No More Excuses! Build a Contact List to Fuel Your Career

No more excuses! Do you feel you’re too old, too young, too new, too introverted to connect successfully with people who can help your career? Nonsense. Everyone needs to build a contact database. Anyone can build one.

Most jobs are found through informal networks of connections, the “six degrees of separation” that link disparate people through a chain of friends of friends. Those connections should live in a contact database. That database is ground zero for your networking strategy. Because of the symbiotic relationship between who you know and what you do, it is imperative that you pay attention to your contact list. Let’s begin.

Who Is in Your Network?

Your network should include people from:

  • Your past—people you used to know
  • Your present—people currently part of your world
  • Your future—people you would like to know

Contacts come not only from these three points in time, but also, as diagram 1 shows, from three overlapping activity spheres: the personal, aspirational, and occupational.

Aspirational and occupational spheres are the most relevant for careers. These contacts are your links to other career paths, geographic moves, and the next steps in your current chosen field.

  • Many people equate their contacts with the personal sphere. These people are your best friends, family, and other close contacts who provide backup and support. They also usually support your thinking rather than add new ideas, and so are less useful than the other spheres for the purpose of career changes.
  • Your occupational sphere includes people from current and past work lives, people in complementary professions, vendors who sell to you, your clients, and your friends. Their careers and contacts lead to information and introductions.
  • Aspirational ties typically represent your weakest links. This is your dream builder, the knowledge enhancer network. You find these links everywhere—at events, on social media, in reading material. They include experts in your own field, areas you want to learn more about, or fields you might consider.

People in your aspirational network can help you develop the skills and knowledge you need to succeed. They may be successful business executives or innovators. Some will teach you new hobbies or life skills. Others will be thought leaders, visionaries, and coaches. Each of them exposes you to new ideas and ways of acting that prepare you to move forward.

Weak Links

Of course, contacts should include best friends, strong ties you go to for comfort, support, and confirmation. “But if your network only includes people like you, you probably will have less access to new ideas and opportunities. . . . People who network strategically make use of both their strong and weak ties; the former for support, the latter to bring in new information.”[1]

Weak ties connect you with acquaintances or friends of friends. They are people on your holiday card list, people whose business card you kept just in case, friends of your friends: “someone you know cursorily or historically or maybe even through a network of friends. Someone you used to work with, someone whose kid was on your kid’s soccer team 10 years ago, a former neighbor, an acquaintance in a professional group. And strangely, it’s someone who can make a difference.”[2]

“When you look at charts showing network relationships you can see the importance of weak ties in creating linkages between pods of personal, strong networks.”[3] Weak ties bring new insights into your network.

How Do I Build My List?

Theoretically, the size of any network is infinite. If you ask any networking contact to introduce you to any close contact and if you assume that every person has at least fifty close contacts, the numbers are overwhelming.

You can make adding contacts more realistic, manageable, and effective by tying them to your career goals.

  • Where are you now in your career?
  • Where do you want to be in five years? Ten years?
  • What do you need to know and learn to get there?
  • Who do you need to know to find out the answers to these questions?

Answers to these four questions will create your path to contact list amplification. Remember: You are not necessarily looking for a greater number of strong relationships. Your focus, rather, is on expanding medium and weak links to people with new ideas and areas of influence who can introduce you to their network.

Begin by going through old business cards, address books, college directories, office personnel lists, colleagues on nonprofit boards, friends from community activities, and so on. Add speakers from saved conference agendas. Add authors you hold in high regard. Add professors, consultants, mentors, inspirational leaders. Add them all to your contacts database.

From this expanded contacts list select twenty-five names that seem most relevant to your goals. Turn to online sources to update what you know about them.

  • Research online to see where they have been and where they are now.
  • Check their profiles on LinkedIn and their workplace websites.
  • Find the contacts whose career trajectory or current workplaces interest you.

Turn Paper Connections into Live Relationships

Create networking strategies to forge connections. Think of career networking as forming relationships with people and organizations to help you understand your career choices. Remember: These are relationships built on reciprocity. As you learn about others, you will look for ways to help them reach their goals, and they will do the same for you.

Are you thinking it will be awkward to suddenly burst upon someone you haven’t seen or heard from in years? It could be; but it’s more likely that if you frame it correctly, they will be pleased to reconnect and will be flattered that you want their advice. To begin, connect first by email to set a time to talk, make them a LinkedIn connection, and send an in-mail request for an information interview, or just pick up the phone and call.

Begin Conversations with the Truth

  • With a friend from “past lives”: “I know it’s been ages since we talked. I am calling now to see how you are doing and ask you for career advice.” [Talk about how they are doing now.] “I want to move from _______ to your practice area. I hope you can help me understand what I need to do to prepare for this kind of work and what is the best way to find such a job. Could we schedule a 15-minute conversation?”
  • With an acquaintance: “I don’t know if you remember me. We met _______. I was impressed with your career trajectory. Now I am looking to do the same kind of thing. I wondered if we could schedule a 15-minute call?”

Remember, please, to keep them in the loop. Thank them for having agreed to the call, and, if you act on their advice, let them know what happened.

Keep Your List Fresh

List-building is an iterative process. As your career ideas change, so too should people on the list. Make it a habit, after every networking activity, to add new names or add new information to names already on the list. For example:

  • At your monthly networking group meeting, you heard that Charlie was changing firms. After the meeting, update your database and call him to congratulate him and find out more about the move. Record your action and what you learned in your database.
  • After an event, add the names of the handful of people with whom you had meaningful conversations, making sure to add the specifics of where you met them, why they were there, and conversation highlights.
  • Every six months, go through your list to winnow outdated contacts and identify gaps you need to fill to keep the list in line with your current goals.

Keep building and expanding the interest areas of your contacts and you will have a ready resource for wherever your career takes you.


[1] Carol Schiro Greenwald, Chapter 3, Strategic Networking for Introverts, Extroverts and Everyone in Between (ABA, LPD, 2019), p. 34.

[2] Marc Miller, “To Get a Job, Use Your Weak Ties,” August 17, 2016, forbes.com/sites/nextavenue/2016/08/17/to-get-a-job-use-your-weak-ties/#2619254a6b87.

[3] Greenwald, Strategic Networking for Introverts, Extroverts and Everyone in Between, p. 34.

Keys to Remaining Legally Compliant When Reopening the Office

It seems each day another company is extending their work from home time. Massive enterprises like Google, Amazon Corporate, and Indeed have already postponed a return to the office until 2021, whereas others like Facebook, Twitter, Slack, and Zillow have made remote work permanent.

However, many businesses still face the decision of whether to return to the office, balancing the benefits of returning against the risk of exposure. As general counsel, you are tasked with not only helping your company find this balance, but also ensuring the company is legally compliant. Legal obligations will vary based on where your business is located and in what industry. Although it can be helpful to look at what other companies across the country are doing, keep in mind they may have different regulations to follow. 

Reopening must begin with a plan. You must decide ahead of time how you are going to keep workers safe, how you will monitor the health of employees, what you will do in case of a positive case, and what options you will offer employees. Let’s walk through the key considerations to evaluate ahead of reopening. 

Check Local, State, and Federal Regulations

Where your business is located will influence what policies you put in place, given that they must align with government regulations. There will be certain protocols to follow related to the maximum capacity allowed in the office, mask wearing, and how to report cases. There are various resources you can look to for learning the guidelines:

Review Insurance Policies 

Many insurance companies have begun issuing regulations and requirements for businesses, such as the consent required from employees or customers. You likely already reviewed your insurance coverage to check whether you were covered for event cancellation or business interruption, but don’t forget to recheck prior to opening. Another consideration is workers’ compensation. If an employee were to contract the virus after returning to the office, he or she might seek coverage. Read up on the details of your policy to ensure you know what is and is not covered.

