Introduction

“The loss of industrial information and intellectual property through cyber espionage constitutes the ‘greatest transfer of wealth in history,’” said Gen. Keith Alexander—at the time, the nation’s top cyber warrior.

In recent years, the problem of countries, companies, and individuals misappropriating the trade secrets of U.S. companies has only become bigger, more insidious, and more expensive to address, and lawyers and business executives have no choice but to deal with this increasingly complex problem. According to the U.S. Department of Commerce, intellectual property (IP) accounted for $5.06 trillion in value added, or 34.8 percent of U.S. GDP in 2010. IP alone accounts for over 40 million U.S. jobs and over 60 percent of all U.S. exports. U.S. companies have a lot to lose.

Economic espionage (sometimes called industrial espionage) is a major drain on competitive advantage, unique IP, and market share. Not only are U.S. companies directly hurt by the theft of their IP, but they may end up competing against their own technology advanced by the IP thief. Susan Brewer & Anthony Crescenzi, State-Sponsored Crime: The Futility of the Economic Espionage Act, Hous. J. of Int’l L. (Summer 2016). For example, “American oil and gas firms are frequently targeted and subject to theft of trade secret, business plans, exploration bids and geological data.” Blake Clayton & Adam Segal, Addressing Cyber Threats to Oil and Gas Suppliers, Council on Foreign Relations (June 2013).

Economic espionage is not new. What is new is the way IP is stolen. Cyber attacks are the most used method that other nations, companies, and criminals employ to root out and steal your IP and other valuable or sensitive information. It is our increased dependency on IT systems and networks that creates vulnerabilities, even though there are such obvious benefits and uses to them.

In May 2013, the Commission on the Theft of American Intellectual Property released a report that concluded that the scale of international theft of American intellectual property is . . . roughly $300 billion per year and 2.1 million additional jobs now in our economy. While China is not the only actor targeting U.S. IP and technology, it is the only nation that considers acquiring foreign science and technology a national growth strategy.

U.S. Congressional Committee on Energy and Commerce Hearing, Cyber Espionage and the Theft of U.S. Intellectual Property and Technology (July 3, 2013). So, depending on how you calculate the impact of economic espionage to U.S. businesses, it can mean a loss of roughly a billion dollars a day or more.

Did the September Agreement between China and the United States Address the Problem?

By some accounts, U.S. cyber espionage concerns subsided on September 25, 2015, when China unexpectedly agreed with the United States (and, later, other countries) to refrain from cyber economic espionage. It remains to be seen whether China ceases its governmental involvement in cyber economic espionage, although there is good reason to be skeptical. The “understanding” did not cover other forms of economic espionage, only the cyber variety. According to Reuters:

There were clear limits to Friday’s deal. A White House statement said the two leaders agreed that neither government would knowingly support cyber theft of corporate secrets or business information. But the agreement stopped short of any promise to refrain from traditional government-to-government cyber spying for intelligence purposes. That could include the massive hack of the federal government’s personnel office this year that compromised the data of more than 20 million people. U.S. officials have traced that back to China, but have not said whether they believe the government was responsible.

Given the increasing complexity of the way cyber attacks are carried out and the challenges of attribution or “pinning” an information heist on one person or organization, perhaps the Chinese merely were placating the United States. In other words, the Chinese can say they will cease cyber economic espionage because verification of the true identity of the thief is nearly impossible. Thus, it is difficult to know exactly whether anything really has changed.

Furthermore, as reported by the FBI in April of 2016, the “FBI’s number of investigations into possible economic espionage on U.S. businesses has increased by 53% within the past year.” Although the list of Justice Department cases do not differentiate between cyber and in-person theft, the list of active criminal cases involving trade secret theft is sizable.

Going Public May Be the Law, but It Does Not Look Good

Sizing up the problem is further compounded by the fact that, although reporting requirements mandate the disclosure of events that have a material impact to a publicly traded company, there are strong disincentives to disclose a successful IP theft. Not only does such a theft raise questions about management not doing its job or IT leadership failing to keep the bad guys out, but it also tells other bad guys that your company has inadequate security and could invite further cyber attacks.

On December 18, 2015, the Cyber Information Sharing Act became law. The law was designed to create a voluntary cybersecurity information sharing process to encourage public and private entities to share cyber threat information while protecting classified information, intelligence sources, privacy, and more.

It remains to be seen whether the law will address the reluctance of companies to come forward.

The Law Cannot Really Solve the Problem

In-house lawyers play several roles that can help mitigate the effect of economic espionage on their individual company. From negotiating better security software agreements, to legally protecting IT, to aggressively going after IP thieves, lawyers increasingly play an important role. For the most part, however, lawmakers have been hamstrung in finding an effective legal solution to the theft of company trade secrets.

In this regard, it is important to differentiate between cyber economic espionage and in-person theft. In the case of cyber economic espionage, the “theft” is almost always done remotely and outside the United States by operators that go to great lengths to obfuscate their identity and whereabouts.

The issue is so great that new laws are needed to stem the flow of U.S. ingenuity. For example, the Cyber Economic Espionage Accountability Act was proposed to take aim at foreigners present in the United States and stealing IP.

Although the Economic Espionage Act of 1996 (EEA), 18 U.S.C. § 1832, is the major criminal law on which perpetrators of economic espionage are prosecuted, it may be ripe for reworking. David P. Fidler, Economic Cyber Espionage and International Law: Controversies Involving Government Acquisition of Trade Secrets Through Cyber Technologies, 17 ASIL Insights 10 (Mar. 20, 2013). In U.S. v. Hanjuan Jin, the defendant was convicted of trade-secret theft, but was acquitted of charges under the EEA because there was insufficient evidence of the China connection.

Economic Espionage Act

The Economic Espionage Act details the legal framework for theft of trade secrets:

(a) Whoever, with intent to convert a trade secret, that is related to a product or service used in or intended for use in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will, injure any owner of that trade secret, knowingly—

(1) steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains such information;
(2) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys such information;
(3) receives, buys, or possesses such information, knowing the same to have been stolen or appropriated, obtained, or converted without authorization;
(4) attempts to commit any offense described in paragraphs (1) through (3); or
(5) conspires with one or more other persons to commit any offense described in paragraphs (1) through (3), and one or more of such persons do any act to effect the object of the conspiracy, shall, except as provided in subsection (b), be fined under this title or imprisoned not more than 10 years, or both.

(b) Any organization that commits any offense described in subsection (a) shall be fined not more than the greater of $5,000,000 or 3 times the value of the stolen trade secret to the organization, including expenses for research and design and other costs of reproducing the trade secret that the organization has thereby avoided.

There have been several convictions under the EEA, but the true effectiveness of the law as a deterrent is questionable. The EEA has already been amended to increase penalties from a conviction, but still it seems like a drop in the bucket given the volume of IP theft. The EEA may be more effective if amended to allow for a private right of action, letting companies sue for the harm caused from theft of their IP.

On the international stage, agreements, treaties, and organizations exist but may be of limited usefulness in addressing IP theft. For some countries, economic espionage is no different than regular espionage and is considered “fair game.” With few laws to convict the criminals and many practical limitations, understanding how trade-secret crimes are perpetrated today may make more sense to preempt or mitigate harm or to protect your company’s information crown jewels before the theft has transpired than expecting real economic redress through any legal channels.

10 Shocking Ways They Are Stealing Your IP and Corporate Mojo

The world of economic espionage has become rather sophisticated, and in-person theft is very different than cyber theft. When your corporate value may be in jeopardy, it is prudent to assess the risk and attempt to mitigate the issues that create the greatest risk. For example, if your organization needs engineers and hires from abroad, conducting deep background checks, and even hiring judiciously from countries that pose the greatest risk, are prudent courses of action.

If the cyber assault on your IT infrastructure suggests that the bad actors are state entities trying to exploit a weak perimeter, different fixes are needed. In that regard, IT security, although good, will never keep out all the bad actors all of the time. No matter how much money and effort you exert to solve the problem, if they want it badly enough, the cyber thieves will find a way.

What follows are the things that your company is doing wrong and the frankly shocking and brazen nature of how your people and systems are assaulted

1. The Internet of Things (IoT) Is Awesome and Scary

The IoT involves smart devices (i.e., devices embedded with software and sensors such as copiers, medical devices, refrigerators, sports monitors, TVs, cars, music devices, etc.) that are connected to the Internet and collect and transmit information, sometimes without your knowledge. They continue to make everything interconnected and accessible, but often have limited security, making your information even more vulnerable to cyber attacks, and making it harder to calculate risk.

The prediction is an explosion of IoT and smarter and more connected devices over the next decade, which does not bode well for stemming the tide of theft of trade secrets. In other words, the IoT may be a way your trade secrets are exposed, exploited, and exfiltrated.

2. Economic Espionage as a Service

You can buy almost anything on the “dark web” that you cannot buy on the mainstream web, such as stolen credit-card numbers, stolen IP, and even IP thieves themselves. “Economic espionage attacks can be aided by espionage-as-a-service offerings that are readily available in cybercriminal underground forums and markets and the Deep Web. Attackers can easily buy the tools they need to spy on and exfiltrate highly confidential corporate data or “company crown jewels” from rivals. They can even hire hackers to do the actual spying for them,” according to Trend Micro.

In addition to state actors, IP theft is now increasingly perpetrated by sophisticated cyber mercenaries. Lawyers can help address the new threats by ensuring that heightened security functionality is part of new technology purchases when negotiating contracts on behalf of their company, mandating that company information is stored only in hyper-secure, compliance-driven Clouds, and that policy dictates that information is encrypted when “inflight” or “at rest.”

