations,” to capture a wider variety of risk-based mitigation end points.
Providing a definition of “significant data gap,” which E1527-13 required to be identified, but failed to define.
The -21 Standard includes clearer emphasis on property identification, specifically by:
Providing that the subject property is defined by its current boundaries (boundaries commonly change throughout the years).
Pointing out that properties may be different in use, size, configuration, and/or address than in the past.
Providing that research of additional addresses may provide further information to meet objectives.
The -21 Standard also specifies two methods users may employ to satisfy their responsibility to search for environmental liens and activity and use limitations:
Method 1 provides that a user may satisfy its requirements by relying upon customary title insurance documentation such as preliminary title reports or title commitments.
Method 2 provides an alternative process, whereby a user may rely upon title search information reports such as condition of title, title abstracts, and activity and use limitation/environmental lien reports as long as the information identifies environmental covenants, environmental easements, land use covenants and agreements, environmental liens, and other environmental land use restrictions and controls. Search information reports must review land title records dating back to 1980. If judicial records are not reviewed, the report must include a statement that the law or custom of the jurisdiction at issue does not require a search for judicial records in order to identify environmental liens.
Further, the -21 Standard:
Requires that the subject property’s use be more specifically identified. For example, if the subject property’s purpose is retail, industrial, or manufacturing, additional standard resources must be reviewed if they are likely to identify a more specific use and are reasonably ascertainable.
Provides additional clarity with respect to identification of RECs and discusses the multi-step process for identification of CRECs and HRECs. The -21 Standard includes a helpful appendix that breaks down their definitions and provides a flowchart diagram and simple examples.
Requires more specific information in connection with historical research of the subject property, adjoining properties and the surrounding area. This puts a clearer emphasis on current property identification, more specific information on property use, etc.
Requires review of aerials, topographic maps, fire insurance maps, and city directories, if reasonably available, and if not, requiring a reason for that omission.
Adds a new section addressing historical research of adjoining properties. In particular, during research of the subject property, obvious past uses of adjoining properties must be identified to evaluate the likelihood that past uses may have led to RECs. If aerials, topographic maps, fire insurance maps, and city directories have been researched for the subject property, if they provide coverage for the adjoining properties, and if that research is likely to be useful in meeting the objective, those documents must also be reviewed for the adjoining properties.
Significantly, adds “Emerging Contaminants” to the list of non-scope considerations, the most currently significant of which are per- and poly-fluoroalkyl substances (PFAS), many of which are likely to be brought within CERCLA’s definition of hazardous substances in the near future. Given this, prudence would suggest that Phase I ESAs include assessment for PFAS and other emerging contaminants, such as 1,4-dioxane, where appropriate.
Which Standard Should Be Applied?
Of course, until the -21 Standard is officially adopted, ASTM E1527-13 remains the applicable standard. Assuming the EPA revises its proposed rule to remove reference to the -13 standard, upon its adoption of the -21 standard, the -13 standard will become a historical one. Until then, there is no requirement that the -21 Standard be employed; however, it is the author’s preference that environmental professionals use and cite ASTM E1527-13, but ensure (and note in the report) that the Phase I ESA also satisfies the requirements of the -21 Standard.
This year, the American Bar Association has chosen “a more perfect union” as the theme for Law Day. In furtherance of this theme, the Business Law Section has asked attorneys to volunteer to talk about the rule of law in some forum. I am excited to be part of this conversation and to share some perspectives from the book Law and Poetry: Promises from the Preamble, which was published by the Association earlier this year. The book is an anthology that explores the themes presented in the Preamble to the United States Constitution. The anthology includes the work of poets from around the world.
In preparing the anthology, I had the opportunity to connect with many of these poets and to learn more about them. Cecil Rajendra was one of the poets who impressed me most. Mr. Rajendra is both a poet and an accomplished human rights attorney. Below, you will find his poem “The Dark Side of Trees,” together with some introductory information and a short biographical sketch that provides a little bit more information about Mr. Rajendra. This material is reproduced from the anthology.
This poem resonated with me for the way in which it emphasizes the responsibility we as individual citizens have to hold our government accountable. We are called upon to notice—and not to turn away—when our legal system and our institutions of government are threatened. In doing so, we help to uphold the rule of law, and, ultimately, we help to build a more perfect union.
The poem below was reprinted in the June 1984 issue of the International Commission of Jurists’ journal The Review. The ICJ is a non-governmental organization, founded in 1952 in Geneva, which is focused on international human rights. Mr. Rajendra’s poem followed updates on human rights throughout the world, from East Timor, to Haiti, to Japan, Pakistan, South Africa, and Western Sahara. As you read this poem, you might consider the world-wide applicability of its themes.
