Although most of the nation has been anxiously watching the stock market and daily coronavirus updates from White House officials, some business owners have been sidetracked with captive insurance issues. For many business owners who participate in micro-captive insurance programs, and as highlighted in the March 20th issue of the New York Times, the recent cessation of business has prompted a review of captive coverages to determine whether relief can be provided in the form of a claim for business interruption.[1]

However, news coverage of micro-captives was almost immediately followed by the receipt of IRS Letter 6336 (the Micro-Captive Soft Letter) by many captive owners and their insureds. Similar to the up and down of the stock market, micro-captive owners and insureds are now wondering whether they can seek monetary relief for business interruption through their micro-captives, but are at the same time confused as to their exposure for federal and state income tax liabilities. The current environment for micro-captive owners requires examining micro-captive policies to not only determine whether relief is available, but also to avoid losing sight of any potential tax issues, including reporting requirements.[2]

Potential for Abuse. Tax law generally allows businesses to create “captive” insurance companies to cover certain risks that are otherwise unavailable or expensive to cover in the commercial market. The insured company benefits by obtaining the additional coverage and deducting the premiums paid to the captive insurer. Upon making an election under section 831(b) of the Internal Revenue Code, the captive insurer may exclude the premiums from income.

According to the IRS, in abusive micro-captive insurance structures, the relationship might lack the attributes of genuine insurance. For example, coverages might insure implausible risks, fail to match genuine business needs, or duplicate the taxpayer’s commercial coverages. Premium amounts might be unsupported by actuarial analysis or geared toward a desired deduction amount, and policies might contain vague and ambiguous terms, or otherwise fail to meet industry standards. Further, premiums for policies that do not result in claims, but generate income tax deductions (at ordinary income tax rates to the insured), and are accumulated for future distribution (at capital gain rates) to family members or trusts created for their benefit, entirely sidestepping transfer taxes in the process, have also been identified by the IRS as potentially abusive.[3]

Continuing IRS Pressure. The soft letters recently issued are one tool the IRS uses to obtain information from taxpayers as well as advisors. The IRS has previously indicated that soft letters might be used as a tool for enforcement, and has recently used soft letters as an enforcement tool in its cryptocurrency campaign. Other methods of enforcement utilized in IRS campaigns include issue-based exams as well as practitioner outreach.

Micro-Captive Soft Letter. The Micro-Captive Soft Letter puts the taxpayer on notice that (a) the taxpayer has been identified as participating in a micro-captive; (b) several consecutive tax court rulings have issued in favor of the IRS; and (c) the IRS is increasing enforcement activity, which will entail opening additional examinations. The Micro-Captive Soft Letter then requests that if the taxpayer is “no longer claiming a deduction or other tax benefit for any micro-captive,” the taxpayer “must” sign a statement under the penalties of perjury indicating whether the taxpayer is still “participating” in a captive and the year the taxpayer last took a deduction or other “tax benefit” associated with the captive.

If the taxpayer is continuing to participate in a micro-captive, the Micro-Captive Soft Letter reminds the taxpayer to continue to disclose participation in the transaction on Form 8886. Additionally, it recommends that the taxpayer seek independent, competent counsel prior to filing 2019 tax returns, and to consult on whether the taxpayer should amend prior-year returns for improper deductions or tax benefits.

The IRS informs the taxpayer that complying with the terms of the letter will be considered in any future enforcement action. When filing amended returns, the IRS requests the taxpayer to write “Micro-captive” on the top of the amended tax return. The IRS closes its letter by stating that if prior years are amended, such amendments could be qualified amended returns (QAR). The IRS states that the Micro-Captive Soft Letter does not constitute an examination for purposes of the rule negating a QAR if the taxpayer has already been contacted by the IRS concerning any exam with respect to the tax return. This means the IRS will not seek penalties (under the first-contact exception to the QAR rules) if the IRS subsequently opens such years for exam. This benefit can be incredibly helpful in that the IRS has been seeking a 20-percent penalty and up to a 40-percent (nondisclosure of noneconomic substance) penalty for understatements resulting from denied micro-captive deductions. It is also worth noting that a transaction lacking economic substance carries with it strict liability for such penalties, notwithstanding an advisor’s opinion letter.

Micro-Captive Soft Letter Side Effects. The recent developments described above could have various impacts on the micro-captive industry. First, the soft letters might have a psychological effect making micro-captives and the associated management fees that go along with it seem decidedly less attractive. This in turn might impact revenue for those that rely primarily on the tax election as a source of business. See Endeavor Partners Fund, LLC v. Comm’r of Internal Revenue, 115 T.C.M. (CCH) 1540 (T.C. 2018), aff’d, 943 F.3d 464 (D.C. Cir. 2019) (“Recognizing that the IRS notices accurately described POPS and PICO, Bricolage advised its clients that the notices were only a statement of the IRS’ position, not a change in law. But the notices effectively eliminated demand for Bricolage products, forcing it to abandon many planned transactions. Bricolage accordingly began to wind down its activities.”). Second, some taxpayers might follow the IRS’s advice and seek independent counsel, who might suggest filing amended returns. This advice could be completely at odds with the advice that might be provided by a captive management company, thereby creating a quandary for the taxpayer as to who to trust. Further, conflicted advisors who are contacted by taxpayers might assist in procuring “independent” counsel, subject to the conflicted advisor’s “vetting process.” However, these advisors may not be viewed by the court as being truly independent, weakening the taxpayer’s defense against penalties. Consequently, it is likely that the industry will be divided into camps, where some will advise taxpayers to seek independent advice, and others, such as some promoters, will advise taxpayers that the latest IRS letter is a nothing more than the same IRS bullying. Their advice may be to ignore the letter and “wait it out,” given that the IRS has limited resources. Notwithstanding limited resources, LBI memo 4 14 2020 provided the campaign against micro-captives will continue, including opening new audits, despite the general postponement of new returns examinations until July 15, 2020.[4]

Signing under Penalty of Perjury. This particular signature carries with it important ramifications. In addition to perjury statutes of general applicability, an IRS-specific perjury statute, 26 U.S.C. § 7206(1), subjects false sworn statements to the IRS to fines of up to $100,000 ($500,000 in the case of a corporation) and imprisonment for up to three years. Consequently, any prevarication concerning continued participation in or tax benefits received from a micro-captive program could subject a taxpayer to criminal penalties, even if the program is otherwise defensible.

