Legal Ethics Amid Technological Change: From AI to Virtual Lawyering

Artificial intelligence and digital tools are rapidly reshaping the legal landscape, but they do not eliminate the need for lawyers to comply with longstanding professional rules. The CLE program The Great Tech Quest of 2025: Ethical Considerations in AI, Deepfakes, Social Media, Cybersecurity, and Virtual Lawyering at the ABA Business Law Section (“BLS”) 2025 Fall Meeting delivered a timely and thought-provoking exploration into the ethical, practical, and technological challenges facing today’s legal professionals.

The discussion, moderated by Jasmine Smith, Chair of the BLS Professional Responsibility Committee and Partner at Robinson Gray Stepp Laffitte, featured helpful insights from Amy Richardson, Partner at HWG LLP and Professor at Duke Law School, and Jon Garon, Associate Dean for Technology and Innovation at Nova Southeastern University’s Shepherd Broad College of Law. Exploring topics from deepfakes to cybersecurity, the panel reviewed the various ethical obligations that apply to lawyers in different technological contexts, including core themes of competence and client confidentiality.

Hyperdiligence in the Age of AI and Deepfakes

Lawyers need to be “hyperdiligent” that the information they receive is accurate and correct, particularly with the proliferation of deepfakes and other synthetic media, which are often used in schemes like falsified Zoom calls and elder fraud. According to Garon, almost $5 billion in elder fraud occurred in 2024 (for more information, see another CLE program from the 2025 Fall Meeting, Nana and Poppa Go High Tech: Digital Assets, Online Communities, and the Legal and Business Services Essential for an Aging Population). Manipulated visuals can have a profound psychological impact, even influencing jury perception. Garon explained, “When somebody sees a falsified visual image, about 85% of the time in their recall, they will remember the image without necessarily remembering the information that told them it was fraudulent.” Given these risks, “as fiduciaries, we need to be hyperdiligent for our clients, for our processes, and for our internal procedures,” added Garon. This means precautions such as internal training, requiring two-factor authentication with every sign-in to protect data, and creating code words for financial transactions.

Lawyers also have an affirmative duty to make sure their clients do not misuse synthetic media to perpetrate fraud. If manipulated content is used in legal proceedings, lawyers must alert the court and opposing counsel, mitigate harm, and investigate misconduct. If a deceptive video of a client or key witness has been shared, for example, Garon suggested going to the U.S. Copyright Office with the original deposition and leveraging the notice and takedown provisions of the Copyright Act to get the video removed from the relevant platforms.

When using tools like artificial intelligence (“AI”), particularly in litigation and client representation, lawyers should understand the information that is being shared with a tool or application, review the attendant privacy statements, be familiar with device privacy settings to protect confidential client information, and consider who is alerted when accessing information on various platforms. In certain instances, informed client consent may be necessary, such as where a lawyer decides to use generative AI to summarize a video deposition.

Lawyers’ Online Conduct

As more law firms and lawyers use social media platforms like LinkedIn and TikTok for marketing, networking, client interaction, and diligence, Smith cautioned that lawyers must remain vigilant about confidentiality and the accuracy of information shared online. Garon pointed out that online content not only implicates legal professional ethical obligations but also Federal Trade Commission rules and state laws on unfair and deceptive trade practice.

Before posting on social media, get informed consent if the post contains information that could breach client confidentiality, even if couched in hypotheticals or revealing a client’s identity. Smith clarified, “If someone can deduce what you’re talking about, you may need informed consent.” Lawyers should also be careful about posting workplace videos and photos to avoid inadvertently disclosing confidential information in the background (e.g., documents on a desk, text on a computer screen). “If in doubt, don’t post,” she said.

When promoting legal services or achievements online, lawyers should ensure claims are accurate and not misleading. For example, a claim of a 100 percent win rate without context (such as the calculation being based on a single case) would be misleading. Richardson recommended using appropriate disclaimers. This obligation applies even when a lawyer uses another person or tool to create the content. Garon reminded the audience that “use of a tool is no different than use of an agent to create misinformation.” Lawyers therefore should critically review the accuracy of any AI-generated content, as well as third-party endorsements such as recommendations and testimonials posted on a law firm site or LinkedIn, and remove any claims that are inaccurate or misleading.

Virtual Lawyering

While remote work is increasingly accepted, lawyers must avoid holding themselves out as licensed in jurisdictions where they are not admitted. This prohibition extends beyond simply maintaining a physical office in a place where the lawyer is not licensed to practice; it also includes having continuous and systematic contact with that jurisdiction and creating a recurrent impact there, or holding oneself out as being licensed to practice in that jurisdiction. Exceptions include in-house lawyers or lawyers who provide services authorized by federal law (e.g., the U.S. Patent and Trademark Office, immigration court). State rules governing the practice of law can vary, so Richardson recommended that lawyers comply with local rules and refer to the opinions of the jurisdiction in which they physically sit (not barred) or where the client is located (particularly during use of cloud-based communication tools). She reminded the audience that the obligations of competence, confidentiality, client communication, and staff supervision still apply with remote work. And in cases of uncertainty, Richardson recommended that lawyers call the legal ethics hotline in the state where they sit.

Practicing Cyber Hygiene

Cyber hygiene is paramount when using digital tools. Yet, according to Garon, a 2023 ABA report revealed that only 80 percent of law firms had technology policies and less than 50 percent of firms had implemented email encryption. As a result, Garon urged lawyers to take steps to secure data, including adopting robust data security policies, continuous training, encryption, “least privilege” access, as well as vetting cloud service providers for Health Insurance Portability and Accountability Act (“HIPAA”) data security standards. “Very few firms can afford the consequences of a massive data breach or ransomware attack,” he said.

Finally, the panel warned that free AI services are inappropriate for sharing confidential information and that lawyers must understand both technical and administrative safeguards for these tools. “If you’re not paying for the product, you are the product,” Garon said.

Conclusion

This session underscored the need for legal professionals to adapt to technological change while upholding existing ethical standards. As Garon stated, “Incorporating technology into the practice of law doesn’t change the ethics of the practice.” Looking ahead, the legal profession must continue to evolve, balancing innovation with the responsibility of maintaining the highest standard of conduct and integrity in a digital age.


To learn more, view the program as on-demand CLE, free for Business Law Section members.

Seeing Red Flags in Tricolor: A Colorful Lesson on Collateral Interests

The recent bankruptcy filing of Tricolor Auto Acceptance, LLC (“Tricolor”) highlights collateral-related risks for lenders, providing an opportunity for banks and whole loan purchasers to assess their practices and controls to mitigate risk.

Tricolor Situation Overview

Tricolor, founded in 2007, is a “buy here, pay here” (“BHPH”) subprime auto finance company. This means that it is both an auto dealer and an auto finance company, offering in-house financing directly to its customers. Tricolor is also a Community Development Financial Institution (“CDFI”).[1] Tricolor, which is a subsidiary of Tricolor Holdings LLC, operates over sixty dealerships, the majority of which are located in Texas and California. Subprime customers visit their locations, find a car that suits their budget, and obtain financing on the spot through Tricolor.

Over the past five years, Tricolor has been among the fastest-growing auto lenders in the United States, quadrupling in size. Earlier this year it closed two term securitization transactions, the most recent of which was Tricolor Auto Receivables Trust 2025-2.[2] However, in mid-September, Tricolor’s rapid growth came to a halt when reports surfaced that warehouse lenders had uncovered alleged fraudulent activity, including double-pledging of collateral.[3] Shortly after those reports were published, Tricolor filed for chapter 7 bankruptcy.[4]

Because Tricolor operates as both a BHPH and a CDFI, its auto loan portfolio has features that differ from those of a typical subprime auto finance company. These unique characteristics should be considered when evaluating the lessons to be learned and applying safeguards to similar transactions.

While the facts and circumstances of the Tricolor case are still developing, industry participants across myriad asset classes (including consumer loans, mortgage loans, and esoteric assets) and types of transactions (including whole loan trades, warehouse financings, and securitizations) have renewed their focus on four key areas: (i) improved due diligence, (ii) updating credit agreement provisions related to pledged assets, (iii) revisiting who maintains custody of pledged assets and ensuring better control over cash flows, and (iv) evaluating the treatment of structured finance transactions under the Uniform Commercial Code (“UCC”) and in bankruptcy.

Each area is addressed below, with suggestions for enhanced practices and controls, and with callouts for considerations that may be specific to one asset class or transaction type as opposed to others. However, it is important to note that no set of controls can completely eliminate the risks inherent in third-party relationships, particularly the risk of fraud.

Due Diligence

Due diligence is the single most important step that banks and whole loan purchasers can take to protect themselves against fraud or mistake by originators and servicers. Because every company operates differently, there is no “one-size-fits-all” diligence protocol or checklist. The scope and focus of diligence should be tailored to the company and the asset class, including any aspects of its business model that are unusual or high risk, giving due consideration to the regulatory landscape and the mechanics of enforcement against the specific asset type. Given Tricolor’s unique business model as a BHPH and CDFI, lenders must carefully tailor the due diligence, focusing on the likelihood that its customer base was more deeply subprime than usual and on the collateral risks inherent to BHPH companies.

In general, key areas for proper due diligence include all of the following:

  • Assess the company’s culture of compliance. In addition to public record searches for consumer complaints, licensing issues, regulatory enforcement actions, and lawsuits, consider on-site meetings and interviews with management, as well as a review of compliance policies, procedures, internal controls, and related training materials, to ensure alignment with regulatory requirements. Review not only the current documents but also how they may have recently been updated or changed. Particularly when the asset class involves subprime loans, review of each of these points at regular intervals (e.g., every six months or annually) may be appropriate.
  • Understand bank-fintech partnerships. If the warehouse loans are tied into a bank-fintech partnership, enhanced due diligence is appropriate. In addition to examining the overall culture of compliance, it is recommended to review the program agreement between the bank and the fintech, paying special attention to how involved the bank is in reviewing customer-facing materials, establishing the credit policy, and reviewing consumer complaints.
  • Consider independent reviews or consultants. Engaging third-party specialists can provide objective insights and detect red flags that internal teams may miss. Firms are often engaged by the company to conduct targeted reviews of loan files; lender and portfolio-level due diligence; review of servicing practices; operational assessments, including IT systems and data security controls; cash flow and liquidity analysis; and vendor oversight audits. Ideally, the reports from these reviews can be evaluated and the company can provide updates regarding improvements stemming from the reviews.
  • Consider engaging third parties for ongoing review. Third-party firms may also include verification agents, valuation agents, and hot backup servicing arrangements. A verification agent independently confirms the existence of each asset and the related documentation. A valuation agent provides an independent assessment of the value of the assets, ensuring true and accurate marking as opposed to inflation of value. A hot backup servicer (especially when the primary servicer is an affiliate of the originator) provides a real-time alternative to the entity closest to the assets on a day-to-day basis. In the aggregate, these protections provide operational comfort about the integrity of the assets while deterring double pledging.
  • Conduct lien searches and collateral verification. Fraud often centers on misrepresentation of collateral, making the following steps essential: (i) lien searches to identify other secured creditors of the company who have perfected their security interests and to confirm details about the pledged collateral;[5] (ii) double-pledging controls, including reconciliation of pledged assets across facilities; (iii) electronic chattel paper controls, ensuring systems meet UCC requirements for control and include complete audit trails; and (iv) review of custody practices for both physical and electronic loan files.

The Interagency Guidance on Third-Party Risk Relationships: Risk Management[6] provides further detail on due diligence procedures. Although the guidance addresses banks’ reliance on third-party providers of products and services, it highlights critical areas such as (i) business strategies and goals, (ii) legal and regulatory compliance, (iii) financial condition, (iv) business experience, (v) qualifications and backgrounds of key personnel, (vi) risk management, (vii) information management and security, (viii) incident reporting, (ix) physical security, (x) reliance on subcontractors, (xi) insurance coverage, and (xii) contractual arrangements with other parties.[7]

Contract Provisions

The contracts governing asset purchases by a special purpose entity (“SPE”) and the pledge of those assets to a lender, trustee, or other secured party are essential to mitigating risk. These agreements generally address four core elements relating to the collateral, including (i) representations and warranties, (ii) covenants, (iii) repurchase and indemnification remedies, and (iv) audit and inspection rights.

Representations and Warranties. For common asset types, there is a well-developed and relatively market-standard set of representations and warranties. The Rule 17g-7(N) reports published by rating agencies for rated ABS are a good source for benchmark representations and warranties for various asset types.[8]

For example, a whole loan trade, warehouse financing, or securitization of auto loans will typically contain the following representations or warranties, or some variation thereof, which help to establish chain of title, the creation and perfection of first-priority perfected security interests, and the physical location of the collateral:

  • Each receivable (i) was originated in the United States by a dealer for the retail sale of a financed vehicle in the ordinary course of such dealer’s business and has been fully executed by the parties thereto and (ii) was purchased by the seller from a dealer and was validly assigned by such dealer to the seller.
  • Immediately before the sale under the purchase agreement, the seller had good title to each receivable free and clear of any lien other than permitted liens and, immediately upon the sale under the purchase agreement, the purchaser will have good title to each receivable, free and clear of any lien other than permitted liens.
  • There is only one original executed copy of each receivable.
  • The receivables constitute “chattel paper” (including “tangible chattel paper” and “electronic chattel paper”), “accounts,” “instruments,” or “general intangibles” within the meaning of the applicable UCC.
  • Other than the security interest granted to the indenture trustee under the indenture, the issuing entity has not pledged, assigned, sold, granted a security interest in, or otherwise conveyed any of the receivables. The issuing entity has not authorized the filing of, nor is the issuing entity aware of, any financing statements against the seller, the depositor, or the issuing entity that include a description of collateral covering the receivables other than the financing statements relating to the security interests granted to the depositor, the issuing entity, and the indenture trustee under the basic documents or any financing statement that has been terminated. The issuing entity is not aware of any judgment or tax lien filings against the seller, the depositor, or the issuing entity.
  • The custodian has in its possession or with other third-party vendors all original copies of the receivable files and other documents that constitute or evidence the receivables. The receivable files and other documents that constitute or evidence the receivables do not have any marks or notations indicating that they have been pledged, assigned, or otherwise conveyed to any person other than the depositor. All financing statements filed or to be filed against the issuing entity in favor of the indenture trustee in connection herewith describing the receivables contain a statement to the following effect: “A purchase of or security interest in any collateral described in this financing statement will violate the rights of the indenture trustee.”

Similar representation and warranty packages that are tailored to the particular asset type are also included in whole loan trades, warehouse financings, and securitizations of other consumer, mortgage, and esoteric assets.

Covenants. In addition to representations and warranties, transaction documents typically include affirmative (positive) and negative covenants that apply throughout the life of the transaction. Each key or material representation is generally paired with a corresponding covenant, ensuring that the stated condition remains true throughout the life of the transaction (e.g., a representation confirming perfection would be paired with a covenant requiring maintenance of perfection).

Special Purpose Covenants. In addition to the standard set of affirmative and negative covenants, financial transactions may also include special purpose covenants that are designed to keep a subsidiary legally separate from its parent. The covenants include things the company must do (e.g., maintaining separate books and records, holding itself out as a separate entity, and maintaining adequate capital) as well as things the company must not do (e.g., commingling of assets, guaranteeing the debt of others, or dissolving without the consent of an independent manager). The covenants in the aggregate are a conglomerate of bankruptcy case law, which wards against the special purpose entity being consolidated into the estate of its parent such that there is legal isolation between the assets of the company and the creditors of its parent.

Indemnities, Repurchases, and Other Remedies. When a representation, warranty, or covenant is breached, the affected party typically has notice and cure rights and, if uncured, specified remedies (e.g., indemnification, repurchase or substitution of affected assets, servicing transfer, or declaration of an event of default). Note that the representations, warranties, and covenants described above, as well as the corresponding remedies for their breach, are generally well suited to deal with the occasional breach with respect to a modest portion of the asset pool. The protections are less reliable in the case of fraud or pervasive breach, particularly where the originator or servicer is in financial distress or is otherwise unable or unwilling to satisfy its repurchase and indemnification obligations.

Note also that indemnification and repurchase obligations are unsecured corporate credit obligations of the seller or servicer. If the seller or servicer is in bankruptcy, indemnity/repurchase claims are subject to the automatic stay (and will generally be treated as unsecured claims in any bankruptcy case).

However, an important exception to the automatic stay arises in the warehouse finance context with respect to mortgage loans. The bankruptcy safe harbor protects certain participants in certain financial contracts backed by mortgage loans. In the repo context, the Bankruptcy Code permits creditors/repo buyers to terminate the financial contract, accelerate the related debt, and liquidate the related assets notwithstanding the bankruptcy of the repo seller and the automatic stay.[9] Such actions may not be stayed or otherwise avoided by any other provision of the Bankruptcy Code.[10] It is critical to engage skilled legal counsel to structure transactions to take full advantage of the bankruptcy safe harbor to the extent the related asset and deal participants are eligible for such protection.

Audit and Inspection Rights. Robust audit rights are a primary control for validating collateral quality, confirming continuing perfection and priority, and detecting emerging operational or fraud risks. In addition to baseline access and inspection rights, parties should push for more frequent, risk-calibrated audits—particularly in the first twelve to eighteen months of a new counterparty relationship or upon performance drift. Key elements to address are (i) broader scope and access, including unannounced visits; (ii) increased frequency and triggers; and (iii) clear logistics and cost-sharing arrangements.

Custody of Assets

Not all warehouse lending facilities or term ABS deals utilize a third-party custodian. In some cases, rating agencies, investors, and lenders may permit a well-established or highly rated seller/servicer to act as custodian of the securitized assets. In the mortgage loan repo context, however, it is market-standard to engage a third-party custodian at the start of the transaction. The triparty custodial arrangement requires a check-in process for the contents of the mortgage file, the delivery of an exception report with respect to any missing items in each mortgage file, and a checkout process for certain discrete reasons, including servicing of the loan and the review of such files by potential takeout investors. These arrangements often require any released mortgage files (including the negotiable instruments evidencing the obligation to pay) to be returned well within the date the UCC would deem the lender’s perfection by possession to be terminated.[11] The use of a third-party custodian is another critical lender protection in the mortgage repo market that should be maintained.

The use of a third-party custodian provides several important benefits, including (i) supporting and evidencing perfection (by possession or control, as applicable), (ii) preventing double-pledging and loss of collateral, and (iii) operationalizing clear release/return mechanics. This is particularly critical for transactions secured by tangible chattel paper, electronic chattel paper, instruments, and/or mortgage notes, where perfection by possession or control has priority over perfection by UCC filing alone.

It is important to remember that the use of a third-party custodian does not eliminate all collateral-related risks, particularly the risk of fraud. Indeed, a third-party custody agreement will typically provide that the custodian makes no representations as to the validity, legality, perfection, priority, enforceability, recordability, ownership, title, sufficiency, due authorization, or genuineness of any of the documents contained in any receivable file or of any of the contracts.

Control of Cash Flow

One other important lender protection found in the warehouse financing space is the control of cash flow. This is typically achieved through a triparty servicing arrangement, where the servicer acknowledges that the financed assets are now subject to the security interest of the warehouse lender and agrees to service such assets on behalf of the lender and other secured parties, particularly upon the occurrence of an event of default under the related credit agreement. Under this arrangement, all income generated by the assets is swept by the servicer into a controlled account after receipt and identification by the servicer. This construct minimizes the risk of “leakage,” meaning cash flowing outside the priority of payments in the credit arrangement (which is often called a waterfall). The involvement of the third-party servicer also wards against the risk of double-pledging, since the servicer’s acknowledgment and cash sweep mechanics make it clear that the income belongs to that particular lender, making it difficult for the borrower to double-pledge the assets to any other lender.

The Tricolor Bankruptcy Proceeding, and Risks and Protections for the Lenders

Chapter 7 Bankruptcy. Tricolor’s chapter 7 petition will result in a liquidation of the business. It is highly unusual for a case of this size and scope to file for a chapter 7 liquidation. Typically, large companies will file for protection under chapter 11 of the Bankruptcy Code, which permits reorganization and typically keeps the current directors and officers in place to run the company during the bankruptcy.

Secured Creditor Claims in Bankruptcy. Under section 506 of the Bankruptcy Code, secured creditors are granted an allowed secured claim equal to the value of the collateral. The secured creditor may also have an unsecured deficiency claim equal to the amount of the claim that is in excess of the value of the collateral, to the extent that the collateral is worth less than the amount of the claim.

To determine the value of the collateral and the security of a claim, the Bankruptcy Code authorizes debtors (and trustees) to value the collateral.[12] If the value of the collateral exceeds the claim amount, then the secured creditor may be entitled to receive unmatured interest or any fees or charges that otherwise would have been payable to that creditor.[13] If the value of the collateral is less than the claim amount, then secured creditors are entitled to receive an unsecured claim for any shortfall in value. Unsecured claims generally receive less than secured claims in bankruptcy cases.

However, the Bankruptcy Code affords secured creditors protections during the pendency of Tricolor’s chapter 7 case. Under section 363(e), secured creditors are also entitled to adequate protection of “any interest in property used, sold, or leased . . . by the trustee.” Adequate protection protects secured creditors from a diminution in the value of their collateral during the bankruptcy—thus protecting secured creditors’ property rights during the pendency of the case. Adequate protection generally includes periodic cash payments to the secured creditor and the grant of replacement liens to compensate for any diminution in value of the collateral.[14]

Risks for Secured Creditors in Bankruptcy. Given the allegations concerning Tricolor’s prepetition conduct and the precipitous decline of its business over the summer, a trustee may be incentivized to pursue litigation claims to maximize value for the estate, including:

  • Fraudulent Transfer Claims: The trustee may pursue claims for fraudulent transfer. There are two types of fraudulent transfer claims available to trustees for recovery. In most jurisdictions, there is a four-year look-back period to potentially unwind prepetition transactions.
    • First, under constructive fraud, the trustee may recover transfers made for less than fair consideration at a time when the debtor was insolvent. The trustee may pursue such actions to avoid payments to creditors, or to unwind certain aspects of the overall transaction (such as the liens securing any debts). However, the trustee may not recover from creditors that received the value for satisfaction of a prebankruptcy debt, provided that such creditors have acted in good faith and lacked knowledge of the voidability of the challenged transfer.[15]
    • Second, and potentially relevant here, the trustee may recover payments or transfers that were made with the intent to hinder, delay, or defraud creditors. These are known as “actual fraudulent transfers.” Defenses to actual fraudulent transfer claims include the lack of “badges of fraud” evidencing intent to defraud creditors.
    • Notably, nondebtors are typically protected from fraudulent transfer arguments with respect to settlement payments to financial institutions in connection with a securities contract.[16] The Bankruptcy Code also prevents the avoidance of any transfer made “in connection with a repurchase agreement” prior to the filing of a bankruptcy.[17] Moreover, if the creditors are parties to certain safe harbored contracts (such as repurchase agreements), then certain actions taken to accelerate, liquidate, or terminate a repurchase agreement may not be avoided under the avoidance provisions of the Bankruptcy Code as noted above.[18]
  • Preference Claims: Section 547 of the Bankruptcy Code also authorizes the trustee to avoid any payments made to a creditor within ninety days of the bankruptcy filing, if such payment enables the creditor to recover more than it would if the case were in chapter 7 or the payment had not been made. As a general rule, a prepetition transfer to a fully secured creditor will not be considered preferential, because the creditor would be paid in full in a hypothetical chapter 7 liquidation.[19]
  • Lien Avoidance: The trustee may also avoid any unperfected liens under section 544 of the Bankruptcy Code. Specifically, section 544(a) grants a bankruptcy trustee the powers of a hypothetical judgment lien creditor. The trustee may avoid any unperfected lien if, under applicable nonbankruptcy law, a hypothetical judgment lien creditor could have obtained a superior lien on any collateral subject to that unperfected lien.

Creditors therefore may potentially become targets of the chapter 7 trustee in its efforts to claw back value into the estate.

Conclusion

The Tricolor case has led to renewed focus on due diligence, credit agreement provisions related to pledged assets, the custody of pledged assets, control over cash flows, and the treatment of structured finance transactions under the UCC and in bankruptcy. Although the risk of fraud or mistakes cannot be fully eliminated, robust due diligence (upfront and ongoing), well-tailored contract provisions, and suitable asset custody and cash flow controls can reduce the probability of loss and mitigate any losses that do occur.


The authors thank Kathryn Borgeson, Christopher Dickson, Stuart Goldstein, Christopher McDermott, Lisa Pauquette, Hunter White, Thomas Curtin, James McDonnell, and Alexander Strom for their contributions to this article.

This article has been prepared for informational purposes only and does not constitute advertising or solicitation and should not be used or taken as legal advice.


  1. CDFIs are financial institutions that are focused on providing credit to underbanked and unbanked populations. For more information about CDFIs, see the U.S. Department of the Treasury’s CDFI Fund website.

  2. See the S&P Presale Report for more information. Kelly R Luo & Sanjay Narine, Presale: Tricolor Auto Securitization Trust 2025-2, S&P Global (June 4, 2025). Tricolor has several other term asset-backed securities (“ABS”) transactions that remain outstanding.

  3. Amelia Pollard, Tricolor Collapse Sparks Concern About Health of US Subprime Auto Sector, Fin. Times (Sep. 15, 2025).

  4. An independent third-party trustee has already been appointed to oversee the bankruptcy case. The chapter 7 trustee’s role will primarily be to liquidate assets to maximize value for creditors. Those assets can include claims against the debtor’s prior officers and directors, as well as against creditors and other parties for actions taking place in the run-up to bankruptcy.

  5. Note that lien searches will not be effective to identify a secured party who has perfected its security interest solely by possession (in the case of tangible chattel paper) or control (in the case of electronic chattel paper).

  6. See 88 Fed. Reg. 37920 (June 9, 2023).

  7. Id. at 37929–37931.

  8. See, e.g., S&P Global Ratings 17g-7(N) Benchmark and Disclosure Reports, S&P Global (last visited Oct. 2, 2025).

  9. See 11 U.S.C. §§ 362(b)(7), 559.

  10. 11 U.S.C. § 559.

  11. Twenty days for instruments perfected by possession. U.C.C. § 9-312(g). Note that there is not a parallel permission for a secured party in possession or control of chattel paper to relinquish it to the debtor for servicing; therefore, secured parties in possession or control of chattel paper will rely on filing perfection during any such release for servicing.

  12. 11 U.S.C. § 506(a)(1).

  13. 11 U.S.C. § 506(b).

  14. 11 U.S.C. § 361.

  15. 11 U.S.C. § 550.

  16. 11 U.S.C. § 546(e).

  17. 11 U.S.C. § 546(f).

  18. 11 U.S.C. § 559.

  19. See Official Comm. of Unsecured Creditors of 360Networks (USA) Inc. v. AAF-McQuay, Inc. (In re 360Networks (USA) Inc.), 327 B.R. 187, 190 (Bankr. S.D.N.Y. 2005).

The Model Business Corporation Act at 75

The Model Business Corporation Act (the “Model Act” or “MBCA”) serves as a key framework for corporate entities in the United States, frequently referenced alongside the Delaware General Corporation Law. To date, thirty-six jurisdictions have adopted the Model Act, either in whole or in part. First published in 1950 by the Corporate Laws Committee (“Committee”) of the American Bar Association (“ABA”) Business Law Section, the Model Act aroused significant interest from the business community. Over the past seventy-five years, it has been subject to ongoing review and refinement by the Committee.

At the recent ABA Business Law Section 2025 Fall Meeting, held in Toronto, the Committee presented a program focusing on key considerations in connection with the seventy-five years of existence of the Model Act, titled “75 Years Young: The Model Business Corporation Act and Its Relevance for Corporate Law Today.” The panel discussion, moderated by Steven Hass, Partner at Hunton Andrews Kurth, featured insights from Maureen Gershanik, Partner at Fishman Haygood; Claudia Allen, Senior Advisor at KPMG Law; Daniel Witschey Jr., Of Counsel at Bracewell; and Heyward Armstrong, Partner at Smith Anderson. All panelists are members of the Committee.

Continuous Relevance of the Model Act

The panelists highlighted the growing importance and influence of the Model Act since its inception. The discussion began with introductory observations from the moderator, Hass, who emphasized the Act’s enduring relevance, noting, “If you group up the Model Act states . . . , the Model Act is actually by far the predominant source of corporate law in this country and governs far more corporations than Delaware does.” Witschey then provided a detailed historical overview of amendments to the Act that addressed, among other things, issues relating to developments in states. He highlighted that from 1950 to the present, the Model Act has been actively maintained and subject to numerous revisions. Among the most notable was the 1974 introduction of a standard of care for directors, one of the Act’s distinguishing provisions when compared with Delaware law.[1] During this presentation, Hass drew attention to amendments in the mid-2000s emphasizing officers’ duties to inform others of material violations of law and enabling a corporation to change the plurality voting standard in director elections to a majority voting standard. Providing background information on these revisions, and more specifically the change on plurality voting, he explained that they occurred in the wake of the financial accounting scandals of Enron and WorldCom and reflected growing demands from investors for more board accountability to enable these changes. His remarks underscored how the Model Act has evolved over time in direct response to market developments and stakeholder expectations.

Monitoring and Updating Process for the Model Act

The panelists also examined how the Committee continuously monitors legal and business developments to ensure the Model Act remains current. Allen explained that in reviewing the legal landscape, the Committee is particularly mindful of its primary constituency, which is private companies rather than large public corporations.

When the Committee determines that revisions are warranted, proposed amendments follow a three-step review process, as outlined in the Committee’s recent article The Model Business Corporation Act at 75.[2] In response to a question about whether changes often originate from external feedback, such as reaching out to the Committee and identifying an issue in practice or forwarding a decision from a Model Act state, Allen confirmed that this occurs from time to time. She provided, as an example, the revision of the Model Act’s indemnification provision, which was prompted by an issue identified by an individual. She encouraged the public to reach out to the Committee regarding practical challenges in applying the Act, stating, “We really encourage hearing from people. We want to know if the statute works.”

On this point, Gershanik emphasized that while the Committee can move swiftly in addressing certain issues, it also follows formal protocols that take time. “We still have a deliberative process,” she noted, adding that this approach enhances the quality of the Committee’s work and ensures that revisions provide well-considered solutions to emerging issues.

The discussion concluded with an overview of defining aspects of the Model Act, underscoring the Committee’s longstanding efforts to promote clarity, efficiency, and consistency while reducing areas of dispute and litigation.

ABA Model Business Corporation Act Resource Center

Armstrong provided an overview of the resources available on the ABA website relating to the Model Act, collected in the Model Business Corporation Act Resource Center. These include the current version of the Model Act, the Model Act Enactment Toolkit, relevant ABA publications, past issues of the Committee’s MBCA Newsletter, and more. Such materials are designed to assist a wide range of stakeholders, from practitioners advising on the Model Act to states considering adopting its provisions.

The Committee emphasized its commitment to supporting both Model Act and non–Model Act jurisdictions in related initiatives and invited the public to engage with its work. As Armstrong noted, “If you are in a bar association or other organization and you are part of helping a state maybe make amendments to its corporate law, . . . please come to see me after this—I want to talk to you.”

Looking ahead, and in light of the numerous initiatives underway across the country to revise state codes, it will be interesting to observe the extent to which the Model Act gains traction in non–Model Act jurisdictions.


To learn more, view the program as on-demand CLE, free for Business Law Section members.


  1. Corporate Laws Committee, A.B.A. Business Law Section, The Model Business Corporation Act at 75, 80 Bus. L. 669 (2025).

  2. Id.

In Remembrance of Juliet M. Moringiello: A BLS Member Who Left a Radiant Legacy to the Section

An infectious laugh. Always welcoming—and an empathy for others that created an aura of goodwill felt by everyone Juliet touched, whether they were fellow academics, ABA Business Law Section (“BLS”) members, staff, law students, or any of the countless people who crossed her path in her incredible legal career.

Professor Juliet M. Moringiello will be remembered for many, many years to come.

Her remarkable life ended on February 27, 2025, when Juliet passed away quietly from cancer. The shock and grief of her passing was quickly replaced by a torrent of accolades, heartfelt remembrances, and testimonials from her family and friends; her colleagues at the Widener University Commonwealth Law School, where she taught for thirty-one years; her fellow editors at Business Law Today; and the legal community.

“Juliet was a rare combination of elegance and accessibility, academic brilliance and earthy practicality. She was interested in the world, and in helping people on the most basic levels,” said Ted Claypoole, Business Law Section Content Officer and partner with Womble Bond Dickinson. “Juliet was a pleasure in company and deeply comfortable in her own mind. I miss learning her thoughts on everything from recent literature to the Uniform Commercial Code to the best diners in New Jersey. We were all richer for her friendship.”

The warmth of her personality was accompanied by a host of accomplishments in her legal and academic career.

Juliet was a respected educator, chosen twice by students for Widener Law Commonwealth’s Outstanding Faculty Award. In the last several years of her life, she also served as associate dean for academic affairs.

She was a pillar in the world of law reform, serving as a Uniform Law Commissioner for Pennsylvania and a member of the Permanent Editorial Board for the Uniform Commercial Code. Juliet’s keen insight and wisdom served her well in those efforts. One highlight was her key role in the drafting process for the 2022 UCC amendments to address emerging technologies, which included the introduction of the new Article 12, as vice chair of the drafting committee.

Juliet was Business Law Today’s executive editor for Internet Law & Cybersecurity since 2017, and a member of the editorial board for even longer. She was also a leader with the ABA BLS Cyberspace Law (now Cyber and Technology Law) Committee and Uniform Commercial Code Committee; an elected member of the American Law Institute; a longtime board member of the BLS Publications Board; and a prolific contributor to BLS content.

“Let me highlight something even more foundational that truly set Juliet apart: Her ability to make everyone in her presence feel as though they belong,” said Kristen David Adams, William Reece Smith Jr. Distinguished Professor of Law and Director, Dispute Resolution Board, at Stetson University College of Law. Across all facets of her career, Juliet was a mentor to countless students and professionals. “I can’t tell you how many people have told me a story about how she made them feel welcomed, how she helped them to overcome their impostor syndrome, and how she encouraged them. When Juliet welcomed someone, they felt like an insider.”

Such determination to “connect” with others made her a consummate professional in her other passion: providing skiing lessons for children and adults. She inspired a whole generation of skiers in Pennsylvania!

Without a doubt, Professor Juliet M. Moringiello leaves behind an enviable legacy that many strive for but few achieve.

As Norman Powell, Business Law Section chair, so aptly put it, “Juliet was extraordinary: brilliant, humble, insightful, and caring. She approached her tasks with intensity and an easy grace, bringing out the best in her collaborators and students.”

Further remembrances of Juliet can be found in Professor Christopher K. Odinet’s memorial article, Juliet’s in memoriam faculty page from Widener University Commonwealth Law School, and, for ABA BLS Cyber and Technology Law Committee members, the Committee’s March 2025 newsletter.

Cross-Border Discovery: Why Local Counsel Is Indispensable

As I traveled to Toronto, Canada, for the 2025 Fall Meeting of the ABA Business Law Section, it struck me that I was navigating the delicate balance of being a foreigner among friends, which our international colleagues must traverse each and every time they cross a border, whether it’s for another section meeting, or in the pursuit of their clients’ goals. And especially for me as a young litigator, this became all the more apparent as I listened to a group of incredible panelists present the CLE program “Cross-Border Enforcement in Discovery, Including Data and Personal Privacy Considerations.” We live in a globalized world, where transactions and clients transcend traditional boundaries. Therefore, in order to most effectively advocate when litigation arises (or could arise), it is essential to understand exactly how to obtain (or protect) evidence.

This CLE, which took place on September 19, 2025, included experts who have practiced in jurisdictions around the world. First, we met Steven Barber, partner at Steptoe LLP. Moderating the panel on behalf of Judge Gail Andler (retired) was Deborah Templer, partner at McCarthy Tetrault, LLP. The third panelist was Jonathan Fitch, an international arbitrator and mediator for JAMS. Rounding out the panel was Kim Nemirow, a partner at Kirkland & Ellis, LLP.

International Discovery: Guidelines and Considerations

While the panel primarily focused on issues and considerations in obtaining discovery in the United States and Canada, they also briefly touched on the importance of the Hague Evidence Convention in seeking discovery beyond those two borders. The Hague Evidence Convention guides the taking of discovery abroad (a voluntary process that protects sovereignty). Sixty-nine countries are signatories, including the United States.

United States international discovery is also governed by 28 U.S.C. § 1781 and § 1782, which are U.S. statutes allowing both the direct transmittal of letters rogatory (the formal request for judicial assistance to exchange discovery) between tribunals and permission for a U.S. district court to compel production of evidence from a person/entity in the court’s jurisdiction for use in a foreign proceeding or international tribunal. Therefore, when working with a client who needs to engage in cross-border discovery, it is important to note if the country in which you are seeking information is a Hague Evidence Convention signatory or not and whether you need information from within the United States. However, while the panelists did recommend having a working knowledge of the rules and considerations that guide discovery, they confirmed that the first thing to do when seeking discovery in a foreign jurisdiction is to obtain local counsel, who will be your guide through the local and/or national standards that may limit the ability to seek discovery.

Barriers to Information: Blocking Statutes, Data Privacy, and Investigations

The next key takeaway from the program was the importance of local blocking statutes, data privacy laws, and investigation considerations.

To begin, most jurisdictions have enacted blocking statutes, which protect their citizens against foreign discovery orders seeking evidence. Unless your request fits into an exception of that statute, you may have to engage in creative lawyering to obtain the information you need, as a lack of exception may lead that court to not even recognize discovery orders from your jurisdiction. Next, consider local data privacy laws and local statutory privilege issues. There may be different attorney-client privilege rules in the other jurisdiction.

Also consider what, if any, cultural differences in data sharing and attorney-client relationships exist between your practicing jurisdiction versus where the evidence is. These issues and statutes impact how, or if, one can obtain data from a third party or individual residing in that jurisdiction. Further, depending on the statutory guidance, one may not even be able to get the data out of the country; so consider that when seeking discovery.

But, what if you’re not even in litigation; you’re just conducting an investigation? That investigation could be either internal or in cooperation with a regulator, but the data is in another country. The same considerations, as previously discussed, apply.

Once again, it becomes clearer how important it is to engage local counsel—don’t engage in cross-border discovery without them.

Word Choice Is Important: Understanding How to Tailor the Discovery Request

Discovery in all jurisdictions is discretionary, but especially in Canada, which is not a signatory to the Hague Evidence Convention, where it is rooted in principles of comity and reciprocity. Therefore, to engage in cross-border practice between Canada and the United States, we now come to the panelists’ discussion of how to obtain discovery information—a practical tool for any international litigator. The importance of narrowly tailoring your discovery request, especially for letters rogatory, was heavily emphasized. As a U.S.-based litigator who has so far only found themselves in state and federal court, the discovery I’ve seen has generally been lengthy and broadly written. So as you find yourself venturing into other jurisdictions, be extremely specific in your asks.

In Canada and the United States, the decision to grant a discovery request is a two-part test. In Canada, the court begins with the statutory/jurisdictional basis for granting the request and then decides, in part two, if it should grant the request. While there are several factors, the most important is the relevancy of the information sought. Given that the common objections include (1) that the evidence is not necessary to the U.S. litigation, (2) that the evidence could be obtained in the United States through other parties, or (3) that the request is overly broad, we see why it is essential to narrowly tailor the request. If not, the Canadian court might just do it for you. This is also true of letters rogatory in the United States—when letters rogatory are used to seek information in a U.S. jurisdiction by a foreign litigant or tribunal, the information is usually limited to documents or depositions.

The U.S. two-part statutory and discretionary test examines (1) whether the person/entity from whom discovery is sought resides, or is found, in the geographical reach of the U.S. district court, and (2) whether the discovery is going to be “for use” in a foreign or international tribunal. This means that one doesn’t have to actually be in litigation to seek evidence located in the United States with a letter rogatory—one just has to be reasonably contemplating litigation. But for both countries, be mindful that anyone providing an affirmation to the supporting documentation for the discovery request is open to cross-examination, so choose wisely.

International Arbitration and Discovery

When it comes to cross-border discovery in arbitration, most countries are guided by the New York Convention, which enforces arbitration agreements (Article IV). However, there can be significant obstacles to obtaining discovery in arbitration. First, arbitrators have no coercive power to compel discovery, and discovery orders are not enforceable per se in the European Union. Further, provisions of the Hague Evidence Convention do not apply to commercial arbitration. In addition, in arbitration, unlike in litigation, blocking statutes may not apply to discovery, though that will be dependent upon the law of the arbitration seat. One may also have to seek to have information produced based on disclosure under specific laws, so, once more, local counsel is key.

Perhaps the biggest takeaway from this informative CLE is that when engaging in cross-border discovery, obtain local counsel. They will help you narrowly frame your request so that it is granted. They will be your partner in speaking to the relevance and necessity of the evidence sought. They are essential to understanding local data privacy restrictions as well as attorney-client privilege protections or limitations. They are the essential partner to any international litigant, and obtaining them should be the first discussion with your client.


To learn more, view the program as on-demand CLE, free for Business Law Section members.

Outdated Cybersecurity Practices: Why the Legal Market Must Evolve

Law firms and corporate legal departments are prime targets for cyberattacks—and that’s no surprise. The legal industry manages a trove of sensitive data: client records, intellectual property, regulatory filings, case strategies, and more. Add to that the growing reliance on digital platforms, hybrid work models, and third-party vendors, and the sector’s risk profile becomes even more complex. The consequences of a breach, including financial, regulatory and reputational impacts, can be severe and far-reaching.

Yet despite this elevated risk exposure, many legal organizations continue to operate under outdated cybersecurity assumptions. Legacy security controls and well-worn practices linger, often due to institutional inertia or misplaced confidence. Unfortunately, the cyber threat landscape has outpaced these approaches, and the legal industry can no longer afford to treat security as a static checklist.

Cyber threats today are more agile, distributed, and adaptive than ever. Ransomware attacks, phishing campaigns, and data breaches dominate headlines. Insider threats and credential abuse continue to plague organizations. Sophisticated adversaries leverage automation, artificial intelligence, and the cloud to exploit gaps and scale operations with alarming speed.

In the legal market, recent incidents have been a wake-up call. For example, in 2023, an agreement was reached between the law firm Heidell, Pittoni, Murphy & Bach LLP and the New York Attorney General for the firm to pay $200,000 in penalties resulting from a data breach that compromised individuals’ personal and healthcare data. The firm, which represents hospitals and maintains private patient information, was cited for security failures that violated state law as well as the Health Insurance Portability and Accountability Act (“HIPAA”), and as part of the agreement it was required to adopt improved data security measures.

Larger firms are certainly not immune from cyber incidents. In 2024, Orrick, Herrington & Sutcliffe agreed to an $8 million settlement stemming from a data breach detected the previous year; and just recently, a class action lawsuit was filed against Kelley Drye & Warren over a breach that allegedly occurred earlier this year.

The high-profile breaches of law firms that may be handling M&A transactions or representing high-net-worth clients underscore how attractive to cyber criminals, and how vulnerable, these entities are. Compounding this are rising regulatory expectations—including updates from the Securities and Exchange Commission and the Federal Trade Commission, which increasingly scrutinize law firms’ security practices when assessing liability and compliance.

Despite this shifting landscape, many firms continue to rely on outdated defenses that leave critical gaps unprotected. The most common obsolete practices in the legal sector include:

  1. Overreliance on traditional, point-based cybersecurity solutions. Many firms still depend on individual tools, such as antivirus software, firewalls, or VPNs, that were not designed to handle today’s multivector threats. These siloed solutions often lack the integration and visibility needed to detect coordinated or stealthy attacks across environments.
  2. Trusting endpoint detection and response (“EDR”) alone. While EDR platforms have significantly advanced endpoint security, they are no longer sufficient on their own. Attackers increasingly target areas EDR simply does not monitor, such as cloud platforms, APIs, and network infrastructure. OAuth token abuse in Microsoft 365 or lateral movement via Internet of Things devices can easily bypass EDR’s protections.
  3. Reliance on traditional password policies. Many legal organizations still enforce outdated password rules that emphasize complexity (e.g., symbols, numbers, and case sensitivity) and frequent resets. These policies frustrate users, often leading to insecure practices like writing passwords down on paper and using the same password for multiple accounts. Worse, they offer little defense against modern attack methods like credential stuffing.

Despite clear evidence of obsolescence, these legacy practices often endure for understandable reasons, starting with the basics of familiarity and habit. IT teams and users alike are comfortable with tools they have used for years and averse to change. Many have budget constraints, especially in small or midsize firms, which can delay upgrades or platform migrations. Some face compliance myopia and equate passing an audit with being secure, ignoring emerging risks not yet codified in regulations. Yet others have a fear of disruption, with leaders worried that major changes could interrupt client service or raise internal resistance.

While these are valid concerns, firms should weigh them against the cost of inaction: data loss, regulatory penalties, lost clients, and reputational damage.

The good news? Effective, modern alternatives exist and can be implemented in legal environments and beyond without compromising service delivery or user productivity, both of particular concern for firm partners.

Updated cybersecurity solutions for law firms and legal departments to consider include the following:

1. Replace Point-Based Solutions with Integrated Security Architectures.

Adopt a layered, defense-in-depth model that includes:

  • Extended detection and response (“XDR”) for unified visibility across endpoints, networks and the cloud.
  • Cloud security posture management (“CSPM”) tools to monitor misconfigurations and exposures in software as a service (“SaaS”) and infrastructure as a service (“IaaS”) platforms.
  • Network detection and response (“NDR”) to detect lateral movement and anomalous behavior at the infrastructure level.
  • Security information and event management (“SIEM”) systems to correlate data from across your ecosystem and surface real-time alerts.

Outsourcing some functions to managed detection and response (“MDR”) services or 24/7 security operations centers (“SOCs”) can help firms gain enterprise-grade protection without building everything in-house.

2. Move Beyond EDR.

Continue using EDR, but recognize its limits. Pair it with solutions that monitor identity usage, cloud logs, and API behavior. Prioritize observing trust relationships between systems and accounts, and monitor service accounts and federated logins closely.

3. Adopt Modern, NIST-Aligned Password Practices.

Shift from complexity to length and usability—a change aligned with password guidance from the U.S. National Institute of Standards and Technology (“NIST”). Key changes include:

  • Require long passphrases (15 or more characters) rather than cryptic strings.
  • Eliminate periodic password resets unless there is evidence of compromise.
  • Screen new passwords against known breach datasets.
  • Mandate multifactor authentication wherever possible.
  • Provide and encourage use of password managers for storing credentials securely.

These practices reduce human error and improve both security and user experience.
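The length and breach-screening rules above can be enforced at password-set time, as in this added example, which is not from the original article. The function names, the 256-character upper bound, the hash-prefix bucketing and the small breach corpus are constructed assumptions; the 15-character minimum and the "no reset without evidence of compromise" rule are the article's.

```python
import hashlib
import unicodedata
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 15    # the article's figure: passphrases of 15 or more characters
MAX_LENGTH = 256   # assumed upper bound, present only to cap hashing cost

# Constructed sample corpus; a real deployment would load a breach dataset.
CONSTRUCTED_BREACH_CORPUS = [
    "Password1!",
    "Summer2024!",
    "correct horse battery staple",
    "qwertyuiopasdfgh",
]


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical input compares and hashes equally."""
    return unicodedata.normalize("NFKC", password)


def _sha1_hex(text: str) -> str:
    # SHA-1 is used here only as a lookup key into the breach corpus,
    # never for storing credentials.
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


@dataclass
class BreachIndex:
    """Breached-password hashes bucketed by the first 5 hex characters.

    If the buckets lived in a remote service, only the 5-character prefix
    would need to leave the process; the suffix comparison stays local.
    """
    buckets: dict = field(default_factory=dict)

    @classmethod
    def from_passwords(cls, passwords):
        index = cls()
        for pw in passwords:
            digest = _sha1_hex(normalize(pw))
            index.buckets.setdefault(digest[:5], set()).add(digest[5:])
        return index

    def contains(self, password: str) -> bool:
        digest = _sha1_hex(normalize(password))
        return digest[5:] in self.buckets.get(digest[:5], set())


def evaluate_password(candidate: str, index: BreachIndex) -> list:
    """Return rejection reasons; an empty list means the password is accepted.

    Deliberately absent: any rule about symbols, digits or mixed case.
    """
    pw = normalize(candidate)
    reasons = []
    if len(pw) < MIN_LENGTH:          # counted in Unicode code points
        reasons.append("too_short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too_long")
    if index.contains(pw):
        reasons.append("found_in_breach_corpus")
    return reasons


@dataclass
class Credential:
    last_changed: datetime
    compromise_evidence: bool = False


def check_at_login(password: str, cred: Credential, index: BreachIndex) -> bool:
    """Re-screen at login, the only moment the plaintext is available,
    so passwords that appear in a later corpus update are caught."""
    if index.contains(password):
        cred.compromise_evidence = True
    return cred.compromise_evidence


def reset_required(cred: Credential) -> bool:
    """Age alone never forces a reset; only evidence of compromise does."""
    return cred.compromise_evidence


if __name__ == "__main__":
    idx = BreachIndex.from_passwords(CONSTRUCTED_BREACH_CORPUS)
    for sample in ["P@ssw0rd!2024", "correct horse battery staple",
                   "quiet ledger tulip seventeen rivers"]:
        print(repr(sample), evaluate_password(sample, idx) or "accepted")
```

The first sample satisfies a legacy complexity rule yet is rejected for length, while the last has no symbols or capitals and is accepted.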

4. Make the Case for Change.

Legal technologists must frame cybersecurity upgrades in terms of business and regulatory risk. Use concrete scenarios, such as a ransomware breach shutting down client files for days, to highlight what is at stake. For example, in early 2023, Cadwalader, Wickersham & Taft acknowledged a cyberattack that required the wiping of hard drives and taking several key systems, including the firm’s document management system, offline—in some cases for weeks. The same year, Troutman Pepper experienced a cyberattack that shut down the firm’s email and other networks, causing disruption to basic operations and client service.

Emphasize how modern security enables continuity, protects the firm’s reputation, and aligns with clients’ expectations of due diligence.

5. Facilitate Adoption with Strategic Change Management.

Security doesn’t have to be disruptive if it’s introduced with empathy and education.

  • Roll out new tools with clear training and support.
  • Engage firm leadership early to gain buy-in.
  • Pilot changes in small teams before scaling up.
  • Communicate benefits in nontechnical terms that resonate with lawyers and staff.

The legal industry cannot afford to treat cybersecurity as an afterthought or assume yesterday’s tools will withstand tomorrow’s threats. The cost of inertia, whether measured in breached data, regulatory fines, or lost client trust, is simply too high. Modernizing cybersecurity practices starts with acknowledging what no longer works: overreliance on point solutions, blind faith in EDR, and outdated password policies. From there, legal organizations must embrace a layered, integrated security model aligned with today’s risk realities.

By leading this evolution, legal technologists can elevate their organizations’ resilience, safeguard their clients, and contribute to a legal sector that takes cybersecurity as seriously as it takes privilege, confidentiality, and compliance. For those seeking practical frameworks and guidance, resources such as NIST’s Cybersecurity Framework and the Center for Internet Security (“CIS”) Controls, as well as groups such as the Legal Services Information Sharing and Analysis Organization (“LS-ISAO”), offer valuable support.

The threats are real, but modern solutions are available. Now is the time to evolve.

Legal Ethics in Nine Innings: Taking Ethical Base Hits from Yogi Berra

Although legal practice is governed by complex rules and nuanced statutes, the American Bar Association Business Law Section’s recent Fall Meeting program, “Yogi Berra Does Legal Ethics: A Legal Ethics Presentation in Nine Innings,” proved that even the most challenging ethical obligations can be grounded in common-sense wisdom.

On Friday, September 19, 2025, the Business Law Section’s Professional Responsibility Committee, in partnership with the Consumer Financial Services and In-House Counsel Committees, organized a panel highlighting an array of ethics issues encountered by in-house counsel and retained outside counsel.

Utilizing the unconventional wit of baseball legend Yogi Berra to delve into the ABA Model Rules of Professional Conduct, the panel provided essential lessons for both in-house and outside counsel navigating entity representation. The program drove home the idea that ethical practice requires proactive vigilance, reinforcing its supplemental materials’ warning: “If you don’t know where you are going, you might wind up someplace else.”

The Expert Lineup

The discussion, moderated by attorney Sanford “Sandy” Shatz, Of Counsel at McGlinchey Stafford LLP, featured expert insights from a distinguished lineup. The leadoff hitter was Amy Richardson, Chair of the ethics and malpractice group at HWG Law and a professor at Duke Law School. She was joined by Bridget M. McCormack, President and CEO of the American Arbitration Association-International Center for Dispute Resolution, and the cleanup hitter, A.J. Singleton, General Counsel and Member of Stoll Keenon Ogden PLLC.

Defining the Client and the Scope of Representation

The opening innings highlighted the foundational rules that define corporate legal work, beginning with the client’s primacy.

1st Inning: Clients (Rule 1.2)—“So I’m ugly. I never saw anyone hit with his face.”

The program started with Yogi’s famously humble quote. This was used to stress that under Rule 1.2, the client is the one who sets the goals and makes the material decisions. Richardson highlighted the crucial distinction between a client’s objectives and the lawyer’s means to achieve them, clarifying where the lawyer’s authority lies: “When it comes to the objectives of the work that they’re doing for the client, that is the client’s call. . . . But when it comes to the means, we as attorneys have providence over that.”

2nd Inning: Organization as Client (Rule 1.13(a))—“I’m a lucky guy, and I’m happy to be with the Yankees. And I want to thank everyone for making this night necessary.”

This segment focused on the core principle of entity representation: The entity itself—not its employees or officers—is the client. Singleton detailed the duty to “report up” under Rule 1.13(b) if a lawyer discovers that an action or inaction by a constituent will cause substantial injury to the organizational client. Singleton affirmed that in this situation, the lawyer is “required to take into account the best interest. . . of the organizational clients and report up.”

3rd Inning: Client-Lawyer Relationships—“Pair up in threes.”

Yogi’s contradictory grouping set the theme for the discussion of complex relationships, such as the Insured-Insurer-Attorney triangle. The key takeaway here was the importance of the Upjohn warning and maintaining a clear boundary, ensuring nonclient constituents do not mistake the lawyer for their personal counsel.

Core Duties: Confidentiality and Conflicts

The program then moved to the bedrock duties of loyalty and preservation of information.

4th Inning: Duty of Confidentiality (Rule 1.6(a))—“I don’t know (if they were men or women fans running naked across the field). They had bags over their heads.”

Tackling one of the most misunderstood rules, the panel used this quotation to discuss Rule 1.6(a). This rule prohibits a lawyer from revealing “information relating to the representation of a client” unless explicitly authorized or permitted by a narrow exception. Singleton clarified that even information filed in a public court pleading is not automatically exempt from the ethical duty of confidentiality.

McCormack offered her view from the business side, affirming her confidence in the bar’s commitment to the rule: “I do not worry about confidentiality. . . . I still feel pretty confident that the bar is going to meet its requirements here.”

5th Inning: Conflicts (Rule 1.7(a))—“He hits from both sides of the plate. He’s amphibious.”

The discussion of concurrent conflicts was introduced by this memorable, if slightly inaccurate, observation. Rule 1.7(a) governs concurrent conflicts and applies strictly to all business lawyers. Richardson stressed the high risk when representing startups, particularly when personal guarantees are involved. She advised, “I think it’s even more important to be really clear with founders of a small business that you have this ethical duty to the business.” Singleton added that while certain conflicts are waivable, the waiver must be in writing.

Maintaining Integrity and Managing the Endgame

The latter half of the program shifted focus to the lawyer’s personal duties of self-reflection and candor, and professional closing procedures.

6th Inning: Owning Up When You Make a Mistake—“We made too many wrong mistakes.”

The panel introduced the topic of remedial duty using this candid, if confusing, quote. The discussion focused on ABA Formal Opinion 481 and Rule 1.4, which together require a lawyer to inform a current client if the lawyer believes they may have materially erred. An error is material if a disinterested lawyer would conclude it is reasonably likely to harm the client or cause the client to consider terminating the representation.

7th Inning Stretch: Not Making False Statements (Rule 4.1)—“Half the lies they tell about me aren’t true.”

Candor was championed with this Yogi quote, which introduced Rule 4.1. Rule 4.1 prohibits lawyers from knowingly making false statements of material fact or law to third persons. The rule serves as a constant reminder that integrity is nonnegotiable in all professional dealings.

8th Inning: Dealing with Unrealistic Expectations (Rule 1.4)—“Making predictions is hard to do, especially about the future.”

The critical importance of managing client expectations was highlighted by this prescient quote. The discussion reinforced the lawyer’s obligation under Rule 1.4 (Communications) to clearly explain matters and advise the client on the probability of outcomes, particularly when predicting future litigation or transactional results.

9th Inning: Professional Misconduct (Rule 8.4(c))—“The towels were so thick there I could hardly close my suitcase.”

The panel closed the regulation innings with one of Berra’s most famous observations. This was used to discuss Rule 8.4(c), which prohibits conduct involving dishonesty, fraud, deceit, or misrepresentation, reinforcing the fundamental ethical mandate that lawyers must not deceive others, even via exaggeration.

Extra Innings: Declining or Terminating a Representation (Rule 1.16(d))—“It ain’t over ’til it’s over.”

The final, crucial lesson came in the form of possibly the most famous Yogi-ism. This lesson focused on Rule 1.16(d), which mandates that a lawyer must take reasonable steps to protect a client’s interests upon termination. The panel stressed the vital role of the “close-out” or disengagement letter. Shatz emphasized the value of this documentation.


To learn more, view the program as on-demand CLE, free for Business Law Section members.

Cyber M&A Unique Deal Terms and Emerging Trends

2025 is poised to be one of the strongest years thus far for cyber mergers & acquisitions (“M&A”). Although there have been relatively fewer deals than in recent years, deal value has spiked thanks to the comeback of megadeals, with deals announced this year including the $32 billion acquisition of Wiz, Inc. by Google LLC and the $25 billion acquisition of CyberArk Software Ltd. by Palo Alto Networks, Inc. The cyber industry—encompassing cybersecurity software, managed security services, threat intelligence, and related technology—has become a focal point for M&A activity as digital transformation accelerates and cyber threats proliferate. It has rapidly evolved from a niche technology vertical to a core pillar of enterprise risk management and digitization. As cyber threats escalate in frequency and sophistication, and as regulatory scrutiny intensifies, the M&A market for cybersecurity companies has become one of the most dynamic and strategically significant in the global deal landscape. The sector retains outsized strategic importance even as overall global M&A volumes fluctuate. As the value and risk profile of cyber assets differ markedly from those in other sectors, deal terms in cyber M&As have evolved to address unique challenges. This short article offers a glimpse at some of the more distinctive considerations behind the contractual provisions shaping cyber industry deals, highlights key trends, and provides a forward-looking perspective for the last quarter of 2025 and beyond.

I. Cyber M&A Risk Profile

Unlike many other sectors, cybersecurity M&A is defined by the centrality of cyber risk—both as a value driver and as a potential deal-breaker. Cyber companies present a unique blend of opportunities and risks. Their value is often tied to proprietary technology, intellectual property (“IP”) assets, sensitive data, and the ability to maintain trust in the face of evolving threats. Buyers are acutely aware that the value of a cybersecurity target is inextricably linked to its own security posture, the integrity of its products, and its ability to withstand regulatory and reputational scrutiny. Unlike more traditional manufacturing or service businesses, cyber targets may have:

  • highly intangible assets (e.g., algorithms, threat databases, proprietary code)
  • ongoing obligations to protect customer data and comply with a patchwork of global privacy laws
  • exposure to latent liabilities from past or undetected breaches
  • a customer base that is acutely sensitive to security incidents and regulatory scrutiny

These factors drive a different approach to diligence, risk allocation, and post-closing integration, which is often reflected in the deal terms negotiated by parties. Ultimately, cybersecurity M&A stands apart in that the very risk it seeks to manage lies at the core of the transaction itself.

II. Distinctive Aspects of Cyber M&A Purchase Agreements

A. Diligence and Disclosure Schedules

Cyber deals feature more extensive and technical disclosure schedules. In addition, a tiered approach to diligence is usually introduced, ranging from external vulnerability scans to intensive, tech-facilitated assessments of a target’s systems, codebase, and incident history. This is far deeper, more technical, and more rigorous than the standard diligence applied in most other tech or industrial deals. Sellers are expected to provide, among other things:

  • detailed inventories of data assets, security certifications and compliance reports
  • lists of all past and pending security incidents or breaches, regardless of materiality
  • descriptions of third-party vendor relationships and their security postures
  • documentation of software development practices, including open-source software (“OSS”) usage and vulnerability management

This level of disclosure is usually less common in non-cyber deals, where diligence may focus more on financial and operational matters. Simply put, the presence of unresolved vulnerabilities or a history of data incidents can materially impact valuation or even scuttle a deal.

B. Enhanced Representations and Warranties

In cyber M&A, certain representations and warranties (“R&Ws”)—particularly those addressing information technology (“IT”) and privacy and data protection, which are becoming much more prevalent in other deals as well—are receiving heightened attention and expanded scope. These provisions often address:

  • compliance with applicable data protection laws (most notably, the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the California Consumer Privacy Act of 2018 (“CCPA”), and sector-specific regulations)
  • implementation and maintenance of “industry best practices” or “industry standard” security measures
  • absence of material data breaches or unauthorized access incidents

Cyber transactions frequently go further, demanding detailed disclosure and rigorous scrutiny of past incidents, third-party security audits, penetration-testing results, information on unresolved vulnerabilities, bug-bounty reports, incident response protocols, and remediation timelines. This level of specificity has become standard for significant cyber targets, and it often becomes a central point of negotiation given the risk of concealed vulnerabilities.

C. Indemnification

1. Survival Periods and Carve-Outs

Given the potential for latent cyber liabilities, buyers often negotiate longer survival periods for key nonfundamental R&Ws, such as those regarding IP, IT, and privacy and data protection—usually extending well beyond the customary twelve to eighteen months for general R&Ws.[1] In tech and cyber deals specifically, it is increasingly “market” to see “fundamental” rep treatment for those R&Ws, with survival periods at times matching those for due organization, authority, and tax matters. Carve-outs from indemnification caps for breaches of IP, IT, and privacy and data protection R&Ws are also more prevalent, covering undisclosed breaches, material unremediated vulnerabilities, and OSS license infringements, among other issues.

2. Special Escrows and Holdbacks

Data shows that parties are moving toward more surgical risk finance—smaller general escrows, plus targeted escrows and/or R&W insurance.[2] Buyers in cyber M&A tend to require a separate escrow or holdback specifically for data breach or privacy claims, with carefully calibrated escrow sizing that is more tightly linked to known risk items.

D. Post-Closing Integration and Talent Retention

Successful integration of cyber targets requires not only technical alignment but also retention of key personnel. The global shortage of cybersecurity professionals—estimated between 2.8 million and 4.8 million in 2025—remains a key challenge for both buyers and sellers. Buyers are purchasing not just technology, but also teams with deep domain expertise, making retention and integration strategies critical to deal success. Deals often include bespoke retention packages, noncompete clauses, and pre-closing as well as post-closing covenants to maintain research and development talent and other key employees.

III. Emerging Trends

A. Increasing Regulatory Scrutiny and Globalization

The regulatory environment for cyber companies is becoming more complex, with new laws in the United States, the European Union, and other jurisdictions imposing stricter requirements and higher penalties for data breaches. High-value cyber targets (or those with customers in critical infrastructure or government) face elevated regulatory scrutiny, including antitrust reviews and national security processes. Buyers often layer conditions precedent and “long-stop” dates around such reviews or offer reverse termination fee structures to hedge regulatory risk. The increasing national-security sensitivity around identity, secrets management, and infrastructure protection means counsel must factor regulatory timing into both the purchase agreement and the integration timetable.

B. Escalating Threat Landscape

The frequency and sophistication of cyberattacks continue to rise, with ransomware, supply chain attacks, and zero-day vulnerabilities making headlines. The rapid adoption of artificial intelligence (“AI”) and machine learning in cybersecurity tools is creating new opportunities—and new risks. While advances in AI enable streamlining threat detection and accelerating incident response, they have also empowered cybercriminals to deploy increasingly sophisticated, multistage attack strategies. Buyers are responding by requesting “materiality scrapes,” demanding more granular disclosure of security incidents, and requiring third-party cyber risk assessments, OSS audits, and general source code scans as closing conditions.

C. Continued Consolidation

Strategic buyers are continuing bolt-on consolidation—consolidating capabilities across key domains, such as cloud security, exposure, and identity management. This is driven by enterprise demand for integrated security stacks and AI-enabled controls, presenting such buyers with the opportunity to position themselves to meet evolving enterprise needs and capitalize on cross-platform value. Expect larger platform builds through 2026, which will mean more complex purchase agreements focused on customer-assignment mechanics.

D. Supply Chain and Third-Party Risk

Recent high-profile supply chain attacks have underscored the importance of third-party risk management. Buyers are increasingly scrutinizing the target’s vendor relationships, contractual protections, and incident response capabilities. Expect to see more:

  • R&Ws and covenants addressing third-party risk management frameworks
  • indemnification carve-outs for breaches arising from vendor failures
  • post-closing integration plans focused on supply chain security

Conclusion

Although cyber deals still look like tech deals on paper, the bargaining levers are increasingly cyber-native. The industry’s unique risk profile is reshaping M&A deal terms, with enhanced and special R&Ws, bespoke indemnification structures, targeted escrows, and rigorous diligence becoming the norm. Counsel who anticipate those items—and who can translate technical evidence into crisp contractual mechanics—will be the ones who close deals cleanly and preserve value for clients. As regulatory scrutiny intensifies and the threat landscape evolves, parties must stay agile, adapting contractual provisions to address emerging risks, from AI to supply chain vulnerabilities. For deal lawyers and other legal practitioners, understanding these trends and the data behind them is essential to navigating the world of cyber M&A—a dynamic, high-growth sector driven by structural demand, platform consolidation, and continuous innovation—in 2025 and beyond.


  1. See, for example, the American Bar Association’s 2023 Private Target M&A Deal Points Study and SRS Acquiom’s 2025 M&A Deal Terms Study.

  2. Id.

10 Tips for Forming Special Committees of the Board: The Year in Governance

This is the tenth installment in the Year in Governance Series from the In-House Subcommittee of the ABA Business Law Section’s Corporate Governance Committee. Each month, the series will share key tips on a different corporate governance topic. To get involved in the Corporate Governance Committee, please visit the committee’s webpage.

A message from Kathy Jaffari: “As Chair of the Corporate Governance Committee, I would like to extend my sincere appreciation to the authors for this publication. The Corporate Governance Committee has ongoing opportunities for writing and volunteering with various projects, whether it’s an article you want to publish or a CLE that you want to present. Our Committee is dedicated to helping you promote informative resources for corporate governance practitioners. You may contact me at [email protected] to get involved.”

Special Committees of the board of directors serve an important governance function by preserving the integrity of the decision-making process when potential conflicts of interest arise or a director’s independence may be compromised. The effectiveness of Special Committees depends on appointing the right directors and establishing a thoughtful process. Here are ten tips to think about when forming a Special Committee.

  1. Purpose. Special Committees are often formed when there is a potential conflict of interest or for matters that require a specialized focus. Composed of a subset of the board, these committees assume special duties for a limited duration, with the goal of creating an unbiased decision-making process. Example topics addressed in Special Committees include transactions involving a controlling shareholder, investigations of management’s conduct related to violations of the company’s code of conduct, or an unplanned CEO succession.
  2. Formation and Authority. Special Committees are typically formed through delegation by the board in accordance with state corporation laws, organization bylaws, and other corporate governance documents. Responsibilities should be properly delegated and memorialized. Note that there are certain responsibilities that are nondelegable under state law, including authorizing dividends, issuing stock, and amending or repealing bylaws.
  3. Who, When, What. Three threshold topics to consider when forming a Special Committee are (a) who should be on the Special Committee, (b) when they should meet, and (c) what will be discussed. These three considerations are interconnected. The right committee members will influence the meeting structure; the meeting structure will depend on the anticipated discussions; and the anticipated discussions will inform who should be included on the committee, with independence as a critical consideration. Strategic alignment across these three dimensions is crucial for the committee’s effectiveness and credibility. A Special Committee related to CEO succession will likely require a more significant time commitment than one focused on a related-party transaction.
  4. External Advisers. Depending on the topic, it’s common for Special Committees to retain external advisers, including financial experts, outside counsel, and public relations firms. Independence is also a critical component when selecting advisers. While prior relationships with the company or the company’s directors and officers can be helpful in general engagements, it may be harmful when looking for an unbiased perspective.
  5. Intentional Process and Recordkeeping. Actions of a Special Committee are often heavily scrutinized. Given this, it’s imperative to be intentional in the process of setting up the committee, ensuring proper communications, thoughtful materials, and independent advice. Be sure to keep not only records of the committee meetings (in the form of minutes) but also records related to committee membership determination, committee communications, and vetting of external advisers.
  6. Committee Competence. Courts consider the composition of a Special Committee to be of central importance. Remind committee members that they have the same director fiduciary responsibilities when they sit on a Special Committee as in the rest of their board service. In fact, decisions made by a Special Committee can have a higher risk of being subject to litigation. Committee members should have relevant expertise and experience related to the matter at hand, so their participation is not questioned. And don’t discount the importance of good working relationships: mutual respect among the Special Committee members is essential to foster open dialogue, constructive debate, and collaborative decision-making.
  7. Compensation. Consider the time and effort both during the Special Committee meetings and the homework required throughout the process. It’s common to provide directors with additional fees above their regular director compensation, either in the form of flat fees or meeting retainers. The chair of the Special Committee may receive additional compensation given the additional leadership responsibilities. It’s helpful to discuss compensation considerations with outside advisers to minimize any appearance of conflict.
  8. Standard of Review. Decisions by the board of directors are typically reviewed under the business judgment rule, where the assumption is that they acted in good faith, on an informed basis, and in the best interest of the company and shareholders. Courts have applied a higher standard of review, the entire fairness standard, if it appears that a director is conflicted in the decision-making process. However, creating a Special Committee in which the conflicted director is excluded from the process can shift the standard of review back to the more deferential business judgment rule.
  9. No Charter, Typically. Unlike standing committees of the board, Special Committees of the board do not often have charters. Instead, the rules and responsibilities are determined by the board through delegation, and the members of the committee are appointed by the board through a formal approval process ensuring consideration of any conflicts. The delegation of authority should also provide clear direction on the use of external advisers and additional compensation.
  10. Communications and Interactions. Provide clear guidelines related to interactions among the members of the Special Committee, its advisers, and the board to protect the independence of the Special Committee. The Special Committee should avoid interactions with conflicted directors or members of management on matters in the purview of the Special Committee unless necessary. These guidelines should be communicated to all participants in the process. Maintaining clear boundaries in communications and interactions protects the decision-making process by ensuring objectivity.

The views expressed in this article are solely those of the authors and not their respective employers, firms or clients.

Understanding IP Damages, Part 2: Patent Law

This is the second installment in a series on damages available for intellectual property (“IP”) claims, focusing on patent damages. Understanding damages is essential for two reasons: it highlights the potential rewards of building a robust IP portfolio, and it offers a benchmark for assessing risk when facing an IP claim. Our previous article addressed trademark damages.

Patent Infringement

Patent infringement is an unauthorized act that relates to the making, using, selling, or importing of an invention for which a patent has been issued, as stipulated by the Patent Act.[1] Section 271 of the act delineates several types of infringement, including direct infringement and indirect forms such as inducement and contributory infringement. Enforcement of these provisions has been influenced by the Leahy-Smith America Invents Act (“AIA”), which also introduced new post-grant proceedings affecting infringement disputes.

Patent Damages

Under the Patent Act, patent owners may seek to recover damages adequate to compensate for infringement.[2] The court may allow damages in the form of recovery for (1) lost profits, (2) reasonable royalties, and (3) treble damages (in cases of willful infringement). The Patent Act provides that a court should award a successful claimant damages “adequate to compensate for the infringement, but in no event less than a reasonable royalty for the use made of the invention by the infringer, together with interest and costs as fixed by the court.”[3] The Patent Act does not limit damages to certain types, and a judge can award other types of damages that may be appropriate under the facts of the case.

Damages are a question of fact; thus, juries can decide damages, but judges will do so if the case is not before a jury. Courts have significant levels of discretion when it comes to applying the above methods and determining how much to award in damages. Nonetheless, courts have developed equitable methods in an effort to balance compensating a successful plaintiff for losses while simultaneously avoiding windfalls.

Lost Profits

Damages for lost profits compensate a patent holder for profits it would have made had its patent not been infringed. Being awarded damages for lost profits requires a plaintiff, with some degree of specificity, to show a nexus of causation between sales lost and the infringement, meaning that the plaintiff must show that the infringement was the cause of the decline in sales.

For years, the lost profits calculation has been based on the four Panduit factors, delineated in Panduit Corp. v. Stahlin Bros. Fibre Works.[4] The four factors are the (1) “demand for the patented product,” (2) “absence of acceptable noninfringing [alternatives],” (3) capacity to exploit the demand, and (4) amount of profit the patentee would have made.[5]

Under the second prong, a patent owner may rely on proof of its established market share rather than proof of the lack of an acceptable noninfringing substitute. A showing under Panduit permits a court to reasonably infer that the lost profits claimed were in fact caused by the infringing sales, thus establishing a patentee’s prima facie case with respect to “but for” causation. A patentee need only show that there was a reasonable probability that the sales would have been made “but for” the infringement. The burden then shifts to the infringer to show that the inference is unreasonable for some or all of the lost sales.

Reasonable Royalties

A reasonable royalty is an amount that would have been paid to a patent holder had the patent holder given the infringer a license to sell the patented item. A common approach used to calculate a reasonable royalty is the “hypothetical negotiation,” which attempts to ascertain the royalty upon which the parties would have agreed had they successfully negotiated an agreement just before infringement began.

Often, reasonable royalties are calculated when the patent holder cannot prove the elements necessary to establish entitlement to lost profits. Courts look to several factors, as outlined in Georgia-Pacific Corp. v. United States Plywood Corp.[6] These factors include past and present royalties received by a patent holder for the patent at issue, the rates paid by the infringer for the use of similar patents, a patent holder’s policies and practices regarding the grant of licenses to its technology, the commercial relationship between the two parties, the patent’s profitability, the patent’s usefulness as compared to older models of similar technology, and the extent to which the infringer used the patented product and the value of that use. These factors, among others, are often established by expert opinion.

Treble Damages

Treble damages are designed as a punitive or vindictive sanction for infringement that is willful, wanton, malicious, bad faith, deliberate, consciously wrongful, flagrant, or the like. In these instances, under the Patent Act, a court may increase the damages up to three times the amount found or assessed.[7] Courts tend to award the maximum amount only when the infringement is egregious.

To prove treble damages, a plaintiff needs to show clear evidence of willful conduct by the infringer. Even if a plaintiff proves willful infringement, enhanced damages are not guaranteed; such a decision is at the discretion of the court.

Summation

Patent infringement damages are designed not only to compensate a patent holder for actual harm but also to deter willful violations of patent rights. By tailoring awards to the nature and severity of the infringement, courts strive to strike a balance between fair compensation in the face of infringement and the promotion of innovation.

* * *

Please tune in next month for part three of our series, in which we will discuss copyright damages.


  1. 35 U.S.C. §§ 1–376.

  2. Id. § 284.

  3. Id.

  4. 575 F.2d 1152 (6th Cir. 1978).

  5. Id. at 1156.

  6. 318 F. Supp. 1116 (S.D.N.Y. 1970).

  7. 35 U.S.C. § 284.