Create a COVID Waiver 

One of the best ways companies can manage risk and return to work is through a basic waiver for employees to review. It should outline what you are doing to keep workers safe, obtain consent by asking employees to acknowledge and agree they are aware COVID exists, and confirm, should they show up to work sick, that they could get others sick. It’s crucial that employees are allowed to review the waiver and make a decision for themselves on whether they return to work. A waiver will not be as effective if there are no options available, and forcing employees to return to work and sign an agreement will put you at risk of future class-action lawsuits. 

Think Through Additional Agreements

Beyond a COVID waiver, reopening will require several types of agreements and policies. Some of the most pertinent assessments, waivers, and consents include: daily health certifications, distancing policies, mobile symptom screening, and contact-tracing consents. Create a general policy with information such as hygiene best practices, modified work schedules, what should be done if an employee experiences symptoms, and how to handle exposure to the virus. If you plan to test employees, an informed consent is critical. States have various requirements for what the consent should include, but most incorporate these elements:

  • a description of the test
  • a statement of the test’s purpose
  • clarification on whether the test was ordered by a physician or is self-directed by the individual
  • information on the reliability of test results 
  • identification of the person(s) with whom the test results may be shared and why
  • a general description of the disease or condition that is being tested

Provide New Ways to Sign Agreements 

Part of reopening is determining how to account for social distancing across your business. Many processes cannot be done the same way they were previously. A perfect example is signing contracts. In order to properly social distance, pen and paper are no longer an option. Consider the HR contracts to put in place and ask yourself: 

  • Do you have a way to hire employees remotely? 
  • Is there a self-service option for sales teams to issue agreements with new customers? 
  • What about the return-to-work waivers? 
  • Do you have a scalable way to capture consent? 

You obviously want to get all employees to participate. With daily certifications and symptom screening, you must make the process as easy and seamless as possible for employees. This means eliminating the friction of pen and paper or even PDFs and eSignatures. Employees have enough to worry about when returning to work, so you don’t want to add to that by requiring them to find a document to download, sign, and upload each day. Consider setting up your agreements as a one-click contract, where employees can take one simple action to execute the agreement. 

Store Record of Acceptance 

Not only must you have agreements in place and new methods of capturing acceptance, but you also must ensure you are keeping records. Insurance might require information on consent waivers issued to employees. If an employee seeks workers’ comp from contracting the virus at work, they must prove the infection occurred at work. Records of symptom screening and waiver acceptance will play a big role in that. Not to mention, with the potential of lawsuits from employees or customers, you want to ensure you are able to produce records at any moment.

The number-one priority is to reopen safely. Don’t feel rushed to reopen. Take time now to plan for how your business can open in a legally compliant and safe manner.

Leveraging Trusted Methods to Mitigate FCPA Risk during COVID-19

Prior to the COVID-19 pandemic, investigators relied on a proven playbook for addressing potential bribery and corruption: due diligence into relevant personnel or vendors, in-person interviews, and surveillance operations. Meanwhile, audit teams reviewed archived records, historical issues, and wider market practices to discern common techniques, missteps, or potential problem areas. This process is more complex during the pandemic. Triggers for an FCPA investigation and the possible steps to address violations have shifted, obfuscating the future of these investigations and enforcement. The following discusses practical strategies for navigating this altered landscape.

Changes in the Field

An understanding of your FCPA risk profile—your vulnerabilities, compliance history, and partners—means reduced risk and increased post-incident control. Before the pandemic, risk profiles were likely more easily assessed, with security measures set up based on known patterns of industry or geographic risks. This profoundly changed because of the pandemic. Now, a more active approach is necessary. To anticipate issues, you must devote proper attention and analysis to the aspects of your business most disrupted by the pandemic—even those aspects not historically associated with FCPA risk.

Consider supply chains: As international providers are forced to adapt at every level—from product sourcing to tax approvals, customs brokerage, or transport management—there is immense pressure to maintain the consistency that their clients expect. A dramatic rise in the use of facilitation payments is sure to follow. Already a pronounced risk, these payments are often used to streamline the supply process. Businesses returning during the pandemic may scramble to recoup the months of losses accrued during quarantines. This combined with rising unemployment and income concerns creates additional stress for employees to meet deadlines and achieve results. This also creates a heightened risk of potentially improper payments and damage to the company. As businesses continue to respond to the pandemic, additional vulnerabilities may develop that further underscore every company’s need to examine the more stressed aspects of its operations.

Changes to Your Approach

Organizations must adapt their approach to meet the new challenges of corruption during the pandemic. The reality is that some historically successful methods, particularly in-person interviews, are not currently viable. As measures against physical contact preclude in-person solutions, investigators and auditors must rely on remote or digital methodologies to address potential corruption. Now is the time to use proven methods to address current challenges: self-assessments. In our experience, self-assessments and compliance program audits are powerful and proactive tools to combat corruption risk and mitigate current exposure. These tools allow an organization to have visibility through remote review of books and records and any programmatic weaknesses.

Self-Assessments. Self-assessment forms should be sent to all parties, whether internal or at a vendor, who interface with government officials or operate in historically vulnerable regions or industries. During the assessment, the responding parties answer multiple questions designed to identify risk and provide data to evidence compliance with corporate policies, procedures, and initiatives. Compliance is then rated on a one-to-five scale, ultimately allowing the organization to make an informed decision on next steps, which could potentially include a deeper investigation. Self-assessments also help to scale audits by identifying practical risks and to limit the need for in-person procedures.

Compliance Audits. Anti-corruption program compliance audits are also critical to helping companies uncover and remediate nascent issues before those issues rise to the level of criminal activity, civil liability, or regulatory action. As part of these audits, financial information is reviewed to ensure that expenditures for government-related services are appropriate and accurately recorded in the company’s books and records. Analytics often will reveal discrepancies between expense reimbursement requests and invoices, requiring a more detailed review. Armed with this information, a company can make an informed decision about policy and procedure changes, remedial action for any employees involved, and the need for further employee training. An informed decision can also be made about whether the company self-reports to regulators.

Changes to Your Culture

Although training, self-assessments, and compliance audits are critical, proactive approaches to mitigating corruption risk, it is also essential that your overall compliance program be nimble enough to react swiftly once an issue is suspected or identified. Review your FCPA training and guidelines to ensure both employees and business partners are made aware of the communication channels available to them for reporting suspected or witnessed wrongdoing. This should include contact information for compliance officers as well as an anonymous and confidential reporting option. Efforts should include ensuring that all reports are reviewed by a trained, objective, and independent team that is well-versed in how to respond to corruption-related allegations, evaluate the issues, and determine whether an internal investigation should be initiated. 

Conclusion

Ultimately, the COVID-19 pandemic heightens the risk of corruption and bribery exposure even in traditionally compliant departments as employees and third parties face pressure to reverse the negative effects of the recent economic downturn. Investigators and auditors, meanwhile, can depend on trusted existing strategies to create sensible, scalable, and remote solutions.

Driving to One-Click: The New Point of Sale

Although the financing of consumer goods and services is not a new concept, there has been a recent, rapid evolution in the methods, means, and speed of providing point-of-sale financing to consumers. The history of consumer credit traces back to retailers permitting consumers to pay for goods and services over time. Financing of goods and services was later outsourced to banks and finance companies who took on the risk, and reward, of financing on the retailer’s behalf. As time went on, the correlation between the creditor and the retailer became closer, at times becoming difficult to differentiate between the retailer and the creditor through the sales and financing process. Despite this point-of-sale financing evolution, roughly the same disclosure regime remains in place from 40 years ago.