Parallel Investigations. The potential for criminal exposure provides further reason to heed the IRS’s advice and consult knowledgeable and experienced independent counsel. Indeed, unbeknownst to soft letter recipients, if the IRS suspects fraud, a criminal investigation could be proceeding in the background. The IRS routinely conducts such simultaneous civil and criminal investigations. Such parallel investigations are conducted separately, but whereas IRS policy forbids criminal investigators from directing actions in the civil investigation, the civil and criminal functions conduct regular “coordination meetings” to “facilitate sharing important case developments.”[5] IRS policy dictates that “[s]haring information between revenue officers and government attorneys assigned to the case is a key ingredient in developing civil and criminal cases simultaneously and efficiently.”[6] Therefore, in deciding whether and how to respond to the soft letter, counsel should consider the potential for criminal exposure, and in particular, whether to inquire about the existence of a criminal investigation, given that IRS policy forbids revenue officers from misleading taxpayers in this regard—though, a word to the wise, it also essentially directs revenue officers to avoid giving a straight answer to such an inquiry.[7]

Next Steps. Micro-captive owners should engage in a cost-benefit analysis with respect to the execution of the Micro-Captive Soft Letter. Although the response date is May 4^th, the IRS recently informed the press that the response date has been automatically extended to June 4^th, an extension that has also been confirmed by revenue agents working the Micro-Captive Soft Letter hotline. (According to hotline agents, this extension should be posted to the IRS website soon.)  The micro-captive owner must consider whether to respond because submitting the letter technically is not required. Additionally, the micro-captive owners should consider their exposure if audited and penalties are imposed, in addition to exposure to criminal penalties. All of this should be considered in light of the micro-captive owner’s particular facts and circumstances and the established precedent of the recent tax court opinions that found in favor of the IRS. Although one tax court opinion is currently being appealed, holding out hope for a favorable appeal does not help now, nor does it guarantee that a favorable ruling will be applicable to every micro-captive’s unique facts and circumstances.

[1] The New York Times, March 20, 2020.

[2] The United States Supreme Court accepted review of the Sixth Circuit’s divided decision in favor of the IRS and its reporting requirements under Notice 2016-66.  See CIC Services, LLC v. Internal Revenue Service, et.al., 19-930.

[3] I.R.S. Info. Rel. 2019-47, Mar. 19, 2019.

[4] Memo from LB&I Commissioner to all LB&I employees regarding “LB&I Compliance Priorities During the COVID-19 Pandemic” dated April 14, 2020.

[5] IRM §§ 5.1.5.2 (Parallel Investigations) (12-16-2014), 5.1.5.6 (Coordination Meetings) (08-03-2009).

[6] IRM § 5.1.5.9 (Information Sharing) (08-03-2009).

[7] IRM § 5.1.5.7(3) (Interviews) (08-03-2009).

A new opinion provides insight into the SEC’s regulation-through-enforcement approach toward ICOs.[1] Digging into the facts of a potentially billion-dollar cryptocurrency raises questions, and provides a few answers, about cryptocurrency sales.

In SEC v. Telegram Group Inc. & TON Issuer Inc., 19-cv-9439 (PKC) (S.D.N.Y. Mar. 24, 2020), the district court ruled in favor of the SEC in a motion for preliminary injunction against the issuance of a new cryptocurrency by Telegram Group Inc. (Telegram). The court found that the SEC showed a substantial likelihood of success in proving that Telegram’s plan to distribute the cryptocurrency would be an offering of securities to which no exemption applies. Telegram’s cryptocurrency would have been one of the most important in the industry, and the court’s ruling provides insight into the legal treatment of cryptocurrency, in particular the nature of decentralization and blockchain governance.

Telegram runs a messaging service (Messenger) popular in cryptocurrency circles due to its heavy encryption and distributed server network. It is used worldwide and claims a user base of 300 million. The company runs largely without charging fees or displaying advertisements and is funded from the founders’ personal wealth. In 2017, the company began to develop a blockchain and a digital asset—the TON (Telegram Open Network) Blockchain and Grams, respectively, to be integrated with Messenger. The distribution of the Grams is the focus of the SEC’s enforcement action.

Grams Token Distribution Plan

The initial supply of Grams was intended to be limited to five billion, all of which would be initially held by Telegram. Telegram intended to distribute the Grams in several rounds.

Initial Purchasers. Round one consisted of the sale of 2.25 billion Grams to 81 purchasers (Round 1 Purchasers) for $850 million, or approximately $0.38 per Gram. Round 1 Purchasers were subject to a staged lockup period, ending three, six, twelve, and eighteen months after launch of the TON Blockchain. In round two, Telegram sold 700 million Grams to 94 purchasers (Round 2 Purchasers, and together with the Round 1 Purchasers, the Initial Purchasers) for $850 million, or approximately $1.33 per Gram. In total, the Initial Purchasers would hold 58 percent of the Grams upon launch of the network. Telegram filed Form Ds for the sales to Initial Purchasers and claimed an exemption under Rule 506(c).

Incentive Reserve. According to promotional materials, Telegram intended to retain four percent of the Grams for Telegram developers building the TON Blockchain, including one percent for each of the two founders. Further, Telegram stated that 10 percent of Grams would be reserved for incentive programs, such as distributions to Messenger users.

TON Foundation. The remaining unallocated Grams, about 28 percent, were intended to be transferred to a to-be-created nonprofit, the TON Foundation. The TON Foundation would be tasked with control of such reserve and maintaining governance functions for the TON Blockchain. The TON Foundation would be controlled by a board, including the Telegram founders. If the TON Foundation is not established, then the reserve would be locked indefinitely.

The SEC’s Preliminary Injunction

Prior to the establishment of the TON Blockchain and distribution of the Grams, the SEC filed for a preliminary injunction in the Southern District of New York. The SEC claimed that such distribution would constitute an unregistered offering of securities under section 5 of the Securities Act of 1933 (the Securities Act). On March 24, 2020, the court granted the SEC’s motion for a preliminary injunction and found that the SEC showed a substantial likelihood of success in proving that the sales to the Initial Purchasers are part of a larger scheme to distribute those Grams into a secondary public market. In essence, the Initial Purchasers are “underwriters” under the Securities Act; therefore, Telegram is not entitled to rely on the exemption under Rule 506(c) of Regulation D.

Howey Analysis. Section 2(a)(1) of the Securities Act defines a “security” to include an “investment contract.” In turn, under the Howey test, the Supreme Court defined an “investment contract” as “a contract, transaction or scheme whereby a person invests his money in a common enterprise and is led to expect profits solely from the efforts of the promoter or a third party.” S.E.C. v. W.J. Howey Co., 328 U.S. 293, 298–99 (1946). Essentially, there are four prongs to the test: (1) investment of money, (2) common enterprise, (3) expectation of profit, and (4) efforts of another.