3. Beware of the Never-Ending Assault of Malware

Malware is malicious software that seeks to get in and grab data, spy, lie in wait to do something nefarious in the future, disrupt IT, and more. Although there are sophisticated attacks on IT security systems, many cyber attacks are successful because they bombard organizations with thousands, or even millions, of cyber assaults just to find a way into company computers. There are endless examples of hacks on U.S. companies that have caused major harm. Persistence combined with greater sophistication means cyber attacks will continue seemingly unabated.

What lawyers can do is help IT professionals combat persistence with compliance. Compliance methodology must be applied to IT and information-security policies and practices. Compliance methodology tends to institutional vigilance and “good” corporate behavior, which helps employees get it right and helps insulate the company if all else fails, as the built-in rigor manifests reasonableness. In other words, the company cares and tries, and institutionalized caring matters to shareholders, markets, the court of public opinion, courts, regulators, and the bottom line. Randolph Kahn, Information Nation: Seven Keys to Information Management Compliance Second Edition (Wiley Press, 2009).

4. Grabbing Treasure Troves Undetected Has Become Easier

More and more data fits in smaller storage devices, which makes stealing more and more valuable data that much easier. Further, sending the information outside the firewall via e-mail and the IoT has been effective as well. The CIA and NSA hacks are just recent examples. Organizations are not “risk profiling” their information so that they can apply the necessary protections. The fact is that not all information is equal in value, and organizations are woefully negligent at managing to that reality. The problem is that, as information volumes increase (and they are already massive for most big companies), being vigilant about everything is impractical.

Most companies have policies that require encryption of company trade-secret information and protection of any confidential information sent outside the protected firewall. Too often, however, information travels freely without any protection or encryption outside the company. In other words, policies are not followed, which leads to exposed IP.

However, the place to start to address the issue is knowing which information deserves protection. Large companies usually have information-security classification regimes that are underutilized or improperly utilized by employees, and technology that can apply the rules “automatically” too often is not harnessed either. To protect information and IP, it must be classified as a trade secret. In any event, the law requires that reasonable steps be taken to protect IP if you want to be able to assert your legal rights, and that begins with classification as well.

Lawyers can help reinvigorate classification regimes, simplify and redraft existing classification policies, and insist on the use of encryption technology. Once again, compliance methodology can help institutionalize vigilance.

5. Demanding Code and Information and Exploiting Legally Mandated “Backdoors”

One way some countries are gaining access to U.S. IP is by requiring the transfer of your company’s information (i.e., trade secrets), including computer code, to be allowed to do business in their country. Indeed, some countries even legislate the result, according to the World Economic Forum, which stated that “China, for instance, has joined Russia in tightening the requirements placed on foreign companies to store information within national borders.”

Another way IP is extracted is by providing access to IP and computer code through “backdoors” to encryption technology. In other words, the locked door protecting your trade secrets is now unlocked. From the hearing before the U.S.-China Economic and Security Review Commission: “Recently the government in Beijing has proposed a series of regulatory provisions that would require U.S. tech companies and their foreign customers, especially financial institutions and banks, to turn over source code and encryption software, effectively creating backdoor entry points into otherwise secure networks, all being done, of course, under the guise of cybersecurity.”

Before sharing a company’s secret sauce, its lawyers must advise their clients on how to proceed, if at all, with maximum protections in place.

6. Cyber Thieves Are Successfully Exploiting Laziness and the Lack of Understanding

The Office of Personnel Management (OPM) hack and so many others were successful because proper authentication to gain access is not effectuated. Many cyber hackers are successful because IT security is unimpressive at best. That is the reality, in part because there is a misunderstanding of how to keep cyber hackers away from your data, as well as a lack of vigilance in doing it. One easy solution to secure important information is to use better authentication techniques.

Two-factor authentication is the very least your company should be using. Passwords alone are not sufficient, as real hackers have technology that will crack your password in no time. Good passwords today are about concepts or ideas, not words. So instead of using “Fluffy123,” the better password is “MyLastDogAte5Shoes.” Still, that is only the first layer and not enough by itself. Every archive containing company “trade secrets” needs at least two-factor authentication, and there is confusion about what two- and three-factor authentication is, so the following is provided to clear it up:

• one-factor authentication is a unique something the employee knows, such as a strong password;
• two-factor authentication is the first factor plus something the employee possesses, such as a company ID card and security code, a security fob that generates a unique code, etc.;
• three-factor authentication adds to the above something the employee is, such as a voice scan, fingerprint, eye scan, etc.

Lawyers must revisit these information-security company policies and gather audit and compliance groups to focus greater scrutiny on how databases and repositories are managed. It may have prevented 20 million Americans from having their personal information stolen.

7. New Techniques and Never-Ending Attacks of Spear Phishing, Ransomware, and Zero-Day Malware Will Catch Someone Off-Guard

Cyber thieves are using more sophisticated ways to breach company security, including spear- phishing, ransomware, and zero-day malware attacks. Unlike phishing, which uses an e-mail and a malicious code attached from an organization with which you were not expecting to communicate, spear phishing is a communication from a trusted individual or organization and one with whom you are likely to engage. This far more targeted and sophisticated approach scams even technically sophisticated people. According to Trend Micro:

Using the intel gathered during reconnaissance, the attackers typically send contextually relevant malware-laden spear-phishing emails to the chosen high-ranking corporate official. This helps ensure they get the credentials with the highest level of access required to infiltrate systems where company crown jewels are stored. Network command and control (C&C) is then established aided by backdoors, remote access Trojans (RATs), or other malware. Attackers then move laterally across the network to seek out top-secret data. The data is then exfiltrated to a site that only the attackers have access to for selling to the highest bidders or delivery to the individual or company that hired them.

Ransomware is even more malicious. It is a special type of malware that secretly installs on a computer and then either holds data hostage, or is a sophisticated leakware that threatens to publish the data. It works by locking the system or even encrypting the files until a ransom is paid.

Finally, unlike in years past, organized entities are now seeking to harvest information or company trade secrets using zero-day malware that got its name because it is so new that no commercial anti-virus software exists yet to eradicate the harm.

8. Exploiting the Slow-Reacting Security Team

The hack of OPM, which has been linked to China, is a perfect example of breaching security and trolling for information. In that case, the bad guys made off with the most extensive collection of personal information about U.S. government employees, past and present, ever.

Shockingly, the OPM IT security team had watched and monitored the bad guys moving throughout their IT systems for months before the information was extracted. Had the IT staff reacted in a timely manner, they likely would have been able to protect the trove of information that ultimately was stolen.

Assuming the bad guys will get in from time to time, it is worthwhile walling off data and setting up “honey pots” in your archives. Honey pots are information troves marked “M&A targets,” “products specs,” or other valuable targets to attract the criminals to a specific location. That misinformation sends the bad guys in the wrong direction.

Lawyers can help customize the honey pots to deal with the various possible assaults on select pools of data depending upon the target country of the thieves, given that certain countries are after money and pricing information, while others are after M&A targets and product designs.

9. Exploiting Your Relationships and Joint Ventures

During negotiations between Westinghouse Electric and a Chinese state-owned nuclear power company, the companies began to cooperate more closely, and the Chinese partner “stole from Westinghouse’s computers, among other things, proprietary and confidential technical and design specifications for pipes, pipe supports, and pipe routing within the nuclear power plants that Westinghouse was contracted to build, as well as internal Westinghouse communications concerning the company’s strategy for doing business,” according to the Wang Dong Indictment.

For all relationships with partners doing business outside the United States, local lawyers will be essential to guide the transaction. Equally as important is limiting access to trade secrets and IP not part of the transactions. That may mean limiting access to facilities and systems where such information is housed, and having strict rules ironed out about who gets access to what information. If cloud-based collaboration tools are used to work on the partnership, more strict rules about what can and cannot be stored and shared in such environments is essential.

Make sure that your IP stays in the United States if possible. If you must bring your IP, make sure there are agreements in place for every eventuality, understanding that such measures still may not be enough protection. Perhaps more importantly is the need to control access to your information and to limit the number of people that have access.

There have been many cases where a “partner” is manufacturing in China and uses the U.S. company’s molds or designs. If there is no agreement governing the molds or designs, and what happens when the relationship ends, then it is quite possible that the Chinese partner will retain the molds or designs and use the same for their own benefit. Even if you have an agreement governing what happens when the relationship is over, they may still steal your molds and designs to work against you.

10. They Are Getting Information from Your Workforce or Your Recruiter

IP is being stolen by competitors or foreign entities hiring operatives who may work at your business for years or even decades. Monitoring and auditing information transmissions and extreme vetting must be utilized to mitigate this risk.

Even more troubling is the recent revelation that the Chinese have begun U.S.-based recruitment and headhunting firms that appear perfectly legitimate, but really are placing “operatives” at U.S. businesses that have IP deemed strategically important to China. Further, according to the FBI, job advertisements are posted online by those intent on stealing IP to attract employees.

Conclusion

Economic espionage from abroad is a significant and growing concern. Cyber attacks are becoming more challenging to combat and, in conjunction with traditional physical stealing of trade secrets, poses a large existential threat to American businesses, the economy, and security.