Existing model disclosures are built for a physical world, but exponentially more transactions are taking place electronically, with this number drastically increasing due to the recent pandemic. The devices consummating these transactions are getting smaller and more mobile. Many model forms are built for 8½ × 14 paper, yet the size of Apple’s latest iPhone is 5.78 inches by 2.82 inches. Few creditors are deviating from model forms given the regulatory safe harbors afforded. Unfortunately, this practice does not always provide for the best consumer experience. Although retailers continue to provide products and services to consumers through consumer-preferred mediums—now, primarily mobile devices—partnering creditors are unable to adapt their financing disclosure regime to meet the customer sales experience that consumers have come to expect on these retailers’ platforms.

Several options are available to creditors to reconsider their disclosures framework. First, although creditors take comfort in model forms, using model forms is not the sole method to comply with the letter and spirit of the law. Creditors may consider creating alternative disclosures that comply with the technical requirements of the disclosure mandates in a mobile-device-friendly manner. Second, creditors may engage with retailers to determine customer pain points and evaluate whether to update model forms. In addition, the Consumer Financial Protection Bureau (CFPB) has provided avenues to test new disclosures, including the trial disclosure sandbox, where creditors can improve existing disclosures and test new forms with the CFPB. Additionally, creditors may engage with the CFPB’s Office of Innovation to request a no-action letter for a CFPB-approved disclosure or process.

As financing continues to integrate further with point-of-sale transactions, it remains pivotal that consumers are aware of when they are interacting with a bank (with consumer credit disclosures being the epitome of a consumer recognizing bank interaction) and when consumers are interacting with the retailer. This distinction is critical for several reasons, including true lender and privacy purposes. Regulatory developments and cases evaluating this issue have been rapidly increasing, likely due to more point-of-sale financing agreements and the interconnectedness of retailers and financers. The Office of the Comptroller of the Currency is attempting to address bank-partnership uncertainty through proposed regulation, while states continue to evaluate true lender concerns impacting their respective residents. In addition, privacy concerns for both the retailer and the creditor include ownership of information collected and usage rights with respect to that information, including the sharing and usage of information by third parties. An understanding of these increasingly complex data flows is important to evaluate issues under federal law, including the Fair Credit Reporting Act, as well as under state law, including the newly revised California Online Privacy Protection Act.

Finally, drawing clear lines delineating the retailer’s and the creditor’s responsibility is important for regulator interactions. Defining responsibilities clearly assists regulator inquiries and examinations as well as ultimate responsibility (which many times rests with the regulated entity) if there is a problem with the program. Regulators will be evaluating both the form and the substance of point-of-sale financing programs, and parties are well served to have clearly delineated ownership lines.

Point-of-sale financing continues to evolve faster than the times and legislation itself. For long-term success in this renewed growth opportunity, retailers and finance partners must look to both ancient and novel regulations while remaining closely connected to shifting consumer needs and behaviors.

The Different Flavors of RegTech and SupTech: How Companies and Regulatory Agencies Are Leveraging Technology to Improve Regulatory Compliance and Supervision

When the calendar turned to 2020, my first thought was about how futuristic the year sounded and what kind of interesting things it had in store. At that time, no one could possibly have imagined that some of those interesting things would be face masks, working from home, and wearing the same loungewear so often that you begin to lose any concept of time. Still, the COVID-19 pandemic has hammered home the point even further that technology touches nearly every facet of our everyday lives. Consider something as benign as a lamp: you can purchase it on Amazon, turn it on or off using Google, and pay for the electricity that powers it via app. Given this and the current state of the world we live in, it should come as no surprise that modern technology has even impacted financial services industries and the regulatory environments in which they operate. Through RegTech and SupTech, both industry and regulatory agencies are finding ways to modernize compliance and create a more efficient and increasingly digital regulatory landscape.

What Are RegTech and SupTech?

“RegTech” refers to technology that has been developed for industry to address regulatory challenges. Those challenges might include meeting compliance requirements, assessing risk management, and reporting data. “SupTech,” on the other hand, describes the use of technology by supervisory and regulatory agencies to improve efficiency in their duties overseeing industry. SupTech includes streamlining administrative and operational procedures, as well as utilizing automation in the supervision process. Ultimately, the combination of RegTech and SupTech ideally will lead to a more robust compliance environment through proactive monitoring by supervisory agencies, enhanced reporting from industry, and better overall oversight. An added benefit of this efficiency is lower costs for industry in complying with regulations and better allocation of resources by supervisory authorities. A true win-win.

Developments in RegTech

RegTech is a booming industry, expected to be worth over $55 billion by 2025. With such growth comes some inevitable questions. How do regulators view RegTech? Do RegTech programs have the blessing of the agencies with which they are trying to comply? Regulators at both the state and federal level recognize the impacts RegTech has on industry and are actively trying to keep up with the innovation they are seeing.

In July 2019, New York Department of Financial Services (NYDFS) Superintendent Linda Lacewell announced the establishment of the NYDFS Research and Innovation Division. The Division’s intent is to ensure that NYDFS keeps pace with innovation in all sectors of the financial services industry. NYDFS further showed its dedication to fostering and tracking innovation by joining the Global Financial Innovation Network (GFIN) in October. GFIN seeks to support financial innovation by providing more efficient ways for firms to interact with regulators to develop new products that will benefit consumers.

In an August 2019 speech, Federal Deposit Insurance Corporation (FDIC) Chairman Jelena McWilliams emphasized the growing role of RegTech, noting that the FDIC will need to step in if regulators do not agree on joint guidance regarding bank use of artificial intelligence. Banks could potentially use AI to comply with laws and regulations concerning anti-money-laundering controls and other vital compliance programs. Small banks, as McWilliams noted, are more likely to turn to technology for competitive advantages and must be sure that their attempts at innovation will not be stifled by regulatory uncertainty.

Developments in SupTech

Despite the heightened emphasis on tracking industry innovation, regulatory agencies aren’t merely sitting back and watching industry utilize technology. In fact, groups of agencies have banded together to explore SupTech initiatives that allow them to better leverage technology in supervising and communicating with industry.

Back in 2017, the Conference of State Bank Supervisors (CSBS) launched Vision 2020, an effort to modernize state regulation of nonbank financial companies. Vision 2020 focused on six major initiatives: (1) creating the Fintech Industry Advisory Panel, which allows industry to provide input on state regulation; (2) redesigning the Nationwide Multistate Licensing System & Registry (NMLS) with a more automated and data-driven approach; (3) harmonizing multistate supervision through uniformity in examinations and consistent best practices; (4) assisting state banking departments in recognizing weaknesses in order to perform at a higher standard; (5) enabling banks to service nonbanks by addressing the risks involved and demonstrating how to comply with state and federal laws; and (6) improving third-party supervision through support for federal legislation to amend the Bank Services Company Act to allow state and federal regulators to better coordinate supervision.

In January 2020, CSBS released its Vision 2020 Accountability Report. Prepared by the Fintech Industry Advisory Panel, the report outlines progress made on the group’s initiatives to streamline state licensing and supervision of fintech companies. The report focuses on the increased use of technology for licensing and exams. Notably, CSBS has: (1) expanded the use of NMLS across all license types for nonbank financial services, (2) developed state licensing guidelines that are consistent across multiple states, and (3) launched a new state examination system. The report also noted a more consistent and streamlined approach nationwide to the licensing and regulation of money service businesses.