Two factors were key to the court’s finding that the distribution of Grams constituted an offering of securities. One, the success and continued development of the TON Blockchain, and therefore the functionality and usability of the Grams, was tied directly to Telegram’s operations and support. The proceeds from the sales to the Initial Purchasers was used to cover Telegram’s expenses, and the reserve would provide price support. Further, the success of the project depended on Messenger’s popularity among a large user base. Two, the Initial Purchasers did not seek to obtain the Grams for consumption, but for resale to the general public. Despite representations in the purchase agreements to the contrary, the court found that the economic incentives of the transaction evidenced an investment intent and expectation of profit.

Telegram argued that even if the sale to the Initial Purchasers was a security offering, once the Grams are available upon launch of the TON Blockchain, they would be commodities with a consumptive purpose, not securities.[2] The court disagreed and found that the initial contracts must be considered along with all related expectations and understandings, including subsequent distribution of the Grams. Viewed as a whole, the sale to the Initial Purchasers was with the purpose of a sale in the public market. Therefore, the court found the transaction to be “a disguised public distribution” and not eligible for exemption from registration under section 4(a)(2).

Key Takeaways

Endorsement of Decentralization Defense. Without citation, the court stated that “[i]n the abstract, an investment of money in a cryptocurrency utilized by members of a decentralized community connected via blockchain technology, which itself is administered by this community of users rather than by a common enterprise, is not likely to be deemed a security under the familiar test laid out in [the Howey test].” This is a seeming endorsement of the SEC’s position that a cryptocurrency on a “sufficiently decentralized” blockchain would not be considered a security.

William Hinman, Director of the SEC’s Division of Corporate Finance, has stated that:

If the network on which the token or coin is to function is sufficiently decentralized—where purchasers would no longer reasonably expect a person or group to carry out essential managerial or entrepreneurial efforts—the assets may not represent an investment contract. Moreover, when the efforts of the third party are no longer a key factor for determining the enterprise’s success, material information asymmetries recede. As a network becomes truly decentralized, the ability to identify an issuer or promoter to make the requisite disclosures becomes difficult, and less meaningful.[3]

If a cryptocurrency is decentralized, the last prong of Howey, whether the expectation of profit stems from the efforts of others presumably would not be satisfied. Although there is no accepted definition of “sufficient decentralization,” the court in the Telegram case suggests a test: whether the cryptocurrency would have the same “mass adoption, vibrancy and utility” that would enable the expected profits even if the issuer moved offshore and ceased operations. In the court’s opinion, the TON Blockchain failed this test.

The test as stated leaves something to be desired; it is vague and may not be reasonably attainable. Establishing a decentralized network would take time before there was sufficient adoption in the developer community to ensure such a test could be met. Even in the cases of Bitcoin and Ethereum (which are generally accepted as decentralized), the networks likely would have failed this test initially. Further, one could imagine an open-source protocol where the initial development team is unable to enact unilateral changes, either due to legal or technology restrictions, and there is involvement by a wider developer community, yet the cryptocurrency still relies on the initial team for its “vibrancy.”

Importance of Token Governance. In considering the “common enterprise” prong of the Howey test, one factor was that Telegram intended for the Gram reserve to be held by a to-be-established TON Foundation. Such foundation would hold the reserve—in effect providing monetary policy for the token—and hold governance responsibility for the TON Blockchain. The court found fault with this plan, however. One, Telegram was under no legal obligation to create the TON Foundation or transfer the Gram reserve if created. Two, even if the TON Foundation was created and the reserve transferred, there was no requirement that Telegram appoint an independent board.

Establishing a foundation to manage blockchain governance can help ensure the independence and integrity of the blockchain and related tokens. As with the Ethereum Foundation, a foundation can promote and support a cryptocurrency that is otherwise fully decentralized. Yet, as the court points out, there is a risk of capture by the token issuer if governance roles and rules are not established and enforceable prior to issuance. Further, if the foundation is responsible for sale of the token, there is a risk that it would find itself liable for violation of the securities laws. Nevertheless, a legally existing and independent foundation with established rules could weaken an argument that a cryptocurrency is an investment in a common enterprise.

Evaluate Distribution Scheme Based on Economic Reality. Finally, it is important to note that the court focused much more on the economic reality of the token distribution than the terms of the purchase agreements. In particular, the court found that economic incentives, such as discounts and lockup periods, were intended to ensure the resale and wider public distribution of the Grams—“a disguised public distribution.” Further, the nature of the sales displayed an investment intent, including the fact that the initial purchasers were professional investors, such as VC firms, that bought large numbers of Grams. This is despite inclusion of appropriate legal representations in the purchase agreements.

The opinion was well-reasoned and should be influential either on appeal or in future ICO cases. In the face of the preliminary injunction, Telegram is already considering appealing the decision[4] or selling the Grams solely to non-U.S. purchasers.[5] Although the future of the TON Blockchain is unclear, this ruling should provide insight for legal practitioners and developers of future cryptocurrencies.

[1] Alex Fader is the Chief Legal Officer, Salt Blockchain Inc., and Chair, Corporate Counsel Subcommittee of the CBA Business Law Section ([email protected]). The views expressed in this article reflect the author’s own and do not reflect the views of Salt Blockchain Inc.

[2] Notably, the CFTC weighed in on the commodity versus security question as well. In a February 18, 2020 letter to the judge in this case, the CFTC stated:

Digital currency is a commodity. See, e.g., CFTC v. My Big Coin Pay, Inc., 334 F. Supp. 3d 492, 495-98 (D. Mass. 2018) (citing cases); In re BFXNA Inc. d/b/a Bitfinex, CFTC Dkt. No. 16-19, 2016 WL 3137612, at *5 (CFTC June 2, 2016) (“Bitcoin and other virtual currencies are … properly defined as commodities.”). However, the Commodity Exchange Act (“CEA”), 7 U.S.C. §§ 1-26, provides that many securities are commodities to which the securities laws apply. Thus, any given digital asset may or may not be subject to the securities laws, but that does not depend on whether the asset is a commodity. It depends on whether the asset is a “security” within the meaning of the ’33 Act itself.

Robert A. Schwartz, Deputy General Counsel, Litigation, Enforcement & Adjudication, CFTC, Letter to Judge Castel, Re: SEC v. Telegram Group, Inc., et al., No. 1:19-cv-09439 (PKC) (Feb. 18, 2020).

[3] William Hinman, Dir., Div. of Corp. Fin., SEC, Remarks at the Yahoo Finance All Markets Summit: Crypto: Digital Asset Transactions: When Howey Met Gary (Plastic) (June 14, 2018).