In the United States, officials are pursuing an enhanced and comprehensive strategy to attempt to counter economic espionage and IP theft in general. Many agencies, including law enforcement, are focused on the problem, and it is a top priority for the FBI. In the end, however, self-help likely is U.S. companies most prudent avenue. In that regard, lawyers play a unique and important role: negotiator, risk manager, creative drafter, and hopefully not litigator. At about a billion dollars a day of U.S. IP theft, however, U.S. companies have much to lose, and they are continuing to lose.

Predispute consumer arbitration has sparked energetic debate and sharp divides over the utility of the class action versus the utility of individual arbitration. Thus far, the U.S. Supreme Court’s jurisprudence has given a “thumbs up” approach to predispute consumer arbitration waivers, which almost always include a class waiver agreement. In AT&T Mobility LLC v. Concepcion, 563 U. S. 333, 347–48 (2011), the Supreme Court implicitly approved predispute class-action waivers, when it held that the Federal Arbitration Act (FAA) preempted California state law, which tended to hold such agreements unconscionable in consumer cases. Then in American Express Company v. Italian Colors Restaurant, 133 S. Ct. 2304, 2309 (2013), the Court rejected the argument that aggregate, or class litigation, is necessary to preserve the opportunity to vindicate low-value, statutory claims. Congress showed little interest in amending the FAA, even for consumer cases. It seemed that consumer arbitration was the “wild west” of the law, in that it was largely unregulated and could direct claims to the black hole of private dispute resolution.

The CFPB Proposes an Arbitration Prohibition

But then entered the Consumer Financial Protection Bureau (CFPB). In May 2016, the CFPB issued a proposed rule prohibiting predispute arbitration agreements in providing consumer financial services products. This rule would prohibit mandatory predispute arbitration agreements in consumer agreements for items such as checking or savings accounts, credit cards, student loans, payday loans, automobile leases, debt management services, some payment processing services, other types of consumer loans, prepaid cards, and consumer debt collection. The rule would also prohibit predispute arbitration agreements in connection with providing a consumer report or credit score to a consumer or referring applicants to creditors to whom requests for credit may be made.

Ironically, the CFPB chose to exclude the federal government, its affiliates, and state governments when providing consumer financial products or services, permitting the government to enter into private arbitration class waivers, whereas private industry cannot. The rule includes other exclusions, such as for brokers under the Securities and Exchange Commission (SEC).

The proposed rule prohibits covered providers from “rely[ing] in any way on a predispute arbitration agreement” in connection with “any aspect of a class action that is related to any of the consumer financial services or products” covered by the rule after the final rule’s effective date. The prohibition does not apply if the presiding court has ruled that the case may not proceed as a class action and the time for interlocutory appellate review has passed.

For consumer arbitration agreements entered into after the effective date, the proposed rule requires the following arbitration agreement language: “We agree that neither we nor anyone else will use this agreement to stop you from being part of a class action case in court. You may file a class action in court or you may be a member of a class action even if you do not file it.”

The effective compliance date will be 211 days after publication of the final rule in the Federal Register. The Dodd-Frank Act requires that any proposed rule apply only to agreements entered into 180 days after the rule’s effective date, which is proposed as 30 days.

The proposed rule also provides for certain reporting requirements of arbitration results to the CFPB for any consumer arbitration that does occur, presumably when the consumer elects to choose arbitration over class actions. The provider must report the initial claim and counterclaim, the arbitration agreement, the judgment or award, if any, and any communication received from an arbitrator or arbitral service regarding a provider’s failure to pay required fees or a finding that the arbitration agreement is out of compliance with the arbitral service’s fairness principles or due process rules.

In support of the rule, CFPB Director Cordray touted the benefits of the class action for consumers, claiming that consumer financial services “group lawsuits delivered, on average, about $220 million in payments to 6.8 million consumers per year.” But the CFPB’s decision to require class resolution as superior dispute resolution vehicle to individual arbitration is not necessarily supported by the findings of the CFPB’s empirical arbitration study. Why are the study results so important? The Dodd-Frank Act delegates rule-making authority on arbitration in consumer financial products and services to the CFPB, but any rules promulgated “must be consistent with the [arbitration] study.” 12 U.S.C. § 5518(b) (emphasis added).

The CFPB Ban on Class Arbitration Waivers—What’s Happening Now

As noted above, the CFPB published the proposed rule banning the use of class arbitration waivers in May 2016. The notice-and-comment period ended August 22, 2016. The CFPB was flooded with nearly 13,000 comments on the proposed rule, both in favor of the rule and against it. A number of consumer financial services representatives stated that the CFPB’s rule will effectively end the viability of consumer arbitration. Put simply, without the “carrot” of a class arbitration waiver, a company has no incentive to offer, much less to cover the costs of, individual consumer arbitration.

Prior to the presidential election, most folks thought the CFPB would publish the proposed rule rather quickly. Even after the election, many predicted that the CFPB would publish the final rule banning class waivers in consumer arbitration agreements before President Trump’s inauguration. As of the date of this article, the CFPB’s fall 2016 regulatory agenda identifies February 2017 as the target date for publication of the final arbitration rule. But surprisingly, the CFPB has not published a final rule yet.

There are a number of reasons the CFPB may delay publishing the final rule. First, one might expect any rule so blatantly antibusiness to draw the attention of President Trump, which could cause a flutter of tweets or other social media ire.

Second, the CFPB’s previously impervious structure is now in question. In October 2016, the U.S. Court of Appeals for the District of Columbia in PHH Corp. v. Consumer Financial Protection Bureau, 839 F.3d 1, 8–9 (D.C. Cir. Oct. 11, 2016), declared the directorship of the CFPB, set up to be unaccountable to the executive, unconstitutional. The D.C. Circuit analyzed the enormous power this single–director structure gave the CFPB:

The CFPB’s concentration of enormous executive power in a single, unaccountable, unchecked Director not only departs from settled historical practice, but also poses a far greater risk of arbitrary decision-making and abuse of power, and a far greater threat to individual liberty, than does a multi-member independent agency.

. . . 

This new agency, the CFPB, lacks that critical check and structural constitutional protection, yet wields vast power over the U.S. economy. So “this wolf comes as a wolf.”

Id. at *4 (quoting Morrison v. Olson, 487 U.S. 654, 699 (1988) (Scalia, J. dissenting)). The D.C. Circuit chose to remedy the CFPB’s structural flaw not by shutting down the CFPB, but by electing the narrower remedy of severing the “for-cause” director removal provision, making the CFPB director removable at the will of the president. The ramifications of this decision certainly affect the CFPB’s unwieldy power, but the extent of that weakening remains to be seen.

The D.C. Circuit granted the CFPB’s petition for rehearing en banc and vacated the panel’s opinion on February 16, 2017. The en banc court hearing will be held on May 24, 2017. This opinion will likely have a large effect on the scope of the CFPB, and current Director Cordray’s authority under this new administration. Even if the CFPB goes forward with the final rule, it is likely that it will face a slew of litigation from industry advocates who support consumer arbitration, which may deteriorate the effectiveness of the rule.

In the interim, to the extent the CFPB is reconsidering the effectiveness of this watershed anti-arbitration rule, it could revise the rule to still permit consumer arbitration to develop, but under a regulatory regime that is more pro-consumer. The CFPB arbitration study shows some defects in consumer arbitration in its current form, but it also highlights some major deficits in consumer class actions.

The CFPB Arbitration Study: What is Working In Consumer Arbitration, What is Not

In 2015, the CFPB finished its multiyear study of consumer financial arbitration before the American Arbitration Association (AAA) and of class actions based on consumer financial services. Although the CFPB states that the study shows “that class actions provide a more effective means for consumers to challenge problematic practices” by financial services companies, the results are not quite so conclusive. The Arbitration Report showed:

• Over the three-year period of 2010–2012, consumers filed an average of 411 claims for arbitration in consumer financial services products. This is abysmally low.
• Of the 1,060 arbitration filings studied, about 60 percent settled or ended in a manner consistent with settlement. Only 32 percent were resolved on the merits. This settlement figure suggests that some sort of resolution is being achieved prior to a merits decision in consumer arbitration.
• Consumers had access to attorneys. Counsel represented consumers in nearly 60 percent of the cases. Companies, of course, nearly always had counsel.
• It appears that attorneys with arbitration experience are representing these consumers. Repeat player attorneys represented consumers in 50 percent of filings across all consumer financial services product markets. Forty-five percent of those filings were by “heavy” consumer repeat players, meaning the attorney appeared in four of more arbitration disputes in the three-year study period. For student loan disputes, heavy repeat player law firms represented 93 percent of consumers.
• Dispute resolution is not a primary concern for consumer choice. When asked about factors that are important in selecting a credit card, no consumer raised dispute resolution. When asked, in a telephone survey, what one would do if a credit card company charged an improper fee, most respondents commonsensically answered he or she would cancel the credit card. Less than 2 percent mentioned seeking legal advice or suing, but 10 percent said they would refer the issue to a governmental agency.

What does this information tell us about consumer arbitration? Well, first it tells us that consumers are not pursuing consumer arbitration at all, which is troubling. Are consumers scared of arbitration? Unwary of the procedure? Cynical of recovery? Or are the arbitration fees still too high to make it worth pursuing? The AAA currently caps a consumer’s fees in consumer arbitration at $200. The business portion of a consumer arbitration, regardless of who initiates it, is $1,700, plus an additional $750 arbitrator compensation fee. Some businesses agree to fully pay the costs of consumer arbitration in the arbitration agreement, and some “consumer-friendly” agreements even offer to pay a premium and/or attorneys’ fees if the consumer receives an arbitral award that is greater than the business’s last settlement offer. The Arbitration Study did not report on how often an arbitrator awards such “incentivizing premiums,” but one would think their very presence encourages settlements.