As part of the Vision 2020 initiative, CSBS announced in February 2020 the nationwide rollout of the State Examination System (SES). SES is designed to allow state agencies to securely perform examinations, investigations, consumer complaint processing, and enforcement actions. The customer complaint management system—released just this past September—allows state financial regulators to input, manage, and address customer complaints electronically. Summaries of all complaints entered will be available to any state regulator using SES, allowing state regulators to identify trends and potential bad actors. Although SES is clearly a SupTech solution, it also has some RegTech elements. The goal of SES is to bring every interaction a company has with state regulators onto a single platform. Giving companies a one-stop-shop digital platform for all regulator interactions would create massive time and cost efficiencies.

Feels a little like the future, doesn’t it?

When Should Law Firms Notify Clients About Data Breaches?

Much has been written in recent years about lawyers’ duties to preserve the confidentiality of client information under the rules of professional conduct and to take reasonable precautions to strengthen cybersecurity in order to avoid data breaches. Executing those duties has become more difficult amid an increase in the frequency and sophistication of state-sponsored and criminal cyberattacks directed at law firms and their clients. Further complicating matters for lawyers is knowing when disclosure to clients of a law firm data breach is required by the rules of professional conduct even though the threat of exfiltration or loss of client confidential data is in doubt. Below we examine opinions of the American Bar Association that offer some guidance on when client notification of a data breach is appropriate to ensure protection of client confidentiality and minimize exposure to legal malpractice liability. In addition, we will discuss the requirements of bar associations in various states and analyze law firms’ exposure to potential professional liability.

Several large international law firms have recently been hacked by foreign nationals seeking information in furtherance of an insider trading ring. A prominent Chicago law firm was sued in a class action alleging that it failed to maintain adequate safeguards to protect client confidential information. A New York entertainment law firm was subject to a ransomware attack in which the attackers claimed to have stolen privileged data about many of the firm’s high-profile clients. Panamanian law firm Mossack Fonseca was infamously hacked; the leaked documents published on the internet included the names of a number of the firm’s high-profile government clients, their shell corporations, and financial transactions, raising the specter of an alleged illegal money laundering scheme. The massive data breach and attendant unwelcome publicity coined the phrase “the Panama Papers” and inspired the Netflix movie The Laundromat, in which Meryl Streep portrayed a widow who was bilked by a client of the firm.

Against this backdrop, the organized bar has implemented guidelines, including published ethics opinions on cybersecurity, and reasonable measures to prevent data breaches—and ensuing professional liability. However, what should lawyers do when the unthinkable occurs, and their firm is the victim of a data breach or ransomware attack? What obligations do lawyers have to notify their clients that their confidential data has been or may have been compromised or accessed by a hacker?

ABA Ethics Opinion 483

In 2018, the American Bar Association Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 483, which provides guidance on law firms’ duties to notify clients of data breaches under the ABA Model Rules of Professional Conduct. The committee wrote that “an obligation exists for a lawyer to communicate with current clients about a data breach.” However, not all cyber episodes require client notification. Rather, Formal Opinion 483 defines a data breach as a cyber episode in which “material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.”

Formal Opinion 483 further notes:

[N]o notification is required if the lawyer’s office file server was subject to a ransomware attack but no information relating to the representation of a client was inaccessible for any material amount of time, or was not accessed by or disclosed to unauthorized persons. Conversely, disclosure will be required if material client information was actually or reasonably suspected to have been accessed, disclosed or lost in a breach.

Thus, it would appear that Formal Opinion 483 is arguably inconsistent, leading to the question: Is mere access sufficient to trigger a duty to provide notification, or must there be a reasonable suspicion of tampering with or misappropriation of the data? Some guidance is given by state ethics opinions, which, like the ABA, suggest that lawyers have a duty to investigate and disclose the existence of a data breach to clients whose material confidential information is known to have been accessed or exfiltrated by an unauthorized intruder. As will be seen, the law firm’s duty to provide client notice may exist even in situations in which the data penetration did not result in exfiltration of or damage to the client’s data.

Other Ethics Opinions

Earlier ABA Ethics Opinion 95-398 (1995) addressed a law firm’s obligation to notify a client when a third-party document storage vendor sustains an intrusion that exposes client confidential information, concluding that a lawyer may be obligated to notify the underlying client of an unauthorized intrusion which “could reasonably be viewed as a significant factor in the representation, for example where it is likely to affect the position of the client or the outcome of the client’s legal matter. . . .”

The New York State Bar Association Committee on Professional Ethics has similarly concluded that a lawyer must notify affected clients of information lost through an online cloud data storage provider. N.Y. State Bar Ass’n Eth. Op. 842 (2010). According to the NYSBA, “If the lawyer learns of any breach of confidentiality by the online storage provider, then the lawyer must investigate whether there has been any breach of his or her own clients’ confidential information, notify any affected clients, and discontinue use of the service unless the lawyer receives assurances that any security issues have been sufficiently remediated.”

The Maine Bar Association Professional Ethics Committee addressed client notification in its Ethics Opinion 220, which determined that client disclosure was fact-specific in the event of a law firm data breach but could be triggered by mere exposure rather than actual pilfering or manipulation of client data. According to the Maine Bar:

Notification requirements under the Maine Rules of Professional Conduct arise when confidences or secrets are exposed or the breach significantly impairs or impacts the representation of a client. A cyberattack or data breach alone may give rise to a duty to notify clients, depending on the circumstances. . . . Once the scope of an attack or breach is understood, the lawyer must promptly and accurately make an appropriate disclosure to the client.

(Citations omitted.) Thus, under the Maine Rules of Professional Conduct, mere exposure of client confidential information may be sufficient to trigger a disclosure obligation.

The Michigan State Bar has recently concluded that a law firm material data breach triggers an obligation to give notice to its clients. According to the Michigan Bar Ethics Opinion RI 381:

A lawyer has a duty to inform a client of a material data breach in a timely manner. . . . A data breach is “material” if it involves the unauthorized access, destruction, corruption, or ransoming of client ESI protected by [Michigan Rule of Professional Conduct] 1.6 or other applicable law, or materially impairs the lawyer’s ability to perform the legal services for which the lawyer has been hired. The duty to inform includes the extent of the breach and the efforts made and to be made by the lawyer to limit the breach.

Thus, at least under the guidance furnished by the Michigan Bar Association, if the lawyer can determine which clients’ data have been compromised, then assuming that the pilfered or exposed data are material, those clients should be notified. The law firm should also promptly investigate and remediate the breach.

Professional Liability Concerns

In addition to compliance with the rules of professional conduct, there are also professional liability issues inasmuch as a disgruntled client could bring a claim that its confidential information was insufficiently safeguarded, or that it was not timely notified of the breach. In such cases, adverse publicity could be generated by the mere filing of a public complaint.

For example, in March 2020, a lawsuit was filed by Hiscox Insurance against law firm Warden Grier for breach of contract, breach of fiduciary duty, and malpractice. Hiscox accuses the law firm of failing to notify it of a major data breach in 2016, in the course of which client confidential information was penetrated by an intruder, posted on the dark web, and held for ransom, which the firm paid. Hiscox Ins. Co. Inc. & Hiscox Syndicates Ltd. v. Warden Grier, LLP (2020). According to the complaint, the law firm learned of the data breach in December 2016, but did not notify clients for over 16 months that their personal identifying information (PII) had been accessed by the “Dark Overlord” intruder and posted to the dark web. Julia Weng, Hiscox Hack Suit Advances as Warden Grier Loses Dismissal Bid, Data Breaches.net, July 25, 2020. In July 2020, a federal district court denied Warden Grier’s motion to dismiss Hiscox’s complaint, ruling that the complaint provides a cause of action for breach of contract and breach of implied contract, reasoning that the carrier’s litigation management guidelines constituted a binding contract that required the law firm to take specified precautions to protect the security of clients’ PII. Hiscox Ins. Co. Inc. & Hiscox Syndicates Ltd. v. Warden Grier, LLP, Case No. 4:20-cv-00237-NKL (W.D. Mo. Jul. 23, 2020). The law firm did not move to dismiss the negligence cause of action, which remains intact.