[4] Nikhilesh De, Telegram Appeals Court Ruling Barring Gram Token Distribution, CoinDesk (Mar. 25, 2020).

[5] Anna Baydakova, Telegram Hopes It Can Still Sell Tokens to Non-US Investors After Court Ruling, Yahoo Fin. (Mar. 30, 2020).

The Olympic Games: an event that involves athletes from 206 countries competing in 33 different sports, each requiring specialized training and competition facilities, that must be completed in 17 days as half the people on the planet watch the exciting drama unfold. Think of the tens of thousands of contractual and other arrangements that go into the delivery of an event as complex as the Olympic Games.

The Games are awarded to the city selected by a majority of the members of the International Olympic Committee (IOC) from among candidate cities around the world approximately seven years prior to the date of the Games. The organizational aspects are set forth in a contract between the IOC, the host national Olympic committee, and the government of the host country. Tokyo was chosen in 2013 for 2020 Games, and the exact dates were identified shortly thereafter: July 24–August 9.

Once the dates are confirmed, everything turns on ensuring the Games will start and finish on those precise dates. There is no margin for error; everything must work perfectly—the first time. Using military terminology, the Games are a no-fail mission.

Athletes build their training around a fixed schedule: an athlete competing in the 100-meter dash, for example, knows precisely when the heats, quarter-finals, semi-finals, and finals will occur in order to achieve optimal performances during the Games. The international sport schedules in all Olympic sports are designed around the Olympic calendar so that all athletes are at their best for the Games.

Broadcasters, sponsors, spectators, transportation companies, hotels, meeting and other facilities such as conference and convention centers, suppliers, and construction and development organizations all base their planning on the dates of the Games. Legislation in the host country generally needs adjustment to permit entry without visas (merely the Olympic identification card), to permit Olympic parties to bring equipment and workers without taxation and to remove both when the Games finish (again without taxation), to establish the necessary security arrangements, and to provide special access at airports and other border crossings, to name but a few.

The Japanese organizers have been first class, and there was little doubt that the Games were going to be extremely well organized. There was a universal expectation, within the Olympic movement and throughout Japan, that the forthcoming Games would set new standards in Games planning and delivery.

Enter COVID-19.

That the world was unprepared to deal with this virus is now all too apparent. Not only was the world unprepared, but in too many cases the threat was underestimated, and exceptional measures to limit its spread were not undertaken quickly enough. The virus spread and a pandemic resulted. Personal livelihoods and freedoms have been compromised, the economy has suffered, education has been affected, people have died from the virus, and more will die.

Although an event like the Games is not as important as the larger existential threat implicit in COVID-19, it nevertheless is impacted by it and, depending on the organizers’ conduct, could either support efforts to contain the virus or act in disregard of those efforts.

The contractual right to cancel the Games in the face of, among other considerations, safety concerns could have allowed the IOC to unilaterally cancel the Tokyo Games. It did not do so. Instead, it responded positively to a request by the Japanese government to postpone the Games, after consultation with the WHO, competing athletes, international federations, and national Olympic committees. The most convenient postponement was almost exactly one year, to begin on July 23, 2021, taking advantage of vacation periods and student holidays to reduce traffic and strains on the transportation systems. The schedule matches previous athlete training rhythms and minimally impacts sport programming for the major broadcasters. It also gives the organizers the time they need to extend, vary, or renegotiate the many contracts entered into before the disruption resulting from the pandemic.

The organizers and others are now undertaking the many challenges of re-weaving the contractual tapestry for Games in 2021. This will remain a work in progress and will require the exercise of tact and compromise, as well as a general desire to make the postponement work. Organizing a first-bounce recovery is much better for everyone, including for Japan, the athletes, and the spectators, rather than simply to cancel the Games. It is not the fault of the Tokyo organizers, nor the Olympic parties, that the pandemic has struck, and no “blame” can fairly be assigned to any of the contractual parties.

A formidable series of challenges looms ahead. To mention but a few, consider the Olympic Village, generally recognized as the “heart” of any Olympic Games, where the athletes of the world come together. This involves some 20,000 people (athletes, coaches, officials, and medical staff) who all must be accommodated, fed, and transported to and from training and competition venues. Security must be provided in a post-Munich and post-9/11 era, which has changed the former, less formal paradigm. All those arrangements must be put on hold and reinstalled a year later. Organizing committee employees may be kept on, or laid-off and rehired several months later. Venue arrangements need renegotiation, and ticket arrangements may be carried forward if the venues remain exactly the same, or revised if there will be new venues. Hotel accommodations may or may not be carried forward, depending on negotiations with the relevant associations. Airport and border-crossing security must be reconfigured, and coordination with law enforcement agencies and even the military put back into place.

With the goodwill surrounding the Olympic Games, this should all be possible. The world wants the Olympics to work because if the Olympics can work, perhaps someday the world will work. First, however, we must wrestle COVID-19 to the ground.

 Joining the global trend originating in Europe with the General Data Protection Regulation (GDPR), Brazil recently enacted its own omnibus law governing the use of personal data, the Lei Geral de Proteção de Dados (LGPD), or General Law for the Protection of Privacy. Similar to the EU’s GDPR and California’s Consumer Privacy Act (CCPA), LGPD is intended to regulate the processing of personal data. The stated purpose of the law is to protect “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.”

This article addresses the most commonly asked questions about the applicability of LGPD and its exemptions and enforcement. The analysis is woven with a comparison to the GDPR and CCPA.

To Whom Does LGPD Apply?

The LGPD applies to any natural person or legal entity, including the government, that processes the personal data of the people of Brazil, even if the entity processing the data is based outside of Brazil. There are some exceptions, however, such as (1) when the processing is done by a natural person exclusively for private and noneconomic purposes; (2) when done exclusively for journalistic, artistic, or academic purposes; or (3) when done for purposes of public safety, national defense, state security, or activities or investigation and prosecution of criminal offenses.

What Is Personal Data and How Can It Be Processed?

Personal data in this statute is defined broadly as “information regarding an identified or identifiable natural person.” There are also special restrictions for the processing of “sensitive personal data,” which is data that relates to racial or ethnic origin, religious beliefs, political opinion, affiliation to unions or political, philosophical or religious organizations, health information, sexual preference, or genetic and biometric data. To that end, and similarly to the GDPR and CCPA, sensitive personal data may only be processed when the data subject specifically and distinctly consents to the specified purposes.

Personal data may be processed without consent for certain specific and limited purposes, including (1) to comply with a legal obligation; (2) when it is necessary by the public administration for the execution of public policies; (3) when it is a study carried out by a research entity; or (4) to protect the life or physical safety of the data subject or a third party.