The Arbitration Study also tells us that for the few consumer cases being pursued, consumers have access to attorney representation. The attorneys who tend to represent consumers in this dispute have developed a cottage niche, no doubt because they are familiar with the AAA Consumer Arbitration Rules and procedure. Finally, the settlement figures tell us that something useful is occurring in consumer arbitration. In some way, perhaps due to the business-side costs of consumer arbitration or incentivizing premiums, parties are likely reaching a settlement resolution prior to a merits decision.

The study also reported “win” rates for affirmative consumer claims and for business claims. Remember that only 32 percent of the cases filed resulted in an arbitrator decision on the merits, thus the sample size is very low. For claims brought by consumers that resulted in a decision on the merits, consumers “won” some kind of relief in about 20 percent of the cases (32/158). Businesses “won” relief in over 90 percent of the business-brought cases (227/244) that went to a merits decision, although some of the decisions were similar to a default judgment.

But one cannot make an assessment of arbitration by simply comparing consumer win rates to business win rates. As stated above, the sample size of merits decision was very small. More importantly, the study shows that most arbitration disputes resolved in a manner consistent with settlement. Additionally, differing incentives to assert claims can explain some of the difference in outcomes. If a business funds all or most of the dispute resolution process, consumers are incentivized to bring claims of questionable merit. Yet for the business which must pay all or most of the upfront costs ($1,700 per consumer claim under AAA rules), the incentive is to not bring (1) low value claims or (2) claims of questionable merit. Any comparative “win” rate of consumers to businesses would need to be compared to how consumers fare in litigation, not just how consumers fare compared to businesses, a point the Arbitration Study made.

The CFPB Arbitration Study: What It Tells Us About Individual Consumer Recovery in Class Actions

The CFPB Consumer Arbitration Study also examined class action recovery in consumer financial class actions. Although the CFPB concluded, in proposing its arbitration class-waiver ban, that consumers are better off preserving the class action than waiving it, the study results do not support this conclusion. For example, the CFPB Arbitration Study found that approximately 60 percent of the consumer financial products class actions filed ended in a non-class settlement or potential non-class settlement (i.e., withdrawal or dismissal by the plaintiff). Only 12 percent (69 cases) reached an approved class-action settlement. This means that only a very small portion of class actions filed resulted in any damages to the class-member consumer. Yet those class actions filed do result in a societal drain on judicial resources and corporate class action defense costs (which we would assume are passed on in one form or other to the consumer). Attorneys’ fees awarded to counsel in class action settlements during the relevant time frame were $424 million, which is estimated at about 24 percent of total class payments and 16 percent of gross relief (proposed cash relief and in kind relief).

Second, the average claims rate (claims made as a percentage of eligible class members) was low, 21 percent, with an 8 percent median. Thus, even when consumers obtain a settlement through the class device, they usually do not take the administrative steps to obtain the payout. Finally, the CFPB study did not attempt to provide data on the average class member recovery for those 69 cases that reached class settlement or the difficulty of obtaining settlement proceeds. But even taking Directory Cordray’s slogan of an average of “about $220 million in payments to 6.8 million consumers per year in consumer financial services cases,” one could estimate this results in about $32.35 in recovery to the individual per year, that is, if he or she takes the time to read and fill out the cumbersome forms required for claims-made recovery. These statistics cause one to at least question the effectiveness of the class action for providing individual relief to the class members.

The CFPB Could Take a More Moderate Approach to Facilitate Transparent and Free Consumer Arbitration

What should we make of the data provided above? First, it is premature to conclude that the class action is a more effective dispute resolution platform than individual arbitration. When only 12 percent of cases filed results in any class settlement, it suggests that there is a significant waste in the system. Second, we know arbitration is chilling consumer activity. The CFPB could confront this by providing more consumer education on arbitration and requiring more transparency. The CFPB could implement data-reporting requirements (similar, but more extensive than, those in the proposed rule for essentially post-dispute arbitration) that require reporting of the types of claims made, demand amounts, counterclaims and amounts, case resolutions, product types, and information about consumer representation.

The CFPB should require any consumer arbitration to be fully business-funded at no cost to the consumer. When a business faces transaction costs of nearly $2,000 per arbitration filed, repeat consumer filings will attract its attention. In addition, the CFPB could consider requiring that any consumer arbitration which results in a favorable consumer award on the merits should be awarded treble damages and attorneys’ fees. This provision would include a sort of “built in” incentivizing provision. The goal of this provision is to encourage organically what we already see occurring, increased settlement of consumer disputes. Still further, the CFPB should require that any consumer arbitration award must result in a written statement of decision, which permits other consumers to know how the arbitrator applied the law to the facts of that case. This will facilitate consumer knowledge of potential corporate overreach (and encourage more recovery), and will also help aid the consumer in arbitrator selection. The CFPB has a number of measures it could take to regulate consumer arbitration to the benefit of the consumer, short of removing a potentially viable dispute resolution platform that could benefit the individual consumer.

Conclusion

The CFPB’s proposed anti-arbitration rule will have a wide effect on consumer financial services, and even potentially on other consumer arbitration agreements. But the CFPB’s arbitration class-waiver ban is essentially an election of the class action to the expense of individual arbitration. This policy choice is premature and is not yet supported by the data. The abysmally low number of consumer arbitration filings is too low to make generic assessments regarding the efficacy of consumer arbitration. But it tells us consumers need to know more and have confidence to pursue their own low-value claims, or be aware that attorney assistance may be available. Even still, the image the Arbitration Study paints of class actions show that this vehicle is not providing satisfactory recovery to the individual class members. But requiring businesses to fully fund and incentivize consumer arbitration in a fair and transparent way could provide a vehicle for individualized low-cost consumer relief. Will there still be some de minimis claims that are not pursued on the individual level? Yes. But this tradeoff may be rational in the eyes of the consumer to preserve an essentially free dispute resolution platform for economically rational claims. The CFPB should take the time pending issuance of its final rule, under a new Executive Branch, to issue regulations that will make consumer arbitration more susceptible to empirical study, more transparent, and cost free for the consumer.

Introduction

There seemingly are lots of new ways to make payments today. New apps for smart phones, new peer-to-peer payment networks, new currencies, and new ledger systems offer to meet the needs of U.S. consumers and businesses in ways that legacy payment methods do not. Many of these new ways to pay have improved end-user experience by providing more convenient or intuitive ways to initiate payments through legacy systems (such as the ability to accept card payments through a device that connects to a phone). In other cases, the underlying payment system through which payments are made is new (such as the ability to pay someone instantly with virtual currency through a distributed ledger system).

It does matter how you pay; however, the part that matters—from a legal perspective—is not the means of initiation (i.e., payment via mobile app) or infrastructure (i.e., blockchain), but rather who is providing the payment service to the payor and payee and the characteristics of the payment service.

This article’s focus is how payment-system and consumer-protection laws apply (or do not apply) to some of the new ways to pay. It should be noted that there are other important legal and regulatory frameworks that apply to payments, such as financial privacy, cyber and information security, Bank Secrecy Act/anti-money laundering, and economic sanctions, all of which are beyond the scope of this article.

The Legal Framework for Payments

One’s legal rights and responsibilities as a payor or payee for noncash payments are determined by payment-system laws—statutory, regulatory, and contractual. For example, if a payor instructs payment for $100, but through error or fraud the payee is instead paid $1,000, payment-system laws will determine who among the various parties to the payment takes the loss for the extra $900 received by the payee. When consumers are a payor or payee, certain statutory and regulatory consumer-protection laws may also apply to the payment.

Payment-System Laws

With respect to payment-system laws, it should come as no surprise that different laws apply to different types of payments. At the state level, the Uniform Commercial Code (UCC) Articles 3 and 4 serve as the foundational laws for checks, and UCC Article 4A establishes the laws for wholesale wire transfers. These state laws generally may be supplemented or varied by agreement of the parties involved, or by clearinghouse or funds transfer system rule. For example, banks and image clearinghouses generally adopt the Electronic Check Clearing House Organization Rules (ECCHO Rules) to modify and supplement rights and responsibilities under the UCC to address issues unique to the interbank exchange of check images. Note, however, that the ability to vary the UCC by agreement or by clearinghouse or funds transfer system rule is not unlimited. For one thing, the UCC obligation to act in good faith may not be waived.

There is no statutory framework that serves as the basis for exchange of electronic debits through the Automated Clearing House (ACH) system, although commercial credits fall under UCC 4A. Banks rely on the Operating Rules of the National Automated Clearing House Association (NACHA), as adopted into ACH operator rules, both to establish the framework for the debits and to supplement the UCC 4A framework for commercial credits.

It is important to note that the scope of the laws and rules governing traditional noncash payment mechanisms—funds transfers, ACH, and checks—includes bank customers and banks, but does not necessarily contemplate or apply to nonbanks that serve as intermediaries to payors and payees or payments that are made through nonbank networks. Thus, the funds transfer process, under article 4A and the Federal Reserve’s Regulation J, begins with an instruction by an originator to its bank to pay or to cause another bank to pay a beneficiary, and the funds transfer ends when a bank for the beneficiary accepts an instruction to pay its customer. Likewise, the check collection process under article 4 and the Federal Reserve’s Regulations J and CC begins when an item is deposited with a depository bank, and typically ends when the payor bank pays the item. Similarly, under NACHA’s rules, an ACH payment begins with an authorization provided by a customer of a bank, is initiated to an ACH operator by a sending bank, and ends when the receiving bank has received and settled for the payment.