In 2016, a former client of Chicago law firm Johnson & Bell filed a class action alleging that the firm engaged in malpractice by its failure to maintain adequate standards of cybersecurity. The class action alleged that the firm, which portrays itself as an expert in advising clients about cybersecurity, was itself negligent in protecting its own clients’ data security by failing to properly encrypt an online attorney time-tracking system and by the use of a virtual private network. The purported class representatives alleged that they were damaged by the risk that their confidential information might be compromised at some point in the future. After denial of the law firm’s motion to dismiss, the court directed the parties to participate in confidential arbitration.

Regulatory Issues

In addition to professional liability concerns, law firms should be mindful of statutory obligations imposed on all businesses. For example, Massachusetts enacted a pioneering data-protection law in 2010 known as Standards for the Protection of Personal Information of Residents of the Commonwealth, which requires companies doing business in Massachusetts to encrypt personal data and to retain and store digital and physical records and implement network security controls to protect sensitive consumer information. The Massachusetts law broadly applies to: “Every person that owns or licenses personal information about a resident of the Commonwealth,” and requires such persons to develop “a comprehensive information security program that is written in one or more readily accessible parts.” It also contains safeguards to protect and encrypt confidential consumer information.

Lawyers who represent insurance companies in particular should take note of cybersecurity regulations promulgated in 2017 by the New York Department of Financial Services (DFS), which regulates the insurance industry. These new cybersecurity rules, which apply to all entities under DFS jurisdiction, including insurance companies, insurance agents, and banks, require encryption of all nonpublic information held or transmitted by the covered entity, and require each regulated company to appoint a chief information security officer, who must report directly to the board of directors and issue an annual report setting forth an assessment of the company’s cybersecurity compliance and any identifiable risks for potential breaches.

Of particular interest to law firms that represent financial institutions or are retained by insurance companies is section 500.11 of the new DFS regulations, which requires each covered entity to “implement written policies and procedures designed to ensure the security of information systems and non-public information that are accessible to, or held by third-parties doing business with the covered entity.” See . Thus, insurance companies that provide access to PII to third-party vendors must certify not only that their own information systems are adequate, but also that the information security systems of vendors, presumably including law firms with whom they do business, are also secure and protected. In other words, law firms who do business with regulated financial service companies are expected to comply with the cybersecurity standards of their represented clients.

Conclusion

As explained above, the rules of professional conduct require a fact-based inquiry and disclosure to those clients whose material data is known or reasonably suspected to have been accessed by an intruder. A law firm’s duty to notify clients about a data breach depends on the severity of the breach, the level of knowledge the lawyer has about the breach, and the materiality of the improperly accessed data. The consensus of the organized bar, as exemplified in the ethics opinions discussed above, recommends client notification of a data breach affecting clients’ confidential data that are material and reasonably suspected to have been accessed, disclosed, or lost.

The materiality of the data and their importance to the client are fact-specific. For example, if the intruder accessed the first draft of a brief filed 18 months ago in a closed case, ABA Ethics Opinion 483 probably would not require notice. On the other hand, a nonpublic client’s private financial statement, current merger plans, misconduct by the client’s CFO, or a nonpublic sexual harassment complaint would probably be the sort of information that a corporate client would reasonably consider material and expect to be notified about in the event of a breach. However, lawyers should ensure that they comply with clients’ litigation management guidelines, which may require notifications in situations broader than those required in bar association ethics opinions.

Law firms should proactively prepare for a future cyber intrusion and mitigate their risk by preparing a breach notification plan. In the event of a breach, law firms can avoid or mitigate professional malpractice claims by notifying their cyber insurance carriers, undertaking a prompt and thorough investigation, and employing third-party breach mitigation experts. Prompt and diligent disclosure to clients of the breach may also help mitigate the risk and severity of litigation.


Jennifer Goldsmith is vice president, professional liability claims, at Ironshore Insurance, an attorney at law, and a graduate of The George Washington University Law School. David Standish is a graduate of New York Law School, an attorney admitted in New York, and an assistant vice president and cyber/tech claims manager at Ironshore Insurance. Barry Temkin is a partner at Mound Cotton Wollan & Greengrass in New York, an adjunct professor at Fordham University School of Law, and immediate past chair of the New York County Lawyers’ Association Committee on Professional Ethics. The views expressed in this article are the authors’ alone and do not reflect the views of Ironshore Insurance, Fordham University, or the New York County Lawyers’ Association.

The foregoing information is for informational purposes only. It is not a substitute for legal advice from a licensed attorney, nor does it create an attorney-client relationship. The authors disclaim all liability arising out of this resource.

The Evolving Employment Landscape for People With Disabilities: New Opportunities in a Time of Workplace Readjustment

October 2020 was the 75th observance of National Disability Employment Awareness Month (NDEAM), annually administered by the U.S. Department of Labor as part of its efforts to ensure that employers include and accommodate workers with disabilities in the workplace. This year’s NDEAM is especially noteworthy given its coincidence with the 30th anniversary of the signing of the Americans with Disabilities Act. It also carries deeper significance in light of the COVID-19 pandemic and the ongoing national reflection on issues of diversity, opportunity, and social justice.

According to the Centers for Disease Control and Prevention, more than one in five Americans lives with a disability, and although Title I of the ADA legally prohibits employers from discriminating against people with disabilities, disabled workers remain severely underrepresented in the workforce. Although employment statistics for people with disabilities have gradually improved in recent decades, the pandemic has reversed many of these gains, in recent months driving the unemployment rate for disabled workers to nearly double the national average, according to Bureau of Labor Statistics data.

Despite the pandemic’s hardship for so many American workers and for workers with disabilities in particular, its upheavals have also presented opportunities for change and greater inclusion in the labor market as the nation recovers. Out of necessity in recent months, vast numbers of people have transitioned to working from home. As a result, many have discovered something of the access barriers and logistical challenges that have long confronted workers with disabilities. In turn, ensuring workplace accessibility has quickly become a priority for a much broader segment of the American workforce in an effort to reduce the disruptions posed by the virus and physical separation.

This newfound commitment to accessibility among nondisabled workers can ultimately benefit workers with disabilities as well. The proliferation of people working from home and connecting remotely has helped more individuals from diverse backgrounds to access work environments that might previously have been off limits. For example, working from home may present opportunities for people with mobility or visual disabilities who might otherwise have difficulty traveling to a distant office. Likewise, an employee with a speech or hearing disability may thrive in meetings held via online platforms, using chatboxes to more easily ask questions and communicate with colleagues.

With workplace routines changing, savvy employers will realize that anyone with the right setup and environment is able to do the work required, and that in many cases physical presence in an office may no longer be an essential job function. Companies may reconsider outdated practices and routines and recognize that jobs are not necessarily made harder by people performing them a bit differently. Particularly in these challenging times, employers may better appreciate the determination and creativity that people with disabilities bring to their work. Indeed, disabled workers are innovative by nature, routinely improvising solutions and workarounds in order to meet the demands of the workplace and of life in general. Workers with disabilities can bring the sort of creative thinking and unique perspectives that can help businesses be more productive and competitive in an uncertain environment.