Companies can collect and use publicly available personal data under the LGPD only if it is (1) being used for the same purpose that it was originally collected, in which case consent from the data subject is not needed; or (2) for a different purpose, but only if the controller has identified a valid legal basis for the use of the data.

What Rights Does LGPD Grant to Data Subjects?

The LGPD sets out nine fundamental rights granted to all Brazilian data subjects that are similar to the eight fundamental rights laid out in the GDPR. The ninth comes from a more specific definition of the “right to be informed” as granted in the GDPR. LGPD separates the right to be informed into (1) the right to “information about the public and private entities with which the controller has shared data” and (2) “information about the possibility of denying consent and the consequences of such denial.” This gives the data subject not only a right to request information the organization collects about the data subject, but also the right to ask about what will happen if the data subject does not give the controller consent to process his or her personal data. Data subjects are also entitled to an explanation about any automated decision-making carried out by the controller that affects their interests. When a data subject requests a review, the controller must provide “clear and adequate information regarding the criteria and procedures used for an automated decision.”

What Is Exempted under LGPD?

Although the GDPR has six lawful bases for processing data, the LGPD expands upon those, listing 10 legal bases for justifying the processing of personal data. The 10 bases listed in the LGPD generally follow the bases listed in the GDPR, with the exception of the last legal basis listed in the LGPD, giving the ability to process data for “the protection of credit.” This implies that consent is not necessary under the LGPD to process data for credit protection purposes, but this section should still be read in the context of two other laws that govern personal data for protection of credit purposes (the Federal Consumer Code and the Positive Credit History Law).

In addition to the legal basis exempted to process data, like the GDPR and CCPA, under the LGPD, data that has been anonymized is generally exempt from the requirements of the LGDP so long as the process by which the data was anonymized is not able to be reversed applying reasonable efforts. The LGPD defines “anonymization” as the “use of reasonable technical means available at the time of processing, by means of which the data loses the possibility of direct or indirect association to a natural person.” A key difference here, however, is that per the LGPD, some anonymized data may even be deemed as “personal data” if it is used to “formulate behavioral profiles of a particular natural person, if that person is identified.” As such, if the anonymized data is still being used for behavior profiling, it is subject to the restrictions of personal data. Another difference is that, unlike the GDPR, the LGPD does not necessarily endorse pseudonymization as a best practice; in fact, it only addresses pseudonymization once, encouraging public health research bodies to either anonymize or pseudonymize when possible. GDPR, by contrast, frequently references pseudonymization as a best practice in order to assure compliance.

What Other Key Requirements Does LGPD Impose?

Aside from having to identify a legal basis for processing data without consent, companies must also create and maintain a map of the personal data that they collect and process. This requirement is not imposed by CCPA but it does appear under GDPR. Furthermore, organizations must ensure that they are tracking consents and revocations by data subjects, which should be done as a matter of best practice even to establish compliance if it were not specifically mentioned in LGPD.

Does LGPD Require a DPO?

Like the GDPR, and unlike the CCPA, the LGPD requires businesses and organizations to hire a Data Protection Officer (DPO). However, unlike GDPR, the LGPD does not outline specific cases for which a DPO is needed. It simply states that the “controller shall appoint an officer to be in charge of processing personal data.” This implies that any organization that processes the data of people in Brazil will need a DPO. Both controllers and processors must appoint a DPO.

Who Will Enforce LGPD?

The LGPD creates an enforcement authority responsible for overseeing the data protection regulation in the National Data Protection Authority (Autoridade Nacional de Proteção de Dados, or ANPD). The ANPD has the authority to create separate guidelines, rules, and deadlines applicable to small businesses and startups to make sure that they comply with the LGPD. As the ANPD begins to issue guidance on the provisions of the LGDP, this will affect how they will be enforced and implemented. The LGPD does not give a firm deadline for reporting data breaches to the ANPD; it merely states that “the controller must communicate to the national authority and to the data subject the occurrence of a security incident . . . in a reasonable time period, as defined by the national authority.”

What Are the Fines for Noncompliance?

Fines for noncompliance are not as substantial in the LGPD as they are in the GDPR, giving the maximum fine for a violation as “2% of a private legal entity’s, group’s or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals.” The sanctions will be applied only after an administrative procedure where opportunity is given for a full defense, and taking into account the severity of the infraction and other parameters.

Over the years many of us have imagined what the world would be like in some sort of global pandemic. There have been books, movies, and short stories all “imagining” the day a global pandemic might hit. The time, tragically, is upon us. For those of you who have geared your practices toward a remote working environment, you are several steps ahead of the game. For the majority, now is the time to consider what tools you should have in your toolkit to survive this and perhaps future experiences. Fortunately, we have not had to experience a mass disaster such as an earthquake, but many of the concepts discussed in this article are applicable to all sorts of disasters.

Tip 1: It’s about your hardware. Needless to say, having an iPad, a laptop, or a home computer is the first, most important way to connect remotely. Although you could certainly use your smart phone, having an adequately sized piece of hardware is critical to getting the most out of your out-of-office productivity. For the last 20 years, I used a laptop to connect to the office remotely, but over the last five, I have abandoned the laptop and use an iPad exclusively when working remotely. The current generation of iPad I am using is the iPad Pro 12.9 device. It truly is, at least for me, a laptop replacement. Using the iPad Pro with the Apple keyboard (although there are several third-party keyboards available as well) provides enormous amounts of productivity wherever I am. However, there are several manufacturers that produce fantastic laptops to be considered as well. What’s great about the iPad is that rather than having to lug around a separate computer charging cable, the iPad Pro cable is easy to carry, and with just a replacement, the lightening plug works with the same adapter. As an aside, my firm is totally PC-based; therefore, even though the iPad is an Apple product, I almost exclusively use Microsoft software on my iPad.

Tip 2: Software. You must ensure that you are using software that allows you to connect to your office remotely. In my firm there are two ways for users to connect to the office remotely. The first is through Citrix, which is a software system that allows remote connectivity to my office’s servers using a remote connection. The other option is LogMeIn, which is software that allows you to connect remotely to your actual desktop computer and work as though you were literally sitting at your own desk at the office. I really enjoy LogMeIn because of this experience. The backbone for all of this remote connectivity is Tip 3.