As further discussed below, this means that payment-system laws will not completely address—or may not address at all—issues that may arise for payors and payees whose payments do not begin and end at a bank.

Consumer-Protection Laws

With respect to consumer-protection laws, the primary federal laws in the payments area are: (i) the Electronic Fund Transfer Act (EFTA) and its implementing regulation, Regulation E, for consumer payments made via debit cards, ACH, payroll cards, prepaid accounts, and other consumer electronic funds transfers (discussed further below); and (ii) the Truth in Lending Act (TILA) and its implementing regulation, Regulation Z, for consumer payments via credit cards. These federal laws and regulations establish certain baseline consumer protections, such as disclosures, periodic statements, and most relevant to this article, limitation of liability for unauthorized payments and error-resolution requirements. These consumer protections generally cannot be varied by agreement.

Historically, the payments laws and consumer-protection laws described above provide mutually exclusive legal frameworks governing consumer funds transfers. In particular, the scope of article 4A by its own terms (Section 4A-108) generally excludes from its coverage funds transfers, any part of which is governed by EFTA. In turn, EFTA and Regulation E govern consumer funds transfers—specifically, “electronic fund transfers,” which include essentially any electronic transfer of funds to or from a consumer account, but excludes funds transfers sent by a financial institution on behalf of a consumer through a wholesale payment system (that is, a funds transfer system that is not designed primarily to transfer funds on behalf of consumers), such as a wire transfer system—as a result, those transfers would be covered by article 4A. In recent years, however, most state legislatures have taken steps to amend article 4A to permit some overlap with EFTA with respect to certain remittance transfers that became covered by EFTA and Regulation E as a result of the Dodd Frank Act.

In addition, federal consumer-protection laws historically were tied to payments made to or from consumer accounts held at banks. However, Regulation E’s remittance-transfer provisions apply to remittance-transfer providers that are both banks and nonbanks. Similarly, the Consumer Financial Protection Bureau (CFPB) finalized a new rule in early October that applies Regulation E’s disclosure, periodic statement, limitation of liability, and error-resolution requirements to prepaid accounts, regardless of whether the prepaid account is held by a bank or a nonbank. Specifically, the revised regulation defines a prepaid account to include a variety of payment products, including general purpose prepaid cards and nonbank payment services, such as digital wallets and payment networks, that involve an account that is either issued on a prepaid basis or capable of holding consumer funds. The new provisions become effective April 1, 2018 (although the CFPB also recently announced its decision to revisit certain substantive issues in the rule), and will cover many, but not all, nonbank payment services. Among the payment services that will fall outside the rule are those that only facilitate payments, but do not require consumers to have accounts with the service provider.

For payment services provided by nonbanks that fall outside the CFPB’s prepaid rule and remittance transfer rule, a consumer’s rights and responsibilities as a payor or payee primarily will be determined by the contractual terms that apply to the payment service. However, the consumer may have Regulation E protections for parts of a nonbank payment if the nonbank payment involves funds transfers to or from the consumer’s bank or prepaid account.

Some Examples

The scenarios below illustrate how a payor’s legal rights and responsibilities may vary depending upon whose payment service the payor uses.

Hypothetical 1: Person-to-Person Payment

CoolPay is a nonbank payment service that provides CoolPay accounts to its users and enables them to send funds to each other through its service. CoolPay makes payments in two ways. If a payor-user has funds in his or her CoolPay account, CoolPay will pay the payee through a book transfer: i.e., a debit entry to the payor’s CoolPay account and a credit entry to the payee’s Cool-Pay account. If a payor-user does not have funds in his or her account, CoolPay will initiate an ACH debit to the payor-user’s bank account and then credit the payee-user’s CoolPay account once CoolPay’s bank account is credited for the ACH debit it sent to the payor-user’s bank account.

Jane and George are CoolPay users. Jane uses CoolPay to send George $100 for his birthday. Although Jane is a CoolPay user, she does not keep funds in her CoolPay account. Hence, to effectuate the payment, CoolPay instructs its bank, Bank A, to send an ACH debit for $100 to Jane’s bank, Bank B. Once Bank A receives settlement from Bank B for the ACH debit, it credits CoolPay’s bank account. CoolPay then credits George’s CoolPay account for $100. What if CoolPay makes a mistake and credits Ted’s CoolPay account rather than George’s?

Given that CoolPay provides a payment service that enables consumers to hold funds in CoolPay accounts, CoolPay will be subject to the new prepaid account requirements of Regulation E, including its disclosure and error-resolution requirements, when it goes into effect. The rule will require CoolPay to: (i) disclose to Jane that she has error-resolution rights; and (ii) investigate the error upon timely notice from Jane that her bank account has been debited, but that George has not received his birthday money. CoolPay generally will be required to investigate and determine whether an error occurred within 10 days of Jane’s notice. If CoolPay determines that an error occurred, it must correct the error within one business day of such determination.

Note that, until the CFPB’s prepaid rule is effective, Jane’s ability to seek redress from CoolPay will be determined by the terms and conditions governing Jane’s use of the CoolPay service or possibly her state’s money transmission laws. It should further be noted that, due to the fact that the debit to Jane’s bank account was in the correct amount, it is unlikely that Jane could have sought redress from her bank for CoolPay’s error because the debit was authorized, in the correct amount, and her bank made no error is transmitting the funds to CoolPay’s account with Bank A.

It is also the case that, if CoolPay acted as only a payment facilitator and did not hold consumer funds in CoolPay accounts, the CFPB’s prepaid rule will not be applicable to Jane’s payment. She would again look to the terms and conditions of CoolPay’s service and her state’s money transmission laws for redress.

Hypothetical 2: Business-to-Business Payment

Company A and Company B are CoolPay users. Company A instructs CoolPay to pay Company B $10,000 via transfer from Company A’s CoolPay account to Company B’s CoolPay account. Company A has sufficient funds credited to its CoolPay account to pay for the transfer without the need to debit Company A’s bank account. Hence, CoolPay debits Company A’s CoolPay account for $10,000. However, CoolPay erroneously credits Company C’s CoolPay account rather than Company B’s CoolPay account.

If CoolPay were a bank, this type of error would be an error in execution. Under article 4A, if Company A’s bank paid a party other than the beneficiary Company A identified in its payment instruction, Company A would be entitled to a refund under article 4A’s money-back guarantee provisions for the amount of the payment. Company A’s bank could seek to recover the amount from Company C, but it would be required to refund Company A regardless of whether it does so. Under article 4A, the bank would not be permitted to vary its obligation to refund Company A by agreement.

In the absence of article 4A, the rights of Company A and CoolPay will be governed by the terms and conditions of CoolPay’s service, other agreements among the parties, and common law. In addition, if CoolPay’s terms are not favorable to Company A, it may find itself in court arguing by analogy to article 4A that CoolPay must provide a refund. If Company A is unable to recover from CoolPay, it may also be able to recover from Company C under CoolPay’s terms or common-law theories, but Company C, its jurisdiction, and a number of other factors will be completely unknown to Company A.

Hypothetical 3: Business-to-Business Payment with Distributed Ledger

Let us add a variation to the previous two examples where CoolPay provided payment services to the payor and payee: What if instead it is simply banks providing those services? Does it matter if those banks, in turn, choose to use a fundamentally new infrastructure, such as blockchain, to settle with each other?

Suppose Company A wishes to pay Company B $10,000 for products that it purchased. Company A has an account with Bank A, and Company B has an account with Bank B. Company A opts to make that $10,000 payment by a funds transfer from its account at Bank A to Company B’s account at Bank B. The funds transfer begins with a debit to Company A’s account on Bank A’s books (funds are withdrawn from the payor’s account), and ends with a credit to Company B’s account on Bank B’s books (funds are deposited into the payee’s account).

Suppose, however, that Bank A and Bank B do not have a direct relationship with each other that enables Bank A to credit an account it holds for Bank B, or for Bank B to debit an account it holds for Bank A. Instead, they choose to use blockchain technology—CoolChain—to clear and settle payment from Bank A to Bank B in real time on their own books. A detailed description of how the banks may use blockchain technology in this way is provided in a March 2016 article by Jessie Cheng and Benjamin Geva. In essence, blockchain technology allows banks with no direct relationship to establish trust and coordinate their actions to settle with each other.

Does the fact that the banks in the funds transfer opt to use CoolChain, rather than a traditional funds transfer system like CHIPS or Fedwire, to transact with each other in this way mean that the payment is outside the scope of article 4A? Not necessarily. Article 4A focuses on the type of entities involved, not the means by which they transact with each other. The primary focus of article 4A is the “funds transfer,” the transfer of bank credit from the payor to the payee. The hypothetical above—where Company A transmits an instruction to its bank, Bank A, to pay or cause another bank to pay Company B—falls within article 4A’s definition of “funds transfer” in section 4A-104. This remains so even where Bank A and Bank B happen to choose to use CoolChain or any other blockchain technology to settle with each other. That transfer is still a series of transactions, beginning with Company A’s payment order (Company A’s instructions to Bank A to pay or cause another bank, like Bank B, to pay a fixed amount of money to Company B) made for the purpose of making payment to Company B, the beneficiary of the order. Thus, Bank A’s and Bank B’s choice to use CoolChain to settle with each other would not remove the transfer from the ambit of article 4A.

