Litigators Must Be Mindful of Discovery Compliance under the Revised Federal Rules

Federal courts are now handing down firm decrees, stating that although “old habits die hard,” counsel must revise their “form” discovery responses immediately to comply with the Federal Rules of Civil Procedure. In two recent orders, courts have decried the “widespread addiction” lawyers have to the “menacing scourge” of “boilerplate” objections. Liguria Foods, Inc. v. Griffith Laboratories, Inc., 14-3041-MWB (D. Iowa Mar. 13, 2017); Fischer v. Forrest, 1:14-CV1304-PAE-AJP (S.D.N.Y. Feb. 28, 2017). Because no litigator wants to be the subject of a strongly worded discovery order, it would benefit counsel to heed these courts’ warnings. This is especially so because both make clear: “admonitions from the courts [are] not . . . enough . . . only sanctions will stop this nonsense.”

So what should counsel do? As a starting point, Rule 26 sets out the boundaries of discovery succinctly. “[T]he concepts of materiality, relevancy, and discoverability are [not] fixed,” and a party is entitled to use discovery as an “investigatory tool” to explore freely its “theories of the case . . . .” In contrast, the party subject to a discovery request cannot avoid its duty to respond through “bald assertions” of privilege or other objections. Rather, it must first object and respond to the request specifically and utilize Rule 26(c) as a last resort if the issue is pressed. Liguria Foods, at 23–27.

Within this Rule 26 paradigm, litigants should avoid a variety of discovery practices. Lawyers should immediately stop using general and “boilerplate” objections. “The key requirement in both Rules 33 and 34 is that objections require ‘specificity.’” Liguria Foods, at 28. It is “simply not enough” for attorneys to assert vague and conclusory objections to interrogatories or requests to produce without specifying “how” a particular discovery request is “deficient,” and without “articulating the particular harm” that will accrue if forced to answer. Id.; accord Fischer, at 5 (stating that if a party objects that a request is “overbroad” or “unduly burdensome,” then it must explain: “Why is it burdensome? How is it overly broad?”).

However, even if counsel specifically explains the basis for an objection, more must still be done. Counsel must identify “whether any responsive materials are being withheld on the basis of that objection.” Fed. R. Civ. Pro. 34(b)(2)(C); 2015 Adv. Comm. Notes to Rule 34. “[S]imply stating that a response is ‘subject to’ one or more general objections does not satisfy the ‘specificity’ requirement[.] . . . [Rather,] it leaves the propounding party unclear about which of the numerous general objections is purportedly applicable as well as whether the documents or answers provided are complete . . . .” Liguria Foods, at 32–33.

In addition, privilege logs should always accompany any responses that assert a privilege. Otherwise, the objection “hamper[s], rather than facilitate[s], the timely and inexpensive determination of privilege issues.” Liguria Foods, at 31. Further, going forward, discovery responses must either (1) state that all requested documents will be produced at the time specified in the request, or (2) state another reasonable time for production “specifically . . . in the response.” Fischer, at 2–3, 5; Fed. R. Civ. Pro. 34(b)(2)(C). If “it is necessary to make the production in stages,” then “the response should specify the beginning and end dates of the production.”

So what is the take-away from these opinions? Courts simply will not tolerate these practices, no matter how entrenched or harmless they may seem to be. Remember, when objecting, “specificity” is key. “[A]n objecting party does not have the unilateral ability to dictate the scope of discovery . . . .” Liguria Foods, at 32. Thus, practitioners should remove vague and conclusory objections from their discovery toolbox altogether. Counsel must also explain the reasons underlying their objections and, if objecting to a document request, state whether documents were withheld from production. Be proactive and cooperate with opposing counsel to the extent possible. If a discovery dispute arises, “request an extension of time to respond and confer on troublesome discovery requests,” or “request an ex parte and in camera review” from the judge, “who might quickly render an opinion on whether [the request] in question [is] discoverable.” Liguria Foods, at 34. Lastly, always produce your privilege log and documents at the time your responses are due, or cooperate with opposing counsel for an extension.

Secured Parties Still Must Be Aware of Patent Rights in Goods

The U.S. Supreme Court’s May 30, 2017 decision in Impression Products, Inc. v. Lexmark International, Inc., 137 S. Ct. 1523 (2017), should provide some comfort for secured parties and the lawyers who advise them, but not too much comfort. Caution is still needed before lending against inventory manufactured pursuant to a patent, particularly if the debtor is a manufacturer.

The Lexmark case involved a claim of patent infringement against Impression. Lexmark manufactured toner cartridges. It sold some at full price and free of restrictions on resale and reuse. It sold other cartridges at a discount but subject to restrictions on resale and reuse. The restricted cartridges had a microchip that made them inoperative if they were refilled. Impression bought restricted cartridges, allegedly with knowledge of the restriction, altered or removed the microchip, and then refilled and resold the cartridges. Lexmark sued for patent infringement.

The district court had ruled that Lexmark’s initial sale exhausted its patent rights pursuant to the so-called first-sale doctrine. The Court of Appeals for the Federal Circuit reversed. It acknowledged the existence of the first-sale doctrine, but concluded that a sale made under a clearly communicated, otherwise-lawful restriction as to post-sale use or resale does not confer on the buyer—or on a subsequent purchaser with knowledge of the restriction—the authorization to engage in the use or resale that the restriction precludes. The decision created a potential problem for secured parties. A secured party is not normally bound by the debtor’s contractual promises to third parties that limit the debtor’s rights to use or sell the collateral (see U.C.C. §§ 9‑406, 9-408). The circuit court’s decision did not alter that rule, but by preserving and extending a patentee’s patent rights in goods sold to the debtor, it subjected a secured party that knew of and violated those patent rights to statutory damages and injunctive relief, even if the patentee had no provable damages under contract law (with possible treble damages for a willful violation under 35 U.S.C. § 284).

The Supreme Court, in a near unanimous decision, reversed the circuit court. In so doing, the Court adopted an expansive view of patent exhaustion: “a patentee’s decision to sell a product exhausts all of its patent rights in that item, regardless of any restrictions the patentee purports to impose,” and “[t]he purchaser and all subsequent owners are free to use or resell the product just like any other item of personal property, without fear of an infringement lawsuit.”

The Court’s decision is welcome news for secured parties that finance distributors or retailers that have purchased patented goods. Even if the patentee has imposed restrictions on the borrower’s resale of the goods, such as by limiting sales to a specified geographic area or to transactions in the ordinary course of business, the borrower would be free—as a matter of patent law, not contract law—to ignore those restrictions. More importantly, the secured party would not, when enforcing its security interest, be bound by those restrictions. Any disposition of the inventory by the secured party that did not comply with those restrictions would not violate the patentee’s patent rights because those rights will have been exhausted by the patentee’s prior sale of the goods. Moreover, the secured creditor will not be in privity of contract with the patentee, and thus, presumably will have no contract liability for breach of the restrictions.

It bears emphasizing that Lexmark does not prohibit patentees from restricting their buyers’ resale or reuse of the goods by contract. As a result, if a borrower purchases patented goods pursuant to a contract that imposes restrictions on resale or reuse, and if the borrower breaches those restrictions, the borrower might have undisclosed liabilities that will affect its creditworthiness and, indirectly, affect the likelihood of repaying the secured lender. Nevertheless, that risk is far less significant than the risk of subjecting the secured party to patent liability if it were to dispose of the goods.

Unfortunately, related but different risks survive. The Supreme Court was quite clear that the doctrine of patent exhaustion applies only when the patentee sells patented goods. It does not apply when the patentee licenses its patent rights. As a consequence, if a secured lender is financing a manufacturer, rather than a distributor or retailer, and if that manufacturer has made goods that are subject to a patent license, the secured lender must be cognizant of the restrictions imposed in the patent license. For example, a prohibition on sale in specified geographic areas or to specified types of buyers would not only limit the borrower’s ability to sell the goods, but could also apply to a disposition of the goods by the secured lender. Any unauthorized sale of the goods will expose the seller—whether the borrower or the secured lender—to liability for patent infringement.

Moreover, the risk of patent infringement exists even if the license does not impose a restriction on resale or reuse. If the borrower breaches the patent license (e.g., by failing to pay license fees), that breach might result in the termination of the license. In such a circumstance, the borrower might lose all rights to sell the goods, such that any sale would also be an infringement of the patentee’s patent rights. Unless the secured party obtains an independent right or license directly from the patentee, the secured party’s right to dispose of the goods would be subject to the same patent limitations. A security interest in goods that cannot be sold, either by the borrower or by the secured party, is not a very valuable security interest.

Finally, secured lenders and the transactional lawyers who advise them should note that the Lexmark decision does not deal with a situation in which the borrower is the owner of the patent rights. In such a case, the secured lender should consider whether it needs a security interest in the patent itself. Irrespective of whether the patent is available as collateral, the secured lender should consider having the borrower grant the secured lender, in the security agreement, a royalty-free, noncancelable license to use the patent in connection with any post-default disposition of the goods.

Cybersecurity Issues in PPP

A public/private partnership (“PPP”) is a cooperative arrangement between the public sector and the private sector for the delivery of a specific infrastructure project or service. The public and private sectors each have strengths and weaknesses relative to each other with regard to the performance of certain tasks. A PPP seeks to exploit those strengths while mitigating the weaknesses. Typically, the public sector sets out the goals and objectives for the project by defining the level, quality, and scope of the required service or project while ultimately retaining ownership and, consequently, a measure of oversight over the finished asset. The private sector brings its managerial, technical, and financial expertise to the venture and is responsible for delivering an output which satisfies the goals and objectives defined by the public sector.

Increasingly, information collected and/or created in connection with PPPs is being digitized, stored, and accessed from complex networks and information systems. This information is often targeted by cybercriminals, state-sponsored players, and “hacktivists” by way of cyber attacks that can take the form of, for example, advanced persistent threats (APTs), malware (including ransomware), denial-of-service (DoS) attacks, domain name hijacking, social engineering, and phishing campaigns. Given the involvement of a public partner, the incidence of these attacks is increasing, and thus special attention must be given to cybersecurity risks. Public partners can draw on the technology capabilities of a savvy private counterpart to effectively reduce cybersecurity risks for a PPP.

Associated Risks

Cybersecurity attacks can have a significant impact on any organization, whether it is a private proponent or the public partner. For example, the attackers can steal or destroy key data, such as the organization’s intellectual property (often referred to as the “Crown Jewels”), and/or customers’ personal information, which can result in financial and reputational losses and years of litigation. Moreover, a significant cyber attack can cause operational disruption and compound financial losses. These risks are multiplied in a PPP, where data is held on the information systems of two different entities, one in the private and one in the public sector, making a PPP increasingly vulnerable to cyber attacks.

Concerns about the risks associated with a cyber attack on PPPs have intensified in recent years. This is in part because the information necessary to conduct business and undertake projects is increasingly digitized and stored on servers of both the public proponent and the private partner. Given the potential high sale value of the data, the media coverage related to such attacks, and the ability of attackers to leverage an attack for political or social messaging, PPPs are frequently targeted.

In recent years, projects involving medical care, including hospitals, have been hit with cyber attacks for the purpose of extracting payment to release or unlock the system or to prevent disclosure. The nature of public activity, especially its participation in privately backed enterprise, makes it particularly prone to cyber attacks, as the consequences can be more significant and the pockets deep. In addition, public partners are increasingly concerned about protecting confidential and politically sensitive information, which makes such information more intriguing to attackers. Therefore, public enterprise has been the area hit by the most significant cyber attacks, carried out for a variety of purposes, in the last decade, and it is unlikely that such cyber attacks will lessen over the coming years.

Safeguards

While purchasing cyber insurance coverage is becoming more common in PPP transactions, the amount and scope of the insurance maintained by the organization may not be sufficient to cover losses resulting from a cyber incident or to adequately compensate the organization for the resulting disruptions.

Increasingly, laws require organizations to implement security safeguards to protect this type of information from loss, theft, and unauthorized access, disclosure, copying, use, or modification. These safeguards can vary with the nature of the confidential information in question, with more sensitive information requiring a greater level of security. Protection mechanisms should include physical measures (including locked or restricted-access storage locations), organizational measures (including appropriate security clearances for employees and disclosure of personal information on a need-to-know basis), and technological measures (including encryption keys and passwords).

Individuals dealing with a PPP project and its proponents will want to ensure that the project fully considers (i) the adequacy of the security measures implemented in connection with the project, and (ii) the measures contemplated to mitigate the consequences of a successful cyber attack. Of course, individuals should always be cognizant of the information that they are sending over electronic media and consider if such information should be sent, particularly given the prevalence of cybersecurity attacks and the gravity of potential consequences.

Conclusion

Cybersecurity will need to be carefully addressed in PPPs where the project will involve the gathering and storing of sensitive information concerning private individuals or of a public commercial or sensitive nature. This risk should not be ignored when consummating a PPP transaction, and adequate safeguards, such as an adequate insurance product, should be considered from the beginning to help protect all parties involved.

A Lesson from Harleysville: Proper Planning for Technology Use Can Prevent Disclosures That Lead to Waiver of Privilege

A recent decision from a federal magistrate judge in Virginia highlights the need for businesses—and their attorneys—to understand the technology their employees use and the risks associated with that technology, especially when confidential information is involved. The plaintiff in Harleysville Ins. Co. v. Holding Funeral Home, Inc., No. 1:15 cv 00057, 2017 U.S. Dist. LEXIS 18714 (W.D. Va. Feb. 9, 2017), used an online file-sharing service to exchange files with multiple users (including its counsel) at different times. Because the plaintiff did not limit access to the files by means of a password requirement or other control, opposing counsel was able to obtain the plaintiff’s confidential legal files. Describing the plaintiff’s actions as equivalent to publishing the files on the Internet, U.S. Magistrate Judge Pamela Meade Sargent held that both the attorney-client privilege and work-product doctrine had been waived. The court also sanctioned the defendant’s counsel for improperly accessing the unsecured files and not notifying opposing counsel of their privileged nature.

Notably, the Harleysville court indicated that both the plaintiff and its counsel should have recognized that the files were unprotected and acted sooner to preserve confidentiality. Indeed, an unintended disclosure like that in Harleysville is highly avoidable. With respect to file-sharing technology specifically, businesses should implement effective controls, such as password protections and file-availability time limits, to prevent unauthorized disclosure of confidential information. With respect to technology generally, businesses should adopt and enforce a comprehensive program of information-security policies, and then train employees on those policies. Law firms would also do well to adopt these practices, as they will enable attorneys to better meet their own confidentiality obligations and to identify risks in their clients’ practices.

Harleysville’s Failure to Limit Access to Files Results in Inadvertent Disclosure

In Harleysville, Harleysville Insurance Company (Harleysville) sought a declaratory judgment that it did not have to cover the claim of Holding Funeral Home, Inc. (Holding) for a 2014 funeral-home fire. An investigator for Nationwide Insurance Company (Nationwide), which owns Harleysville, uploaded a video about the fire damage to the file-sharing service of Box, Inc. (Box). On September 22, 2015, the Nationwide investigator sent an e-mail to a contact at the National Insurance Crime Bureau (NICB) with a hyperlink to the Box site. Although that e-mail contained a “confidentiality notice” indicating the e-mail contained privileged and confidential information and was subject to restrictions on its unauthorized disclosure or use, the file placed in the Box site was not password protected and was accessible by anyone who used the hyperlink.

Several months later, in April 2016, the Nationwide investigator used the same Box site to upload Harleysville’s entire claims file and Nationwide’s entire investigation file relating to the fire loss for the purposes of providing those files to Harleysville’s counsel. The investigator then sent an e-mail to Harleysville’s counsel with the same hyperlink he previously gave to the NICB contact.

In May 2016, the NICB responded to a subpoena from Holding by producing documents received from Harleysville, including the Nationwide investigator’s e-mail with the Box hyperlink. Holding’s counsel then used the hyperlink to access the Box site, which at that point contained the entire claims files of Harleysville and Nationwide. Holding’s counsel downloaded and reviewed those materials without providing any notice to Harleysville’s counsel.

Harleysville’s counsel did not discover the disclosure of the files on the Box site until October 27, 2016, after reviewing a thumb drive of discovery that Holding had produced in August 2016. In its initial review of that production, Harleysville’s counsel discovered it contained materials that were potentially privileged that the defendant had inadvertently produced. After contacting defense counsel and upon their request, Harleysville’s counsel destroyed the privileged documents that had been produced by the defense. For some reason, Harleysville’s counsel did not discover that the thumb drive also contained its own client’s claims file until late October. On November 2, 2016, Harleysville’s counsel requested that Holding’s counsel destroy its copy of the claims file, but by that time Holding and all of its counsel had reviewed the materials that were posted to Box. At some point thereafter, the plaintiff finally disabled the Box site.

Harleysville filed a motion to disqualify Holding’s counsel, arguing that defense counsel had improperly used the hyperlink to gain unauthorized access to Harleysville’s privileged materials. Holding opposed the motion, countering that Harleysville’s placement of the materials on Box, where it could be accessed by anyone, waived any claim of privilege or confidentiality. Although it conceded the files had been intentionally uploaded to Box, Harleysville argued that it had not waived privilege because it never authorized or intended disclosure of the files to anyone other than the NICB and its own counsel.

Failure to Limit Access to Files Available on the Internet Waived Privilege

Applying Virginia state law and precedent, the court found that, although Harleysville’s disclosure was inadvertent, it nonetheless waived the attorney-client privilege. The evidence showed that Harleysville failed to take “any precautions” to prevent disclosure of the information uploaded to Box. The court noted that the Nationwide employee had previously used the Box site and therefore knew or should have known that the information was unprotected. The disclosure was “vast” because the information was available to anyone who had access to the Internet. In addition, because Harleysville’s counsel used the unprotected hyperlink to access the information in April 2016, the court found that they knew or should have known the information was accessible on the Internet (but failed to take any remedial action until access to the site was finally blocked six months later). For similar reasons, the court also held that Harleysville had waived the work-product privilege under federal law.

Significantly, the court described the failure to password-protect the materials on Box as “the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it.” The court found it “hard to imag[ine] an act that would be more contrary to protecting the confidentiality of information than to post that information to the world wide web.”

As a matter of public policy, the court urged businesses to exercise caution when using “rapidly evolving” technology to share information. Because a company controls the decision on whether to use new technology, it “should be responsible for ensuring that its employees and agents understand how the technology works, and, more importantly, whether the technology allows unwanted access by others to its confidential information.”

Defense Counsel Acted Improperly by Accessing Files Despite Privilege Flags

The court also criticized the conduct of Holding’s counsel, finding they acted improperly in accessing the Harleysville materials. The court assigned significance to the fact that the e-mail that contained the Box hyperlink had included a confidentiality notice that “should have provided sufficient notice to defense counsel that the sender was asserting that the information was protected from disclosure.” According to the court, Holding’s counsel should have realized, based on the confidentiality notice in the e-mail, as well as the extent of the materials on the Box site, that the materials were subject to privilege or other protection. Accordingly, they should have notified Harleysville’s counsel and sought a determination from the court regarding privilege and other protections before using or disseminating the information. Holding’s counsel had even consulted the state bar ethics hotline about the access, undermining their claims that they believed the access was proper.

Harleysville sought disqualification of Holding’s counsel, but the court found it not warranted because substitute counsel would have access to the same information in light of the privilege/protection waiver. Instead, the appropriate sanction was for Holding’s counsel to bear Harleysville’s costs to seek the court’s ruling on the matter.

Technology Provides the Problem but Also the Solution

Although Harleysville involves the pitfalls of file-sharing services, the case offers lessons that are applicable to the use of any new technology. Simple precautions can avoid, or at least mitigate the damages from, the risks that technology poses to confidential information.

To begin with, a business would be wise to require its employees to use only technology that the company has vetted and approved. The company should consider whether the service has the security features and other criteria that the business deems appropriate in light of the sensitivity of the information at issue and the threats to it as identified by the company. Because many file-sharing services operate in the Cloud, with respect to that particular technology this may include analysis of such questions as: What security protections are utilized, and how frequently are they tested and updated? Where will the service provider store the company’s information? Who will have access to the files and under what conditions? How long will the provider retain the data? How and when are backups conducted?

In addition to requiring that employees use only a company-approved file-sharing service, the company may also determine that employees’ use should be subject to certain security controls available within the service. For example, as Harleysville demonstrates, access to confidential files should be restricted (and perhaps tracked) by requiring the authorized users to enter a password or log-in information to obtain the files. Access can be further restricted by requiring multifactor authentication by which a second user-identifying factor beyond a password is necessary to gain access.

Another potential security control is to limit access to folders within the service to persons designated as authorized users. Separate folders can be established for specific target users. As to external users, this can limit permitted users to viewing only that information to which they are intended to have access. On an internal basis, limited access can serve to enforce ethical walls and need-to-know policies within the company. As a further precaution, the business can require that confidential information be encrypted before it is placed in a file-sharing service. That way, only intended recipients who have been given both access to the folder within the file-sharing service and the encryption key can access the sensitive information.

Beyond the need for password protections, Harleysville also illustrates the risk in making files accessible for a longer period than necessary. That risk can be reduced by ensuring the online file-sharing service does not become a long-term repository for sensitive information. A business can implement policies that prescribe how long files can remain posted in a file-sharing service, or even impose settings that automatically delete files after a specified period. The person sharing the file can implement security controls within the service to limit the time the file is accessible to designated users, as well as the number of times a file can be downloaded. Some services will also permit an organization to claw back documents after having been downloaded, so that a person accessing the file has only a temporary copy of the document.
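As an added example (not code from the opinion, from Box, or from any file-sharing vendor), the following Python models the controls described in the preceding three paragraphs, namely login gating with a list of authorized users, an availability time limit, a download cap, a fresh unguessable token per share, and claw-back, and replays a constructed timeline modelled on the Harleysville facts against an open-link policy and a hardened one. The user names and the April and May 2016 dates are assumptions; only 22 September 2015 comes from the page.

```python
"""Share-link access-control model. Added example; not the file-sharing service's code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import secrets


@dataclass(frozen=True)
class SharePolicy:
    """Controls a sharer can set on a link. The defaults are the open-link
    configuration at issue in Harleysville: anyone holding the URL gets the files, forever."""
    require_login: bool = False
    allowed_users: frozenset = frozenset()      # folder-level authorization, checked only with require_login
    max_age: Optional[timedelta] = None         # file-availability time limit
    max_downloads: Optional[int] = None         # per-link download cap


OPEN_LINK = SharePolicy()
HARDENED = SharePolicy(
    require_login=True,
    allowed_users=frozenset({"nicb-contact", "harleysville-counsel"}),  # assumed user names
    max_age=timedelta(days=14),
    max_downloads=2,
)


@dataclass
class ShareLink:
    token: str
    created: datetime
    policy: SharePolicy
    downloads: int = 0
    revoked: bool = False                       # set by claw_back()
    audit: list = field(default_factory=list)   # (timestamp, user, decision) per request


def issue_link(created: datetime, policy: SharePolicy) -> ShareLink:
    """Every share gets its own unguessable token. Re-using one link for new content
    (the April 2016 upload) silently extends the old link's audience to the new files."""
    return ShareLink(token=secrets.token_urlsafe(32), created=created, policy=policy)


def claw_back(link: ShareLink) -> None:
    """Revoke a link after the fact so that further requests are refused."""
    link.revoked = True


def evaluate_access(link: ShareLink, user: Optional[str], now: datetime) -> tuple:
    """Decide one access request and record it in the audit trail. Identity checks
    come first so an anonymous request is refused before any other rule is consulted."""
    p = link.policy
    if link.revoked:
        verdict = (False, "revoked")
    elif p.require_login and user is None:
        verdict = (False, "login required")
    elif p.require_login and user not in p.allowed_users:
        verdict = (False, f"user {user!r} not authorized")
    elif p.max_age is not None and now - link.created > p.max_age:
        verdict = (False, "expired")
    elif p.max_downloads is not None and link.downloads >= p.max_downloads:
        verdict = (False, "download cap reached")
    else:
        verdict = (True, "allowed")
    if verdict[0]:
        link.downloads += 1
    link.audit.append((now.isoformat(), user, verdict[1]))
    return verdict


# Constructed timeline. 22 Sep 2015 is the date on the page; the 2016 days are invented.
TIMELINE = [
    (datetime(2015, 9, 22), "nicb-contact"),          # e-mail with the link to the NICB
    (datetime(2016, 4, 15), "harleysville-counsel"),  # same link reused for the full claims file
    (datetime(2016, 5, 20), None),                    # link surfaces in a subpoena response; no login
]


def run_timeline(policy: SharePolicy) -> list:
    """Replay the timeline against one policy; returns the decision text for each step."""
    link = issue_link(created=TIMELINE[0][0], policy=policy)
    return [evaluate_access(link, user, when)[1] for when, user in TIMELINE]


if __name__ == "__main__":
    for name, policy in (("open link", OPEN_LINK), ("hardened", HARDENED)):
        print(f"{name:9}: {run_timeline(policy)}")
```

Under the hardened policy the April reuse is refused as expired, which is the point: the sharer must issue a fresh link with its own audience for the new upload, and the later anonymous request never reaches the files.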

Policies and Training Are Also Important in Data Protection

Although technology is certainly an important component of a company’s overall data-protection program, having effective policies in place is another key element. A company should strive to have a comprehensive scheme of policies that is tailored to address its specific needs in terms of protecting confidential information. Depending upon the company’s goals and the categories of information at issue, the policies may address such matters as limiting access to information based upon an employee’s need to know for his or her job role, mobile-device use and bring-your-own-device programs, remote network access, secure destruction of data kept in electronic and paper format, and monitoring of employee activity within the company’s network (including infiltration and exfiltration of data to and from the network and via other technology platforms, such as file-sharing services).

However, it does little good to adopt policies if the company does nothing to enforce them. A strong first step toward enforcement is education. Employees must be trained on the company’s policies. Ideally, this will be accomplished through a company-wide program that provides security-awareness training for employees at all levels of the company, from the executive suite to the lowest-ranking staff. A company may find it is effective to have different types of events and outreach, from in-person presentations by outside consultants, to e-mails with information-security tips, to online training exercises. It is also important that employees know who to contact with questions or concerns about policies and information protection. The goal is to ensure that employees know how the company expects them to handle confidential information and to enable them to identify and respond appropriately to matters that threaten the preservation of confidentiality.

Technology controls and security training could have gone a long way toward avoiding the Harleysville scenario. The opinion did not discuss whether the Nationwide employee was authorized to use Box as a file-sharing service, with or without password protections or other controls. Nor did it discuss the Nationwide employee’s previous use of Box in detail, although the court assumed that his previous use meant he was familiar with the site and the features available to protect information on it. That may have been true (or not), depending on how often he utilized the site and how frequently it underwent updates that changed its features. In any event, the opinion suggests there were less than adequate controls and training in place. In addition, the waiver of privilege surely has a detrimental effect on Harleysville’s success in the underlying coverage litigation, but a company could find itself in a worse position if the information improperly disclosed by an employee includes that of third parties who have entrusted it with their sensitive or legally protected information. In that instance, the company may find itself having to comply with federal or state laws that require notification when certain personally identifiable information is disclosed and potentially may face litigation over the disclosure.

Harleysville informs us that law firms likewise would do well to employ technology controls and training programs. The court indicated that plaintiff’s counsel should have realized the unprotected status of its client’s files because counsel itself used the unprotected link to access the files. In doing so, the court struck at the heart of an attorney’s ethical obligation of competency, which as adopted in most states includes having knowledge concerning the risks and benefits of relevant technology. Unless Harleysville’s attorneys had previous exposure to file-sharing services and their features, the attorneys likely would not have appreciated that access controls were not in place. Likewise, if the attorneys had a subordinate employee (such as a paralegal) access the files, the attorneys would be dependent on the subordinate to realize the risk to confidentiality and raise it with the supervising attorney. A firm-wide training program could help both attorneys and staff develop their technology competence and their skill in spotting vulnerabilities that threaten the confidentiality of their clients’ sensitive information.

The Harleysville court afforded great significance to the confidentiality notice in the e-mail that was used to initially forward the Box hyperlink, but the case demonstrates how ineffective that type of notice is for protecting sensitive information. It is common for businesses (attorneys especially) to include a confidentiality notice at the bottom of their e-mails. Typically, such notices are boilerplate, automatically appended at the very end of an e-mail, following the confidential message they are meant to protect, and often ignored as part of the “wallpaper effect.” Technology provides much more effective methods for protecting confidential information, such as password protection and encryption. As a lesson from Harleysville, businesses and attorneys would be well served to educate themselves about those alternatives and the pitfalls of and best practices for using them.

Supreme Court Restores Order to Bankruptcy Claims Process

Bankruptcy law is provided for in the U.S. Constitution under Article I, Section 8, Clause 4 and has existed in some form or another since the Bankruptcy Act of 1800. See Cent. Va. Cmty. College v. Katz, 546 U.S. 356, 370 (2006). Its primary purpose has long been to “relieve the honest debtor from the weight of oppressive indebtedness and permit him to start afresh free from the obligations and responsibilities consequent upon business misfortunes.” Local Loan Co. v. Hunt, 292 U.S. 234, 244 (1934). In the context of a Chapter 13 case, it furthers the fundamental purposes of the Bankruptcy Code system to adjudicate and conciliate all claims with respect to a debtor in her bankruptcy case. Universal Am. Mort. Co. v. Bateman (In re Bateman), 331 F.3d 821, 828, n.6 (11th Cir. 2003).

The Bankruptcy Code provides an incredibly broad definition of “claim,” which includes a “right to payment whether or not such right is reduced to judgment, liquidated, unliquidated, fixed, contingent, matured, unmatured, disputed, undisputed, legal, equitable, secured, or unsecured.” 11 U.S.C. § 101(5). The definition of “claim” is intentionally broad. 11 U.S.C. § 101(5) and 1978 Legislative History (“By this broadest possible definition . . . , the bill contemplates that all legal obligations of the debtor, no matter how remote or contingent, will be able to be dealt with in the bankruptcy case.” H.R. Rep. No. 595, 95th Cong., 1st Sess. 309 (1977), S. Rep. No. 989, 95th Cong., 2d Sess. 21–22 (1978), as reprinted in 1978 U.S.C.C.A.N. 5787 at 5807–08 and 6266).

The Fair Debt Collection Practices Act (FDCPA) was enacted in 1977 due to “abundant evidence of the use of abusive, deceptive, and unfair debt collection practices by many debt collectors [that] contribute to the number of personal bankruptcies . . . .” 15 U.S.C. § 1692(a). Congress made its purpose in enacting the FDCPA explicit: “to eliminate abusive debt collection practices by debt collectors, to insure that those debt collectors who refrain from using abusive debt collection practices are not competitively disadvantaged, and to promote consistent State action to protect consumers against debt collection abuses.” Owen v. I.C. Sys., Inc., 629 F.3d 1263, 1270 (11th Cir. 2011) (quoting 15 U.S.C. § 1692(e)).

For many years both the Bankruptcy Code and the FDCPA existed peacefully in separate jurisdictions. Attempts to inject FDCPA claims into bankruptcy cases were rare, and when attempted were often rejected by the bankruptcy courts themselves. Back in 2001, the Ninth Circuit Court of Appeals held that an FDCPA claim based upon an alleged violation of section 524 of the Bankruptcy Code was precluded by the Code itself because “while the FDCPA’s purpose is to avoid bankruptcy, if bankruptcy nevertheless occurs, the debtor’s protection and remedy remain under the Bankruptcy Code.” Walls v. Wells Fargo Bank, N.A., 276 F.3d 502, 510 (9th Cir. 2001). Several years later, the Bankruptcy Appellate Panel for the Ninth Circuit specifically held that the Bankruptcy Code precludes application of the FDCPA in the bankruptcy claims process. B-Real, LLC v. Chaussee (In re Chaussee), 399 B.R. 225 (9th Cir. B.A.P. 2008). Specifically, the panel found that “in our opinion, the debt validation provisions required by FDCPA clearly conflict with the claims processing procedures contemplated by the Code and Rules. Simply put, we find that the provisions of both statutes cannot compatibly operate.” The Second Circuit expanded on this reasoning in Simmons v. Roundup Funding, LLC, 622 F.3d 93, 96 (2d Cir. 2010), when it held that “the FDCPA is designed to protect defenseless debtors and to give them remedies against abuse by creditors. There is no need to protect debtors who are already under the protection of the bankruptcy court, and there is no need to supplement the remedies afforded by bankruptcy itself.”

Simmons and Walls were rather broad in their preclusion of all FDCPA claims in bankruptcy cases, whereas other circuits began to take a more analytical approach to whether there was a conflict between the portion of the Bankruptcy Code at issue and the FDCPA provision at issue. See, for example, Randolph v. IMBS, Inc., 368 F.3d 726 (7th Cir. 2004), and Simon v. FIA Card Servs., N.A., 732 F.3d 259 (3d Cir. 2013). Although the Third and Seventh Circuits would permit FDCPA claims under certain situations, one thing remained constant: no court would permit an FDCPA claim based upon the filing of a proof of claim. See also Owens v. LVNV Funding, LLC, 832 F.3d 726 (7th Cir. 2016); DuBois v. Atlas Acquisitions, LLC, 834 F.3d 522 (4th Cir. 2016); Nelson v. Midland Credit Mgmt. Inc., 828 F.3d 749 (8th Cir. 2016).

That all changed with Crawford v. LVNV Funding, LLC, 758 F.3d 1254 (11th Cir. 2014). According to the Eleventh Circuit, “A deluge [had] swept through U.S. Bankruptcy courts of late. Consumer debt buyers—armed with hundreds of delinquent accounts purchased from creditors—are filing proofs of claim on debts deemed unenforceable under state statutes of limitations.” Unlike cases before it, Crawford likened the filing of a proof of claim to the filing of a lawsuit. Crawford reasoned that because the filing of a lawsuit on a debt that was beyond the statute of limitations violated the FDCPA, so too would the filing of a proof of claim on that same debt.

After Crawford, a new deluge swept through U.S. bankruptcy courts, but the new deluge was that of debtors’ attorneys filing FDCPA complaints against debt collectors for filing proofs of claim on debts that were subject to a statute-of-limitations defense. The Crawford case itself did not make it to the U.S. Supreme Court and, ironically, was ultimately dismissed on summary judgment because Crawford’s own FDCPA claim was barred by the one-year statute of limitations set forth in the FDCPA. One of the cases in the new deluge was Johnson v. Midland Funding, LLC, 823 F.3d 1334, 1336 (11th Cir. 2016), another case from the Eleventh Circuit. As in Crawford, the bankruptcy court and district court held that the filing of the proof of claim did not violate the FDCPA, and the Eleventh Circuit reversed. Unlike Crawford, however, Midland specifically addressed whether there was an irreconcilable conflict between the FDCPA and the Bankruptcy Code’s claim-filing process.

Writing for a 5–3 majority, Justice Breyer closed Pandora’s box and ended the new deluge almost three years after it began. Taking a practical approach, Justice Breyer examined the purposes of the FDCPA and what it intends to prevent: “false, deceptive, or misleading” statements and “unfair or unconscionable” collection practices. Midland Funding, LLC v. Johnson, 137 S. Ct. 1407, 1410–11 (2017). The court reasoned that a proof of claim cannot be false, deceptive, or misleading if, on its face, it indicates that the relevant statute of limitations has run. Given that a claim under the Bankruptcy Code is a “right to payment,” which is determined by state law, the expiration of the statute of limitations did not extinguish the debt; the creditor still has a right to payment. The court rejected the debtor’s attempt to read the word “enforceable” into the definition of “claim,” noting that the word does not appear anywhere in the statutory definition. Rather, consistent with the text of the statute itself, the opinion notes that the definition of “claim” is extremely broad and even includes disputed claims.

Moving on to the unfair or unconscionable claims, the majority examined the purpose of a bankruptcy proceeding filed by the debtor and distinguished it from a collection lawsuit filed by a creditor, reasoning that the “features of a Chapter 13 bankruptcy proceeding make it considerably more likely that an effort to collect upon a stale claim in bankruptcy will be met with resistance, objection, and disallowance.” The court also rejected Johnson’s attempt to transfer the statutory burdens set forth in the claims process, noting that untimeliness is an affirmative defense. Ultimately, the majority determined that the differing purposes of the Bankruptcy Code and the FDCPA were at odds here, and applying the FDCPA would upset the “delicate balance” between the two. In the end, because Chapter 13 trustees and debtors have always had the burden to examine claims for potential defenses, the Supreme Court was not willing to try to craft a new exception to those well-established rules.

Unlike the majority, Justice Sotomayor’s dissent likened the filing of a proof of claim to the filing of a lawsuit. After spending a considerable amount of time discussing the debt-buying process in general, the dissent also disagreed with the majority’s holding that the Chapter 13 trustee and the process itself will provide adequate protection to the debtor. Given the lengthy introduction, it appears that the dissent’s issue lies not only with the filing of proofs of claim for the older debts, but also with their collection at all. This, too, represents a fundamental disagreement between the two opinions, given that the majority views the filing of the proof of claim as a part of the process to discharge debts, whereas the dissent views it as an end run around a forbidden practice.

In the end, the majority held that “filing a proof of claim that is obviously time barred is not a false, deceptive, misleading, unfair, or unconscionable debt collection practice within the meaning of the FDCPA.” This opinion restores order among the circuits and requires the Eleventh Circuit to fall in line with the Second, Third, Fourth, Seventh, Eighth, and Ninth Circuits when it comes to the application of the FDCPA to proofs of claim. One thing that the majority did not do, however, was issue a broad holding that the FDCPA simply does not apply to bankruptcy cases like the Ninth Circuit in Walls or the Second Circuit in Simmons. On the other hand, the majority also did not necessarily endorse the irreconcilable-conflict analysis like the Seventh Circuit in Randolph or the Third Circuit in Simon. Nevertheless, the Midland opinion is obviously a welcome respite from the deluge for debt buyers and debt collectors.

Blockchain: Tapping Its Potential and Insuring Against Its Risks

Blockchain is the distributed ledger technology (DLT) behind Bitcoin, Ethereum, and other cryptocurrencies. Blockchain is widely believed to be a game-changing trend for global business across sectors. Blockchain has been described by the creator of Bitcoin as a “peer-to-peer network using proof-of-work to record a public history of transactions” and by Forbes as “a distributed and immutable (write once and read only) record of digital events that is shared peer to peer between different parties (networked database systems).” In other words, Blockchain is a record of peer-to-peer (P2P) digital transactions categorized into blocks by a decentralized network of computers. Each transaction is time-stamped, encrypted, and linked to its preceding block, creating a “blockchain.” Each new block added to the chain must be validated by a consensus among the network of participants.

“Disruptive” Potential of Blockchain

The potential disruptive uses of blockchain technology in the marketplace have been compared to that of the Internet. The possibilities of blockchain are said to be endless across all industries, including fintech, health care, analytics, retail, energy, manned and unmanned vehicles, insurance, and the sharing economy. Over time, corporations using blockchain combined with artificial intelligence (AI) and the Internet of Things (IoT) will likely be able to better integrate their business partners and suppliers into the network, giving them a complete view of the supply chain and enabling them to conduct all transactions inexpensively, transparently, and securely through blockchain.

In June, a number of international banks selected a multinational technology company to use blockchain technology to build an international trading system called Digital Trade Chain. According to an Accenture and McLagan report, blockchain may “reduce infrastructure costs for eight of the world’s 10 largest investment banks by an average of 30 percent, translating to $8 billion to $12 billion in annual cost savings for those banks.”

A major automobile manufacturer has partnered with MIT’s Media Lab and others to identify the uses of blockchain technology in the automobile industry. A global retailer teamed up with a multinational technology company and recently announced the results of a test using blockchain technology in which it traced a food product from farm to shelf in seconds, as compared to the days-long process without blockchain technology.

The Blockchain Insurance Industry Initiative B3i, which includes global banks and financial services companies, is exploring the application of blockchain technology in the insurance sector. In June, a major insurer and a major multinational technology company announced a successful pilot program of a blockchain-powered “smart insurance policy.” Such smart insurance policies would be designed to execute the contract terms when specified conditions are met, provide for data continuity, trace the origin of a risk, and reduce fraud, among other benefits. In addition, numerous startups are marketing their blockchain-based platform to health care companies.

Security of Blockchain?

Because changes to a blockchain are displayed in real time and no central user controls the record, blockchain is said to be much less susceptible to hacking than a traditional database. For instance, if hackers wanted to modify information in a blockchain, they would first need to hack into both the specific block and all of the preceding and ensuing blocks in the blockchain across every ledger in the network at the same time. Because consensus among the network participants is required, the hackers’ change would likely be rejected as it would conflict with the other ledger entries on the network. Many observers believe this leads to an unparalleled level of security.
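To make the two mechanisms described above concrete, the hash linking of each block to its predecessor and the rejection of a divergent copy by the other ledgers on the network, here is an added toy example in Python (not code from the original article or from any blockchain project). The block layout, SHA-256 linking, sample entries, and the simple majority-of-tip-hashes consensus rule are all assumptions made for the demonstration; a real network uses proof-of-work or another consensus protocol rather than a simple vote.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS_PREV = "0" * 64  # the first block links to an all-zero "previous hash"


@dataclass(frozen=True)
class Block:
    index: int
    timestamp: int   # seconds since the epoch; fixed values below keep the demo deterministic
    data: str        # the transaction record carried by this block
    prev_hash: str   # hash of the preceding block, which is what chains the blocks together
    hash: str        # SHA-256 over this block's own fields, including prev_hash


def compute_hash(index: int, timestamp: int, data: str, prev_hash: str) -> str:
    """Canonical SHA-256 of a block's contents (JSON with fixed separators for determinism)."""
    payload = json.dumps([index, timestamp, data, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def make_block(prev: Optional[Block], timestamp: int, data: str) -> Block:
    index = 0 if prev is None else prev.index + 1
    prev_hash = GENESIS_PREV if prev is None else prev.hash
    return Block(index, timestamp, data, prev_hash,
                 compute_hash(index, timestamp, data, prev_hash))


def build_chain(entries: List[Tuple[int, str]]) -> List[Block]:
    """Append (timestamp, data) entries one after another, each linked to the previous block."""
    chain: List[Block] = []
    prev: Optional[Block] = None
    for timestamp, data in entries:
        prev = make_block(prev, timestamp, data)
        chain.append(prev)
    return chain


def verify_chain(chain: List[Block]) -> Optional[int]:
    """Index of the first block whose stored hash or prev_hash link is wrong; None if intact."""
    for i, blk in enumerate(chain):
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1].hash
        if blk.index != i or blk.prev_hash != expected_prev:
            return i
        if blk.hash != compute_hash(blk.index, blk.timestamp, blk.data, blk.prev_hash):
            return i
    return None


def tamper(chain: List[Block], index: int, new_data: str, rehash: str) -> List[Block]:
    """Constructed scenario: a copy of the ledger with one block's data altered.

    rehash="none": stored hash left stale (caught at the block itself);
    rehash="self": only the altered block is rehashed (caught at the next block's link);
    rehash="following": every later block re-linked too (self-consistent, but its tip hash
    now differs from every other copy on the network, so consensus rejects it).
    """
    altered = list(chain)
    b = altered[index]
    new_hash = b.hash if rehash == "none" else compute_hash(b.index, b.timestamp, new_data, b.prev_hash)
    altered[index] = Block(b.index, b.timestamp, new_data, b.prev_hash, new_hash)
    if rehash == "following":
        for j in range(index + 1, len(altered)):
            c = altered[j]
            prev_hash = altered[j - 1].hash
            altered[j] = Block(c.index, c.timestamp, c.data, prev_hash,
                               compute_hash(c.index, c.timestamp, c.data, prev_hash))
    return altered


def consensus_accepts(ledgers: List[List[Block]], candidate: List[Block]) -> bool:
    """Toy majority rule: a copy is accepted only if a strict majority of copies share its tip hash."""
    tips = [copy[-1].hash for copy in ledgers]
    return tips.count(candidate[-1].hash) * 2 > len(tips)


# Constructed sample ledger entries (timestamps and payments are made up for the demo).
SAMPLE_ENTRIES: List[Tuple[int, str]] = [
    (1500000000, "genesis"),
    (1500000060, "alice pays bob 5"),
    (1500000120, "bob pays carol 2"),
    (1500000180, "carol pays dave 1"),
]


def demo() -> dict:
    """Run the three tampering scenarios against a five-copy network, four of them honest."""
    honest = build_chain(SAMPLE_ENTRIES)
    stale = tamper(honest, 1, "alice pays mallory 5", "none")
    relinked_one = tamper(honest, 1, "alice pays mallory 5", "self")
    forged = tamper(honest, 1, "alice pays mallory 5", "following")
    network = [honest, honest, honest, honest, forged]  # attacker controls 1 of 5 copies
    return {
        "honest_first_bad": verify_chain(honest),          # None
        "stale_first_bad": verify_chain(stale),            # 1: block 1's hash no longer matches
        "relinked_first_bad": verify_chain(relinked_one),  # 2: block 2 still links to the old hash
        "forged_first_bad": verify_chain(forged),          # None: internally consistent
        "forged_accepted": consensus_accepts(network, forged),  # False: tip hash is a minority
        "honest_accepted": consensus_accepts(network, honest),  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for a defender is the last two results: the only tampering that passes local verification is a full re-linking of every later block, and that copy is then rejected because its tip hash disagrees with the other copies of the ledger.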

However, blockchain technology, like the Internet before it, will likely lead to unforeseen risks and exposures. For example, in 2013, Mt. Gox, a Bitcoin exchange handling 70 percent of all Bitcoin transactions at the time, suffered a technical glitch resulting in Bitcoin’s temporarily shedding a quarter of its value. That technical glitch was a fork in the blockchain, which resulted from the use of differing versions of the Bitcoin software. In 2015, Interpol identified an opening in blockchain used for cryptocurrencies that hackers could exploit to transfer malware to computers. In addition, blockchain is only as secure as its entry points. If the access systems used for blockchain are vulnerable to attack, the technology’s security may be undermined. In sum, blockchain is not risk-free and may not be hacker-proof. Given the value and potential high profile of transactions that may take place using blockchain technology, hackers will have incentives to invent new ways of using the technology for malicious purposes despite its protections.

Insuring the Blockchain

Because blockchain technology is not risk-free, companies should consider how their insurance policies, especially their cyber insurance policies, can protect against risks arising out of the use of blockchain technology—and whether they include provisions that could be used to deny coverage for claims with a connection to blockchain technology. For instance, one insurer’s cyber insurance policy form insures against disclosure of personally identifying information that results from unauthorized access into a system owned by either (a) an insured; or (b) “an organization that is authorized by an Insured through a written agreement to process, hold or store Records for an Insured.” Because blockchain is peer-to-peer, the insurer may argue it is not owned by any insured or any other “organization.” Thus, a policyholder experiencing losses due to the disclosure of personally identifying information arising out of the use of blockchain technology may face a coverage dispute with its insurer.

As another example, another cyber insurance policy form provides coverage for the “failure or violation of the security of a Computer System,” and defines “Computer System” to include “cloud computing” and “other hosted resources operated by a third-party service provider.” It is not clear whether the insurer would consider blockchain technology to fall within this definition, particularly because blockchains are peer-to-peer networks not operated by a central administrator. Policyholders also should review exclusions in cyber policies carefully, including those for accessing unsecure websites, self-inflicted losses, terrorism, and others.

Finally, policyholders should consider whether coverage for blockchain-related risks remains available under their traditional policies, such as technology professional liability policies, commercial crime policies, and specialty coverage forms. They should specifically review cyber, computer or technology, and data-related exclusions.

Conclusion

As the use of blockchain technology grows, cyber policies will adapt and begin to incorporate language addressing blockchain technology. However, the complexity of the technology, the lack of understanding of it, and the scarcity of data about its use may impede the development of the market for insurance covering operations or transactions involving blockchain. Nonetheless, as insurers increasingly conduct blockchain scenario analyses, follow developments in blockchain and related technologies, and improve their own understanding and analysis of blockchain’s risks, policyholders can expect them to offer new policies covering such risks. In the meantime, policyholders looking to conduct business using or involving blockchain should consider consulting experienced coverage counsel and carefully reviewing the policies they buy to ensure that those policies provide the insurance protection they need.

The Importance of Cybersecurity Due Diligence in M&A Transactions

Most enterprises today are almost totally dependent on digital data and network systems. Virtually all of a company’s daily transactions and all of its key records are created, used, communicated, and stored in electronic form using networked computer technology. This has provided companies with tremendous economic benefits, including significantly reduced costs and increased productivity. However, the resulting dependence on electronic records and a networked computer infrastructure also creates significant potential vulnerabilities that can result in major harm to the business and its stakeholders in the event of a security breach.

Accordingly, in the context of an M&A transaction, it is critical to understand the nature and significance of the target’s vulnerabilities, the potential scope of the damage that may occur (or that already has occurred) in the event of a breach, and the extent and effectiveness of the cyber defenses the target business has put in place to protect itself. An appropriate evaluation of these issues could, quite literally, have a major impact on the value the acquirer places on the target company and on the way it structures the deal.

As recent security incidents have made clear, intruders can operate from anywhere in the world, and by stealing, changing, or destroying critical corporate information, or exploiting access to a company’s systems to harm and disrupt its operations, they have been able to inflict significant damage on numerous businesses. No enterprise is immune from cyberattacks; none are impregnable. Virtually all enterprises have been breached and have had at least some of their sensitive information compromised.

In FY 2006, federal agencies reported 5,503 information security incidents to the U.S. Computer Emergency Readiness Team (US-CERT). In FY 2014, the reported incidents totaled 67,168, an increase of 1,121 percent. Given that corporations are loath to report cybersecurity breaches and may not detect successful incidents, the number of reported incidents probably represents only the “tip of the iceberg” of cyber attacks and intrusions.

Over the past three years, the consequences to organizations affected by such security breaches have been significant, and in some cases near catastrophic. One need only consider the injury suffered by organizations such as Target, Home Depot, Sony, and Yahoo!, or by victims of the recent “Petya” ransomware attacks such as Federal Express, DLA Piper, and A.P. Moller Maersk, to realize the significance of such events.

It should be critically important to a prospective acquirer of a target enterprise to understand and evaluate the extent to which the enterprise is vulnerable to a cyber attack. Equally important, an acquirer must know if the target may have experienced an attack that compromised its high-value digital assets without management’s awareness or clear comprehension of the severity of harm to critical corporation information and IP assets. Otherwise, the acquirer in an M&A transaction is at risk of buying the cyber vulnerability of the target company and assuming the damage and liability from incidents it suffers. In short, it will not comprehend the potentially devalued nature of the assets it is acquiring, nor the magnitude of liabilities it may incur at closing.

Cyber Threats to M&A Deals

M&A practice may at times overlook the significance of the cybersecurity risks facing target enterprises, including the risk that cyber attacks could already be devaluing the digital assets of a target without the target’s awareness and without the acquirer’s knowledge. By December 2014, such risks had become widely reported, as demonstrated by the following bleak recap by Nicole Perlroth in The New York Times:

In the last two years, breaches have hit the White House, the State Department, the top federal intelligence agency, the largest American bank, the top hospital operator, energy companies, retailers, and even the Postal Service. In nearly every case, by the time the victims noticed that hackers were inside their systems, their most sensitive government secrets, trade secrets and customer data had already left the building. . . . But the value [of stolen credit cards during this period] . . . which trade freely in underground criminal markets, is eclipsed by the value of the intellectual property that has been siphoned out of the United States corporations, universities and research groups by hackers in China—so much so that security experts now say there are only two types of companies left in the United States: those that have been hacked and those that do not yet know they have been hacked. . . . Most large organizations have come to the painful recognition that they are already in some state of break-in today.

Most recently, numerous businesses, organizations, and governments found their digital data imperiled by a world-wide dispersal of two waves of malware. The first wave, a ransomware attack dubbed “WannaCry,” began on May 12, 2017. Globally, it infected “230,000 computers in 48 hours,” locking down the computers it infected, and encrypting and rendering inaccessible all of their stored data. The WannaCry worm caused kinetic effects—“paralyzing hospitals, disrupting transport networks, and immobilizing businesses.” WannaCry should make people treat cyber-crime seriously, The Economist, May 20, 2017.

The second wave of malware, called “Petya,” began on June 27, 2017, and severely disrupted operations of “some of the world’s largest companies, including WPP, Rosneft, Merck, . . . AP Moller-Maersk[,] . . . Saint-Gobain and the DLA Piper law firm.” Global groups hit by fresh ransomware cyber attack, Fin. Times, June 28, 2017, at 11. For example, one day into the Petya attack, integrated global transport and logistics company A.P. Moller-Maersk “tweeted” on June 27, 2017, that the malware had brought down its “IT systems . . . across multiple sites and select business units.” By the second day, Maersk had “shuttered many of its ports around the world.”

WannaCry and Petya vividly demonstrated the vulnerability of many companies to a crippling cyber attack, and the experience of Target Corp. provides insight into the costs of a major breach. In 2014, Target Corp. experienced a breach of its networks affecting 40 million credit- and debit-card numbers and personally identifiable information for up to 70 million individuals. The remediation costs had a material impact on the company. Target eventually reported that it “incurred $252 million of cumulative Data Breach-related expenses, partially offset by $90 million of expected insurance recoveries, for net cumulative expenses of $162 million.”

Despite the ubiquity of cyber incidents, and the cost and disruptive impact of cyberattacks, such risks appear to remain “below the radar,” underestimated, or belatedly addressed in many M&A deals. Yet with the value of so many enterprises dependent upon the condition of their high-value digital assets, and with so many of those assets vulnerable to cyber attack, consideration of adding a cybersecurity due diligence review would seem a good and prudent precaution at the start of any proposed M&A deal.

Illuminating the Impact of Cyber Incidents on M&A Deals

The cybersecurity experiences of two companies involved in recent M&A transactions demonstrate the critical importance of cybersecurity due diligence.

Neiman Marcus

Luxury department store Neiman Marcus experienced, unawares, a cyber incident that began as early as July 16, 2013. The incident involved injection of malware into the retailer’s customer payment-processing system, ultimately compromising data on about 350,000 customer payment cards.

Several weeks later, on September 8, 2013, as the intruders operated undetected within the retailer’s networks, Neiman Marcus agreed to be acquired by a group led by Ares Management and a Canadian pension plan. On October 25, 2013, the acquisition of Neiman Marcus closed. Five days later, on October 30, 2013, the card-scraping activity of the malware inside the retailer ceased. No report of the incident suggests that Neiman Marcus or its acquirers knew, as of the closing, that the digital assets of the retailer had been compromised by intruders.

On December 17, 2013, Neiman Marcus received the first of several reports indicating fraudulent use of customer credit cards at its stores, and on January 10, 2014, Neiman Marcus publicly disclosed the incident. Shortly thereafter, affected customers filed class-action complaints alleging the retailer failed to protect them adequately against the breach and to provide them timely notice. Although Neiman Marcus sought to dismiss the suit by arguing that there was no harm to the plaintiffs, and thus no standing to sue, the Seventh Circuit allowed the case to proceed, holding that:

[i]t is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.

In so holding, the Seventh Circuit pointed to the continuing risk, noting that: “stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years.” In March 2017, Neiman Marcus entered into a settlement with the class-action plaintiffs and agreed to create a settlement fund in the amount of $1,600,000 to cover claims, legal fees, and other litigation-related expenses.

Apparently, neither the buyer nor the seller knew that Neiman Marcus’s digital assets had been compromised as of the closing, nor did they foresee the future risk of harmful use of such data. As the Neiman Marcus incident illustrates, there is a growing need to assess a target’s cyber vulnerabilities and the potential repercussions from incidents so that they can be given their appropriate weight in the negotiations of a deal.

Yahoo!

In late 2014, senior officers and legal staff of Yahoo!, Inc. learned that unauthorized access to its computer network had been gained by what Yahoo! identified as a “state-sponsored actor.” Yahoo! did not, at that point in time, publicly disclose the incident. Yahoo!’s board apparently did not receive a report of the incident or learn of it until almost two years later.

On July 23, 2016, Yahoo! and Verizon Communications Inc. entered into a stock purchase agreement by which Verizon agreed to acquire “one or more subsidiaries of Yahoo holding all of Yahoo’s operating businesses, for approximately $4.83 billion in cash . . . .” The acquisition of Yahoo! was “expected to close in the first quarter of 2017.” Verizon Communications Inc., Form 10-Q for the period ending June 30, 2016, filed Jul. 29, 2016, at 10.

Around the time that Yahoo! and Verizon signed their agreement, “a hacker claimed to have obtained certain Yahoo! user data. [T]he Company could not substantiate the hacker’s claim [but] . . . intensified an ongoing broader review of the Company’s network and data security, including a review of prior access to the Company’s network by a state-sponsored actor that the Company had identified in late 2014.” Yahoo, Inc., Form 10-Q for the period ending September 30, 2016, filed Nov. 9, 2016, at 40.

Thereafter, Yahoo! issued a statement to the U.S. Securities and Exchange Commission (SEC) that said it had no knowledge of “any incidents” of “security breaches, unauthorized access or unauthorized use” of its IT systems. Yet less than two weeks later, in September 2016, Yahoo! disclosed to Verizon, and shortly thereafter to the public, that a “copy of certain user account information for at least 500 million user accounts was stolen from Yahoo’s network in late 2014 (the First Security Incident).” After disclosing the incident, Yahoo! began notifying potentially affected users, regulators, and other stakeholders.

On December 14, 2016, five weeks after Yahoo! filed its Form 10-Q with the SEC that addressed the First Security Incident, Yahoo! disclosed on its website and in a Form 8-K that analysis of data by Yahoo!’s outside forensic experts convinced Yahoo! that a separate cyber incident involving almost 1 billion accounts had also occurred (the Second Security Incident).

After further negotiations and as a result of the two cyber incidents, Yahoo! agreed with Verizon to modify the terms of the deal as follows:

As the cyber incidents at Neiman Marcus and Yahoo! demonstrate, cybersecurity now deserves to be an integral part of M&A due diligence, and to be done properly, it must begin at the earliest practicable time in the transaction. Omitting cybersecurity assessments in M&A due diligence, conducting superficial evaluations, or limiting such due diligence to a company’s IT systems rather than treating cybersecurity as a risk category in its own right means ignoring the serious risks that cyber threats pose to all companies and to M&A deals involving them.

Assessing a Target’s Cybersecurity Defenses

Assessing the quality of a target’s cybersecurity defenses and its experience with cyber incidents poses a challenging risk assessment for an acquirer, and one quite different from other risk assessments in an M&A deal. How does an acquirer’s counsel evaluate the target’s cybersecurity program or inquire into its probable experience with cyber incidents? How does counsel assess the potential devaluation of the target’s high-value digital assets without evidence of what was accessed and exploited? How does counsel determine the “materiality” of apparent cyber incidents without knowing, other than by inference, the nature of the digital assets at risk or the harm that could flow from their compromise?

Cybersecurity due diligence may not yield a precise and exact picture, but it can bring an acquirer far closer to the actual condition of the target’s digital assets: it reveals the cyber vulnerabilities of those assets, whether the target has been adequately safeguarding and monitoring control of them, and any record of cyber incidents that may have compromised them. Knowing these facts, the acquirer’s counsel is in a better position to structure the definitive acquisition agreement to mitigate the risks identified.

To accomplish its goal, the acquirer’s M&A cybersecurity due diligence process should address six categories of topics, as follows:

  • identify the target’s high-value digital assets and evaluate the relative importance of those assets to the target’s business;
  • evaluate the target’s internal cybersecurity program to protect those high-value digital assets, e.g., whether it is appropriate for the business; whether it is complete, etc.;
  • assess the target’s cyber-risk-management efforts as they relate to third parties on which the target depends for goods, services, data, outsourced business functions, and joint business initiatives;
  • identify the target’s prior breaches and assess its incident-response capabilities;
  • evaluate the status of the target’s cybersecurity regulatory compliance, i.e., identify applicable compliance requirements, determine whether the target is in compliance with its cybersecurity legal obligations, and evaluate the risks posed by any failure of such compliance; and
  • consider and evaluate the target’s overall resilience and general ability to withstand a direct cyber attack on its digital assets.

Evaluating a Target’s Cyber Incident Experiences

Where the target company has experienced a recent security breach, the M&A cybersecurity due diligence team should assess whether the target has the means to establish five fundamental facts about the incident.

First, what data might the attackers have gained (or still be gaining) access to? Did they read files? Did they change permissions so that they could log in and appear authorized? Did they make copies of customer lists? Or worst of all, did they modify data? It is important that the target have the answers to such questions.

Second, what data might the attackers have viewed and exfiltrated copies of? It is possible the attackers saw something they wanted, such as the company’s password file or key product designs. Knowing what data was taken is key to evaluating the scope of the damage done, as well as the potential for future damage.

Third, what data might the attackers have changed? This is often the real bugbear. Did the attackers modify data in certain files and, if so, what changes did they make? This can be far more difficult to determine than whether the attackers read a file or removed a copy of it. For example, in the case of a defense contractor, the attackers might not only have taken a copy of the manufacturing design for a stealth fighter’s aileron but also modified the target’s own copy, so that every further use of that design data embeds defects or flaws that were not in the original design. No one at the target will know that has happened unless someone extraordinarily familiar with the data happens to compare the currently active file closely with a back-up that is reasonably good, i.e., one the attackers did not alter, or unless the target kept cryptographic integrity records (file hashes or signatures) of the design that predate the intrusion. Given that sophisticated, stealthy attacks may continue undetected for months or years, however, how far back must the target’s personnel go to obtain a reliable back-up, one that holds the original design and not the design as modified by the attackers? Even small, seemingly insignificant changes to critical data can have catastrophic impact on products and on users.
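The comparison described above, as an added example that is not part of the article or of any real incident: an integrity manifest (SHA-256 per file) is built from a back-up and diffed against the current tree, and the back-up is chosen as the newest one taken before the earliest plausible intrusion date, because any later back-up may already contain the attacker’s edits. The design files, back-up dates and intrusion date are constructed sample data; the function names and the in-memory `{path: bytes}` representation are my own assumptions, not a tool the article describes.

```python
"""Baseline-vs-current file integrity comparison (added example, not the article's code)."""
from __future__ import annotations

import hashlib
from datetime import date
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    """Content digest; any change to the bytes, however small, changes the digest."""
    return hashlib.sha256(data).hexdigest()


def hash_tree(files: dict[str, bytes]) -> dict[str, str]:
    """Build an integrity manifest {relative path: sha256} from in-memory files."""
    return {path: sha256_hex(content) for path, content in files.items()}


def read_tree(root: Path) -> dict[str, bytes]:
    """Load a directory (e.g. a mounted back-up) into the form hash_tree() expects."""
    return {
        p.relative_to(root).as_posix(): p.read_bytes()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def pick_baseline(snapshots: dict[date, dict[str, bytes]], earliest_intrusion: date) -> date | None:
    """Newest back-up taken strictly before the earliest plausible intrusion date.

    Back-ups taken during the intrusion window may already hold the attacker's
    edits, so they cannot vouch for 'original' content. Returns None when no
    back-up predates the window, i.e. when no trustworthy reference exists.
    """
    candidates = [d for d in snapshots if d < earliest_intrusion]
    return max(candidates) if candidates else None


def compare_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as modified, added, removed or unchanged."""
    base_paths, cur_paths = set(baseline), set(current)
    common = base_paths & cur_paths
    return {
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "unchanged": sorted(p for p in common if baseline[p] == current[p]),
    }


def investigate(snapshots: dict[date, dict[str, bytes]], current_tree: dict[str, bytes],
                earliest_intrusion: date):
    """End to end: choose a trustworthy baseline, then diff it against today's tree."""
    baseline_date = pick_baseline(snapshots, earliest_intrusion)
    if baseline_date is None:
        return None
    report = compare_manifests(hash_tree(snapshots[baseline_date]), hash_tree(current_tree))
    return baseline_date, report


# Constructed sample data (hypothetical, not real design files): three dated
# back-ups of a small design tree and the tree as it stands today. The intruder
# is assumed active since 2016-03-01 and to have altered one value on 2016-04-10.
ORIGINAL = {
    "aileron/profile.dat": b"NACA 2412 chord=1.20 twist=-2.0\n",
    "aileron/bom.csv": b"part,qty\nhinge,4\nactuator,1\n",
}
TAMPERED = {**ORIGINAL, "aileron/profile.dat": b"NACA 2412 chord=1.20 twist=-2.5\n"}
BACKUPS = {
    date(2016, 1, 15): ORIGINAL,
    date(2016, 2, 20): ORIGINAL,
    date(2016, 5, 1): TAMPERED,  # taken after the edit: already poisoned
}
CURRENT_TREE = {**TAMPERED, "aileron/notes.txt": b"review pending\n"}
EARLIEST_INTRUSION = date(2016, 3, 1)

if __name__ == "__main__":
    when, report = investigate(BACKUPS, CURRENT_TREE, EARLIEST_INTRUSION)
    print(f"baseline: back-up of {when}")
    for kind, paths in report.items():
        print(f"{kind:>9}: {paths}")
```

Run against the sample data, the 20 February 2016 back-up is selected and `aileron/profile.dat` is reported as modified; diffing against the 1 May 2016 back-up instead reports nothing modified, which is exactly the false reassurance a poisoned baseline gives. In a real engagement the manifests would be built with `read_tree()` from mounted back-up media, and the earliest intrusion date would come from the forensic timeline.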

Fourth, what defenses of the target did the attackers force the target’s system to reveal? Attackers now have tools that can force a target’s system to “reveal secrets that are relied upon for security.” Such a tool works analogously to the flying of aircraft towards or extremely close to an adversary’s border (or even crossing it briefly and departing) in order to prompt the adversary to turn on its most sophisticated air-defense radar, thereby revealing its location, signature, strength, and other features. In cyber attacks, as with probing air defenses, the prospective attackers want to determine what actions will cause the defensive measures to be activated, or “turned on,” and when it counts, what actions will not cause the defensive measures to “turn on” and enable the attackers to bypass them. Not knowing what the attackers have learned may cause a target to be far more vulnerable to future cyber attacks than the target (or an acquirer) may realize. It may also cause the target’s officers to become overconfident or complacent about their company’s cybersecurity.

Fifth, did the attackers gain entry through a layer of the target’s system that lacked the defenses present at other layers? Many target companies are unaware that a protection system is only “reliably effective against attacks” that occur “at the same system layer in which the protection system” has been implemented, and that some layers of a target’s computer network may carry fewer or different protections than others. Attackers can therefore breach a system by entering through a layer, higher or lower in the stack, that lacks the protections deployed elsewhere, much as attackers in medieval warfare could get past a deep moat and an insurmountably high castle wall by tunneling beneath both of those defensive layers.

A target’s exposure to cyber intrusions will be a function, in part, of how well prepared it is with tools to address those five features of a cyber incident.

Unfortunately, the means for discovering vulnerabilities, closing gaps in defenses, detecting intrusions, and determining what has been accessed, what has been done to it, and what awful things may happen at a time and place of the intruder’s choosing remain the trailing-edge technologies. Methods of intrusion, of conducting exploits, and of postponing their detection through stealth continue to outpace improvements in defenses. A victim’s first knowledge of an attack may come only when damage to or misuse of its digital assets becomes conspicuous or is reported by third parties. As a result, “companies often do not discover a data breach” or compromise of their digital assets “until an extended period of time after they have been hacked.” Clifford G. Tsan & Michael D. Billok, Cybersecurity Insurance: Facing Hidden Risks and Uncertainty, N.Y.L.J., May 2, 2016.

For an acquirer there are actually two kinds of breach of the target that may initially be difficult to distinguish from each other. In one, the target remains unaware of the intrusion and does not know what the attackers have done to or with the high-value digital data they accessed and compromised. In the other, the target may have discovered the breach months or years before the acquisition began but, for various reasons, postponed disclosing it to the acquirer until the definitive agreement had been signed and due diligence was well advanced.

Conclusion

Omitting cybersecurity assessments in M&A due diligence, conducting superficial evaluations, or limiting such due diligence to a company’s IT systems rather than treating cybersecurity as a risk category in its own right means ignoring the serious risks that cyber threats pose to all companies and to M&A deals involving them. In light of the transactional difficulties that cyber incidents can create, as observed in the Neiman Marcus and Yahoo!/Verizon deals, the inclusion of cybersecurity due diligence early in a proposed M&A deal should be recognized as essential to protecting an acquirer’s interests.

What Can Structured Negotiation Offer the Business Attorney? A Lot!

Have you ever paid an expert bill and cringed? Have you ever dreamed of brushing aside the procedures that bog down litigation and instead quickly getting to the real issues that brought your client to court? Have you ever represented a party who had a legal claim and wanted to preserve its relationship with the party it was forced to sue?

If you answered “yes” to any of these questions, Structured Negotiation is a dispute-resolution process that might be able to help.

What Is Structured Negotiation?

Structured Negotiation is a dispute-resolution method that happens without a lawsuit on file. It is a strategy to resolve legal claims that focuses on solution and encourages relationships between parties—and their counsel. Structured Negotiation trades the stress, conflict, and expense of litigation for direct and cost-effective communication and problem solving.

Structured Negotiation avoids the negative publicity that can accompany litigation and replaces expert battles with respected joint experts. It substitutes round-table discussions for contentious depositions, and it gives clients a seat at the table and a meaningful role in resolving claims.

With roots in the disability-rights movement, Structured Negotiation has potential application to many types of civil claims handled daily by business lawyers.

How Did Structured Negotiation Develop?

Structured Negotiation grew out of the blind community’s quest for financial privacy and access to financial technology. In 1995 my co-counsel and I wrote letters to Bank of America, Citibank, and Wells Fargo on behalf of three groups of blind clients and an advocacy organization. The issue was ATMs: not a single one in the United States talked, which meant that not a single blind person could use one.

We wrote those letters as an alternative to filing lawsuits under the Americans with Disabilities Act. We offered to negotiate with each financial institution about the development of “talking ATMs” and other services and technology for blind customers. Four years later we had negotiated comprehensive settlement agreements with each bank that produced some of the earliest talking ATMs in the world, compensated our clients, and provided for our attorney’s fees as allowed by civil rights laws. No lawsuit needed.

Joint press releases, beginning in the fall of 1999, heaped praise on each institution and resulted in an avalanche of positive press. Strong monitoring language and a commitment by our negotiating partners resulted in smooth implementation of each agreement.

Buried in the Bank of America 2000 press release was reference to the bank’s agreement to develop and design its online banking platform so that blind people could bank independently on the web. It was the first settlement in the country to address the disability community’s need for accessible websites. (Seventeen years later, on June 12, 2017, a blind shopper of the Winn-Dixie grocery chain won the very first web accessibility trial under the ADA.)

We used a mediator to help us in each of those early cases, but never had to file a lawsuit. The banks saved untold amounts of money, and relationships were built that continue to this day. Had it just been luck? Or had we stumbled on a way to practice law that avoided conflict, saved money, focused on solution, and preserved relationships?

The 18 years since those first agreements have proven that it was not just luck. As my colleagues and I named the process “Structured Negotiation” and began to use it across the country, some of the largest organizations in the United States said “yes” to a new dispute-resolution process.

Walmart, Anthem, Inc., Major League Baseball, Target, E*Trade, Charles Schwab, and others have worked with my clients in Structured Negotiation to resolve claims under the ADA and related laws. Structured Negotiations with the City and County of San Francisco, the City of Denver, and Houston’s transit agency demonstrate the method’s usefulness in claims against government entities. A Structured Negotiation settlement with the American Cancer Society shows how the process can benefit nonprofit organizations.

These cases involved the civil rights of disabled people to access information and technology in the 21st century. Many of them were about web (and later mobile) accessibility. Today, digital access is a hot-button issue, with a significant number of new court filings and judicial rulings monthly. Structured Negotiation has been helping some of America’s largest companies make their digital content available to everyone since that early Bank of America commitment in 2000. No lawsuits, bad publicity, or run-away costs required.

Why Structured?

In 1999, after the early successes with Wells Fargo and Citibank, we named the process Structured Negotiation to emphasize that it was a robust alternative to filing a lawsuit. We knew our early negotiations had been successful because they had a structure, and for the past two decades the elements of that structure have been refined through practice. Those elements are listed here. Elaboration of each element, with stories from cases, can be found in my book about the strategy, Structured Negotiation, A Winning Alternative to Lawsuits.

  • A conscious decision by clients and their attorneys to pursue claims resolution without filing a lawsuit.
  • An opening letter that invites participation. The language change is deliberate: the first correspondence is not a demand letter in the traditional sense. It can (and often should) even say something nice about the recipient while calmly describing the legal and factual basis of the claims.
  • A period of uncertainty when all counsel begin communications about both the claims and the dispute-resolution process, and would-be defendants determine whether to participate. This period includes both waiting for a response and evaluating a response that might be laden with legal jargon and still leave room for negotiation. Without skillful handling of this element, a Structured Negotiation can fall apart before it begins!
  • A ground rules document signed by all parties that identifies negotiating topics, preserves confidentiality, protects statutory rights to damages and attorney’s fees, and tolls applicable statutes of limitations.
  • A period of information sharing involving written documents, meetings (live, virtual, and/or by phone), and site visits when needed. Meetings take a “show don’t tell” approach with a constant subtext of forming and maintaining relationships. They allow clients to have a meaningful seat at the table and are the cornerstone of the most successful Structured Negotiations.
  • Sharing expertise (most often via joint experts and client participation) in a manner that avoids expert battles and run-away costs and values client contributions.
  • Taking baby steps toward resolution. Pilot programs, interim measures, and partial agreements before final resolution have been key to many successful negotiations.
  • Recognizing and dismantling fear through honest conversation and effective listening practices.
  • Drafting the settlement, a process that begins cautiously and with joint acknowledgment that the time is right to formalize commitments.
  • Negotiating about money, an aspect of Structured Negotiation to be undertaken with particular care because it is easy to slip into traditional adversarial lawyering when the subject is money.
  • Use of a mediator when appropriate to guide parties around points of conflict. Although used in all three of the first cases, as I learned to be a better negotiator I found I needed third-party help less frequently. Structured Negotiation has been referred to by one of my big-firm negotiating partners as “mediation without the mediator.” Most often direct communication in a collaborative environment is all that is needed to get to the finish line, but parties should not be afraid to use a mediator when third-party help might be useful.
  • Settlement monitoring, a task made easier by positive relationships developed during the process. Skillful and direct communication among parties and counsel typically make court enforcement unnecessary even when implementation does not go as planned.
  • Media strategy that avoids negative press releases in favor of jointly issued positive statements.
  • Use of collaborative language. Structured Negotiation avoids terms that detract from an environment of problem solving. Why call someone a “defendant” if you do not want them to defend past practices? Why say “opposing counsel” if you do not want opposition?
  • Development and maintenance of the Structured Negotiation mindset. This might be the most important element of all and maybe the trickiest for most lawyers. Without patience and trust, operating in the absence of the safety net of a filed case can lead to frustration and failure. Grounded optimism, equanimity, and empathy give Structured Negotiation participants needed tools when the going gets tough. In my experience, when appreciation and friendliness infuse interactions, parties can more quickly reach resolution.

Can Business Lawyers Use Structured Negotiation?

Although I have never been a business lawyer, I pose the question: Why not?

  • What is the downside of trying a dispute-resolution method that saves tremendous amounts of money? If Structured Negotiation proves ineffective, the litigation route is still available. In my book I quote a litigation partner in a national law firm: “I found Structured Negotiation to be fairer to my client than litigation. I like the process because it gives my client the opportunity to do the right thing and avoids costly litigation. And if the negotiation does not succeed, my client has not waived the right to engage in an aggressive, strategic defense.”
  • What is the downside of seeing if relationships can be preserved while working out disputes?
  • Is your case likely to settle “at the end”? Why not at least try to settle early?
  • Would you rather give up control and prove to a judge that your client is right, or put aside legal differences and get to the heart of the matter?

It is critically important to preserve the litigation system in the United States, and many times filing a lawsuit is the best and most effective tool for our clients; however, when all you have is a hammer, everything looks like a nail. A filed lawsuit is a hammer. Structured Negotiation is another tool in the tool box.

I hope that business lawyers will find Structured Negotiation a tool worth exploring in appropriate cases. Along with other early dispute-resolution strategies such as pre-suit mediation, Structured Negotiation can speak to a host of client needs. It can offer a winning alternative with a 20-year track record to a public craving litigation alternatives that are cost-effective and preserve relationships. It holds the promise of a strategy that avoids conflict and minimizes stress, encourages trust over fear, and even kindness over anger.

The New Oil: The Right to Control One’s Identity in Light of the Commoditization of the Individual

This is the third article in a three-part series exploring Europe’s Right to be Forgotten in the context of an American Right to Dispute Personally Identifiable Information directly with private entities, such as consumer reporting agencies or search engines. It reaches the conclusion that based on the magnitude of consumer-specific data in the possession of such private entities, the debate has shifted from the inherent fairness of generating temporary “snapshots” of creditworthiness or moral character to the fundamental control of one’s identity in light of the “commoditization of the individual.”

***

The Commoditization of the Individual: Who Legally Controls Information Equating to One’s Identity?

Data, particularly consumer data, has been officially labeled “the new oil.” This metaphor characterizes the observation or notation of one’s personally identifiable information (PII), such as one’s biometrics, DNA, geolocation history, Internet browsing history, or character, as a commodity, and commodities may be “exploited.” In one sense, the exploitation of a commodity is the process by which a raw material is refined to serve a more valuable purpose. In another sense, exploitation may imply the receipt of an unfair benefit at the expense of another. The Digital Age is set to produce more than 163 zettabytes of data per year by 2025 (a zettabyte is one trillion gigabytes), much of it consumer-specific. Andrew Cave, What Will We Do When The World’s Data Hits 163 Zetabytes in 2025?, Forbes.com (Apr. 13, 2017). How will such massive quantities of consumer data be used? The FTC has found that large companies known as data brokers have created individual profiles on nearly every U.S. consumer for the purpose of discriminating between them. Edith Ramirez et al., “Data Brokers: A Call for Transparency and Accountability,” FTC Rep. 8, 46 (2014). Data brokers do not generate consumer reports, however, and consequently are not regulated by the existing U.S. consumer-protection or privacy laws that limit who may see negative information, and for how long, before it is “forgotten.” Thus, any exploitation of such data remains unregulated. This article explores existing exploitations of PII that are consolidating massive troves of comprehensive, consumer-specific PII and that may amount to the commoditization of one’s identity.

The Existing Exploitation of PII in Relation to Individual Liberty

Automobiles need oil to function. Petroleum requires refinement for an automobile to operate as expected. The exploitation of crude oil serves an important purpose in allowing individuals to travel according to their needs or desires. Such an exploitation enhances individual autonomy and liberty. Servitude, on the other hand, allows one individual to take unfair advantage of the fruits of another’s labor. Such exploitations significantly diminish individual autonomy and liberty. Meanwhile, slavery and indentured servitude empower one individual to control another individual’s person comprehensively. Such exploitations decimate individual autonomy and liberty. Consequently, the spectrum for interpreting the meaning of an exploitative act, in terms of liberty, is one of degrees ranging from augmentation to annihilation. Perhaps George Orwell was right about the notion of “doublespeak,” in that no term is more fitting to describe existing collection and consolidation efforts of PII than the term “exploitation.” Current collection efforts have the power either to enhance individual liberty or to extinguish it. The key will be determining the core purpose for which PII is collected.

PII is primarily gathered and aggregated for marketing and predictive analytics, people-search functions, risk mitigation, and predictive voting models.

  • Marketing and Predictive Analytics. The FTC recognized that large data brokers consolidate aggregate PII for the purpose of utilizing predictive analytics to discriminate among consumers regarding their race, economic status, age, credit worthiness, health status, familial status, propensity to default or to engage in a crime, etc. Ramirez at 19–21, App’x B. Marketing purposes include thousands of data points designed to consolidate an individual’s prior actions for the purpose of predicting future behavior (i.e., predictive analytics). Id. For example, Cambridge Analytica has created profiles consisting of: (i) demographics/geographics (e.g., age, gender, ethnicity, race, income); (ii) “psychographics” (i.e., advertising resonance, consumer data, lifestyle data, political engagement, cellular/mobile opinions); and (iii) personality, to predict how an individual will act when confronted with a specific purchasing decision or an opportunity to vote. Alexander Nix, The Power of Big Data and Psychographics, Concordia Summit (Sept. 27, 2016), available at https://www.youtube.com/watch?v=n8Dd5aVXLCc.
  • People Search. Data brokers are engaged in consolidating broad data sets for the purpose of tracking and locating specific individuals. According to the FTC, these products allow users to “research corporate executives and competitors, find old friends, look up a potential love interest or neighbor, network, or obtain court records or other information about consumers.” Ramirez at 34.
  • Risk Mitigation. Data brokers engaged in risk mitigation provide services that allow users to conduct identity verification and fraud prevention. For example, financial institutions utilize these services to comply with “know your customer” identity verification requirements pursuant to the USA PATRIOT Act. Ramirez at 32–33 (e.g., knowledge-based authentication (KBA) and fraud detection).
  • Predictive Voting Models. Data brokers engaged in predictive voting models aggregate thousands of types of PII for the express purpose of predicting how an individual will react to voting advertisements or propaganda. See, for example, Nix (discussing the “OCEAN” Paradigm (i.e., Openness, Conscientiousness, Extraversion, Agreeableness, and Neuroticism)).

These efforts have the power either to increase individual liberty or to suffocate it. On the one hand, individuals may receive enhanced product offerings with expedited purchasing options, increased social connectivity, better searchability of public or private figures, enhanced digital security when engaging in sensitive online financial transactions, or more relevant political information during elections. On the other hand, all such records containing aggregate PII in the possession of these entities, by virtue of existing, are discoverable by government authorities, exposed to significant risks of unauthorized access or theft, and may be used in illegally discriminatory ways to limit, inter alia, the individual’s ability to access credit (i.e., mortgage, educational loans, or auto loans) or procure certain types of employment. Consequently, existing exploitations are in need of effective regulation to ensure that such information is not misused.

Scope of Collection Efforts

Data brokers acquire PII not from the individuals themselves, but from other businesses or government entities. Ramirez at iv, 49. Consequently, data brokers afford no choice or consent options to the individuals impacted by the collection of such data. There are both government and private actors, such as administrative agencies like the NSA, data brokers, search engines, social media giants, and consumer reporting agencies, that have feasible and independent capacities to collect and store vast quantities of data on each of the approximately 8 billion people presently living on this planet. See, for example, Utah Data Center (last visited Aug. 25, 2017) (stating that one facility has the capacity to store one yottabyte of data). For example, Facebook alone has confirmed that it has consumer-specific data on nearly one-quarter of the entire global population. Jack Flemming, Facebook reaches 2 billion users, L.A. Times (June 27, 2017). The FTC has confirmed that individual data brokers each house billions of consumer transactions. This information is consolidated into profiles on nearly every U.S. consumer and used to generate millions to billions of dollars for these entities. Ramirez at 8, 23; IAB Internet Advertising Revenue Report, IAB.com (2017). There are approximately 2,500 to 4,000 data brokers in the United States alone. E.g., Paul Boutin, The Secretive World of Selling Data About You, Newsweek (May 30, 2016). Thus, existing collection efforts have the technological capacity to collect and store consumer-specific data on every human being on Earth.

Furthermore, each data broker has the capacity to consolidate PII and categorize it for discriminatory purposes based on thousands of criteria, ranging from household size, personal relationships, societal memberships, personal preferences, medical-related purchases, employment activity, educational opportunities, and political and religious leanings, to name a few. See Ramirez at App’x B. Such PII may include government IDs, biometrics, account numbers, purchase histories, etc. See, for example, Ramirez at 11–15; Adam Schwartz, End Biometric Border Screening, EFF.org (Aug. 9, 2017). In fact, the power now exists to create independent registries that may be synonymous with the power to control one’s actual identity within society. Such entities have converted the intangible nature of one’s existence into intellectual property that may be purchased and sold without any regard to the choice or the consent of the individual. Thus, private and public entities have power to commoditize one’s identity.

Can PII Ever Equate to an Individual’s Identity?

PII has been defined as any information about an individual, such as data that can “distinguish or trace an individual’s identity” (e.g., name, Social Security number, date and place of birth, mother’s maiden name, or biometric records) or that is “linkable to an individual” (e.g., medical, educational, financial, and employment information). NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), ¶2.1 (2010). The U.S. Constitution was drafted in a day when an individual’s “papers and effects” were physical tangible pieces of property. U.S. Const. amend. IV. The Founders’ intent on codifying this natural right likely had little to do with protecting the intrinsic value of the actual paper or effect in question, and everything to do with protecting the information or content contained thereon. Consequently, it was the information that might be revealed via an illegal search or seizure that was protected. Thus, the right to control one’s personal information has always been a protected Constitutional interest.

In the 21st century, property has been transformed into bits and bytes of data that may seamlessly and instantaneously flow across intercontinental land masses via satellite or Internet transmission. An individual’s “person” in terms of character, creditworthiness, thoughts, desires, geolocation, biometrics, DNA, expenditures, business ventures, and religious, political, or social preferences may now be gathered, processed, consolidated, sold, purchased, and transferred into registries that have the potential of defining who that individual is, what his or her potential is, and what his or her social desirability is, without anyone ever physically entering the individual’s home or land or coming into contact with the individual’s physical person. These essential elements of a person, having been reduced to bits and bytes of data, have effectively transformed the person into property.

In isolation, PII is a reproduction, a writing, or a record of a physical object, characteristic, attribute, behavior, or action of an identifiable human being extant in the tangible world. In its simplest form, PII is merely the annotation of data like a name or address. When aggregated, however, PII has the potential of becoming the digital equivalent of a living person’s identity. If an unauthorized third party spied on another person and collected saliva samples containing DNA, fingerprints, faceprints, complete lists of past addresses, employers, educational institutions attended, and close relationships, journals, thoughts, ideas, desires, innovations, writings, wants, purchase histories, vacation destinations, acts of religious observance, political statements and leanings, and economic status, would the law grant a superior property right to that individual in relation to the person to whom the data related? The answer lies in whether aggregated PII may become something more than property: a right to control one’s identity.

Does an Enforceable Cause of Action Exist to Safeguard the Right to Control One’s Identity?

Currently, many scholars and practitioners most closely categorize the harm associated with an unauthorized collection of PII with the protections afforded by the fundamental right to privacy. The harm, however, transcends right-to-privacy precedent because the control of one’s identity is fundamental to liberty. When analyzing government actors, the Supreme Court has bifurcated the fundamental right to privacy, subjecting data privacy to rational basis review and thus allowing government actors to easily subvert such privacy rights. See Whalen v. Roe, 429 U.S. 589, 598 (1977). With regard to private actors, the FTC observed that data brokers are not currently regulated under the Fair Credit Reporting Act (FCRA) or other federal consumer-protection laws because data brokers do not generate “consumer reports.” Given that there is no direct relationship with a consumer, UDAAP laws, Dodd-Frank, and Gramm-Leach-Bliley arguably do not apply. Thus, analyzing the unauthorized collection of PII pursuant to existing right-to-privacy precedent equates to analyzing the harm associated with this conduct in a laissez-faire economy or deregulated environment. The individual is thus subject to the will of those with far greater resources to track or acquire his or her PII. See Mark T. Andrus, Not without My Consent: Preserving Individual Liberty in Light of the Comprehensive Collection and Consolidation of PII, 20 J. Internet L. 9 (Mar. 2017).

There exists another relevant aspect of the right to privacy that goes beyond a “right to be let alone” to a right “to not be harmed.” Cf. Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890); Thomas McIntyre Cooley, A Treatise on the Law of Torts or the Wrongs Which Arise Independent of Contract 29 (2d ed. 1888) (expounding a right of complete immunity to be free from injury). William Prosser propounded that the right to privacy was rooted—in relevant part—in the tort of appropriation. He defines an “appropriation” as the “exploitation of attributes of a plaintiff’s identity.” William L. Prosser, Privacy, 48 Cal. L. Rev. 383, 401 (1960). The Supreme Court later affirmed this definition. See, for example, Zacchini v. Scripps-Howard Broad. Co., 433 U.S. 562, 571 (1977). The Restatement Second of Torts requires “the appropriation [i.e., taking] of another’s name or likeness for the use or benefit [i.e., gain] of the defendant.” Restatement (Second) of Torts § 652C. The right is designed to protect a person against the harm of forfeiting something of value (i.e., profit) associated with the individual’s identity. The harm is rooted in a lack of consent. Prosser notes that it is the plaintiff’s attribute “as a symbol of his identity” that creates an appropriation action. Prosser at 403.

Furthermore, the U.S. Supreme Court has recognized “right to publicity” laws in which an individual possesses rights that protect their interest to reap benefits from proprietary interests in any rewards from their endeavors, which include the unauthorized use of characteristics of their identity. See, for example, Zacchini, 433 U.S. at 562. The Restatement Third of Unfair Competition defines the right of publicity as “one who appropriates the commercial value of a person’s identity by using without consent the person’s name, likeness, or other indicia of identity for purposes of trade.” Restatement (Third) of Unfair Competition § 46 (emphasis added). Thus, rights to control a benefit associated with one’s identity are currently extant.

Although these causes of action are rarely utilized and would be matters of first impression in a data acquisition case, they provide a framework that goes beyond trespass, intentional torts, or intellectual property, which are areas of law not well suited to address the potential harm involved in amassing troves of aggregate PII. The harm is not one associated with an interference preventing an individual from using his or her own PII, but rather in empowering an unauthorized third party with the ability to control and profit from that individual’s identity. The harm is wholly distinct from mere interference or invasion.

Is There Actual Harm When an Unauthorized Third Party Collects PII on an Individual?

Historically, the element of actual injury required a tangible harm. For example, trespass laws allowed courts to remediate harm associated with unauthorized physical invasions of land and chattel. Trespass to an individual’s person was governed based on harm associated with an unconsented touching, fear, apprehension, or confinement through battery, assault, and false imprisonment laws. When analyzing the modern acquisition of PII, there is often no physical invasion, no confiscation of actual property, and no physical touching, apprehension, or confinement. Physical invasion is no longer relevant. One series of cases has attempted to analyze harm associated with the unauthorized acquisition of PII as a trespass to chattel. This analysis requires actual interference with the physical functionality of the tangible computer system. Intel v. Hamidi, 71 P.3d 296 (Cal. 2003); see also eBay, Inc. v. Bidder’s Edge, Inc., 100 F. Supp. 2d 1058 (N.D. Cal. 2000). Unfortunately, the root harm has been largely overlooked.

The lesser yet substantial harm associated with an unauthorized comprehensive collection of PII is an unconsented and forfeited benefit from the value of such property through the appropriation of the individual’s identity. The greater and more compelling harm associated with these acts is a loss of liberty and autonomy, particularly if biometrics (i.e., facial profiles, fingerprints, DNA, etc.) are involved. See, for example, Amy Korte, Federal Court in Illinois Rules Biometric Privacy Lawsuit Against Google Can Proceed, IllinoisPolicy.org (Mar. 8, 2017). Comprehensive PII profiles may literally include not only preferences and a consumer’s past dealings with businesses, but also one’s biology and genetic makeup. If used for malevolent purposes (e.g., eugenics-based sterilization), one’s aggregate PII, or identity, could be manipulated or abused by those in possession of such data. Could an individual in such a society be denied educational, employment, or familial opportunities based on predictive analytics? If so, such a harm would be more akin to servitude or slavery than a lost wallet. Some harms truly are irreparable.

Exclusive Rights and the Right to Control One’s Identity

Owners of real property may bring trespass actions based on their exclusive rights to the use and enjoyment of the property. Existing intellectual property rights, such as copyright, trademark, and patent laws, grant an owner exclusive rights to any benefit derived from such property. The U.S. Constitution expressly grants exclusive rights to “authors and inventors” to their respective “writings and discoveries.” U.S. Const. art. I, § 8, cl. 8. Such “writings” include the act of converting such content to bits and bytes of digital data. See, for example, The Digital Millennium Copyright Act, Pub. L. No. 105-304, 112 Stat. 2860. In articulating a right to privacy, Louis Brandeis and Samuel Warren argued that any individual desiring to make “public” private sentiments (e.g., with paintings or words) had exclusive rights to limit any disclosure. Consequently, publication was prohibited absent consent. Which is more worthy of exclusive rights: a painting or an individual’s right to control his or her identity? No third party should have a greater right to control aggregated data equating to the identity of another.

Regulating the Acquisition and Consolidation of Aggregated PII: Consumer Reporting v. Social Control

The FCRA was primarily enacted to govern and regulate private parties engaged in gathering, storing, and transferring consumer-specific data for the purpose of improving the effective interest rate or premium that the consumer would be offered based on the consumer’s risk of nonrepayment or filing an insurance claim. In theory, the collection and processing of this data increased the efficiency of the banking and insurance markets, thus increasing the likelihood that consumers would have access to credit or insurance products when needed. The overall regulatory scheme was constructed to exploit consumer data for the purposes of increasing consumer access to credit and arguably liberty. Furthermore, the consumer-specific data was limited to only those parties with a valid permissible purpose, and negative information was required to be deleted, or “forgotten,” no later than seven to ten years from the first date of delinquency.

Existing data-collection efforts by private parties such as data brokers, search engines, and social media giants far exceed anything that Congress attempted to regulate in consumer-protection statutes such as the FCRA or other consumer-protection laws. Such efforts go beyond consumer reporting and have the potential to create new mediums for social control. Current data-collection efforts go beyond liens, late payments, and bankruptcy filings by including biometrics, DNA reports or analyses, geolocation records, browsing history, vast records of social relations, public commentaries, and political, religious, or social leanings. Yet, consumer records that consolidate these types of data are not classified as “consumer reports.” See Ramirez at 7–10. Thus, they are not regulated by consumer-protection laws.

The entire data-gathering/consumer-reporting process must be revisited and redefined in light of the harm inherent within aggregated PII, such as a loss of liberty, both in terms of consent to benefit from the economic use of the individual’s indicia of identity and in terms of a forfeiture of the control of one’s identity. The key will be in regulating PII in a way that allows for the positive exploitation of such data while minimizing the comprehensive consolidation of aggregated PII that may allow a third party to control the identity of another. These objectives will be best achieved by applying underlying principles associated with the separation of powers doctrine (e.g., a sectoral mandate, such as a prohibition on consolidating medical/genetic PII with consumer financial PII), by requiring the eventual anonymization of PII (e.g., businesses may continue to benefit from generalized statistics and analytics involving PII; however, PII itself could only be possessed for a set period of time), and by recognizing an exclusive or inalienable right to control aggregated PII equating to one’s identity. The U.S. Constitution is founded on “Creator-created” inalienable rights (i.e., granted by “Nature and Nature’s God”) as opposed to man-made or man-revoked civil rights. See Andrus at 18–23. Such rights may not be legally transferred. No third-party entity should have a superior right to control aggregated PII equating to one’s identity.

Conclusion

A right to control one’s identity in light of existing exploitations of PII rests on the degree of control a third party has by virtue of possessing aggregate PII. Possession is nine-tenths of the law of ownership. No third party should have an ownership interest in an individual’s comprehensive PII, particularly when such data may reasonably equate to the ability to control one’s identity. Although the “new oil” may be exploited for purposes that benefit the consumer and enhance liberty, the risks associated with the existence of individual profiles on society-wide populations are significant. Regulation is required to ensure that existing data-collection efforts properly safeguard and protect liberty interests. Although there is currently no official recognition of a right to control one’s identity, torts of appropriation and rights of publicity protect an individual’s right to control his or her identity. The right to control one’s identity is fundamental to liberty and should be recognized as inalienable. Absent such recognition or regulation, data gatherers will continue to commoditize the individual by converting the tangible person into intangible property that may be bought or sold at will, regardless of the consent of the individual.

Whistleblowers Can Face Tax Problems

Whistleblower claims are brought under a variety of federal and state statutes and are usually handled for contingent fees. On big recoveries, a legal fee of 40 percent—or any other customary contingent fee—can be a lot of money. That means the tax treatment of the gross recovery and the legal fees can be a very big issue.

Most plaintiffs and whistleblowers assume that the most that could be taxable to them by the Internal Revenue Service (or by their state) is their net recovery. Lawyers often receive the gross amount, deduct their fees, and remit only the balance to the plaintiff or whistleblower. Their net take-home pay after legal fees and costs is not the only money the IRS sees, however.

For many plaintiffs and whistleblowers, the first inkling that the gross recovery may be their income is the arrival of Forms 1099 in January. The statute under which the claim is made can impact taxes materially. The oldest whistleblower statute is the federal False Claims Act, dating back to the Civil War. See 31 U.S.C. §§ 3729–3733. However, there are state versions of this law, IRS whistleblower claims, and SEC whistleblower claims. The latter emanate from section 922 of the Dodd-Frank Act, Pub. L. No. 111-203, 124 Stat. 1377 (July 21, 2010).

To say that not all whistleblower claims are created equal when it comes to taxes would be an understatement. Not all claims qualify to have legal fees deductible “above the line,” which means essentially off the top, so the whistleblower does not pay any tax on the legal fees. Otherwise, you must claim a miscellaneous itemized deduction, which is subject to a number of limits.

If you obtain a huge recovery and must pay 40 percent or more to your lawyer, you will care very much about what type of deduction you receive for those fees.

Contingent Fees and Gross Income

Clients often have a hard time understanding this rule. They might ask, “How can I be taxed on something I never received?” Generally, amounts paid to a plaintiff’s attorney as legal fees are gross income to the plaintiff, even if paid directly to the plaintiff’s attorney by the defendant. See Comm’r v. Banks, 543 U.S. 426 (2005). For tax purposes, the plaintiff is considered to receive the gross award, including any portion that goes to pay legal fees and costs.

The IRS rules for Form 1099 reporting bear this out. Under current Form 1099 reporting regulations, a defendant or other payor that issues a payment to a plaintiff and a lawyer must issue two Forms 1099. The lawyer should receive one Form 1099 for 100 percent of the money actually paid to the attorney. The client should receive one, too, also for 100 percent. The client, however, will invariably receive a Form 1099-MISC that reports 100 percent of the money. When you receive a Form 1099, you must put the full amount on your tax return. Not every Form 1099 is correct, is ordinary income, or is necessarily income at all.

Plaintiffs receive Forms 1099 in many other contexts, which they must explain. For example, plaintiffs who are seriously injured, and who should receive compensatory lawsuit proceeds tax-free for their physical injuries, may still receive a Form 1099. In those cases, they can report the amount on their tax return and explain why the Form 1099 was erroneous.

Plaintiffs and whistleblowers do not have this argument because they are required to report the gross payment as their income. The question is how the plaintiff or whistleblower deducts the legal fees and costs. Successful whistleblowers may not mind paying tax on their net recoveries, but paying taxes on money their lawyers receive has long been controversial.

In 2005’s Comm’r v. Banks, the U.S. Supreme Court resolved a bitter split in the circuit courts about the tax treatment of attorney’s fees. The Court held—in general at least—that the plaintiff has 100 percent of the income and must somehow deduct the legal fees. That “somehow” is important.

In 2004, just months before the Supreme Court decided Banks, Congress added an above-the-line deduction for attorney’s fees, but only for certain types of cases. The above-the-line deduction applies to any claims under the federal False Claims Act, the National Labor Relations Act, the Fair Labor Standards Act, the Employee Polygraph Protection Act of 1988, and the Worker Adjustment and Retraining Notification Act as well as claims under certain provisions of the Civil Rights Act of 1991, the Congressional Accountability Act of 1995, the Age Discrimination in Employment Act of 1967, the Rehabilitation Act of 1973, the Employee Retirement Income Act of 1974, the Education Amendments of 1972, the Family and Medical Leave Act of 1993, the Civil Rights Act of 1964, the Fair Housing Act, the Americans with Disabilities Act of 1990, chapter 43 of title 38 of the United States Code, and sections 1977, 1979, or 1980 of the Revised Statutes.

The above-the-line deduction also applies to any claim under any provision of federal, state, or local law, whether statutory, regulatory, or common law, that provides for the enforcement of civil rights or regulates any aspect of the employment relationship. Beyond that, a deduction for attorney’s fees and costs would be a miscellaneous itemized deduction. That is below-the-line, under I.R.C. Section 212. An above-the-line deduction means you pay no tax on the attorney’s fees.

An above-the-line deduction, as a matter of tax mathematics, is like not having the lawyer fee income in the first place. Despite the holding in Banks, an above-the-line deduction means paying tax only on your net. In contrast, a below-the-line deduction faces numerous limitations. It is aggregated with your other itemized deductions. There is a two-percent threshold, and there are deduction phase-outs that start with surprisingly little income. These limits can cut deep.

Arguably worst of all, the alternative minimum tax, or AMT, can mean no deduction. It is why in some famous cases, “successful” plaintiffs have actually lost money after attorney’s fees and taxes. Spina v. Forest Preserve Dist. of Cook County, 207 F. Supp. 2d 764 (N.D. Ill. 2002). Running some tax calculations both ways (with above- and below-the-line deductions) can bring the point home in stark terms with almost any set of numbers. In short, the distinction between above-the-line and below-the-line can be significant.

SEC Claims

I.R.C. Section 62(a)(20) was enacted as part of the American Jobs Creation Act of 2004. It allows taxpayers to deduct above-the-line attorney’s fees and court costs paid by the taxpayer “in connection with any action involving a claim of unlawful discrimination.” The term “unlawful discrimination” is defined in I.R.C. Section 62(e).

The law also allows for the deduction of legal fees connected with many federal whistleblower statutes. I.R.C. Section 62(a)(21) allows for the deduction of legal fees incurred in connection with federal tax whistleblower actions that result in qui tam awards from the IRS. Under I.R.C. Section 62(a)(20), any action brought under the federal False Claims Act is a claim of unlawful discrimination and can therefore qualify for an above-the-line deduction of legal fees. See I.R.C. § 62(e)(17).

However, these provisions do not explicitly include SEC whistleblower claims. Indeed, there are at least some indications that when Dodd-Frank was being considered, some senate staff working on the bill specifically acknowledged that Dodd-Frank did not qualify for an above-the-line deduction. See Letter by Harold R. Burke to Mary Schapiro, Chairwoman, Securities and Exchange Commission (Sept. 14, 2010). Moreover, a former SEC Senior Counsel similarly suggested in 2013 that Dodd-Frank does not qualify under this above-the-line deduction. See Gary Aguirre, “Unfair Tax Liability for Whistleblower Awards under Dodd-Frank,” Government Accountability Project (Apr. 11, 2013).

To an SEC whistleblower, this may not be conclusive, but it is surely worrisome. Of course, there can sometimes be an overlap. For example, whistleblower claims often arise out of employment. In my experience, many SEC whistleblowers were employed by the firms whose conduct they reported.

There is also an awfully broad “catch-all” provision of I.R.C. Section 62(e)(18). That provision provides that a claim of unlawful discrimination includes a claim under any provision of state law “regulating any aspect of the employment relationship including . . . [any provision] prohibiting the discharge of an employee, the discrimination against an employee, or any other form of retaliation or reprisal against an employee for asserting rights or taking other actions permitted by law.” I.R.C. § 62(e)(18)(ii) (emphasis added); see Robert W. Wood, Tax Aspects of Settlements and Judgments, 522 T.M., Part V.G.1., A-63 (2015).

This language in I.R.C. Section 62(e)(18) is nearly identical to the language in I.R.C. Section 62(e)(17). I.R.C. Section 62(e)(17) provides that legal fees for suits involving claims of retaliation against whistleblowers in violation of any federal whistleblower protection laws can qualify for the above-the-line deduction. The SEC whistleblower rules contain robust whistleblower protections against employment retaliation. See Dodd-Frank Act § 922(h), codified as 15 U.S.C. § 78u-6(h).

The SEC whistleblower protections created by the Dodd-Frank Act also afford SEC whistleblowers who have been retaliated against other remedies. They may be entitled to reinstatement; double back-pay, with interest; and compensation for their legal expenses and attorney’s fees. In fact, if an SEC whistleblower has been retaliated against, there is a strong argument that they can deduct their legal fees above the line.

However, it is less clear whether an SEC whistleblower who has not been retaliated against can qualify for the above-the-line deduction. If such a line can be drawn, the public-policy implications seem odd. After all, Congress surely hoped to create every incentive possible for SEC whistleblowers to come forward.

Indeed, retaliation is expressly discouraged. It seems perverse to create incentives for whistleblowers to try to prompt retaliation against them (or to allege retaliation that did not occur) to qualify for an above-the-line deduction. Nevertheless, under the current law, whistleblowers bringing suit might understandably cross their fingers in hopes of at least some measure of retaliation. Paradoxically, retaliation might be good if it is the ticket to claiming an above-the-line tax deduction.

Allocating Among Claims

The above-the-line deduction is available for any action “involving a claim of unlawful discrimination.” Of course, many complaints allege multiple claims. Read literally, this language suggests that if one claim in a lawsuit qualifies as a claim of unlawful discrimination, then all of the legal fees may be deducted under I.R.C. Section 62(a)(20). One might make the same observation about an SEC whistleblower’s claim of retaliation, however minor that retaliation might be.

However, knowing the IRS, you might reasonably assume that there would be some kind of allocation—that is, if only 10 percent of the case is about “unlawful discrimination,” perhaps only 10 percent of the fees would be covered. For example, assume you have a tax-free, physical injury recovery, but 50 percent of the damages are punitive. With damages that are 50 percent tax-free and 50 percent taxable, the legal fees must be divided, too. One generally treats 50 percent of the legal fees as attributable to each part of the case. If 50 percent of the damages are tax-free, 50 percent of the legal fees are, too. That means there is no need to include the tax-free portion in income and try to deduct it. The punitive damages are taxable, and the 50 percent of the legal fees attributable to those damages are also income to the plaintiff. So, the plaintiff must report the gross amount of punitive damages (including the legal fees), and then deduct the fees.

That usually means a miscellaneous itemized deduction, which is treated unfavorably. One potential answer is a non-pro-rata allocation of legal fees. The IRS says that the presumptive allocation of fees is pro-rata, but you can have another allocation if you can support it. For example, suppose that 90 percent of the lawyer’s time in the case was devoted to compensatory damages, with only 10 percent to punitive damages. If lawyer bills and declarations support that, it could mean large tax savings. Anything better than 50/50 might help.

Allocating SEC Claims

With this background, should legal fees in SEC and other whistleblower recoveries be allocated in some way? Assume an SEC whistleblower collects $10 million, allocated as follows: 90 percent from the target’s bad conduct exposed in the claim, and 10 percent for retaliation against the employee-whistleblower. Does this suggest an above-the-line deduction for 10 percent of the legal fees, and a miscellaneous itemized deduction for 90 percent of the fees?

It should not, in my opinion. I worried about this issue in 2004 when the above-the-line deduction was enacted. See Robert W. Wood, “Jobs Act Attorney Fee Provision: Is it Enough?,” 105 Tax Notes 8, 961 (Nov. 15, 2004). However, I have seen no suggestion since then that the IRS would require it. I have also not encountered other practitioners who seem worried about it. Where one claim qualifies for an above-the-line deduction under I.R.C. Section 62(a)(20), I think it is likely that all legal fees allocable to taxable recoveries can be deducted above the line. See also Robert W. Wood, Tax Aspects of Settlements and Judgments, 522 T.M., Part V.G.2., A-64 (2015).

The IRS has provided at least one indication that it might agree. In Chief Counsel Memorandum 20133501F (Aug. 30, 2013), the IRS described I.R.C. Section 62(e)(18) as providing “an above-the-line deduction for attorney’s fees and costs incurred in an action or proceeding involving any aspect of the employment relationship.” (Emphasis added.) At the very least, this language seems to suggest a liberal application of I.R.C. Section 62(e)(18) for actions where at least one claim involves the employment relationship.

More generally, 13 years have elapsed since the above-the-line deduction was enacted. In that time, I have seen large numbers of legal-fee deductions claimed, audited, and disputed. In my experience, the IRS in the field interprets the above-the-line liberally, which seems to me to be entirely appropriate.

Moreover, I have not seen a single case in which the IRS has tried to allocate legal fees between above-the-line qualifying fees (such as employment) and other legal fees. I have seen cases in which the issue could have been raised, but was not. It is true that SEC whistleblower claims might be viewed differently, given the statute, but hopefully they will not be.

Deductibility Limits

One detail of the above-the-line deduction that is easy to miss relates to gross income. Normally, a cash-basis taxpayer is eligible to claim a deduction in the year the underlying payment was made. See I.R.C. § 461(a); Treas. Reg. § 1.461-1(a)(1). However, I.R.C. Section 62(a)(20) limits the available deduction to the income derived from the underlying claim in the same tax year. As a result, a deduction allowable under section 62(a)(20) cannot offset income derived from any other source or received in any other year. This is usually not a problem, but occasionally it can be. For example, where there is a mixture of hourly and contingent fees, the issues can be thorny and may require professional help.

Trade or Business

Before leaving above-the-line versus below-the-line deductions, it is appropriate to consider an additional way that taxpayers may qualify for above-the-line deductions. A taxpayer operating a trade or business and incurring legal fees—contingent or otherwise—need not worry about these issues. In a corporation, LLC, partnership, or even a proprietorship, business expenses are above-the-line deductions.

Some plaintiffs have even argued that they were in the business of suing people. This may sound silly in the case of plaintiffs in employment cases. That is where the argument first appears to have surfaced (long before the above-the-line deduction was enacted in 2004). See, e.g., Alexander v. Comm’r, 72 F.3d 938 (1st Cir. 1995). However, it is quite credible in the case of some serial whistleblowers.

Some file multiple claims, and some go on the lecture circuit, especially after their claims bear fruit. Thus, there is a distinct possibility that a whistleblower can, in a very real sense, be operating a business. A proprietor—a taxpayer operating a business without a legal entity—reports income and loss on Schedule C to his or her Form 1040.

To be sure, you are not likely to want to make a Schedule C argument if you have a good argument for a statutory above-the-line deduction. Schedule C to a Form 1040 tax return is historically more likely to be audited than virtually any other return, or portion of a return. In part, this is due to the hobby-loss phenomenon, with expenses usually exceeding income. It is also due to self-employment taxes. Placing income on a Schedule C normally means self-employment income, and the extra tax hit on that alone can be 15.3 percent. Over the wage base, of course, the rate drops to 2.9 percent.

Even so, most whistleblowers and plaintiffs do not want to add self-employment tax to the taxes they are already paying. Still, when it comes to deducting legal fees, the Schedule C at least deserves a mention. Plaintiffs or whistleblowers who have been regularly filing Schedule C for business activities in the past stand a better chance of prevailing with their Schedule C.

Conclusion

Long before and shortly after the Supreme Court’s Banks case in 2005, there was considerable discussion about the tax treatment of legal fees. Plaintiffs’ employment lawyers were especially vocal in the years leading up to 2004, and they were particularly effective in lobbying Congress. That led to the statutory change in 2004, which ended up covering some whistleblower claims, too.

In part, the statutory changes in late 2004 blunted the impact of the Banks case, which even the Supreme Court itself noted in its opinion. Yet vast numbers of plaintiffs—and some whistleblowers—are still stuck with the dilemma of how to deduct their legal fees. In the case of SEC whistleblower claims, some people seem to assume that the above-the-line deduction surely must apply. Some people say it does not—not technically. Some seem to ignore the issue entirely. Given the dollars that are often involved, however, it would be wise to consider the income and deduction side of legal fees and costs. A large number of successful plaintiffs and some whistleblowers end up surprised at tax time. As more SEC whistleblower claims are paid, there will hopefully be no successful whistleblowers surprised by their tax preparer, or worse still, by the IRS.