Tip 3: Internet connectivity. When you are remotely connecting to your office, it is important that you have good, stable internet connection, as well as the appropriate security. (I will deal with security in Tip 4.) It is important that you are connecting to your office through one of at least three different methods. The first method is a wired internet connection at your home to connect to your firm’s computers. If you are working somewhere where you do not have direct internet connectivity, another option is hardware with built-in wireless connectivity. For example, the iPad has two versions: one is a purely Wi-Fi-based connection, and the other is Wi-Fi plus cellular. I have the iPad Pro with both Wi-Fi and cellular access because sometimes there may not be Wi-Fi available, and I do not want lose access to the internet. However, if you do not have a cellular iPad, you could use your own cell phone to create a wireless “hotspot” to connect with your iPad. For example, my iPhone 11 Pro has a feature to connect my remote device through the Sprint network to the internet. In other words, if I did not want to use my iPad’s own cellular connectivity, I could turn my iPhone into an access point for connection. When I have traveled outside of the United States where the cellular connection does not work on my iPad, I can actually use my iPhone to connect the iPad wirelessly. That said, it tends to be expensive to use my iPhone to connect my iPad to the internet. You can also purchase a cellular providers’ “hot spot,” which is a separate device that serves as a gateway between your laptop or iPad and an internet connection. Nevertheless, those are your options for internet connectivity as we begin 2020. There are several companies working on developing a blanket around the world of access points that would essentially create Wi-Fi for all no matter where you are.

Tip 4: Security. It is important that your communications with your firm remain private. The one way to ensure privacy in your communications when working by Wi-Fi is using a virtual private network (VPN). When using a VPN, your communications are encased in a steel tube so that no one can penetrate the contents of your communications from your device to your office systems, assuming you are accessing a secure connection. You may have seen the following designation: “www.https://.” The “https” designation denotes a “s”ecure connection. When you visit a bank website, for example, you will notice it is designated as an httpS, meaning it is secure. However, the connection is only as secure as your initiation point. Whenever I am using a “public” wireless connection, whether at a hotel, an airport, or a Starbucks, I always initiate the VPN software on my iPad. VPNs are readily available and cost a minimal monthly amount for their use. There are numerous amazing benefits to a VPN, but they are beyond the scope of this article. However, if interested, I would encourage you to find out more about VPNs and how to use them. It is sufficient to say that if you are not entering your firm’s network from a secure location, such as your home, you should absolutely use a VPN.

Tip 5: Telephone calls. Most office phone systems now allow you to call-forward your office line to your remote device. If you have a direct dial at your office and can call-forward your direct dial to your remote device, whether it’s a cell phone or a home number, it is important that you have the ability to call-forward your main office line. However, at a small firm, you may need to simply direct the main number for your office directly to one individual, like a receptionist, who can take and process all calls. In times such as these where your offices are essentially vacated, you must have someone monitor your telephone system.

Tip 6: Video communication. I have been a power user of Zoom, a U.S. web-based video teleconferencing system, since 2012. Zoom is one of several companies that offer real-time video connectivity between yourself and anyone else who has access to the Zoom network. There are certainly several competitors to Zoom, but I personally find the ease-of-use and scalability of Zoom preferable. You are able to call as few as one to as many as 1,000 individuals at the same time. On a smaller scale, you can use Apple’s FaceTime for basic, peer-to-peer videoconferencing. Ring Central offers videoconferencing, as does Microsoft meeting. I find, especially during these isolating times, that the ability to see people face-to-face is absolutely necessary to maintaining your sanity when working.

Tip 7: Speech-recognition software. Those of you who are challenged in your typing skills and do not currently have access to support staff might need to look into speech-recognition software for assistance. I have used Dragon NaturallySpeaking for almost 25 years. Dragon translates your spoken word into typewritten text one word at a time and is the program I am using to prepare this article. Whenever I am doing any sort of word processing, I dictate my work directly into Dragon and subsequently proofread, cleanup, and then send. I oftentimes dictate using Dragon and then forward to my legal assistants to clean up my dictation, deal with formatting issues, and then finalize the pleading, correspondence, or even an article like this. I highly recommend Dragon NaturallySpeaking as a fantastic complement to your remote work environment.

Tip 8: Screening your calls. Google Voice allows you to force callers to identify who they are before the call gets forwarded to you. I oftentimes choose not to give out my cell phone number in favor of my Google Voice number. When you pick up a Google Voice call, the individual calling you is first announced and then you can choose whether to accept or reject the call—a nice feature when working remotely. At the office, you might have your receptionist or secretary “screen” your calls for you, but when working remotely you lose that opportunity. Google Voice solves that problem. Unfortunately, Google stopped supporting Google Voice in 2019, but there are several alternative products available, and you should research which one might be best for you.

Tip 9: Cloud-based computing. Although my office has continued to use on-site servers, several of my colleagues in larger firms have migrated to cloud-based software providers. Essentially, a cloud-based system allows you to work remotely as though you were in your office wherever you are in the world. Unlike the options mentioned earlier through Citrix or LogMeIn, if you are a cloud-based user, your law firm software resides somewhere in the world. It really doesn’t matter to you where it’s located so long as you have consistent access to your data. Although I prefer having all of my client files, documents, and other information reside at my office, if your firm uses a cloud-based computing platform, you have access to the entire suite of information wherever you are based. This certainly would be true if there were some sort of a mass catastrophic event that took your office out of service. Currently the pricing of cloud-based computing is expensive enough that I prefer housing my servers at my firm along with the concomitant outside vendor support, but in the future, that will probably change. In short, it really doesn’t matter whether a cloud-based office is physically open for business or where in the world you are in order to access your data.

Tip 10: Password managers. All of us have dozens of sites that we access daily that require password access. Whether you are accessing your office’s computer system, your Apple account, your Google account, or even your grocery store, managing your passwords is an important task. I have used for many years Dashlane to manage my passwords. I have over 300 different sites maintained in my Dashlane account, and these passwords synchronize among my devices. In other words, I have Dashlane at the office, at my home, on my iPad, and on my iPhone, and anytime I change one password, all of the other devices connected to Dashlane synchronize through the cloud and update every other device. It is not a good idea to use the same password on every website. Although I realize it is difficult to use multiple passwords because it is hard to remember which password is for which account, that is the beauty of Dashlane. It automatically remembers and recalls for you the password you’ve used for each individual website. One trick to think about for your passwords is to use a phrase. Studies have shown that a series of lowercase letters, capitalized letters, symbols, numbers, etc. is not as effective as a long password, such as a common phrase that only you know. For example, you could simply vary the end of the phrase “hickorydickorydock” depending on the website.

Needless to say, there are a whole lot more than 10 tips, but this is a pretty good start when working remotely now and in the future. Be safe and be healthy!