~ The Dark Side of Trees
Cecil Rajendra
The truth burns so they turned their faces away from the sun . . .
When small liberties began to fray . . .
When their constitution was being chipped away
When their newspapers were shut down . . .
When their rule of law was twisted round . . .
When might became right and their friends
Were carried off screaming in the pitch of night . . .
They chose silence feigned blindness pleaded ignorance.
And now when the shadow of the jackboot hangs ominous over their beloved land they walk as zombies unable to distinguish right from wrong from right their minds furred with lichens like the dark side of trees.
The truth burns so they turned their faces away from the sun . . .
Cecil Rajendra is a poet, lawyer, and human rights activist who has lived by the mantra, “Seek out the little guy and help if you can.” He was born in 1941 in Penang, Malaysia and received his formal education at St. Xavier’s Institution, the University of Singapore and Lincoln’s Inn (London) where he qualified as a barrister-at-law. Throughout his lengthy and distinguished career, he has earned numerous distinctions in poetry, law, and human rights. As an attorney, in 1980 he co-founded the Penang Legal Aid Centre (PLAC), which was the first rural legal aid clinic in Malaysia. In 2000, he created Malaysia’s first-ever mobile legal aid clinic. For this work, Rajendra earned the Malaysian Bar’s 2019 Lifetime Achievement Award as well as the International Bar Association’s 2019 Pro Bono Award. As a poet, he has published dozens of volumes of poetry and was nominated for the 2004 Nobel Prize in Literature for his collection By Trial & Terror. His work has been published in more than fifty countries and translated into a number of languages. As a human rights activist, he has initiated campaigns against detention without trial and in support of an independent judiciary. He was awarded the first-ever Malaysian Lifetime Humanitarian Award in 2004, in recognition of both his outstanding work in law and his exemplary poetry; and in 2015 was declared a Living Heritage Treasure by the Penang Heritage Trust.
From Hour of Assassins and Other Poems by Cecil Rajendra. London: Bogle-L’Ouverture Publications, 1982.
I am always struck by the universality of the images and themes that Mr. Rajendra raises in this poem. Here are a few examples that come to mind:
When small liberties began to fray . . . . In St. Petersburg, Florida, where I live, the Florida Holocaust Museum has a permanent display that I have always found to be particularly important, as a lawyer, because it reminds me that the law can be used to cause great harm. This display includes a timeline showing how the laws in pre-war Nazi Germany were changed over a period of six years to disenfranchise, restrict, persecute, and isolate Jewish people. The first wave of what would ultimately be more than four hundred antisemitic laws and regulations was focused on restricting Jewish citizens from civil service and other aspects of public life.
When their newspapers were shut down. Thomas Jefferson recognized the importance of the free press to American democracy: “No government ought to be without censors: and where the press is free, no one ever will.” Even prior to the pandemic, more than twenty percent of the newspapers in the United States went out of business during the prior fifteen years, according to an article in the New York Times. In addition, the past few months have brought attention to the serious crackdown on independent media and access to online information in Russia.
When might became right and their friends were carried off screaming in the pitch of night. Every day, we read about individuals in Ukraine being forcibly deported to Russia. In our own country, more than one hundred thousand Japanese Americans were forced to leave their homes to be incarcerated in internment camps that were euphemistically called “relocation centers” during World War II.
These images—both historical and contemporary—are so bleak and so painful that sometimes, hope is in short supply. Mr. Rajendra reminds us that our hope is in not turning away, even when “the truth burns.”
In preparing this anthology, I found—and was inspired by—a number of examples, both historical and contemporary, of what not turning away might look like. Some of these voices come from the past and are quite famous: Elizabeth Barrett Browning denounced slavery at great personal and professional cost. Langston Hughes powerfully invoked images of crushing poverty. Edna St. Vincent Millay dared to suggest that “America the beautiful” could become an America that is “beautiful nowhere” if apathy toward the American “cause” continues to prevail. Other voices may be unfamiliar to many readers but are, thankfully, still with us: Naomi Ortiz and Stephen Lightbown are strong voices in the disability justice movement. John Brandi challenges us to see incarcerated persons as persons. Dee Allen requires us to reckon with homelessness through the eyes of a person who has experienced it.
As we continue to have conversations about what it means for us to strive toward “a more perfect union,” I hope some of these voices will serve to inspire and challenge you, as they have me.