Although article 4A can be read to apply to a funds transfer involving blockchain rails as a general matter, the application of the technology varies from blockchain to blockchain, and each implementation must be analyzed to determine whether or precisely how certain of its concepts map onto an article 4A framework. Thus, might the legacy article 4A concepts of “funds transfer system” apply to a network of banks that all use CoolChain and together agree to a certain set of payment rules governing their interbank rights and obligations? As described above, one could interpret section 4A-105(a)(5)’s definition of “funds transfer system” and its official commentary to say “yes,” even though the official commentary has not been updated to specifically recognize emerging systems that fundamentally differ from legacy payment rails. The same may not be true of another blockchain rail.

Conclusion

The robust competition for payment services in the United States offers consumers and businesses many ways to pay. However, the legal framework that applies to payments, and that ultimately determines the rights and responsibilities of consumers and businesses when they make and receive payments, is dependent upon a combination of whether the payments begin and end at a bank and, for consumers, the characteristics of the payment service.

In an April 2016 article in Business Law Today, we provided a primer on foreign investment regulation in Canada, an important issue in Canadian cross-border M&A transactions. Foreign investment primarily is regulated through the Investment Canada Act (ICA) and its regulations (although some sectors like banking have separate rules, and other statutes regulating foreign investment may also apply). In the ensuing year, a number of significant changes have occurred or have been announced by the Canadian federal government and are addressed below. It should be noted that this article discusses the ICA and its regulations generally and does not discuss a number of exceptions and nuances affecting its application, including the regime applicable to investments by foreign state-owned enterprises. All currency conversions in this article are made as of March 28, 2017.

Review Thresholds

As explained in the April 2016 article, under the ICA, the acquisition of control of a Canadian business by a non‐Canadian triggers either a (usually pre-closing) review or a (usually post-closing) notification process. The review process generally is triggered if the value of the Canadian business exceeds an applicable threshold, which can vary on a number of factors.

As part of its 2016 Fall Economic Statement, other than for investments by foreign state-owned (or influenced) enterprises (SOEs), the Canadian government committed to increasing the threshold applicable to a direct acquisition of a Canadian business by nationals of World Trade Organization (WTO) member states, which would include a U.S. company ultimately controlled by U.S. nationals. This threshold for review has changed significantly over the last few years, shifting even more transactions into the notification process and thereby reducing ICA compliance costs. In March 2015, this threshold was changed, from one based on the book value of assets of the Canadian business, to a threshold based on the “enterprise value” of the Canadian business, and a planned increase schedule was set out. In its 2016 Fall Economic Statement and again in its 2017 budget, the Canadian government committed to increasing this threshold even more quickly than originally planned, as shown in the table below.

1. Upon enactment of budget implementation legislation, anticipated in the spring or fall of 2017.
2. On a date to be determined (likely January 1, 2019).

The Canadian government also is in the process of implementing the recently negotiated Canada and European Union (EU) Comprehensive Economic and Trade Agreement (CETA), which will increase the threshold for nationals of EU member states. Once in force, CETA will increase the enterprise threshold for nationals of EU member states to C$1.5 billion (approximately US$1.12 billion). A number of countries, including the United States and Mexico, have trade agreements with Canada that contain most-favored-nation protection, with the result that nationals of these countries will also benefit from this substantially increased enterprise value threshold. The legislation in Canada to implement the CETA currently is expected to be in force as early as late June 2017.

An indirect acquisition of a Canadian business (i.e., through the acquisition of its foreign corporate parent) by nationals of WTO-member states, including the United States, with limited exceptions, are exempt from review.

An important exception to these rules on direct and indirect acquisitions remains where the Canadian business is engaged, even if only partially, in the activities of a “cultural business.” A direct acquisition of a cultural business continues to be subject to review where the book value of the Canadian business’ assets exceeds C$5 million (approximately US$3.7 million), and an indirect acquisition of a cultural business continues to be subject to review where the book value of such assets exceeds C$50 million (approximately US$37 million), although in the case of the latter, the review may be done post-transaction and therefore is not an impediment to closing.

Some Clarity on National Security Review

As explained in the April 2016 article, the national security review process allows the Canadian government to review investments where it has “reasonable grounds to believe” that the investment “could be injurious to national security.” Any investment in Canada by a non-Canadian investor can trigger this process regardless of: (i) whether it is reviewable or notifiable according to the rules above; (ii) whether by a U.S. or other investor; (iii) whether it is for the establishment of a new Canadian business, the acquisition of control of a Canadian business, or the acquisition of a minority interest in a Canadian business; and (iv) the dollar value of the transaction. This means that a minority investment in a Canadian business, regardless of its size, could trigger a national security review. This process is, to a certain extent, the Canadian equivalent to the Committee on Foreign Investment in the United States (CFIUS) regulations.

The concept of “could be injurious to national security” is not defined in the ICA or its regulations and, until recently, the Canadian government did not provide any guidance on what it considered “could be injurious to national security” (other than certain statistics on the frequency and outcomes of national security reviews). On December 19, 2016, the Canadian government delivered on a promise, made in the previously noted 2016 Fall Economic Statement, to make the national security review process more transparent by publishing Guidelines on the National Security Review of Investments (the Guidelines), which identify the following nine, nonexhaustive factors that will be taken into account in determining whether foreign investments could be injurious to national security: (i) the potential effects of the investment on Canada’s defense capabilities and interests; (ii) the potential effects of the investment on the transfer of sensitive technology or know-how outside of Canada; (iii) the involvement in the research, manufacture, or sale of goods/technology relating to certain controlled goods noted in the Defence Production Act, including firearms, military training equipment, certain types of aircraft, weaponry and defense systems, etc.; (iv) the potential impact of the investment on the security of Canada’s critical infrastructure, meaning the processes, systems, facilities, technologies, networks, assets, and services essential to the health, safety, security, or economic well-being of Canadians and the effective functioning of government; (v) the potential impact of the investment on the supply of critical goods and services to Canadians, or the supply of goods and services to the Canadian government; (vi) the potential of the investment to enable foreign surveillance or espionage; (vii) the potential of the investment to hinder current or future intelligence or law enforcement operations; (viii) the potential impact of the investment on Canada’s international interests, including foreign relationships; and (ix) the potential of the investment to involve or facilitate the activities of illicit actors, such as terrorists, terrorist organizations, or organized crime.

The Canadian government’s 2017 budget also announced an intention to require the publication of an annual report on the administration of the ICA’s national security.

The Guidelines also provide recommendations for dealing with national security. For example, the ICA contains no formal preclearance mechanism, which is a significant distinction between the Canadian national security regime and the CFIUS regime. To address this issue, the Guidelines recommend that foreign investors file their ICA notifications “early” and prior to the deadlines set out by statute, even though this is not required by law, particularly in cases where the assessment factors described above may be present. By doing such a filing on a preclosing basis and waiting for 45 days to elapse following the filing of such notification, if no action is taken, the investor can proceed with closing knowing that the period within which a national security review could be ordered has expired. Note, however, that this “early filing option” is not available unless an investment triggers a notification (or economic review) requirement. Where no notification (or review) is required (for example, the acquisition of minority interest in a Canadian business where there is no acquisition of control by the non-Canadian investor within the meaning of the ICA), the 45-day period for triggering the national review process runs from implementation of the investment, which precludes the early filing option for obtaining comfort. Nevertheless, early engagement with the government may still be beneficial in securing meaningful comfort from the government. Such engagement allows the government an opportunity to examine the investment and to ask questions of the investor, which, even absent explicit pronouncement from the government, may allow the investor to make meaningful inferences about the government’s assessment of whether the investment would be injurious to national security.

Conclusion

The proposed change to the ICA’s enterprise value thresholds will result in fewer transactions subject to review, and the Guidelines provide additional clarity on national security review. Understanding the ICA’s regulation of foreign investment is important because sanctions can include fines and even a reversal of the transaction (although the authors are not aware of this remedy ever having been used by the Canadian government). It is also important to consult with a Canadian legal advisor, given that many other federal and provincial laws can affect the implementation of an M&A transaction.

Until the 1930s, securities purchasers looked solely to state securities laws—so-called Blue Sky Laws—for protection against securities fraud. That all changed after the Crash of 1929, when the federal securities laws were enacted and came to dominate the field in the ensuing decades. But state securities laws have made a bit of comeback in recent years, and an April 2017 decision out of a California federal court may continue to fuel their rise. Colman v. Theranos, Inc. The Theranos court found that indirect purchasers of securities—those who invest in a fund that in turn purchases securities from a company—can sue that company. The decision raises a number of important questions for both issuers of securities—especially large private companies—and the many funds that buy directly into them.

A brief review of the facts will set the stage. Theranos is a privately held life sciences company recently thrust into the national spotlight over questions about the legitimacy of its business. Plaintiffs in the case had invested money in two different private funds expressly formed to invest in the company. One fund acquired stock directly from Theranos; the other acquired its stock on the secondary market. Plaintiffs’ purchases came amid a publicity campaign about Theranos that, allegedly, was designed to raise capital from private investors, including plaintiffs. After news broke questioning the viability of Theranos’s technology, the indirect purchaser plaintiffs sued the company for fraud, asserting securities claims under various provisions of California law.