Recent developments in the global markets, including changes in tax and regulatory regimes, have motivated businesses to seek new jurisdictions for incorporation by entities in their corporate structure.* Although such a change may be accomplished by merger of the relevant entity with another entity located in the desired destination where applicable law permits, many recent migrations and transformations have taken advantage of the conversion provisions of sections 265 and 266 of the Delaware General Corporation Law (DGCL) and the transfer, domestication, and continuation provisions of sections 388 and 390 of the DGCL. Unlike a merger, which recognizes the existence of at least two constituent entities, a company proceeding through a conversion, transfer, domestication, or continuation is recognized as a single entity that retains its corporate personality while migrating and/or transforming into a seemingly different entity. Given that those technical processes have been used less frequently than merger provisions, a moment with those sections of the DGCL—before considering their utility in a corporate reorganization or flip transaction—may be in order.

Origins and Development of Domestication and Conversion under the DGCL

The concept of domestication was explored in the context of modern corporate statutes around World War II.[1] Section 388 was not adopted until 1984, however, when entities formed outside of the United States were allowed to transfer or domesticate as Delaware corporations.[2] Eleven years later, section 390 was adopted to allow Delaware corporations to similarly transfer and domesticate as corporations in a non-U.S. jurisdiction.[3] Sections 388 and 390 have since been amended periodically to provide greater flexibility and, in their current forms, allow Delaware corporations to transfer and domesticate as any entity type in a non-U.S. jurisdiction (and vice versa). Those statutes also allow the original entity, which has transferred to a new jurisdiction of incorporation, to continue a dual existence in the original jurisdiction while being considered a single entity with the entity that has incorporated in the new jurisdiction.

The expanding scope of the domestication statutes has also come to overlap with significant aspects of the conversion statutes. Sections 265 and 266, arising from less bellicose beginnings, were adopted in 1999 to allow Delaware entities other than corporations (e.g., limited liability companies, limited partnerships, or business trusts) to convert into Delaware corporations (and vice versa). Given the similarities in function, the drafting of the conversion statutes closely tracked the drafting of the domestication statutes. When the domestication statutes were significantly expanded in 2005 to allow a Delaware corporation to domesticate as a non-U.S. entity other than a corporation, the conversion statutes were similarly expanded to allow a Delaware corporation to convert into an entity other than a corporation of a jurisdiction outside of Delaware (and vice versa).

As a result of their historical development, the conversion and domestication statutes now overlap significantly. Below is a chart comparing key aspects of those statutes and the merger statutes.

Practical Considerations

Through time and practice, the conversion and domestication provisions of the DGCL have evolved from their narrower original purposes. The current versions are broader and more flexible, but consideration of the entities, stakeholders, and objectives involved in a particular transaction, as well as limitations under the DGCL and other applicable laws, is also important. For instance, we have noticed a recent increase in the use of these statutory mechanics to “flip” an entity into another jurisdiction. Of course, mergers also permit such a possibility and do not carry the requirement of unanimous stockholder approval as do the conversion and domestication statutes, but other sources of applicable law may provide for different and potentially less attractive treatment when effecting a merger.

The benefits of conversion and domestication may be limited, however, to jurisdictions that have statutes authorizing such transactions. For instance, although jurisdictions outside of Delaware may be likely to have such authorizing statutes, only a subset of them may also authorize an entity to continue a dual existence there and in Delaware. Indeed, issues around a Delaware corporation with continuing existence in another jurisdiction, such as the governing law applicable to internal affairs, require careful consideration, especially if there is a broad base of stockholders.

Finally, it is worth noting that the Delaware General Assembly has adopted analogous provisions in the statutes governing entities other than corporations, such as the Limited Partnership Act[9] and the Limited Liability Company Act.[10] Given the similarities between those statutes and the analogous provisions of the DGCL, similar issues may arise when dealing with those alternative entities.

* Nate Emeritz is of counsel, and Jason Schoenberg is an associate, at Wilson Sonsini Goodrich & Rosati, P.C. in Wilmington, DE. The views expressed herein are those of the authors and do not necessarily reflect the views of the firm or its clients.

[1] See, e.g., Max Meyer & Harry Torczyner, Corporations in Exile, 43 Columbia. L. Rev. 364 (1943).

[2] This article does not comment on whether a particular jurisdiction permits corporate actions under the DGCL, such as merger, conversion, or domestication, involving an entity in that other jurisdiction.

[3] Perhaps reflecting its incubation during wartime, section 388 was not introduced alongside a reciprocal provision allowing a Delaware corporation to domesticate outside of the United States. Rather, section 389 was concurrently adopted with section 388 to allow a non-U.S. entity to move its domicile to Delaware on a temporary basis in the event of an emergency such as war, rioting, or nationalization of assets.

[4] This chart pertains to mergers, conversions, and domestications solely from the standpoint of the applicable DGCL provisions; however, implementation is also subject to the law of any other jurisdiction, entities’ governing documents, and applicable contractual terms.

[5] A surviving company maintains its original entity formation date following a merger, but any other constituent entity does not survive the merger.

[6] The sections of the DGCL applicable to conversions and domestications provide that entities involved in such an action (e.g., a Delaware corporation and another entity) shall be “deemed to be the same entity.” The DGCL sections applicable to mergers, on the other hand, contemplate at least two separate entities; one of those constituent entities may survive while the other ceases to exist, or both constituent entities may cease to exist and an additional, new entity may survive the merger, but in any event more than one “corporate personality” is recognized under the DGCL.

[7] The sections of the DGCL applicable to conversions and domestications provide that those actions “shall not be deemed to affect” the obligations or liabilities of a converting or domesticating entity. The statute applicable to mergers, however, provides that the surviving entity in a merger will “possess[] all the rights” and be “subject to all the restrictions, disabilities and duties” of each constituent entity, such that contracts of the surviving entity would remain intact after a merger, but contracts of a disappearing entity in the merger would be affected by operation of the DGCL. Of course, a complete analysis of the impact that a merger, conversion, or domestication may have on the related entities’ commercial contracts does not end with the effect of the DGCL as described in the chart above, but must also include a careful review of those contracts for provisions that may have been drafted to be triggered by the transaction.

[8] Section 262 of the DGCL provides appraisal rights for dissenting stockholders of a Delaware corporation in many, but not all, mergers. Thus, the availability of appraisal rights depends on the structure of the merger. Stockholders of a Delaware corporation do not have appraisal rights in a conversion or domestication, presumably because unanimous stockholder approval is required under the applicable DGCL provisions.

[9] See, e.g., 6 Del. C. § 17-215–17-217, 17-219.

[10] See, e.g., 6 Del. C. § 18-212–18-214, 18-216.