This underscores a broader point understood by many companies: workplace diversity is not simply a matter of social responsibility or obligation, but an asset that makes businesses stronger. Companies looking to attract and advance more workers with disabilities can leverage practices from their diversity and inclusion programs in order to do so. This can include expanding recruiting efforts, a cultural commitment to inclusion, promoting disability awareness to enhance trust and communication for workers with disabilities, and consistently prioritizing accessibility to ensure that employees with disabilities can make full use of their talents. Any inconvenience or expense that a company may incur in maintaining barrier-free spaces or accessible technology is typically minimal and vastly outweighed by the blessings of a diversely talented workforce. Companies that thoughtfully and consistently furnish their workers with the tools and accommodations they need create a win-win situation, as individual employees can rise to their full potential and can collectively help their companies to achieve a marketplace edge.

Contract Attorneys Are in High Demand

As companies continue settling into new work environments and business patterns, their law firms and legal departments are being asked to step in on a variety of fronts. In many cases, these legal advisers are reinforcing their own teams with contract attorneys to help them address not only immediate issues triggered by the coronavirus pandemic, e.g., shoring up expertise gaps in areas such as employment and cybersecurity, but also longer-term matters related to contract breaches and corporate restructurings.

Some of the areas of expertise in particularly high demand are discussed below.

Employment experience. When employees were sent home to work due to the COVID-19 pandemic, businesses scrambled to get everyone set up with the technology and security they needed. If they remained open, they needed to look at their workplace through the lens of protecting their employees from potential physical harm. In each of these cases, employment policies and protections have come under intense scrutiny. Sound legal counsel is essential to getting it right.

Among other tasks, employers have amended or replaced their employee handbooks to reflect new protocols for work schedules, approved equipment, and security procedures, as well as flexible solutions for employees who now hold caregiving responsibilities at home. Companies with a continuing on-site presence must also incorporate appropriate health screening measures and set out standards for workplace safety and hygiene.

These companies are calling in lawyers with employment expertise to help them rewrite their policies and handbooks; review, draft, and negotiate staffing agreements; and manage claims filed by employees. What kind of claims? Workers’ comp, OSHA, CARES Act—you name it. In fact, here is a partial list of the types of claims we are seeing in the employment space:

  • COVID-19 exposure, such as workplace safety and health, and OSHA whistleblower claims
  • WARN Act and EEOC claims related to terminations or furloughs
  • Labor law claims with the NLRB
  • Coronavirus Aid, Relief and Economic Security (CARES) Act and Families First Coronavirus Response Act (FFCRA) claims for paid sick/emergency family leave
  • Retaliation claims
  • Disability accommodation claims
  • Wage and hour claims related to working from home
  • Claims from nonessential workers who have been required to come to work
  • Wrongful death and injury claims

The speed with which employers have had to adapt their businesses and policies has left many open to labor and employment litigation. Lawyers who can help them sort it all out are in tremendous demand.

Cybersecurity, SaaS, privacy and GDPR expertise. Working remotely has created a sea of security challenges for businesses, which are tasked with putting systems and processes into place to protect their data, networks, and employees.

For starters, as employees are now required to conduct business virtually, they are using communication technologies that may be new to them. They need guidelines for using these technologies securely and understanding any potential for data breaches or other cybercriminal activity. Without the stringent security protocols of their corporate offices, these employees may become far more vulnerable to scams such as phishing, which aims to trick them into exposing sensitive company data. Attorneys with knowledge and experience in cybersecurity, privacy, and GDPR law are in high demand as new policies and agreements are put into place.

Software as a service (SaaS) agreements have become a hot-button issue as well. Companies are increasingly turning to SaaS solutions to satisfy their software needs, and drafting these complex agreements to protect client interests requires specialized knowledge.

Niche experience. Fallout of the pandemic looks different depending on the industry, and so lawyers with niche experience are in high demand. In the financial industry, for example, companies are seeking additional help from lawyers versed in drawing up market data, credit and securitization, and consignment agreements. Law firms are looking for experience in investment management, private funds, asset management, and bankruptcy law.

Beyond these industry-specific needs, demand for complex commercial litigators is ramping up as breach of contract and other disputes are arising based on companies’ inability to fulfill certain obligations. We might also expect to see a growing need for real estate litigators as companies strive to renegotiate their lease agreements, and for M&A attorneys as strategic transaction opportunities arise in the wake of the pandemic.

Of course, in addition to offering support in these specialized areas, contract attorneys must also be technologically proficient. Automation plays an increasingly pivotal role within the law firms and corporate legal departments who engage such attorneys. Digitization helps organizations streamline processes and rein in costs; attorneys must be able to navigate databases and systems as part of their daily work. Tech-savvy contract lawyers will continue to be in demand for the foreseeable future.

Regardless of the legal challenges brought about by the COVID-19 pandemic, contract attorneys can provide businesses with a viable, cost-conscious approach to bolstering their knowledge, expertise, and experience.

A Development to Watch: California’s “Mini-CFPB” and Small Business Financing

In late September, California enacted the California Consumer Financial Protection Law (“CCFPL”), which renamed the California Department of Business Oversight (now the California Department of Financial Protection and Innovation) and granted the department broad authority “to regulate the offering and provision of various consumer financial products or services under California consumer financial laws” and to “exercise nonexclusive oversight and enforcement authority under California consumer financial laws and, to the extent permissible, under federal consumer financial laws.”[1] Modeled off of the federal Consumer Financial Protection Bureau (“CFPB”), some have dubbed the newly named Department of Financial Protection and Innovation (“Department”) a “mini-CFPB.”

In addition to granting the Department broad oversight and enforcement authority, the CCFPL makes it unlawful for a “covered person” or “service provider” to engage, have engaged, or propose to engage in any unlawful, unfair, deceptive, or abusive act or practice (“UDAAP”) with respect to “consumer financial products or services.”[2] The CCFPL gives the Department extensive rulemaking authority to implement the new law. For example, the Department may by rule identify acts or practices that the Department deems unlawful, unfair, deceptive, or abusive in connection with any transaction with a consumer for a consumer financial product or service.[3] In the provision giving the Department UDAAP rulemaking authority for consumer financial products or services, the CCFPL requires the Department to interpret the terms “unfair” and “deceptive” in a manner that is consistent with Section 17200 of the California Unfair Practices Act[4] and case law thereunder.[5] The CCFPL adopts the broad definition of “abusive” acts or practices that appears in Title X of the Dodd–Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd–Frank Act”) and instructs the Department to interpret the term “abusive” in a manner that is consistent with the Dodd–Frank Act.[6]

The aforementioned UDAAP rulemaking provision and most of the other rulemaking provisions in the CCFPL permit the Department to promulgate rules applicable to persons involved with “consumer financial products or services,” defined, in relevant part, as “a financial product or service that is delivered, offered, or provided for use by consumers primarily for personal, family, or household purposes.”[7] Despite the law’s name and the scope of its focal provisions, the CCFPL gives the Department the authority to identify by rule UDAAPs in connection with small business financing products and to require data collection and reporting on small business financing products. Specifically, the CCFPL permits the Department to:

Define unfair, deceptive, and abusive acts and practices in connection with the offering or provision of commercial financing, as defined in Section 22800(d), or other offering or provision of financial products and services to small business recipients, nonprofits, and family farms. The rulemaking may also include data collection and reporting on the provision of commercial financing or other financial products and services.[8]

The CCFPL incorporates the definition of “commercial financing” from the relatively new California Commercial Financing Disclosure statute, which term covers a host of small business financing products such as merchant cash advances, asset-based lending, commercial loans, commercial revolving credit, and lease financing.[9] These products typically do not meet the definition of “consumer financial products or services” in the CCFPL and persons involved with these products should not be “covered persons” or “service providers” subject to other provisions of the CCFPL.