Ruling on Theranos’s motion to dismiss, Magistrate Judge Nathanael Cousins of the Northern District of California held that the indirect purchasers had standing to sue under California law. In pertinent part, the California provisions at issue make it unlawful for “a broker-dealer or other person selling or offering” a security to willfully make, “directly or indirectly,” a false or misleading statement “for the purpose of inducing the purchase or sale of such security.” Unlike most of the federal securities laws, notably Section 10(b), this statute does not require a plaintiff to prove actual reliance; rather, a plaintiff need only prove that defendant intended the plaintiff to rely on his statement. And, now, if the Theranos court’s ruling is accepted by other courts, the statute also will not require “privity,” or a buy-sell relationship, between indirect purchasers and the issuing company. Defendants unsuccessfully pressed the court to impose such a requirement, but the court disagreed, noting the statute “focuses on the actions of the seller of the securities, not the relationship between seller and buyer.”

So, did the court get it right? The answer is both yes and no, with a bit of history explaining why. The California statute at issue was modeled after and closely resembles Section 9 of the Securities Act of 1934, which was specifically aimed at prohibiting the manipulative market conduct prevalent in the 1920s. As numerous state and federal courts have noted, including those in California, “market manipulation” is a term of art that covers some artifice or scheme where a defendant enters the market and alters the natural forces of supply and demand. Some of that fraudulent conduct—such as a “wash sale,” where the defendant buys and sells from himself to create the appearance of demand, or a “matched order,” where he buys and sells to co-conspirators for similar purposes—involves trading that occurs solely between one or more co-conspirators. The court is thus right that privity is not universally required; if it were, a defendant trading solely with himself or his scheming confederates could never be liable.

But the court’s analysis failed to see the full picture. Like Section 9, the California statute at issue was never intended to reach false or misleading oral or written statements like those Theranos made to the market. Rather, it is focused on specific schemes, in the market, that artificially alter the natural forces of supply and demand. Nowhere is Theranos alleged to have engaged in any such conduct. The result, then, is to allow an indirect purchaser to repackage a traditional misstatements case—which does require privity under California law—into a manipulative conduct case that does not. Courts have rejected this strategy for years.

The consequences of this approach are potentially far reaching for private companies and the funds that invest in them. For private companies, the decision poses concerns about raising money from institutional investors and publicly traded companies, which have become a significant source of financing. The court’s ruling could give disappointed investors in those entities standing to sue the private companies in which they invest. Since the universe of those investors under the reasoning of Theranos is much broader than those who participate in private offerings—and since those investors may only be able to rely on general statements in the public domain—the court’s ruling raises the possibility that retail investors could sue private companies without ever having directly invested in them.

For private funds that invest in private companies, the decision also raises a number of serious questions, especially as to who controls claims that belong to the fund. For instance, what recourse, if any, does a fund and its other investors have if they believe a lawsuit is frivolous or would distract management and thereby harm their investment? Without an express waiver of the indirect purchasers’ claims, it would seem very little. And would an investor further down the investment chain, say in a fund-of-funds, also have standing to bring a claim against the private company? The court seemed to take comfort that the universe of potential plaintiffs was limited to those the company “intended” to defraud. But drawing the line based on something so subjective provides little comfort to companies and the funds that invest in them.

It is worth emphasizing that there are ways to read the court’s ruling as limited to its unique set of facts. The funds at issue were set up for the express purpose of investing in Theranos stock, not to invest in multiple securities. What’s more, Theranos has been accused of misrepresenting the viability of its business as a whole, something different in kind and degree from an allegedly misleading statement about a discrete event or fact. Nor is it clear that the indirect purchasers had been provided any documents upon which to base their indirect investment in Theranos.

If limited to these facts, the court’s decision could be understood. But if future courts look beyond the facts to the general proposition for which Theranos stands—that indirect purchasers may sue a private company for plain vanilla securities fraud without having to prove privity—the prominence of state securities laws like those in California may only grow.

We begin with ULLCA, because the answer to the delineation question appears straightforward under the uniform act. This column quotes from ULLCA (2013), text and comments, but the analysis applies equally to ULLCA (2006), sometimes informally referred to as “RULLCA” or “Re-ULLCA,” and also to ULLCA (1996), the first uniform LLC act.

ULLCA (2013), Section 105(c)(6) states that, while an operating agreement may not “eliminate the contractual obligation of good faith and fair dealing under Section 409(d),” the agreement “may prescribe the standards, if not manifestly unreasonable, by which the performance of the obligation is to be measured.” The official comment provides several examples, including this one:

EXAMPLE: The operating agreement of a manager-managed LLC gives the manager “sole discretion” to make various decisions. The agreement further provides: “Whenever this agreement requires or permits a manager to make a decision that has the potential to benefit one class of members to the detriment of another class, the manager complies with Section 409(d) of [this act] if the manager makes the decision with:

a. the honest belief that the decision:

i. serves the best interests of the LLC; or
ii. at least does not injure or otherwise disserve those interests; and

b. the reasonable belief that the decision breaches no member’s rights under this agreement.”

This provision “prescribes[s] the standards by which the performance of the [Section 409(d)] obligation is to be measured.”

Under Delaware law, the delineation question requires a different and more complicated analysis. The conceptual answer is “not possible,” but the practical answer is “can do.” Under Delaware law, the implied covenant acts as a special type of “gap filler,” a process of interpolation implied by law: “An implied covenant claim … [asks] what the parties would have agreed to themselves had they considered the issue in their original bargaining positions at the time of contracting.” Gerber v. Enter. Prods. Holdings, LLC, 67 A.3d 400, 418 (Del. 2013) (quotation marks and citations omitted).

By its nature, this approach is invariable. The law supplies the gap-filling methodology, which no agreement has the power to change. For instance, an operating agreement may not provide that “a manager’s act in any manner pertaining to this agreement satisfies the implied covenant of good faith and fair dealing if the person asserting a breach of the implied covenant had at the time of contracting reason to know that the agreement could reasonably be interpreted to authorize the act.”

However, a Delaware operating or partnership agreement can reign in the implied covenant by avoiding gaps. Consider the above example from the ULLCA comments, revised as follows:

Whenever this agreement requires or permits a manager to make a decision that has the potential to benefit one class of members to the detriment of another class, the manager complies with Section 409(d) of [this act] the manager’s decision is binding and breaches no duty to the company or its members, if the manager makes the decision with:

a. the honest belief that the decision:

i. serves the best interests of the LLC; or
ii. at least does not injure or otherwise disserve those interests; and

c. the reasonable belief that the decision breaches no member’s rights under this agreement.”

Although “[n]o contract, regardless of how tightly or precisely drafted it may be, can wholly account for every possible contingency,” Allen v. El Paso Pipeline GP Co., L.L.C., No. CIV.A. 7520-VCL, 2014 WL 2819005, at *11 (Del. Ch. June 20, 2014) (internal quotations and citations omitted), opportunistic conduct brings Delaware’s implied covenant into play. The ULLCA example as revised leaves scant, if any, room for such conduct. Thus, while under Delaware law “safe harbor” provisions cannot be upheld, in the language of ULLCA (2013) § 105(c)(6), as “prescrib[ing] the standards …by which the performance of the obligation [of good faith and fair dealing] is to be measured,” safe harbor provisions can render the implied covenant inapposite if carefully drafted and sensibly invoked.

For example, in the author’s opinion, it was not sensible to rely on a Special Approval valuation process that had ignored two assets of the company, which were arguably quite substantial. Gerber v. Enter. Prod. Holdings, LLC, 67 A.3d 400, 422–23 (Del. 2013).

Care is also required when an operating or partnership agreement imposes an express requirement of “good faith.” Left undefined, the phrase is a minefield for parties and a godsend for litigators—as exemplified in Policemen’s Annuity and Benefit Fund v. DV Realty Advisors LLC (“Policemen’s Annuity”). The case arose from a limited partnership agreement that permitted the limited partners to remove the general partner:

without Cause by an affirmative vote or consent of the Limited Partners holding in excess of 75% of the [Limited] Partnership Interests then held by all Limited Partners; provided that consenting Limited Partners in good faith determine that such removal is necessary for the best interest of the [Limited] Partnership.

The agreement did not, however, define the term. Policemen’s Annuity No. CIV.A. 7204-VCN, 2012 WL 3548206 at *12-13 (Del. Ch. Aug. 16, 2012).

Both the Chancery Court and Delaware Supreme Court addressed the definitional omission, but each used a different approach and reached a different definitional conclusion. The Chancery Court, 2012 WL 3548206, at *13, used an a fortiori analysis to resolve the case without actually deciding on a definition:

The conduct of the Limited Partners in this case does not approach the sort of unreasonable conduct that is necessarily undertaken in bad faith. A test is nevertheless required; the Limited Partners’ conduct must be analyzed under some rubric. … The definition prescribed in [Delaware’s Uniform Commercial Code] § 1–201(20) [“honesty in fact and the observance of reasonable commercial standards of fair dealing”] is at least as broad of a definition of good faith as that applied to contracts at common law, and… the Limited Partners can meet the [the broader] definition…. Thus, the Limited Partners necessarily satisfy Delaware’s common law definition of good faith as applied to contracts, which is the definition of good faith that the Court presumes was adopted in [the limited partnership agreement].

The Delaware Supreme Court flatly rejected the lower’s court methodology, substituting a standard far more easily met. Relying on one of its own decisions, the court held that the limited partners’ “determination will be considered to be in good faith unless the Limited Partners went ‘so far beyond the bounds of reasonable judgment that it seems essentially inexplicable on any ground other than bad faith.’” DV Realty Advisors LLC v. Policemen’s Annuity & Ben. Fund of Chicago, 75 A.3d 101, 110 (Del. 2013) (quoting Brinckerhoff v. Enbridge Energy Co., Inc., 67 A.3d 369, 373 (Del.2013)).