The American Bar Association (ABA) Mergers and Acquisitions Committee recently published its latest Private Target Mergers Deal Point Study. For the market metrics of major negotiated legal issues in U.S. private company acquisitions, this publication is widely considered the gold standard.

As is often the case, the ABA Deal Points Study began tracking some newly appearing representations and warranties in the sale purchase agreements they reviewed. Two of the newly tracked representations (reps) were related to privacy and cyber security. The ABA Deal Points Study looked for reps that went beyond compliance with the law or were limited to a specific area, such as medical records.

Privacy reps were included in 68 percent of the reviewed agreements. The ABA Deal Points Study provides sample language below to demonstrate the kind of language it is seeing:

Target has complied with all Laws and contractual and fiduciary obligations as to protection and security of Personal Data to which it is subject. Target has not received any inquiries from or been subject to any audit or Legal Proceeding by any Governmental Authority regarding Personal Data. Target has complied with its policies and procedures as to collection, use, processing, storage and transfer of Personal Data. No Legal Proceeding alleging (a) a material violation of any Person’s privacy rights or (b) unauthorized access, use or disclosure of Personal Data has been asserted or threatened to Target. Since [date], there has not been a material violation by Target of any Person’s privacy rights or any unauthorized access, use or disclosure by Target of Personal Data.

Cyber security reps were included in 70 percent of the reviewed agreements. As in the above, the ABA Deal Points Study provides sample language to demonstrate what the study was looking at here:

The information technology equipment and related systems owned, used or held for use by Target (“Systems”) are reasonably sufficient for the Business’s immediate needs. Since [date], there has been no unauthorized access, use, intrusion, or breach of security, or material failure, breakdown, performance reduction or other adverse event affecting any Systems that has caused or would reasonably be expected to cause any substantial disruption to the use of such Systems or the Business or any material loss or harm to Target or its personnel, property, or other assets.

So how would both representations and warranties insurance, and cyber insurance, respond to some of these new reps?

How Reps and Warranties Insurance Would Respond

When looking at the ability to obtain coverage for particular reps, from a representations and warranties perspective, we focus on two aspects: diligence (the work undertaken by the buyer or their third-party providers to verify the truth of the representation for themselves) and underlying insurance coverage (meaning the coverage already in place for the target that is being acquired).

If the buyer of the target is a private equity entity, then this diligence is most often handled by a third-party provider. On the other hand, a strategic buyer might handle this type of diligence internally, depending on the buyer’s size and sophistication in this field.

When an underwriter feels that a representation is too broad, by which we mean that it would be unreasonable for someone to make such a representation because they could not know whether it was true, they might seek to limit that statement to “knowledge.”

For example, a representation like, “We have not infringed anyone’s intellectual property (IP) anywhere in the world,” for the purposes of the policy might instead read, “To the best of our knowledge we have not infringed anyone’s IP anywhere in the world.”

Despite the above, these are not inherently difficult representations on which to conduct diligence. Providing access to a seller’s policy and procedures, their IT staff, any third-party penetration testing they have had done, and their claims history can all add comfort for the underwriter.

If diligence can be done, then the second issue becomes the quality of the underlying coverage. The underwriter will wish to review the target’s cyber insurance policy to see if a breach of the representations would be covered adequately by the existing policy if a claim is reported post-sign/close for an incident that occurred prior to signing.

Underwriters will want to have said coverage as a first port of call before they respond. In the event that the target’s coverage is inadequate, they will seek an exclusion or particularly high deductible for a claim against those breaches.

How Cyber Insurance Would Respond

Both scenarios under the contractual provisions highlighted in the ABA Deal Points Study would be covered by a well-brokered cyber insurance policy. Cyber insurance policies have been expanding coverage over the past few years, and affirmatively respond to both a failure of security, such as unauthorized access, as well as violations of consumer privacy rights.

Damages are a bit different in each case, but the coverage would respond to cover costs the “target” itself incurred to respond to the breach of security (first-party loss), as well as to cover any liability owed to a consumer or regulator (third-party liability).

Timeframes Are Key

One of the key aspects to these agreements is the date included in the cyber security representation because the farther back the time frame of the representation goes, the more risk that would be involved. Cyber security issues are notorious for taking a long time to surface in that attackers have become adept at infiltrating networks and moving laterally to avoid detection for long periods of time.

So, for a company that is looking to warrant no such security incidents for an extended period of time, they should consider an external assessment of their system to validate the warranty statement they are making.

There are many companies that provide IT expertise willing to do a security assessment and certify no security failures or unauthorized access for a company during an M&A transaction.

Consider Future Policy Protocols

We must also consider how the “target’s” cyber policy is going to be handled moving forward. Cyber insurance policies are typically written on a claims-made and reported basis, meaning the loss is attributed to the policy year that it is first discovered and reported to the insurance carrier.

Most include a “prior acts date” that provides coverage for events that occurred back to a specific date, but were not discovered and reported until the current date.

For example, say the “target” first experienced a breach in 2018 but did not discover it until 2019. Provided that the policy included a prior acts date that precedes the initial intrusion, i.e., the prior acts date lists some date before 2018, the claim would go against the 2019 policy because that is when the breach was discovered and reported, despite the initial intrusion occurring in 2018.

As a result, underwriters will want to see that the cyber policy in force at the time of the acquisition goes into run-off. A run-off is a mechanism that allows the policyholder to make a claim for breaches discovered for a set period of time, often up to six years, but which occurred prior to the transaction.

This would allow the new owners to mitigate the risk of an unknown cyber intrusion by allowing them to report a claim to the old policy and prevent a dilution of the limits on the new owner’s policy.

Not All Policies Are Created Equal

It is worth being aware that not all cyber policies are created equal. Our team at Woodruff Sawyer has seen more than a few situations where a target either has no cyber policy in place or one that only provided partial coverage. In these situations, a couple of alternative options exist:

• Purchase a stand-alone run-off policy, which would act as if a cyber policy had been in place and provide coverage for incidents that occurred during a specific time frame (i.e., from the set prior acts date to the deal closing date) but were not discovered until a later date.
• Have the target rolled into the buyer’s existing policy, but purchase backdated coverage of two or three years in order to avoid an exclusion or carve out of coverage under the reps and warranties policy.

In conclusion, we expect to see these clauses and representations flagged by the ABA Deal Points Study to continue to appear at an even higher rate as cyber security is front and center in the minds of strategic acquirers and private equity buyers.

Making sure diligence is done on the target’s existing insurance policy, along with good practices and procedures, will ensure coverage is available for these types of representations in your transaction.