The Department’s “surprise” UDAAP and data collection rulemaking authority for small business financing products does not directly affect all small business financing providers. The CCFPL exempts a number of regulated entities including, but not limited to, banks, California-licensed finance lenders and California-licensed finance brokers.[10] However, a future rule could apply to merchant cash advance providers, unlicensed (but legal) loan brokers, and other non-exempt vendors that provide services in connection with the offering or provision of small business financing products. Because vendors supporting small business financing products could be subject to a future UDAAP or data collection rule by the Department, exempt entities may be indirectly affected by a future rule.

On the federal level, the Federal Trade Commission (“FTC”) has asserted its broad jurisdiction under the Federal Trade Commission Act and other laws “to stop deceptive, unfair and other unlawful practices by small business financing providers and their marketers, services or collectors.”[11] In mid-September, the CFPB released and sought comments on an outline of proposals to implement Section 1071 of the Dodd–Frank Act, which requires financial institutions to collect select data in connection with credit applications by women-owned, minority-owned, and small businesses and to report the data to the CFPB annually.[12] Whether and to what extent the FTC’s use of its unfair or deceptive acts or practices authority and the CFPB’s promulgation of a small business data collection rule will impact the Department’s use of its rulemaking authority for small business financing remains to be seen.  Of course, as a populous, individual protections-oriented state, California’s use of its UDAAP and data collection rulemaking authority could influence the actions of federal agencies with similar authority and other states. The Department’s use of its new rulemaking authority for small business financing is a development to watch. The CCFPL becomes effective on January 1, 2021.


[1] Cal. Fin. Code § 90006(a).

[2] Id. § 90003(a).

[3] Id.

[4] Cal. Bus. & Prof. Code § 17200.

[5] Cal. Fin. Code § 90009(c)(1).

[6] Id. § 90009(c)(2)-(3).

[7] Id. § 90005(e)(1).

[8] Id. § 90009(e).

[9] Id. § 22800.

[10] Id. § 90002.

[11] Strictly Business: A Staff Perspective, Fed. Trade Commission (February 2020), https://www.ftc.gov/system/files/documents/reports/staff-perspective-paper-ftcs-strictly-business-forum/strictly_business_forum_staff_perspective.pdf/.

[12] Consumer Financial Protection Bureau Releases Outline of Proposals Under Consideration to Implement Small Business Lending Data Collection Requirements, Cons. Fin. Protection Bureau (Sept. 15, 2020), https://www.consumerfinance.gov/about-us/newsroom/cfpb-releases-outline-proposals-implement-small-business-lending-data-collection-requirements/.

Taking a Stand on Racial Justice and Equality

A few weeks ago, we launched a series of articles on the commitments and contributions of business to racial justice and equality.[1] As this is written, almost five months have passed since the death of George Floyd, and the world is awash in public statements by businesses and their leaders, many of which were issued just days or weeks after Floyd’s death. If someone wanted to say something, he or she should have said it by now. Nonetheless, it is important to consider the process of “taking a stand” since words will be closely scrutinized and serve as foundational guidance for all the actions that follow. 

Whether or not to take a public stance on political or social issues and on events such as those that have played out following Floyd’s death is often a difficult decision for companies, many of which are concerned about alienating certain groups of customers by associating their brands with “controversial” positions on sensitive issues that are dividing society. However, pressure from employees, consumers, and investors has been building in recent years for business leaders to explain where they stand and how their values are being incorporated into the decisions they are making about products, messaging, their treatment of their workers, and community relationships. 

While there is a risk of losing those who may not agree with their positions, companies argue that taking a stand is a moral imperative and that the overall health of the business will improve over the long term as a result of building a stronger personal connection with employees and customers. Floyd’s death and the protests that followed marked a tipping point for many companies, pushing them to go on the record regarding racial injustice. As Netflix explained on Twitter: “To be silent is to be complicit. Black lives matter. We have a platform, and we have a duty to our Black members, employees, creators and talent to speak up.”

Unfortunately, we can be reasonably certain that the events surrounding George Floyd’s death will not be the last time that business leaders need to consider whether to “take a stand” and how it should be done. In those situations, businesses are understandably under pressure to respond quickly. However, it is important to avoid being too reflexive and making public statements that are not supported by solid research and thoughtful dialogue with the company’s own stakeholders. A good deal of the debate and dialogue on what governments, police departments, communities, and businesses should be doing in the wake of George Floyd’s death was focused on systemic racism and racial injustice. A review of the news makes it clear that these are, and will remain, much debated and highly contentious concepts in America. It is also apparent that there are political leaders who concede that Floyd’s killing was wrong while denying that systemic racism exists or is a problem. 

While business leaders can, like any other citizen, weigh in on that debate, their first obligation is to do the research on their own that is required for them to understand the potential flash points. The landscape is quite broad. Consider one well-known definition of systemic racism offered by Joe Feagin and used in sociology:[2]

Systemic racism includes the complex array of anti-black practices, the unjustly gained political-economic power of whites, the continuing economic and other resource inequalities along racial lines, and the white racist ideologies and attitudes created to maintain and rationalize white privilege and power. Systemic here means that the core racist realities are manifested in each of society’s major parts . . . each major part of U.S. society—the economy, politics, education, religion, the family—reflects the fundamental reality of systemic racism.

Additional arguments and empirical support for the existence of systemic racism and its adverse impact on people of color can be found in a wide range of sources, including surveys compiled by Balko and Cole.[3] Moreover, according to a poll published in June 2020 by Edelman, a public relations firm, nearly two-thirds of Americans, including 57 percent of whites, were “very” or “extremely” concerned about systemic racism. In addition, big majorities of both blacks and whites expressed hostility toward “performative activism,” or posturing in which companies made flowery statements but failed to take meaningful actions. The respondents also made it clear that silence was not a good option: Over half of the whites surveyed expected brands to take a stand on racial justice, and over two-thirds of the Republicans who answered said a company’s response to the protests following the George Floyd killing would determine whether its brand kept or gained trust.[4] A June 2020 Harris Poll found that 82 percent of Americans thought that it was either “very” or “somewhat important” for companies to work on making a positive difference on racial equality, and sizable numbers of the respondents called on companies to incorporate their views into advertising, speak out on racial equality, do business with others that share similar standards when it comes to combating racial inequality, and contribute to organizations that combat racism. However, only 21 percent of the respondents to the Harris Poll felt that companies had actually made a “very positive” impact, and many in the survey called out companies for failing to do enough to increase diversity in their leadership or to make meaningful efforts internally to address racial equality.[5]

However, contrary views should also be sought out and considered in order to anticipate objections to actions that may be proposed by political, community, and business leaders. For example, in an essay on lessons for talking about race, racism, and racial justice, The Opportunity Agenda listed several “counternarratives” that commonly appear in discussions regarding racism: “racism is ‘largely’ over or dying out over time,” “people of color are obsessed with race,” and “civil rights are a crutch for those who lack merit or drive.”[6] An op-ed piece published in the Wall Street Journal on June 2, 2020, which was widely circulated on social media, agreed that police officers should be held accountable for using excessive force, but argued that there was no evidence of widespread racial bias.[7] Business leaders should not get too bogged down in arguing each of these points, but they do need to be mindful of what some others might be thinking as they set out to engage in meaningful conversations to develop responses that can be implemented with broad societal support. No statement will be universally accepted, since independent and scientifically based polling continuously identifies different perspectives and experiences between the members of different racial groups and disagreements among them regarding preferred policy solutions.[8]