An Oregon case provides another example. U.S. Genes v. Vial, 923 P.2d 1322 (Ore. App. 1996) concerned a contract that expressly required the parties “to engage in good faith and in fair dealing with respect to the other at all times during the term of this agreement.” The contract did not define the “good faith and … fair dealing,” and the trial court decided “to treat the express good faith provision in the contract as equivalent to the covenant of good faith and fair dealing that is implied in every contract.” The Oregon Court of Appeals reversed, stating that that decision was “[t]he source of the court’s error” and holding that the “express and implied covenants of good faith cannot be equated.”

That holding makes good sense; equating the express with the implied would render the express term surplus. However, half a page further in the decision, the appellate court interpreted the express term according to one scholar’s famous gloss on the implied covenant.

The moral of these stories is clear—never use the phrase “good faith” in an operating or partnership agreement without carefully defining the term.

Kevin Johnson spent nearly 20 years in the banking and financial services industry, so when he went back to law school, he knew exactly what kind of law he wanted to practice and where he wanted to work. He’s now an attorney in the Administrative Law Division of the National Credit Union Administration, with a focus on privacy law. Prior to this, he worked as a banking consultant and served as the Financial Services Director of the Federal Reserve Bank of Atlanta in the Birmingham branch.

He’s been very involved with the ABA, serving as the National Chair of the ABA Law Student Division, for which he received the ABA Law Student Division Gold Key Award, in honor of his high degree of service, dedication and leadership.

*     *     *

For many years, you worked in the banking and financial services industry as a consultant. And, prior to that with the Federal Reserve Bank of Atlanta as a Financial Service Director. What prompted you to go back to school and get a law degree?

I originally worked for commercial banks in various capacities. And, after a number of years I decided to take an opportunity with the Federal Reserve Bank. One of the things that led me to seek a law degree was the fact that I was responsible for operations at the Fed that correlated directly to a number of banking laws and regulations. I found myself always consulting the regulations that guided the Fed in its operations and its philosophical approach to banking and financial services. After a number of years of this, I thought: if you can’t beat them, you might as well join them.

During law school, you worked as an intern at the National Credit Union Administration. Why did you choose this government entity and how were you able to secure a position at such a well-known agency?

It actually came about while I was at an ABA meeting. Someone suggested to me that I apply to the NCUA, which I promptly did. I received a call while I was in class in law school, and they offered me the opportunity to fly up to D.C. and spend the summer working as the only legal intern that year.

What did you like about it, because after law school, you accepted a full-time position at that agency?

I was in my element. I focused my entire law degree and my career on banking and financial services, because I knew that’s what I wanted to do. My intent was always to go back to a financial institution regulator. On my list I had the Fed, the NCUA, the Consumer Financial Protection Bureau, and the FDIC. The NCUA happened to be the one that gave me the opportunity when I came up here for the summer. They gave me lots of very meaningful work. I developed serious relationships with my colleagues, I felt comfortable here, and I was treated as a valued member of the team. That had a lot to do with my making the decision to come back.

You’re currently an attorney in the Office of General Counsel, with a focus on privacy law. Can you expand on what you’re doing in this area of law?

For all federal executive agencies, certain laws and regulations exist in regards to how we collect, maintain, share, protect, and destroy the information that we collect from the public. As you can imagine, a lot of that data is extremely sensitive, from Social Security numbers to banking information, all of the different categories of personally, identifiable information.

I serve my agency as a privacy attorney, helping to build and maintain an effective and efficient privacy program that allows us to continue collecting this information, but also doing so in a way that is compliant with the laws and the regs. And that it’s protected from the increased cyber threats that exist in our environment today.

The crux of my work is basically helping to maintain the privacy program and make sure that we’re compliant with the Privacy Act of 1974, the E-Government Act of 2002, and the whole host of other Office of Management and Budget guidance, presidential directives, and executive orders.

It feels like this would be a constantly shifting landscape. Is that right?

That’s absolutely right. When I started in privacy, our agency as well as the other financial institution regulators, were coming off the financial crisis that kicked off the recession. I was asked if I wanted to become involved with the privacy side of things. I jumped at the chance, because I had already developed a keen interest in privacy, and privacy-related issues. Little did I know that it was going to take off the way it has. It has led to so many different opportunities and a wonderful learning experience.

Prior to being in the administrative law division, you served as a trial attorney at NCUA. What kind of cases did you handle?

I spent a little more than a year in enforcement litigation before I switched over to the admin. law and the privacy area. While I was in enforcement and litigation, I mostly dealt with issues such as financial services prohibitions. Basically that involves working with individuals who, for whatever reason, our agency felt were no longer fit to serve in this particular industry. If you look at our website, and if you filter through the correspondence that comes out of this agency, we regularly report on individuals who, for whatever reason, whether it was wrongdoing or convictions of a certain type, can no longer serve in the financial services industry. I also worked with conservatorships of failing or failed credit unions. I also did some work with the fraud hotline, chasing down issues that came to us, people reporting different things that go on in the credit union system that need our attention.

How has your background in finance helped you as an attorney?

It helped me hit the ground running. It was also one of the major factors that contributed to me being hired at NCUA. The folks here didn’t have to train me on certain aspects of financial services because not only did I have the knowledge, but I had been involved in many issues that we face. As a result, I was able to contribute to the team at a higher level at a much faster pace.

You worked at the Federal Reserve in Atlanta, including serving as the Director of Operations. What stands out for you from that experience?

The leadership aspect of my career blossomed there. It gave me a better understanding of how to lead people, how to lead through change and adversity, how to lead during times when some very important decisions have to be made. I developed and I solidified my management style there. It was a difficult environment to lead in, but at the same time, very rewarding.

What advice would you give to someone who has to lead during a challenging time?

The main thing I took away was that each member of my team is an individual, and different things motivate different people. Before leadership at the Fed, I’d used a blanket approach. I handled everybody pretty much the same way. I didn’t take the time out to really understand or tap into the individuality of each member of my team. At the Fed, I started getting to know each person, understanding what motivates each individual, treating each individual in a way that’s beneficial to both the organization and to that person. I was able to get much better results using that approach.

What advice would you give to a young attorney who’s just starting out?

I’m currently mentoring a number of young attorneys. Figure out what your interests are. The quicker you narrow your desired areas of practice, the better off you’ll be, because you’ll be able to focus on developing the expertise in whatever those areas of interest happen to be.

Is it a matter of trying different things?

I don’t know if it is as much trying different things as it is knowing yourself and knowing what makes you tick. My advice comes more from an introspective approach. Know what you’re interested in, know what things make you tick, what things excite you, and then, project outward from that point.

You’ve been very involved with the ABA, including serving as the National Chair of the ABA Law Student Division. What made you want to get involved and how have you benefited?

Before I went back to law school, I realized, of course, that I had been out of school for a while. I considered myself a nontraditional student. So, I was apprehensive about going back to law school after having been out of school for so long. I did some research on the organizations that provided resources to help students like me to reacclimate themselves to full-time study. I came across this organization called the Council on Legal Education Opportunity (CLEO). They take in students who are accepted to law school and they start building a foundation, before you start school.

I attended a program in Atlanta, and was taught legal writing, and reading and analyzing cases, how to organize your materials, and how to read statutes. It was excellent. When I got back to Birmingham after that particular program, I did some research because I was so impressed. I found out that the American Bar Association is one of the major benefactors of CLEO.

From there, I started researching the ABA and, lo and behold, I found out it’s one of the largest professional organizations in the world. I knew I needed to get involved. Then I found out they had a law student division. I made my decision to get involved with the ABA before I even enrolled in law school.

As soon as I enrolled at the University Alabama School of Law, I paid my $25 fee, and I became a member of the ABA as a law student. From that point, I got involved anyway I could as a student. I participated in conference calls. I participated in opportunities to help draft comment letters on certain banking regulations. At that time I was, of course, a member of the Banking Law Committee. I assisted with a lot of those things, and it was just very beneficial for me to work with and to correspond with attorneys who were actually doing what I aspired to do.

Did it help you stay motivated during law school because you saw what was out there?

Absolutely. When I got the opportunity to apply for a CLEO scholarship, sponsored by the ABA Business Law Section, I jumped at the chance. I won the scholarship. Basically, this scholarship provided an opportunity for me to attend the Spring Meeting, where I was assigned two mentors. That’s where I transitioned into hyperdrive, if you will, as far as being involved in the ABA.

You’ve received many awards. Is there one that stands out for you?

Probably the most meaningful is the Gold Key Award from the Law Student Division after I served my year as Chair. That was a really, really huge honor.

What do you do for fun?

My wife and I have five beautiful children. They range in age from 11 all the way down to two and half. We have two-and-a-half-year old twins, so they are my hobby. I do have a son who is a golfer, so I spend a lot of time playing golf and shuttling him around to his golfing activities and tournaments. I did my undergraduate work at University of South Carolina, in Columbia, South Carolina, and I attended law school at the University of Alabama School of Law in Tuscaloosa, Alabama, so there are a lot of SEC sports that happen around our household, centered around those two programs.

Anything else you’d like to add?

My involvement in the American Bar Association has paid off for me in an infinite number of ways. From colleagues and the relationships I’ve developed to the meaningful work that we’ve done within our section and within the association as a whole. I’ve enjoyed the opportunities to mentor other students who are eager to learn and eager to navigate the legal industry. I would recommend it to anyone.

Thank you so much!