In its guidance on talking about race, racism, and racial justice, The Opportunity Agenda counseled leading with shared values, including justice, opportunity, community, and equity, all of which are aspirations that should be universally acknowledged regardless of race. The purpose of this approach is not to avoid difficult discussions regarding race, but rather to focus on potential solutions. The Opportunity Agenda also recommended describing how racial bias and discrimination are a problem for everyone in society and prevent society from realizing its full potential. According to surveys cited by The Opportunity Agenda, eight in ten Americans believe that society functions better when all groups have an equal chance in life. Another way to increase engagement with the issues surrounding racial injustice is to remind others of instances in which they may have felt excluded. This is a powerful approach given that there is evidence that six in ten Americans have reportedly felt discriminated against at one time or another on the basis of race, ethnicity, economic status, gender, sexual orientation, religious beliefs, or accent.[9]

In his advice to CEOs and directors on how they can lead on racial injustice, Scott pointed out that, while words alone were not a sufficient response to the situation, a company’s stakeholders, from employees to customers to community members, expect that its leaders will speak out and clarify the company’s position. The tone and content of the messaging will vary, but it should be made clear that the company supports racial justice and is committed to taking tangible and measurable actions to embed equity and diversity into its organizational culture and the actions to be taken with respect to operations and relationships with stakeholders. Like others, Scott argued that statements from company leaders are important cues to everyone in the organization as to what will be expected of them and how they should act.[10]

Although business leaders certainly need to look inward to their own experiences and values while working on the company’s public position on racial injustice, and must settle on a statement that is aligned with their personal values, they need not work in a vacuum. The actions that the company ultimately takes in furtherance of its position will necessarily be a collective effort involving everyone in the organization. The CEO should create a special working group to develop the company’s initial action plans relating to racial justice, ensuring that there is diverse representation in the group who can understand the concerns raised by stakeholders and identify and implement solutions that will truly be seen as responsive by those who have been most pained by past experiences. In addition, leaders should reach out to others who can help them understand the underlying issues and provide feedback on the steps that might be taken in formulating and executing the company’s commitments. Scott recommended that business leaders (i.e., directors and CEOs) seek advice on handling racial inequalities from their peers at other companies, perhaps borrowing from initiatives that those companies have already launched to address the issues the company is facing. Companies should also be prepared to turn to qualified and experienced outside consultants and advisors to assist in the process, recognizing that existing internal expertise may not be sufficient.

The leaders’ initial public statements regarding the company’s position on racial injustice should be amplified in a series of internal events that allow leaders to meet face to face with people from all parts of the organization to discuss the stated position and solicit input on specific initiatives the company should take to fulfill its commitments. These events create an opportunity to reinforce the company’s position, providing employees with ideas about how they should act and the factors they should consider when making decisions during their day-to-day activities. This will also give employees a sense of participation in the process. Employees should be encouraged to share their own experiences of racial injustice, both inside the workplace and outside in the world they live in. However, because many employees may be uncomfortable holding these conversations in a group setting, it is important that the company develop processes that employees can use to share their experiences anonymously. Including people of color as spokespersons for the company’s racial justice initiatives lends credibility to the efforts. Yet, they should not be asked to defend or justify past missteps, nor should they be prevented from explaining their own pain and discomfort.

At the same time as leaders are meeting with employees, engagement should be continued with external stakeholders who can provide insights into how the company has been handling situations in which racial justice issues might arise. For example, consideration should be given to how the company has treated customers (e.g., have there been complaints of racial discrimination against customers, either in how products and services are provided or in the ability of people of color to readily access the company’s products and services?). Dialogue should be undertaken with legitimate representatives of community groups to understand how the company is perceived by those who live and work in the neighborhoods where the company operates. Investors should be consulted and are increasingly likely to insist that their portfolio companies establish and report on specific targets relating to diversity and inclusion. Business leaders should also reach out to partners up and down their value chains to understand their responses to the situation. There might be opportunities to collaborate with these partners on racial justice initiatives. Moreover, companies also need to be certain that they are not exposed to reputational damage from affiliation with businesses that engage in practices that undercut diversity and inclusion.


[1] Alan S. Gutterman is the Founding Director of the Sustainable Entrepreneurship Project (www.seproject.org), a California nonprofit public benefit corporation with tax-exempt status under IRC section 501(c)(3) formed to teach and support individuals and companies, both startups and mature firms, seeking to create and build sustainable businesses based on purpose, innovation, shared value, and respect for people and the planet. Alan is also currently a partner of GCA Law Partners LLP in Mountain View, California (www.gcalaw.com) and a prolific author of practical guidance and tools for legal and financial professionals, managers, entrepreneurs, and investors on topics including sustainable entrepreneurship, leadership and management, business law and transactions, international law, and business and technology management. He is the co-editor and contributing author of several books published by the ABA Business Law Section, including The Lawyer’s Corporate Social Responsibility Deskbook, Emerging Companies Guide (3rd Edition) and Business and Human Rights: A Practitioner’s Guide for Legal Professionals (Forthcoming Fall 2020). More information about Alan and his work is available at the Project’s website and his personal website at www.alangutterman.com. This article is adapted from the chapter on Racial Equality and Non-Discrimination recently released on the Project’s website: https://seproject.org/wp-content/uploads/2020/07/EDI-_C1-Racial-Equality-and-Non-Discrimination.pdf.

[2] J. Feagin, Racist America: Roots, Current Realities, and Future Reparations (New York: Routledge, 2010).

[3] R. Balko, There’s Overwhelming Evidence That the Criminal-Justice System Is Racist. Here’s the Proof, THE WASHINGTON POST (April 10, 2019), https://www.washingtonpost.com/news/opinions/wp/2018/09/18/theres-overwhelming-evidence-that-the-criminal-justice-system-is-racist-heres-the-proof; and N. Cole, Definition of Systemic Racism in Sociology, ThoughtCo. https://www.thoughtco.com/systemic-racism-3026565.

[4] The Great Awakening?, THE ECONOMIST (June 13, 2020), 49.

[5] Americans to Companies: Do More for Society (The Harris Poll), https://theharrispoll.com/americans-to-companies-do-more-for-society.

[6] Eight Lessons for Talking about Race, Racism and Racial Justice, The Opportunity Agenda (June 2020), https://www.opportunityagenda.org/explore/resources-publications/lessons-talking-about-race-racism-and-racial-justice.

[7] H. McDonald, The Myth of Systemic Police Racism, WALL STREET JOURNAL (June 2, 2020), https://www.wsj.com/articles/the-myth-of-systemic-police-racism-11591119883. See also R. Merry, What Is “Systemic Racism,” Really?, THE AMERICAN CONSERVATIVE (June 8, 2020), https://www.theamericanconservative.com/articles/what-is-systemic-racism-really.

[8] Poll: Americans’ Views of Systemic Racism Divided by Race (University of Massachusetts Lowell, September 23, 2020), https://phys.org/news/2020-09-poll-americans-views-racism.html.

[9] Eight Lessons for Talking about Race, Racism and Racial Justice, The Opportunity Agenda (June 2020), https://www.opportunityagenda.org/explore/resources-publications/lessons-talking-about-race-racism-and-racial-justice.

[10] M. Scott, Practical Tips: How CEOs and Directors Can Lead on Racial Injustice, CHIEF EXECUTIVE (June 5, 2020).