“Global Rule of Law Trends Pose Challenges for ESG Movement” is the fourth article in a series on intersections between business law and the rule of law, and their importance for business lawyers, created by the American Bar Association Business Law Section’s Rule of Law Working Group.
Growing investor concern for Environmental, Social, and Governance (ESG) issues has business lawyers scrambling to advise clients on an ever-expanding list of norms, best practices, and regulatory and reporting requirements. This advice tends to focus on the immediate ESG dimensions and impacts of a given client’s business activity, but the broader rule of law context in which companies hire, buy, manufacture, and sell has significant ESG implications that business lawyers need to incorporate into their advice.
The 2021 Rule of Law Index® from the World Justice Project (an American Bar Association spinoff for which I work) shows rule of law declining globally and underscores the challenges these trends pose to the private sector ESG movement. The data reveal persistent widespread corruption, growing discrimination, and failing justice systems, among other rule of law issues confounding ESG compliance. Businesses looking to make meaningful and sustainable ESG progress need strategies that not only protect them against these rule of law realities but also help reverse the negative trends and strengthen the rule of law over the long term.
The Rule of Law Context for ESG Advice
The mushrooming field of ESG compliance encompasses everything from recruiting and supporting a diverse workforce to minimizing environmental impact and safeguarding against corruption and human rights abuses. Business lawyers advising on these issues tend to focus on the direct ESG impacts of and risks to their clients’ operations, but the state of rule of law in the broader society provides important context for this advice. Where the rule of law and governance are strong, the private sector benefits from state action on a wide range of fronts, from combating discrimination and corruption to protecting rights, maintaining security, and enforcing environmental regulations. Good governance of this nature complements and reinforces corporate best practices and internal controls. By contrast, contexts in which rule of law is weak present significant ESG challenges to which even the best compliance program is vulnerable. For this reason, comprehensive ESG advice incorporates a strong understanding of the broader rule of law context for business operations and provides specific strategies for addressing risks that context presents.
New data from the World Justice Project provide a valuable—and concerning—input to such ESG advice. For the fourth year in a row, the recently published 2021 WJP Rule of Law Index® shows the rule of law declining in a majority (74.2%) of the 139 countries studied. The Index reflects the views of 138,000 households and 4,200 legal practitioners surveyed about how the rule of law works in practice. The study scores and ranks jurisdictions on the following eight factors of the rule of law: constraints on government powers, absence of corruption, open government, fundamental rights, order and security, regulatory enforcement, civil justice, and criminal justice. The Index is widely regarded as the leading source of original rule of law data, relied upon by a range of governments, intergovernmental organizations, corporations, scholars, civil society, and the media. An interactive Rule of Law Index data site enables users to probe the data for particular jurisdictions, identify comparative weaknesses in specific dimensions of the rule of law, and observe trends over time.
Since the last Index was published in March 2020, a majority of countries studied declined in all factors except “order and security.” The negative trends hold in all regions of the world and in both developed and developing countries. Of particular concern to business lawyers is the decline in the Index measures of open government, regulatory enforcement, and civil justice, areas in which we had seen modest improvements in recent years.
From an ESG perspective, the persistent, broad, and deep deterioration in Index measures of constraints on government powers, corruption, and respect for rights is a wake-up call. While businesses have in recent years made important strides to improve governance, compliance, and accountability in their boardrooms, factory floors, and supply chains, powerful negative rule of law forces have been pulling in the opposite direction and risk undermining private sector ESG gains. Business lawyers advising clients on ESG matters should be helping them develop strategies for contending with these broader negative rule of law developments.
Proactive Strategies for Addressing Rule of Law Issues
Specific strategies for mitigating rule of law-related ESG risk depend on the context, the nature of the relevant governance weaknesses in the business operating environment, and the vulnerabilities of the particular business operation. Companies and the lawyers who advise them generally prioritize prophylactic measures, putting in place training, safeguarding, assessments, controls, and other policies and practices to protect their operations from the risks posed by the operating environment. While such approaches are important, they do little to address the underlying rule of law conditions generating ESG risk. Too often, such approaches amount to a privatization of governance, letting governments off the hook for failing to uphold the rule of law. Over the long term, even the best compliance programs leave businesses susceptible to risks posed by an operating environment characterized by weak rule of law. As the data outlined above underscore, that risk is only growing. For that reason, a business lawyer’s advice on ESG matters should not just entail defensive strategies to ensure compliance in a client’s operations but also include proactive approaches to strengthen the rule of law more broadly in society.
A proactive business strategy for advancing the rule of law can have many different elements. Company leaders can signal publicly and privately that the rule of law matters, that they track government performance on rule of law metrics such as the WJP Rule of Law Index®, and that this performance affects business decisions. When private sector leaders say that the rule of law matters to their business—as Microsoft President Brad Smith did on the occasion of the Index launch—it creates powerful incentives for government actors to embrace reform. It can be challenging for an individual business to take on what can be politically sensitive rule of law issues. But businesses can make the point effectively through trade and professional associations and networks, such as the US Chamber of Commerce Rule of Law Coalition or the Corporate Alliance for the Rule of Law. In this regard, the American Bar Association Business Law Section’s Rule of Law Working Group is developing a valuable new initiative to encourage its lawyers to join with business organizations and clients in crafting strategies and engaging in direct action to strengthen the rule of law.
Beyond broadly signaling concern about the rule of law, businesses can engage government counterparts to address specific governance issues that affect the operating environment. This can entail supporting and promoting research on international standards, best practices, and model reforms and advocating their uptake by governments. Again, this can be done by individual companies or in association with others. Transnational businesses can also engage their home government to address rule of law issues in its bilateral and multilateral dialogue with other countries. Finally, businesses can provide financial and in-kind support to organizations working to address rule of law weaknesses. The World Justice Project’s World Justice Challenge competition identifies hundreds of such change-makers working across a wide range of issues of concern to the private sector.
The new Rule of Law Index® data underscore the urgency of these kinds of proactive strategies to strengthen the rule of law as a critical bulwark for ESG progress. Without such strategies, ESG efforts provide little more than a flimsy shelter against a growing, powerful storm. Private sector action to take on the negative rule of law trends and work to reverse them promises sunnier days and sustainable ESG progress.
As the M&A market breaks records, the pandemic wears on, and new market trends emerge, deal lawyers are likely to continue to confront a host of drafting challenges and reassess routine provisions in mergers and acquisitions contracts. From buzzwords to vaccines, here are some thoughts on what deal agreements might look like in 2022.
Pandemic Year Three
2022 will be the third year of the Covid-19 pandemic. Deal lawyers have adjusted quickly to the crisis, both in how they have conducted the deal process (see, for example, the discussion below on remote closings) and how they have addressed the complex collection of evolving pandemic-related issues that impact businesses and transactions in the body of their agreements.
As the pandemic continues to evolve, contract provisions will continue to do the same. One of the newer issues, which has only recently begun to show up in publicly available agreements, is Covid-19 vaccines. With government and corporate vaccine mandates increasing in prevalence, and the administration of Covid-19 booster shots just getting underway, agreements will increasingly need to address the vaccines—potentially in a wide range of provisions from representations and warranties to post-closing covenants. (By way of example, the definition of “fully vaccinated” could at some future time include the notion of booster shots or new health measures that protect workers against future variants, potentially impacting a variety of representations, covenants, and other provisions.)
With some pandemic issues, what we have seen is less evolution and more vacillation: the easing, then tightening, then easing again of health measures like masking and social distancing due to a variety of reasons, including the availability of new data and the emergence of new virus variants. Also, businesses are navigating a patchwork of conflicting guidance and best practices. This continuing state of change will undoubtedly impact how provisions, such as those regarding the ordinary course of business vis-à-vis Covid-19 and Covid-related exceptions to access-to-information covenants, are drafted. It could also impact how reasonableness is interpreted, as well as which, if any, reasonableness requirements parties elect to include in their references to Covid-19 responses.
On a related issue, will we get to a point where we are so deep into the pandemic that parties don’t feel the need to make qualifications to the definition of the ordinary course of business anymore, because pandemic ordinary course has already been in place for years?
There’s also a potential scenario none of us wants to consider, but given the events of the past year, it’s hard not to: What if, goodness forbid, the pandemic unexpectedly gets worse (again)? What if it gets really really bad? Right now, the pandemic market standard is to exclude pandemics generally, with it being very common to also explicitly exclude the current pandemic from the scope of the definition of “Material Adverse Effect” (MAE). Many of these exclusions go as far as to also exclude “worsening” and “future waves” of the pandemic. So with respect to these deals that exclude the pandemic from the MAE scope, especially those also explicitly excluding the worsening thereof, the answer would be that in such a doomsday scenario, those deal parties will most likely still be on the hook to close the deal, depending on the specifics of the agreement.
The pandemic has already caused legal scholars to take a more critical look at MAE definitions and MAE-related provisions. On one hand, changes in the severity of the pandemic could imaginably lead to shifts in the current MAE-exclusion trends. On the other hand, the legal scholarship and practitioner discourse that has been sparked by Covid-19 could introduce some new innovative approaches to MAEs with the potential to solve problems with the standard framework that long predate the pandemic.
The Future Arriving
In the world of M&A, everything is up this year. So are references in M&A agreements to certain emerging issues and trending market topics that make it feel like, in some areas, the future is already arriving. “Future words” feels like an appropriate label for these, though some might call them “buzzwords.”
According to Bloomberg Law Precedent Search, which is an advanced search of M&A agreements filed with the SEC via EDGAR, references to “remote work” in publicly available agreements first appeared in 2017. But the numbers clearly reflect that it didn’t become a thing until last year. Only one agreement containing the phrase appeared in 2017, and we found zero in 2018. References to “remote work” have jumped from only one agreement containing the exact phrase in 2019 to 13 agreements in 2020, and 24 agreements in 2021 thus far. Considering the slow pace of return to the office, we expect to continue to see “remote work” show up in deal agreements in 2022.
As discussed above, the issue of Covid-19 vaccines is an emerging one, and while our search yielded only three agreements containing a reference to Covid vaccines in 2020, we have found seven such agreements in 2021 as of October 26.
Corporate and market interest in cryptocurrency and blockchain is on the rise, and so is the number of agreements containing these exact phrases. “Crypto”—which, according to our search, has never appeared in more than five publicly available agreements in any prior year—has appeared in 12 M&A agreements this year, marking a significant leap in presence.
Corporations are incorporating sustainability, diversity, human rights, and other corporate social responsibilities (CSRs) into their contracts. Thus far, in M&A, references to “ESG” or “environmental, social, governance” are still found in very few publicly available agreements. Based on our search, 2020 and 2021 have had the highest number of agreements referencing ESG yet, and we expect to see more in 2022, especially if ESG is incorporated into regulatory frameworks and financial systems. Potentially a related indicator for ESG is “climate change,” which had a consistent level of references in agreements over the past decade before reaching an all-time high in 2021.
Remote Closings
According to our search of publicly available M&A agreements, which was crafted to capture agreements that allow for “remote” or “virtual” closings, the number of agreements explicitly allowing this type of closing has surged this year.
In 2021, we found 506 agreements allowing for remote closings. This number is way up from 279 agreements in 2020 and 200 in 2019. Some are saying virtual dealmaking is here to stay, and these numbers make that stance hard to ignore.
PE Deal Drafting
There has been a massive amount of private equity M&A activity this year. When recently asked about the drafting trends he has been seeing in PE M&A deals, Andrew Nussbaum, corporate partner of Wachtell, Lipton, Rosen & Katz, noted that PE deals, both on the buy side and the sell side, “look more and more like a public company M&A transaction.” Nussbaum also noted that when the pandemic caused some deals to be renegotiated or terminated, it reminded sellers that “the boilerplate never matters until it does.” (The full discussion from August 2021 can be accessed here.) More public-style deal terms and closer attention to the boilerplate are trends to watch in PE deals into 2022.
This article was originally published on Bloomberg Law as “ANALYSIS: Predicting M&A Drafting Innovations in 2022” on Nov. 1, 2021.
Reproduced with permission. Bloomberg Law, Copyright 2021 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bloombergindustry.com
Project Chair: Matthew R. Kittay, Fox Rothschild LLP
Key Contributors: Haley Altman, Litera; Anne McNulty, Agiloft; David Wang, Wilson Sonsini Goodrich & Rosati
Peer Reviewer: David Albin, Finn Dixon & Herling LLP
Committee Chair: Wilson Chu, McDermott Will & Emery LLP
Subcommittee Chair: Daniel Rosenberg, Charles Russell Speechlys LLP
“We’re often and in fact almost always way behind the curve on what is actually happening in the market. As a result, we’re backing into the regulation of the market by observing what is actually happening in the market.” — David Wang, Chief Innovation Officer, Wilson Sonsini Goodrich & Rosati
Goal. The goal of this guidance is to review the ethical implications of the use of legal technologies by M&A lawyers. While the group that developed this guidance understands that negotiating changes to contracts with many popular service providers is impractical in most scenarios, we believe that there are safe, productive and client-focused steps that can and should be taken by all attorneys to improve their workflows and their clients’ legal product. Assuming that most readers will accept this general premise, this guidance focuses on how to effectively counsel clients and provides items for action and consideration by attorneys, for example when clients (or lawyers on the other side of a transaction) ask to use a particular technology on a transaction.
Although the examples given in this guidance refer to M&A, much of this will be of wider implication including the concise list of key issues set out in Appendix A.
Key questions addressed include:
What ethical duties must lawyers discharge when engaging these technologies?
What are the ethical and practical considerations regarding “automation” and the “unauthorized practice of law”?
Where is data that lawyers upload onto technology platforms hosted, and what are the data sovereignty implications?
What rights (IP and other) do the technology platforms take over the data that lawyers upload?
What level of security/confidentiality should lawyers require from technologies that we use?
How can lawyers effectively evaluate software?
1.0. Framework.
In order to provide guidance and some best practices to consider in leveraging technology in an M&A practice, we must start with the key ethical frameworks that underlie the use of technology and may encourage or require its usage in certain contexts. The American Bar Association’s Model Rules of Professional Conduct (the “Model Rules”), case law, and statutes help define the lawyer’s professional responsibility for utilizing technology in the practice of law, as well as the risks that must be addressed when certain technology is leveraged in the practice.
1.1. ABA Model Rules of Professional Conduct.
The specific Model Rules which govern or implicate requirements to use technology include: Rule 1.1 Duty of Technological Competence; Rule 1.5 Obligation not to collect unreasonable fees; and Rule 1.6 Duty of Confidentiality.
1.1.1. Model Rule 1.1 — Duty of Technological Competence (Comment 8):
“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”
The profession has increasingly recognized a two-fold duty with respect to the use of technology. Namely, these are the obligations to assess technology and determine whether the technology improves the services and benefits to a client, and also to understand the technology and ensure its use does not jeopardize the confidentiality of client information.
1.1.2. Model Rule 1.5(a) — Obligation not to collect unreasonable fees:
“A lawyer shall not make an agreement for, charge, or collect an unreasonable fee or an unreasonable amount for expenses…”
For example, if a client needs exactly the same agreement duplicated, except with altered party names, dates, and contact information, a lawyer must consider what are reasonable fees to collect for the work.
1.1.3. Model Rule 1.6 — Confidentiality of Information:
(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).
(b) A lawyer may reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary [as listed[1]];
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
When applying this Model Rule, the information may require additional security measures, and potentially could prohibit the use of technology depending on criteria including: the sensitivity of the information; the likelihood of disclosure if additional safeguards are not employed; the cost of employing additional safeguards; the difficulty of implementing the safeguards; and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
Furthermore, when considering Model Rule 1.6, attorneys should consider obligations of confidentiality with respect to client data specific to the platform in question, taking into consideration, for example:
that technology platforms take different intellectual property rights over the data uploaded;
Opinion Number 477, which evaluates data breaches and possible ethical considerations;[2]
and in addition to ethical obligations with respect to the data:
contractual obligations, regulatory and compliance obligations, IP rights, training, diligence of the vendors and client expectations and other business considerations.
Practically speaking, this means attorneys should, at a minimum, know where the data is; know that client data is protected; know that they own it; and maintain the ability to remove it from systems in a secure manner. By way of example, using a cloud service could violate non-disclosure agreements and potentially result in heavy fines and a loss of trust among clients, as discussed immediately below in Section 1.2.[3]
1.2. Laws and Regulations.
In addition to the ethical obligations imposed by the Model Rules, there are several key legislative acts and case law decisions which lawyers need to consider.
1.2.1. Stored Communications Act (SCA).
The Stored Communications Act (SCA), 18 U.S.C. §§ 2701 et seq., governs the disclosure of electronic communications stored with technology providers. Passed in 1986 as part of the Electronic Communications Privacy Act (ECPA), the SCA remains relevant to address issues regarding the privacy and disclosure of emails and other electronic communications.
As a privacy statute, diverse circumstances can give rise to SCA issues:
Direct liability. The SCA limits the ability of certain technology providers to disclose information. It also limits third parties’ ability to access electronic communications without sufficient authorization.
Civil subpoena limitations. Because of the SCA’s restrictions on disclosure, technology providers and litigants often invoke the SCA when seeking to quash civil subpoenas to technology providers for electronic communications.
Government investigations. The SCA provides a detailed framework governing law enforcement requests for electronic communications. SCA issues often arise in motions to suppress and related criminal litigation. For example, a growing number of courts have found that the SCA is unconstitutional to the extent that it allows the government to obtain emails from an internet service provider without a warrant in violation of the Fourth Amendment. See U.S. v. Warshak, 631 F.3d 266 (6th Cir. 2010).
1.2.2. Microsoft Case.
Microsoft had data hosted in one of its Ireland data centers. Microsoft was sued by a US government entity, and the prosecutors wanted to pull data from the Microsoft servers in Ireland. The case affirmed that the US government cannot access data in a foreign country. See U.S. v. Microsoft Corp., 584 US ___, 138 S. Ct. 1186 (2018).
1.2.3. The CLOUD Act.
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was passed in March 2018 in response to the Microsoft Case, and clarified related data sovereignty issues, confirming that a company can determine data residency by designating where information must be stored or resides as part of contract and company policies. This legislation added to the complexity of the data sovereignty laws (the laws to which a company’s data is subject) for multinational companies that store data in different regions, as it can conflict with US, UK (GDPR), EU, and Chinese data storage regulations.
1.2.4. Consumer Data Protections.
There are of course also consumer protection laws and regulations protecting data and determining ownership. These regulations limit disclosure of information and protect people’s data. The General Data Protection Regulation (GDPR) is an excellent precedent for the tension between surging forward with automation of legal processes, and protecting against legal ethics and malpractice concerns. GDPR’s purpose is to give personal control of data back to the individual through uniform regulation of data and export control.
1.2.5. Global Problems for Global Law Firms.
For law firms with offices in different regions and with different carriers, each office may be subject to different data storage rules applicable to that particular office. This requires that law firms consider data sovereignty rules in connection with their cloud services providers and the related data licenses for global entities.
2.0. Taxonomy of Data.
For any particular technology, lawyers need to take a step back and consider several issues, including: what is it actually trying to accomplish; what is the business goal of that technology; what is your goal in the representation; and how do those things interact. The professional responsibilities and consequences implicated will differ depending on the technology and the type of interaction.
2.1. Automation.
There is no practice too complex to be at least partially automated; it is a matter of cost. It’s not impossible for technology to solve many of the inefficiencies involved in drafting documents; it’s a matter of costs, and the costs are decreasing over time. Drafting a complex, well-functioning and technically coherent merger agreement, for example, may be very hard and beyond the limits of technology even theoretically. But it is not a requirement for automation that the automation must “fully” automate everything about a process before the technology fundamentally disrupts the status quo. If even 50% of a merger agreement became automatable, it would change how these agreements are done and how the business of mergers is priced.
2.2. Ethical Issues Arising from Structured Data.
2.2.1. Process elements, workflow management, due diligence software—all create deal process efficiencies but also have ethical implications. Often, a lawyer can invite collaborators—which can lead to confidentiality breaches as well as eliminate attorney-client privilege. And closing automation tools require the data to be structured to automate the closing process, which requires the software to store facts about the specific transaction to close the deal. Likewise, transaction technology for populating contracts must process data about how a document is assembled and then incorporate some rules into its system. Initial data storage, active management during the deal, data retention and ultimately data destruction all need to be considered.
2.2.2. Examples of Implications for “Reasonable” Fees and the “Unauthorized Practice of Law” — Automated Cap Tables and NDAs. The inputs, outputs and procedures used for cap tables in a transaction are largely the same as the data that computer programs and programmers work with. There now exists working software that manages cap tables for private companies, public companies, and the individuals at these companies. A CEO or HR manager of a startup can access information directly, live at any time, and handle transactions on the platform themselves if they choose. There are rules that go into the system and then there are processes—data inputs in a digitalized transaction automatically populate form documents, check automatically whether a company is complying with limitations such as available shares in the plan, generate consents directly, and go back into the cap table automatically and update it. Other software, for example, undertakes automatic reviews of an NDA. The non-lawyer client or lawyer uploads the NDA, and the software will mark up the document, spot all the issues, produce an issues list by comparing it against the company’s playbook, and recommend edits to strengthen the client’s position.
2.2.3. No lawyer is involved in either the cap table system or the NDA review, and these technologies are deployed hundreds of times a day all over the country. There may be a one-time licensing fee or monthly contract for this service, no matter how many times it is utilized. How much can a law firm charge? If it’s more than a minimal amount per issuance, is the firm’s fee reasonable and consistent with Model Rule 1.5(a)? And furthermore, are software developers or the individuals and companies that license the software engaged in the unauthorized practice of law? In reality, clients will likely always want their attorney to scrutinize and augment the output to ensure accurate and excellent legal work, but these questions should still be considered.
3.0. Ownership of Data, IP Rights and Client Rights.
3.1. Types of Data.
When evaluating ownership issues, there are three types of “data” to consider, and the critical and harder questions relate to Mixed Data:
3.1.1. User-Created Data.
For example, a photographer is clearly the owner of a picture they take, and ownership is protected by copyright laws. In the legal-services context, the attorney work product—the documents themselves, any work done on those documents, comments, tags, as well as any records that are generated on the basis of that work—is User-Created data.
3.1.2. Servicer-Created Data.
Data created before uploading into the cloud has clear ownership and intellectual property claims by the creator or someone working on a paid basis for a business or organization, either licensed or sold to the end-user.
3.1.3. Mixed Data.
“Gray areas” that are the result, for example, of data that is modified or processed. In these cases, data that has been created within the cloud could come with some strings attached. It’s incumbent on the end-user to properly claim and protect this data and intellectual property. This is difficult as the legal processes have not kept pace with the developed technology.
3.2. Laws and Lawyers Protecting Data Rights.
3.2.1. Laws and Regulations.
There are of course laws and regulations protecting data and determining data ownership. These regulations limit disclosure of information and protect people’s data (supra, Section 1.2). Relying on laws and regulations, however, is not sufficient for an attorney to discharge their ethical obligations.
3.2.2. Contractual Protection.
Underlying ownership needs to be clarified in license agreements—where that data needs to be located, the privacy that needs to be retained, and how that data can be used. Key concerns include:
protection of the confidential data, particularly if it pertains to client confidential information, and
controlling what technology providers do when they receive a lawyer’s data, including what happens to pieces of information they need to collect and store to provide the contracted service.
To protect confidentiality, privilege and work product, lawyers need to own the derivative works that the technology produces, and therefore usage terms and conditions need to be reviewed very carefully.
3.2.3. Artificial Intelligence (“AI”) Tools.
AI tools are key digital assets for lawyers. But most software, and the software that is most easily accessible, is built for consumers, not lawyers. These tools are typically free, and they produce mixed data. Foreign language translation tools (where a machine and a human may be doing the translation together to teach the software to be more accurate over time) have presented specific concerns. These “derivative works” often have meaningful, even beneficial, intents. The vendor may want to analyze and use the customer data to provide tailored services to the customer; process and aggregate the customer data for commercial exploitation by creating new products and services; use the processed data to enhance its internal operations, products or services; or license the data to third parties. “Free” tools, however, may collect and use data in ways the end users did not contemplate when they used the software.[4]
In addition, lawyers often need to review large volumes of contracts (and other documents) in the context of transactions or regulatory reviews, or for the purpose of producing market intelligence or deal term studies. AI-assisted contract review software can facilitate these processes. When using this kind of software, there are two possibilities: either the system can find what the lawyers need out of the box, or the lawyers will need to embed their own knowledge into the platform by “teaching” it to find the information they need. Lawyers can teach AI systems to find custom information by identifying examples of that information in a document set that is representative of the types of documents they will need to review in practice. The software then studies those examples, infers the pattern, and produces a “model,” which is then used to find that information in new documents imported into the software. The process for using AI-assisted contract review software is generally straightforward: the lawyer uploads the contracts for review into the software, and the platform automatically extracts information from those contracts (via either pre-built models or custom models built by the lawyer’s organization) for the lawyer to review. If more junior lawyers are doing the initial review, they can flag problematic provisions for second-level review.
In considering the implications of using this kind of software, both rights to the uploaded documents and rights to the custom models must be considered. While in-house lawyers may be comfortable with giving software providers copies of or rights to their documents where contractually permissible to do so, law firm lawyers providing services to their clients likely would not be (at least not without their clients’ consent). Any software provider that serves professional services organizations would have an uphill battle if they attempted to take ownership or have rights to the data that is typically from their customers’ customers. It is also important to consider how the software license agreements deal with any intellectual property created when lawyers embed their own knowledge into the software by creating custom models. Custom models may represent the knowledge of expertly trained lawyers, and those lawyers’ organizations may want to control any use and/or sharing of that knowledge. While the code underlying the model may be retained by the software provider, it is important to confirm that the rights to use and share custom built models match the firm’s expectations around this issue.
To assist in review and negotiation of license agreements, please see attached Appendix A: Issues for Lawyers to Consider in Legal Technology Agreements.
4.0. Conclusion.
There is no “one size fits all” solution to solve for the ethics issues presented when lawyers engage technology. This guidance, however, captures the issues and serves as a framework for evaluating these issues as they continue to develop. By focusing on these issues, law firms and their attorneys can continue to work with their clients and the legal industry, not just in compliance with their ethical obligations, but also as thought leaders at the intersection of law and technology.
APPENDIX A
Issues for Lawyers to Consider in Legal Technology Agreements
Legal technology agreements are not always abundantly clear, but consider addressing the following issues:
Three types of data—original, derived and usage data
How this data can be used, other than for the benefit of the system
What “access rights” non-lawyers have
What can the software provider aggregate and extrapolate from the data?
How data is being delivered between the parties
Where is it being stored, to inform compliance with sovereignty and data residency requirements?
Specify how data can be stored for each of your different regions and then the global framework
How does the user access the data across different regions without inadvertently pulling data from one location into another that is subject to different privacy policies and protocols?
How does the information get into the system?
Storage requirements
Data retention requirements
Removal requirements and controls
Control of data the lawyer inputs
Control of new data and right to remove (complicated by cloud technology from different providers), and as implicated by GDPR
Specific provisions regarding how data can be used, what derivative works can be created, and what sort of aggregated de-identified data can be leveraged in any sort of contract
If the agreement is silent, assume this information can be used in different ways
“Derivative Works” provision, critical because part of the benefit of the solution is to provide the lawyer a derivative work, such as a fully compiled PDF version of the document with its appropriate signature pages; this is difficult because the vendor wants to make sure that the lawyer can do everything needed or promised by the technology
Clarify no other uses of the data
Add specific permissions around client confidential information
Data residency requirements that tell the lawyer exactly where the data will be and cannot be shifted between regions
Specify that all “Customer Data” (or “Company Content”) is owned by the customer and define customer data; any exceptions must be clearly spelled out.
[1] (1) to prevent reasonably certain death or substantial bodily harm; (2) to prevent the client from committing a crime or fraud that is reasonably certain to result in substantial injury to the financial interests or property of another and in furtherance of which the client has used or is using the lawyer’s services; (3) to prevent, mitigate or rectify substantial injury to the financial interests or property of another that is reasonably certain to result or has resulted from the client’s commission of a crime or fraud in furtherance of which the client has used the lawyer’s services; (4) to secure legal advice about the lawyer’s compliance with these Rules; (5) to establish a claim or defense on behalf of the lawyer in a controversy between the lawyer and the client, to establish a defense to a criminal charge or civil claim against the lawyer based upon conduct in which the client was involved, or to respond to allegations in any proceeding concerning the lawyer’s representation of the client; (6) to comply with other law or a court order; or (7) to detect and resolve conflicts of interest arising from the lawyer’s change of employment or from changes in the composition or ownership of a firm, but only if the revealed information would not compromise the attorney-client privilege or otherwise prejudice the client.
[2] ABA Formal Opinion 477R: Securing Communication of Protected Client Information.
[3] Note, however, various potential benefits from technology: lower fees for clients; increased client retention; more accurately priced projects and the ability to show the breakdown of such fees; recruitment—associates want technology efficiencies, and they may prefer to perform tasks offsite and/or through automated systems instead of manually.
Many, perhaps trending to most, commercial licensors and licensees are utilizing delivery models other than the historic on-premises method (i.e., using computer hardware located at the end user’s location) for providing and accessing software applications. Most commonly illustrated through the use of “cloud computing,” these delivery models raise many of the same issues involved in traditional software licensing, while at the same time creating issues unique to the respective delivery model. Cloud computing provides on-demand delivery of IT resources and applications via the Internet with substantially pay-as-you-go pricing, allowing customers to reduce initial IT expenses while having the ability to quickly increase or decrease IT resources to meet their varying needs.
Under a “SaaS” model, access to a software application is provided to the customer as a service. The vendor/cloud provider or another party hosts the software application on its web servers or via a third-party application service provider, allowing customers access to the software using web browser software via a portal and/or the Internet. The customer does not license a copy of the software but accesses the software as a service on an as-needed basis.
(a) Overview
(i) Benefits
From a software cloud provider’s perspective, SaaS allows the cloud provider to reduce its support costs by maintaining a single version of its software on a single platform. A SaaS model allows cloud providers to monitor how their customers use the application, bring improvements to the market, and address uniformly for all customers any problem that arises. The cloud provider’s support staff is able to evaluate a customer’s problem because each customer is using the same application on the same platform. Updates are automatically made available to customers instead of customers having to wait to receive, install, integrate and pay for the newest update. In addition, SaaS allows the cloud provider to sell to customers who may not be able to afford the upfront fees required to procure the software and/or the infrastructure to support it.
From the customer’s perspective, the customer is able to reduce its information technology costs by not having to purchase an application license, the hardware required to run it, as well as fees for updates and technical support. All of these costs are built into the fee for accessing the application, allowing the customer to direct its technology budget to those technologies that will provide a competitive advantage in its industry.
For cloud provider–owned applications, the customer’s cost to access the application should be reduced as the price is amortized among several users and the subscription fee is often based on usage. By paying only for its proportionate share of computing power and other resources that it uses, the customer avoids paying for excess capacity. The usage fee is amortized over the period of the customer’s use as differentiated from the purchase of a software license where payment in full is usually due immediately upon acquisition of the license. This payment mechanism evens out the user’s payments over the course of a year, potentially helping cash flow.
The customer will also avoid the significant time and cost of installing an application. In essence, application management has been outsourced, allowing the customer’s IT staff to focus on other projects. Because the software is already operating on the cloud provider’s system, the time to begin using the new application is dramatically reduced. The customer’s software usage is fully monitored by the cloud provider, allowing the cloud provider to instantaneously receive “feedback,” speeding the pace of improvements to the application, and allowing customers to benchmark against their peers. Further, the customer is able to automatically access the most recent updates and enhancements to the application without the risks inherent in transitioning to a new version.
(ii) Limitations
SaaS does have several limitations/reasons for concern. The greatest is that the customer has relinquished control over its IT to a third party and is totally dependent on the third party to consistently deliver access without interruption while using a secure environment. Although the customer is purchasing a service not a software license, a customer still needs contingencies that address sudden cessation of the cloud provider’s business or an event of force majeure, as application continuity is necessary to enable end user business continuity (contingency) plans. The customer also lacks the ability to customize the applications for its needs as most cloud providers will only modify the application for very large customers.
Another challenge for customers is that many cloud providers require customers to use the cloud provider’s non-negotiable template agreement to purchase the cloud provider’s services. These cloud providers argue that pro forma contracts are industry standard and reflect the nature of lower margins and shared services, thus negating the need to negotiate the contract. Although a cloud provider’s contract may be non-negotiable, customers should carefully review the agreement to make sure it meets their needs. For example, does the agreement provide the use rights the customer requires, such as allowing the customer, its contractors, and the customer’s customers to access and use the software?
(iii) Delivery Models
SaaS is usually delivered through one of two models: a hosted application model or a software-on-demand model. In the hosted application management model, a hosting provider hosts the desired application, delivering the application to its customers over the Internet. Under the software-on-demand model, the cloud provider (i.e., the software licensor) provides its customers network-based access to a single copy of an application modified for SaaS. Software on demand is also known as the “application service provider” model. In both cases, the customer is paying for access to the application. The cloud provider may choose to have someone else host it, but delivery is the same and essentially “on-demand.” In most situations, the cloud provider will provide, maintain and host an application while providing the customer access to the application. The application may be held in a dedicated environment with its own instance of the application, or alternatively, the application may be hosted in a multi-tenant environment with a common version of the application running on a logically partitioned environment.
A shared multi-tenant environment uses a single instance of the application to provide access to multiple customers. All customers access and use the same instance of the application, creating an efficient means of implementing patches, upgrades, fixes and maintenance. A single-tenant environment provides access to a single customer, creating a more expensive service that cannot be easily scaled. A shared environment creates greater security risks, as many clients’ data may be hosted on a single server. Thus, clients with sensitive data will often insist on dedicated servers. The language below reflects the potential concerns of customers.
Dedicated/Partitioned Environment. Any time Services are performed at the Customer Facilities, Vendor shall provide the Services using hardware, software and related resources dedicated solely to supporting Customer. Unless otherwise expressly provided in this Agreement, all Services provided from the Vendor’s Facilities shall be provided using partitioned or dedicated Equipment. Vendor shall not provide any Services from a shared processing environment unless specifically approved in writing by Customer.
The cloud provider may choose to deliver SaaS either by hosting the application itself or by outsourcing the hosting of the application to a hosting provider. Usually, the cloud provider will use its own proprietary software, which it provides to its customers. In some cases, a hosting provider will license a copy of the software from the cloud provider and set up a SaaS model with its own customers. In the latter case, the hosting provider acquires rights from the software cloud provider and provides access to and use of the application to customers. This approach is often defined through a “reseller” arrangement.
(b) Contractual Provisions
(i) Services
The underlying SaaS agreement between the parties should clearly set forth the cloud provider’s obligations and the services it will provide. In a SaaS relationship, most cloud providers will provide:
Access to an identified application,
Technology updates,
Data storage,
Data back-up,
Data security, and
User support.
To the extent a service is not listed, the customer should assume it is not included. For example, if data back-up is not listed, the customer should assume the cloud provider will not be providing such services and the customer should back-up its own data on a regular basis. To the extent the cloud provider desires to implement a material change in the provided services, the cloud provider should be required to provide the customer advance notice of any material change, and the customer should have the right to terminate the agreement for convenience without penalty.
If applicable, proof of concept or beta testing should be conducted prior to making any long-term commitments to the cloud provider. The customer should ensure that the data created by the application is compatible with the customer’s legacy systems (e.g., that the data schema are susceptible to “extract transform and load” (“ETL”) modification and injection to other current systems) and thus avoid any potentially costly and time-consuming data migration project. The cloud provider should also be willing to provide the customer a written commitment as to the application’s future features and functionality that will be made available to customers. A prudent cloud provider may be hesitant to do so, however, to retain the maximum flexibility to operate its business.
(ii) Ownership of Data
From the customer’s perspective, the agreement should clearly state:
the customer owns its data (and all intellectual property rights related thereto);
the customer will have immediate access to its data without charge upon demand;
upon termination of the agreement the customer may take its data to a new cloud provider; and
the format in which the data will be returned to the customer.
The agreement should also describe how and in what format the data will be returned and prohibit the cloud provider from withholding data for non-payment. Return of the data should be prompt and not conditioned on the customer meeting a payment demand by the cloud provider.
Sometimes it is the customer’s responsibility to remove the data, i.e., to copy it onto its own system. If this is the case, the customer should make sure that once the data has been copied and the customer has confirmed it has a reliable copy of its data, the cloud provider destroys the data that remains on the cloud provider’s systems. Usually, the cloud provider will want to do so in accordance with its own practices, e.g., by overwriting, etc. To the extent any data is contained on backup tapes, the backup tapes should be immediately destroyed, and an authorized officer of the cloud provider should certify that the tapes have been destroyed. Finally, the agreement should set strict time frames for the destruction or return of the data.
Some customers may require the cloud provider to issue a “destruction certificate” as proof of action by the cloud provider. However, there may be issues with respect to multi-tenancy environments where redundant data sets or similar copies of data continue to exist. Unless the relationship is managed in a single tenant database, it may not be possible to assure total destruction of the data. Contrary to the point above, it is also critical from the customer’s perspective that the cloud provider be prohibited from destroying the customer’s data in the event of non-payment until the customer has provided written instructions to do so.
Prudent cloud providers should develop an internal guidance/checklist setting forth the actions to be completed prior to executing a destruction certificate to avoid unintentionally creating liability on the cloud provider’s behalf. To avoid potential problems, the certificate should be signed by the team lead for the team that completed the work, usually a member of the IT department.
(iii) Cloud Provider Access and Use of Customer Data
Cloud providers often seek access to the customer’s data for many reasons, including the cloud provider’s desire to aggregate and resell the customer’s data to third parties. Under no circumstances should the cloud provider be able to sell the customer’s data to a third party, even if it has been “cleansed” of any identifying information. The cloud provider should be contractually prohibited from accessing or disclosing customer data. While prudent customers should seek to limit the cloud provider’s use of their data, the cloud provider should have the ability to collect and analyze usage data to improve the quality of the cloud provider’s services, including as input for its product/services “roadmap.” The agreement should clearly state that all customer data is confidential regardless of whether it is displayed to or accessible by the cloud provider. Allowing the cloud provider to access customer data may raise antitrust issues as well as limit the customer’s ability to claim trade secret protection for such data. For a discussion of trade secrets in the cloud see Sandeen, Lost in the Cloud: Information Flows and the Implications of Cloud Computing for Trade Secret Protection, 19 Va. J.L. & Tech. 1 (2014).
The customer should not agree to amorphous language such as the cloud provider will “comply with industry standards” or the cloud provider will “use commercially reasonable efforts to protect the customer’s confidential information.” A prudent customer will also seek to prohibit the storage of users’ credentials and passwords by the cloud provider.
Model language favoring the cloud provider:
We routinely collect and analyze metadata regarding your usage of the Cloud Services, excluding any personal data. We may use this information to gauge Cloud Services usage levels and application performance, as well as to create anonymized statistics for our own marketing purposes.
The following language provides the cloud provider even greater leeway to utilize the customer’s data.
Vendor may use and reproduce Company Data at the direction of Company (such direction taking the form of the terms of this Agreement and the relevant Schedules) for the limited purposes of providing, operating, and maintaining the Services provided to Company. Company will secure for Vendor the right to use and reproduce Company Data, including any Personal Information therein, solely to the extent necessary to provide the Services to Company, without creating any obligations for Vendor beyond those set forth in this Agreement. Vendor may use usage patterns, trends, and other statistical data derived from use of the Services (but not Company Data itself) for the purposes of providing, operating, maintaining, or improving the Services and any Vendor products and services used to deliver the Services.
Compare the preceding language to the following language which favors the customer:
Customer grants Vendor a limited, royalty-free, non-exclusive, non-transferable and non-sublicensable license to process the Customer Data only in the United States as instructed by Customer and only to provide the services for Customer’s benefit so long as Customer uploads or stores Customer Data in the System, subject to all terms and conditions of this Agreement.
(iv) Data Retention
Given significant numbers of customers, relatively short contract lengths, and the commoditized nature of cloud computing, many cloud providers retain customer data for very short periods of time. To the extent the customer has specific concerns, it should ensure the underlying agreement allocates not only responsibility for data retention and backup but also the time period in which data will be retained. The period of retention will depend on RTOs/RPOs, the requirements for retention of metadata, and the cost of doing so. RTO and RPO are common terms: a “Recovery Time Objective” measures how long it will take to recover data and resume using an application that has gone down, while a “Recovery Point Objective” speaks to data freshness at the time of recovery. Sometimes, companies can recover data that is a week old, meaning all the data from the current week would be lost. For mission critical applications, RPOs of less than one hour are standard.
Another issue for consideration is litigation holds, including the ability of the cloud provider to retain metadata. A prudent customer will contractually provide how it will notify the cloud provider of any litigation hold and how the cloud provider will preserve the relevant data. The failure to do so may lead to discovery sanctions on the customer in the event of any litigation.
Further, to the extent a cloud provider is required to destroy or retain the customer’s data, the parties should realize that it is virtually impossible to destroy all data as customers’ data will be inevitably retained in backup tapes and the memory of the servers. As a result, some negotiated transactions include provisions for ongoing but secure storage by the former cloud provider of former customer data for specified, tax, quality control, or other purposes.
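The RTO/RPO and retention discussion above can be made concrete with a small assessment helper. The following is an added example written for this guide, not part of the original text or of any vendor’s tooling; the backup timestamps, incident times and objectives are constructed, and the function names are hypothetical. It takes the completed backup times a provider reports, the moment an incident occurred, and the time service was restored, and returns the achieved recovery point (work lost) and recovery time against the contractual objectives; it also checks whether the retained backup set still spans the agreed retention period.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List


@dataclass(frozen=True)
class RecoveryAssessment:
    last_good_backup: datetime
    data_loss: timedelta   # achieved recovery point: work between the last backup and the incident
    downtime: timedelta    # achieved recovery time: outage until the application is usable again
    rpo_met: bool          # True when the data loss does not exceed the contractual RPO
    rto_met: bool          # True when the downtime does not exceed the contractual RTO


def assess_recovery(backups: Iterable[datetime], incident_at: datetime, restored_at: datetime,
                    rpo: timedelta, rto: timedelta) -> RecoveryAssessment:
    """Compare an actual outage against the RPO/RTO the agreement promises (hypothetical helper)."""
    if restored_at < incident_at:
        raise ValueError("restored_at must not precede incident_at")
    # Only backups completed before the incident can be restored from.
    usable = [b for b in backups if b <= incident_at]
    if not usable:
        raise ValueError("no backup predates the incident: everything since go-live is unrecoverable")
    last_good = max(usable)
    data_loss = incident_at - last_good
    downtime = restored_at - incident_at
    return RecoveryAssessment(last_good, data_loss, downtime, data_loss <= rpo, downtime <= rto)


def covers_retention_window(backups: Iterable[datetime], as_of: datetime, retention: timedelta) -> bool:
    """True if the oldest retained backup reaches back at least `retention` from `as_of`."""
    backups = list(backups)
    return bool(backups) and min(backups) <= as_of - retention


# Constructed scenarios (not real provider data).
RPO = timedelta(hours=1)          # "less than one hour" target for a mission critical application
RTO = timedelta(hours=8)

WEEKLY_BACKUPS: List[datetime] = [datetime(2024, 1, 7, 2), datetime(2024, 1, 14, 2), datetime(2024, 1, 21, 2)]
HOURLY_BACKUPS: List[datetime] = [datetime(2024, 1, 18, 0) + timedelta(hours=h) for h in range(24)]


def weekly_scenario() -> RecoveryAssessment:
    """Weekly Sunday backups, failure on Thursday afternoon: most of the week's work is lost."""
    return assess_recovery(WEEKLY_BACKUPS, datetime(2024, 1, 18, 14, 0), datetime(2024, 1, 18, 18, 0), RPO, RTO)


def hourly_scenario() -> RecoveryAssessment:
    """Hourly backups, same failure time: at most one hour of work is lost."""
    return assess_recovery(HOURLY_BACKUPS, datetime(2024, 1, 18, 13, 45), datetime(2024, 1, 18, 14, 30), RPO, RTO)


if __name__ == "__main__":
    for name, result in (("weekly", weekly_scenario()), ("hourly", hourly_scenario())):
        print(f"{name}: lost {result.data_loss}, down {result.downtime}, "
              f"RPO met={result.rpo_met}, RTO met={result.rto_met}")
    print("14-day retention covered:",
          covers_retention_window(WEEKLY_BACKUPS, datetime(2024, 1, 21, 12), timedelta(days=14)))
```

Run against a provider’s backup report after a real incident, the two booleans are the evidence a customer needs when claiming service credits, and the retention check is a quick way to confirm that the backup set the provider actually keeps matches the period written into the agreement.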
(v) Pricing and Payment
Customers may be charged through various means, including on a per-user per-month basis, on a monthly subscription for the customer’s entire company, or on the results of a customer’s use of the application. As an example of the last, infrequent, pricing metric, a marketing software company is paid according to the number of solid leads generated through the customer’s use of the software.
Customers should carefully evaluate a contract’s pricing model to ensure the pricing structure is clearly delineated and that the customer has the ability to independently verify any amounts that it is billed by the cloud provider. If access is based on the number of seats or users, the definition of “users” will serve as the basis for establishing the aggregate fee paid by the customer. As such, the customer should clearly understand how the application will be used and who will be accessing and using the application.
For example, if a cloud provider defines a “user” as a named individual accessing the system, and the “named user” terminates their employment and a replacement employee is hired, is the customer required to purchase a new license for the new employee, or may it transfer the license from the old employee to the new employee? Like a traditional license, the price should be fixed for a set period of time, and the amount of any future price increases should be capped.
Further, if the customer’s customers will be indirectly accessing the application, do they need a license? The customer’s failure to obtain the rights it requires or to understand its use rights may prevent it from achieving the synergies it expected from using the application, as well as cause the customer to incur significant unforeseen costs. See SAP UK Limited v. Diageo Great Britain Ltd [2017] EWHC 189 (TCC) February 16, 2017 (SAP successfully sought additional compensation for Diageo’s customers’ access and use of SAP’s software).
Most cloud providers require the customer to pay quarterly or annually in advance, eliminating any payment risk.
(vi) Service Levels
Service levels are very important, as they establish the cloud provider’s minimum performance obligations and the degree of access that the customer will have to the application or services, including the customer’s own data. Many cloud providers, however, do not offer meaningful SLAs, arguing that the application must meet the demands of multiple customers. Most cloud providers will at least offer availability service levels, and some may be willing to provide additional remedies beyond service credits for an additional fee. If appropriate, customers should seek to negotiate additional SLAs covering response times, bandwidth and security breaches, although most cloud providers will only agree to meet minimum legal requirements. SLAs almost never cover failover guarantees or contingencies that address issues beyond the cloud provider’s control, such as the sudden cessation of the cloud provider’s business or an event of force majeure. Cloud providers should avoid being measured on any customer-dependent elements such as location processing capability.
Service levels should reflect the usage of the application. For example:
How is the application being used?
Where are the employees using the application located?
What time of day will the employees be accessing and using the application?
A successful service level should be objective, critical to the successful performance of the services, tailored to the services, and achievable by the measured party. Common service levels include:
Availability (both network and application)
Remedies (including financial penalties/credits)
Problem response time
Issue resolution/Escalation Procedures, including status reporting
User support
Data return (Recovery Time/Recovery Point Objectives)
Simultaneous visitors/users
Page response times
(vii) Data Security
Security is important when utilizing a SaaS model, but it is especially important for those customers utilizing a public cloud. By centralizing a party’s data in a secure data center, a party may actually increase its security (e.g., via the greater skills, resources, oversight, and testing that may be enabled by greater scale, i.e., a cloud provider testing and optimizing cybersecurity on behalf of multiple customers and its overall business model, versus a single entity attempting to achieve cybersecurity excellence only on its own behalf and outside its core focus or competencies). On the other hand, the customer has ceded control over its data and now is dependent on the cloud provider for protection.
There are three aspects of security: physical security, technical security and administrative security. Prudent customers should undertake a comprehensive risk assessment that evaluates the scope of the purchased services and seeks to identify any threats and vulnerabilities affecting receipt of those services. They should assess the cloud provider’s security policies and ascertain the potential risk of a threat triggering a vulnerability as well as the potential impact if such a threat occurs. Customers will typically address their concerns with the cloud provider and incorporate their security requirements in the underlying agreement—often as a detailed, separate exhibit to the contract. Depending on the value of the contract and the importance of the application, the customer should visit the facility from which the cloud services are provided, if applicable and allowed, and request a written copy of the cloud provider’s security protocol for the building’s physical security and the security of the network from intrusion and viruses, as well as annual updates. The customer should closely examine and vet the cloud provider’s policies as well as ascertain the specific type of infrastructure used by the cloud provider to provide the hosting services.
The cloud provider should undertake an external and internal security analysis several times a year. The results of these efforts should be provided to the customer without the customer having to request it.
Most important, however, is the definition of “data,” as the definition will establish the cloud provider’s security, confidentiality, and privacy obligations. Is “data” limited to information stored by the cloud provider, or does it include data created and collected by the cloud provider in the course of delivering services to the customer? Customers should seek to draft the definition of “data” as broadly as possible to ensure that their data is completely secured.
Security Standards
Multi-tenancy creates significant risks that other customers may be able to access or extract a customer’s data, increasing the risk of viruses and malware entering the customer’s environment as well as other security lapses. As such, customers should carefully negotiate the agreement’s security standards after identifying potential risks and potential approaches to mitigate the identified risks. Such risks, both internal and external, as well as the agreed-upon risk mitigation controls, must be continually monitored during the term of the agreement.
To avoid ambiguity, the parties should specify the specific security standard the cloud provider must adhere to. The customer should ensure that the data center is ISO compliant as well as SSAE 18/ISAE 3402 compliant. SSAE 18 SOC 2 and SOC 3 set forth significantly more stringent audit standards and are specifically focused on data centers. ISAE 3402 is the international equivalent of SSAE 18 and should apply and be reported against whenever data is kept in a global environment. See Chapter 7.E of The Practical Guide to Software Licensing and Cloud Computing, 7th Edition, for a more detailed discussion of SSAE 18 and its requirements.
The cloud provider should maintain a written comprehensive information security program that includes reasonable security procedures and practices to ensure the security, confidentiality, privacy, availability and integrity of user content and other information if transmitted through or stored in connection with the services. Sophisticated customers seek to negotiate these cybersecurity specifications, attaching the agreed upon standards as a detailed exhibit to the agreement.
Location of Data
Prudent customers should consider contractually specifying the jurisdiction in which their data must be housed, or alternatively require that all data remain within the continental United States to avoid subjecting the customer to the laws of those jurisdictions in which the data resides, including the jurisdiction’s privacy laws, data transfer laws and jurisdictional discovery rules. The European Union has very restrictive laws as to data protection and prohibits the transfer of data to countries with inadequate data protection laws. To the extent a customer allows its data to be removed from the United States, a customer should monitor the data’s location to avoid any potential prohibition by the jurisdiction to which its data was moved from relocating the data back to the United States. Savvy customers will include an audit provision allowing the customer to audit the cloud provider’s compliance with its contractual obligations related to data location.
The citizenship of the owners of the data will dictate which state laws govern the vendor’s privacy and security obligations.
Physical Security
Physical security should not be overlooked. The cloud provider should be able to provide the customer with a written security plan setting forth the protections implemented at its data centers including:
limiting and segmenting physical access,
restricting physical access to required personnel,
personnel background checks,
badging, and
training.
The customer should carefully evaluate the cloud provider’s security protections. The customer should understand who has access to its confidential information and data and under what circumstances.
Who has the ability to modify such data?
What controls are in place to protect the customer from an unauthorized individual accessing and modifying the customer’s data?
Where is the cloud provider’s data center located?
Does the data center have adequate physical and virtual security?
Does the cloud provider have appropriate virus protection software and appropriate security measures to protect the customer’s data and internal systems?
What particular testing and validation processes and third-party certifications, if any, will be required?
May the customer initiate periodic “penetration testing” and if so under what parameters?
What, if any, cybersecurity-specific insurance coverage(s) must the cloud provider procure and maintain on the customer’s behalf, at what levels, and for what duration? The customer should ensure the required protections are maintained 24x7, 365 days a year.
Technical Security
The cloud provider should utilize advanced software to detect any attempted and any actual intrusions to its network, as well as eliminate viruses and similar problems. A customer should require that its data be encrypted not only at rest (storage) but also during transmission (i.e., both “at rest” and “in transit”). Not all cloud provider applications are encrypted, making data stored on such applications vulnerable to misappropriation or theft. A customer should insist that the cloud provider comply with specific encryption standards for the encryption of the customer’s data. The language below illustrates this point:
Customer will encrypt the Data using the AES-256 standard and store it on Vendor Simple Storage Service (S3) devices within the Vendor east coast and west coast data centers. When needed, the encrypted Data will be replicated to Elastic Block Store (EBS) devices and made available during the boot process to server instances and associated server user accounts with proper credentials. The credentials will be stored and maintained within the Customer-managed data center and presented to the Vendor server instances only during the boot process. No credentials will be stored in the Vendor cloud environment.
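The custody model in the clause above, as an added example that is not the article’s own language or any vendor’s code: a standard-library Go sketch in which the customer holds a 32-byte AES-256 key, uploads only ciphertext, replicates it unchanged between two in-memory stores standing in for the S3 and EBS devices, hands the key to a server instance only at boot, and audits the vendor stores for key material. AES-GCM as the mode, the object name, and the record contents are assumptions; the clause itself names only “AES-256.”

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// ProviderStore stands in for vendor storage (the S3 and EBS devices in the
// model clause). It maps object names to bytes and holds no key of its own.
type ProviderStore map[string][]byte

// ContainsKeyMaterial is the customer's audit check for "no credentials will
// be stored in the Vendor cloud environment": scan every object for the key.
func (s ProviderStore) ContainsKeyMaterial(key []byte) bool {
	for _, obj := range s {
		if bytes.Contains(obj, key) {
			return true
		}
	}
	return false
}

// CustomerKeyStore models the customer-managed data center holding the AES-256 key.
type CustomerKeyStore struct{ key []byte }

func NewCustomerKeyStore() (*CustomerKeyStore, error) {
	k := make([]byte, 32) // 256-bit key
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return &CustomerKeyStore{key: k}, nil
}

// PresentAtBoot is the only way the key leaves the customer's data center.
func (c *CustomerKeyStore) PresentAtBoot() []byte { return append([]byte(nil), c.key...) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM and prepends the random nonce.
// GCM is an editor's assumption; the clause itself says only "AES-256".
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens an object produced by Encrypt; a wrong key or a tampered
// object fails authentication rather than returning garbage.
func Decrypt(key, obj []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(obj) < gcm.NonceSize() {
		return nil, fmt.Errorf("object too short: %d bytes", len(obj))
	}
	return gcm.Open(nil, obj[:gcm.NonceSize()], obj[gcm.NonceSize():], nil)
}

// RunScenario walks the clause end to end with a constructed record: encrypt
// before upload, replicate the ciphertext unchanged from S3 to EBS, then let a
// booted instance decrypt with the key it received at boot.
func RunScenario(record []byte) (roundTrip, storesHoldKey bool, err error) {
	cks, err := NewCustomerKeyStore()
	if err != nil {
		return false, false, err
	}
	obj, err := Encrypt(cks.key, record)
	if err != nil {
		return false, false, err
	}
	s3 := ProviderStore{"ledger.db": obj}
	ebs := ProviderStore{"ledger.db": s3["ledger.db"]} // replication needs no key
	bootKey := cks.PresentAtBoot()                      // lives only in instance memory
	plain, err := Decrypt(bootKey, ebs["ledger.db"])
	if err != nil {
		return false, false, err
	}
	storesHoldKey = s3.ContainsKeyMaterial(cks.key) || ebs.ContainsKeyMaterial(cks.key)
	return bytes.Equal(plain, record), storesHoldKey, nil
}

func main() {
	ok, leaked, err := RunScenario([]byte("constructed customer record #1"))
	fmt.Println("round trip:", ok, "key in vendor storage:", leaked, "err:", err)
}
```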
The cloud provider should be required to utilize sophisticated intrusion protection and detection software as well as peripheral equipment, and be required to update it on a continuous basis to ensure it remains current with the latest technology. The cloud provider should be contractually obligated to provide detailed reports for any attempted intrusions of material significance as well as any resulting data breaches. The agreement should establish a chain-of-custody log, tightly control and restrict access to any data, and provide a procedure for auditing network and user transactions. In cases where the nature of the customer’s data warrants it, the parties should also consider the use of a virtual private network (VPN) to further reduce security risks.
The parties should establish stringent requirements for the storage of customer credentials and passwords outside of the cloud, including strong access controls. In addition, the agreement should address other common-sense security controls, such as staff screening, firewall standards, access logs and the ability of third-party contractors to access the system. Priority should also be given to preservation of security controls as part of any disaster recovery plans.
Administrative Security
Administrative security refers to the management and operational controls and procedures implemented to protect the system’s security, including:
Authentication of HTTP clients
Administrative console security
Naming security
Use of SSL transports
The common user registry
The authentication mechanism
The authentication protocol
Security Breaches and Incidents
The cloud provider should be obligated to notify the customer immediately in the event of a data breach or suspected breach and provide a detailed written explanation of the nature of such breach/suspected breach and the actions it has taken to remedy such breach. The agreement should address the parties’ respective responsibilities for complying with all federal, state, and local data breach notification laws, including which party has responsibility for drafting a notice to any affected parties, sending the notice, paying for all costs associated with doing so, and identifying costs the responsible party must assume. In addition, the agreement should address which party must pay for any costs associated with complying with new laws enacted after the execution of the agreement.
The most important aspect in framing the parties’ obligations is the definition of “data breach,” as the definition will establish the scope of each party’s obligations. Both parties should ensure they understand the ramifications of the definition and how it will impact their obligations and potential liability.
The agreement also should set out in detail the necessary response on the part of the cloud provider to a data breach, including how quickly the cloud provider must contact the customer to disclose the existence of an intrusion or breach, via what means, how much information the cloud provider must provide the customer, what steps the cloud provider must take to investigate, if the cloud provider will interface with law enforcement and how, how often the cloud provider will update the customer on actions taken to mitigate the effects of any breach, and what remedies the cloud provider will offer, if any. From the customer’s perspective, the customer does not want the affected individuals or entities or its board of directors and executives to first learn that there has been a security breach involving its data from the media or a third party.
(viii) Disaster Recovery
Disaster recovery differs from business continuity in that business continuity addresses issues that may arise in the ordinary course of business such as bugs, hacking, general downtime, and other service interruptions. Disaster recovery addresses incidents more akin to an event of force majeure such as a natural disaster. The cloud provider’s disaster recovery plans should be carefully reviewed by the customer and include the level of redundancy for the application, i.e., the availability of the application in the event of a failure of the primary server or application (such as a geographically distant “hot” site), the cloud provider’s protocol for backing up data (e.g., what frequency, testing, passwords, chain of custody, etc.), the storage of such data offsite, as well as the duration for which it will retain the backups. See Chapter 7.F of The Practical Guide to Software Licensing and Cloud Computing, 7th Edition, for a more detailed discussion of disaster recovery issues. The cloud provider should be able to provide a detailed plan addressing a power outage, natural disaster, equipment failure, the sudden cessation of its business (bankruptcy notwithstanding) and so on, as well as service level agreements for uptime and the ability to log onto the application independently of the cloud provider (for more information, see Chapter 9, Section A.5 of The Practical Guide to Software Licensing and Cloud Computing, 7th Edition, discussing SaaS Escrow). Finally, the cloud provider should disclose any audit protocols it has adopted to ensure its existing protocols and methodologies are followed. The customer should also ask the cloud provider about any previous security problems or service interruptions.
(ix) Indemnification
As with any commercial agreement, indemnification plays an important role in allocating and managing the parties’ risk. While indemnities have traditionally addressed third-party claims, both parties should provide a direct cross-indemnity to the other, although the breadth of their respective indemnification obligations will likely differ. Many parties will seek an indemnity for breach of contract but doing so cannot be justified as each party’s remedy should lie in a breach of contract claim.
Customers should seek to have the cloud provider indemnify them for:
Intellectual property infringement claims arising from intellectual property selected and used by the cloud provider
Compliance with laws
Breach of confidentiality
Breach of the agreement’s security obligations and standards by the cloud provider
In those situations where the cloud provider will not agree to indemnify the customer, the customer should seek to have the cloud provider pay for any costs associated with a party’s notification obligations under law or the terms of the contract. These may include investigating the breach, notifying the affected individuals and entities of any breach or security incident, staffing any help desk assisting with questions regarding the breach or security incident and the cost of any credit monitoring.
Model language for the cloud provider’s indemnity obligations follows:
Vendor will defend, indemnify and hold Customer and its respective officers, directors, employees and agents (each an “Indemnified Party”) harmless from and against all liabilities, damages, claims, costs and expenses (including reasonable attorneys’ fees and costs and expenses of expert witnesses) or other losses (collectively, “Losses”) brought by a third party against an Indemnified Party arising from the acts or omissions of Vendor, its employees, affiliates, subcontractors or agents in the performance of the Services.
Vendors should seek to have the customer indemnify them for:
Intellectual property infringement claims arising from the customer’s content as well as any intellectual property selected and used by the customer
Compliance with laws
Breach of confidentiality
Defamatory statements
Violation of law
Breach of the cloud provider’s Acceptable Use Policy (AUP) including non-compliance with the cloud provider’s security policy
Model language for the customer’s indemnity obligations follows:
You agree to indemnify, defend and hold Us, our affiliates and licensors, each of our and their business partners and each of our and their respective employees, officers, directors and representatives, harmless from and against any and all claims, losses, damages, liabilities, judgments, penalties, fines, costs and expenses (including reasonable attorneys’ fees), arising out of or in connection with any claim arising out of:
Your use of the Services in a manner not authorized by this Agreement, and/or in violation of the applicable restrictions, AUPs, and/or applicable law,
Your Application, Your content, or the combination of either with other applications, content or processes, including but not limited to any claim involving infringement or misappropriation of third-party rights and/or the use, development, design, manufacture, production, advertising, promotion and/or marketing of Your Application and/or Your content,
Your violation of any term or condition of this Agreement, including without limitation, Your representations and warranties, or
You or Your employees’ or personnel’s negligence or willful misconduct.
(x) Limitation of Liability
To understand and quantify its risk, the customer should undertake due diligence that includes a review of the cloud provider’s technology platform and security practices. Doing so will allow the customer to potentially mitigate any risks associated with the purchased services. By purchasing SaaS services, the customer is outsourcing a service that it did not want to provide itself as well as a set of operational, compliance, and legal risks that it did not want to assume. Thus, a cloud provider should not be expected to assume a risk that the customer itself was unwilling to assume, as the cloud provider is not an insurer of the customer’s risks.
It is in both parties’ interest to limit risk. The mere fact that personally identifiable information (PII) is exposed does not necessarily mean that the cloud provider (as opposed to the customer or a third party) did anything wrong or that it could have prevented the breach. Some industry commentators assert that no cloud provider (or government agency or non-profit) can guarantee against sophisticated intrusions and all technology failures. One solution may be to have the parties share any potential liability. Although the structure of any compromise is subject to negotiation, one compromise may be to have the cloud provider assume liability up to a certain dollar amount, with the customer assuming any excess liability.
Some breaches should naturally result in greater liability on the cloud provider’s part. If a cloud provider fails to follow its stated security procedures, there is justification to seek a larger or even unlimited liability. In many contracts, intentional actions impose unlimited contractual liability on the cloud provider, at least after negotiation by knowledgeable customers.
The actual limits of liability will depend on the facts of the underlying transaction:
What is the nature of the stored/processed data?
Is the data highly confidential and proprietary, or a mere aggregation of data that may be re-assembled from other sources?
To what extent does the data set include data owned by third parties who have entrusted it to the customer, who may have its own obligations and liability under such arrangements?
How much revenue is the cloud provider receiving?
How much risk is arising from the underlying technology platform?
Is the customer utilizing a public or a private cloud?
If the cloud provider offers premium services and/or additional security protection at a higher fee, has the customer elected same?
Almost all cloud providers insist on a waiver of any special, incidental, or consequential damages and seek to limit the cloud provider’s liability to any service level credits. Any overarching cap is usually tied to a multiple of the monthly fees received by the cloud provider within a set time period, e.g., three months (though many customers will negotiate seeking longer durations). Common exclusions to the limitation of liability include intellectual property infringement, gross negligence, willful misconduct, and some indemnification obligations.
Customers should carefully consider whether a disclaimer of indirect damages is appropriate, as in the event of a breach, a significant portion of the customer’s damages may be indirect damages. For example, the destruction or loss of data will result in substantial consequential or indirect damages. The sensitivity of the data in question will likely determine the importance for a customer to recover its consequential/indirect damages.
At least one court has voided a limitation of liability where the cloud provider acted in a reckless or grossly negligent manner resulting in a substantial loss of the customer’s data. Clark Street Wine and Spirits v. Emporos Systems Corp., 754 F. Supp. 2d 474, 481–82 (E.D.N.Y. 2010) (“In view of great damage to customers and business that breaches of a computer system may cause, a jury may find that the responsible entities, such as [the cloud provider], should take special precautions to protect these systems.”).
(xi) Term
SaaS agreements often have a relatively short term as opposed to on-premises licenses. Given the trend of falling prices over the last several years, a fixed-price, shorter-term (1–2 year) cloud agreement is often favored by the customer.
Many cloud providers require buyers of subscription-based services to commit to purchase a minimum volume or dollar amount for a set period of time. In doing so, cloud providers argue that “revenue recognition” rules require the cloud provider to seek revenue minimums and committed term lengths to recognize the associated revenue. Contractual minimums also allow the cloud provider to recover its upfront research, development, infrastructure, and other service-enabling costs incurred in establishing the software availability. From the customer’s perspective, minimum commitments create the potential for significant financial risk. Therefore, prudent customers will seek to negotiate shorter minimum terms and favorable termination rights to ensure financial flexibility and avoid limiting their options.
(xii) Suspension and Termination
Most cloud providers insist on the contractual right to immediately suspend access or use of the services in the event the customer undertakes any actions that:
violate the law,
violate the cloud provider’s acceptable use policy (AUP),
adversely impact the ability of other customers to use the service,
access other customers’ data,
spam,
create offensive content,
cause intellectual property infringement, or
endanger the security of the system.
While most cloud providers will not relinquish the right of suspension, prudent customers often try to limit suspension solely to material violations of the underlying agreement that threaten the security of the cloud service. In addition, they seek to negotiate a notice and cure period for inadvertent violations to avoid an immediate interruption of the customer’s access to the services. While some cloud providers will agree to provide notice and a very short cure period, other cloud providers are unwilling to do so.
Some large customers take the position that the cloud provider may not terminate the agreement for any reason, including the customer’s nonpayment, arguing that the cloud provider’s remedy lies solely in a suit for breach of contract. Further, the customer’s access and use rights shall continue during the termination process. They do so in the belief that the services are mission critical and cannot be easily transferred to a new cloud provider. From the cloud provider’s perspective, the requirement to bring a suit delays its remedy and increases its costs while creating a significant administrative and financial burden.
Many customers seek the ability to terminate their agreement for convenience. While termination for convenience provisions are common in many services agreements, the customer’s ability to terminate the agreement and the cost to do so will depend on a number of factors, including the pricing model used by the cloud provider and the cost of any capital expenditures the cloud provider made on the customer’s behalf.
If the cloud provider is providing services under a metered model without a commitment, the customer may have the right to terminate the agreement for convenience, but under a subscription model, where pricing discounts are provided based on volume commitments that termination for convenience would negate, cloud providers are unlikely to accept a termination for convenience provision. If the cloud provider purchased hardware and software on the customer’s behalf, another factor that will impact the customer’s ability to terminate for convenience is the amount of any unamortized capital expenditures. In such cases, cloud providers will most likely require the customer to pay the cost of any unamortized capital expenditures as a condition precedent to any termination for convenience.
Also important from the cloud provider’s perspective, revenue is recognized ratably over the life of the contract, and if the contract may be terminated for convenience, the cloud provider will likely be unable to recognize the total contract value to investors, lenders, or other constituents.
If the underlying agreement provides the cloud provider the right to make unilateral changes to the parties’ agreement or the underlying application, the customer should insist on the right to terminate the agreement for convenience without charge in the event any such change has a material impact on the services purchased by the customer.
(xiii) Transition Rights
Perhaps the most important issue, but perhaps under-managed, for the customer is transition rights. In the event of the early or natural termination of the agreement, the customer wants to ensure an orderly transition of its business to a new cloud provider. Also known as the “Exit Strategy” or “Exit Plan,” most good customer Program Management Offices (PMOs) contemplate an exit strategy as a part of their Governance, Risk and Compliance (“GRC”) policy; that is, if they have a GRC policy.
The agreement should set out in detail the time period during which the cloud provider must provide transition support to the customer, the cost of such services, and preferably the process for coordinating the parties (possibly including not only the end user and initial cloud provider, but also the successor cloud provider, if any). The cloud provider should be contractually obligated to provide services during the transition period at the same service level as it did during the agreement term and to fully cooperate with the customer during the transition of its data to an alternative provider or back in-house. In the event the agreement was terminated due to the customer’s breach, the cloud provider should strictly limit the length of any transition period to limit the time and effort it is required to exert in the transition effort and possibly require pre-payment for any professional services necessary to extract and migrate data to a new solution.
Finally, a prudent customer should ensure the underlying agreement sets forth in detail the customer’s rights upon the termination of the agreement and that any such transition will not interrupt its business. To that end, the customer should obtain:
a contractual commitment regarding its right to continue to use the services during the transition period,
the right to the immediate return of its data in the contractually agreed format so that it can be utilized by any subsequent cloud provider,
an agreement on a rate card establishing the rates for any transition assistance fees, and
a commitment to cooperate with any new cloud provider, preferably for a specified duration.
At the same time, prudent customers will want to require the cloud provider to retain their data for some period of time (30–60 days) while they are identifying a new cloud provider or in transition. Cloud providers are hesitant to store data for any length of time due to the cost of storage unless they are compensated for doing so.
In the event the cloud provider is also providing a license to a specific application, the agreement should address ownership and use of the license after termination of the agreement. From the cloud provider’s perspective, the underlying agreement between the cloud provider and the customer should clearly state that the customer does not receive any rights for future use of the application and that upon termination, the customer’s only right is to port its data to a new cloud provider. If the customer purchased a software license as part of the services, the customer should be contractually entitled to transfer the license to the new cloud provider. At the time the agreement is negotiated the customer should understand its rights, including its transfer rights, if it is “purchasing a license.” Although the customer may have paid to “purchase” a license and the cloud provider granted the customer access to use software through a license, the license may terminate with the agreement and prohibit the customer from taking the software to the new cloud provider.
(xiv) Compliance Obligations
Customers often seek to transfer their compliance and regulatory obligations to the cloud provider. Prudent cloud providers will reject the customer’s efforts to do so, as the obligation legally rests with the customer, and the customer cannot escape its liability by contractually requiring the cloud provider to assume such obligations. Agreeing to assume such responsibility is very risky for the cloud provider as, in most cases, the cloud provider lacks the requisite industry knowledge to fully understand the risk it is assuming as well as the cost to comply with such obligations. This is especially true with consumer data laws such as HIPAA, where the cloud provider may not know the type of data being stored by the customer or the citizenship of the data owners.
(xv) Acceptable Use Policies (AUPs)
Acceptable Use Policies (AUPs) are used by cloud providers to establish the parameters of the customer’s access and use of the cloud provider’s network and services. The customer’s failure to abide by these requirements may result in the suspension of the customer’s ability to access the cloud provider’s network and services and in extreme cases the termination of such rights. Cloud providers usually set forth a list of prohibited activities which may include:
Any activities that are illegal, that violate the rights of others, or that may be harmful to others.
Content that infringes or misappropriates the intellectual property or proprietary rights of others.
Content that is defamatory, obscene, abusive, or invasive of privacy.
Content that may damage, interfere with, surreptitiously intercept, or expropriate any system, program, or data, including viruses, Trojan horses, worms, and time bombs.
Actions that violate the security or integrity of any network, computer or communications system, software application, or network or computing device.
Accessing or using the cloud provider’s network without permission, including attempting to probe, scan, or test the vulnerability of the cloud provider’s network or to breach any security or authentication measures used by the cloud provider’s network.
Forging TCP/IP packet headers, e-mail headers, or any part of a message describing its origin or route.
Monitoring or crawling of the cloud provider’s network that impairs or disrupts the cloud provider’s network being monitored or crawled.
Inundating a target with communications requests so the target either cannot respond to legitimate traffic or responds so slowly that it becomes ineffective.
Interfering with the proper functioning of the cloud provider’s network, including any deliberate attempt to overload a system by mail bombing, news bombing, broadcast attacks, or flooding techniques.
Using manual or electronic means to avoid any use limitations placed on the cloud provider’s network, such as access and storage restrictions.
Distributing, publishing, sending, or facilitating the sending of unsolicited mass e-mail or other messages, promotions, advertising, or solicitations (“spam”), including commercial.
The corporation laws of every U.S. jurisdiction permit corporations on the “clear day” (i.e., before an adverse claim arises) to agree to advance defense costs, indemnify, and insure presumptively innocent directors and officers against risks of liability that arise out of their good faith service to the corporation. States’ laws governing alternative entities generally leave the matter of “executive protection” for managers to the law of contracts. In both situations, courts justify protection programs as encouraging responsible and talented individuals to accept the weighty responsibilities these positions impose.
In 2012 and 2013, Business Law Today published checklists created by the Business Law Section’s Director and Officer Liability Committee to assist counsel in supervising the creation or renewal of executive protection programs. Both before and after its first publication, the checklist was vetted through exposure to and comment by attendees at ABA live and webinar programs and at a webinar given to members of the Association of Corporate Counsel. Case law, commentary, and further education in this area have continued to evolve since 2013. The Committee promised that it would update the checklists periodically to reflect changes in the law and insurance markets. This is the 2021 update.
The checklist was initially created by the Committee in response to requests by corporate counsel of major U.S. entities. These counsel had communicated their practical inability to master the nuances of this ethically dangerous, highly complex, and specialized area and to keep up with new developments in the law and the insurance market. They asked for a compendium of issues that they could give their risk manager, insurance broker, and outside counsel so that entity counsel could vet the adequacy and breadth of the entity’s protection program. The goal was to permit entity counsel to meet their ethical duty to advise the entity’s unrepresented “constituent” board members, executives, and managers of the extent to which the program might meet their future needs or might fall short.
This need has become increasingly urgent over time. In particular, the personal exposures of corporate directors and officers and entity managers (sometimes referred to here collectively as “executives”) to governmental administrative and criminal risk have expanded through the “cooperation revolution” in white-collar criminal law that formally began in 1999.[1] The Committee believes that if an executive protection plan is adequate to address the increasing criminalization of executive and managerial risk, it ought to be sufficient to protect against non-criminal legal risks as well.
The updated checklist below highlights issues and suggests alternatives intended to meet the legitimate goals of executive protection from the standpoint of the protected individuals and independent of the “stormy day” potential that the entity may “cooperate” against a protected individual with a governmental enforcement authority. The checklist attempts to do so in a commonsense and balanced manner. It is intended to provide entity counsel with some comfort that he or she has met the “clear day” duty to both the entity and protected managers to provide protection to affected individuals to the “fullest extent permitted by law,” while suggesting possible ways to scale back such protection if such is the desire of the board or other governing authority. The suggestions are designed to meet the ethical rules that govern entity counsel whom the board or other managing authority has charged with creating or supervising the renewal of a protection program for the benefit of otherwise unrepresented entity directors, officers or managers. A comprehensive article on the ethical aspects of “clear day” protection programs is being prepared for publication in The Business Lawyer.
* * *
I. Entity Authority
A preliminary issue arises before the careful practitioner attempts to draft any protection program. Does the statute applicable to the creation of the entity require particular language in the entity’s formation document before the entity’s directors, officers, or managers can be protected by mere board action? Some jurisdictions characterize the issue of executive protection as one dealing with the entity’s “internal affairs.” They may require that the entity’s formation document expressly permit its board or governing body to adopt certain resolutions in order to effectively “legislate” protection that is effective to bind otherwise non-consenting shareholders and creditors. The careful practitioner must ascertain whether the entity’s jurisdiction of formation requires appropriate enabling language in the entity’s formation or other governing document and, if so, whether such language in fact appears.
II. Exculpation, Advancement, and Indemnification
Once the issue of authority has been resolved, the practitioner turns to the merits of the protection to be offered. A comprehensive directors’ and officers’ protection program has four elements, regardless of whether the entity is for-profit or not-for-profit:
statutory immunity of a corporation’s directors (and in some jurisdictions, officers) from shareholders’ claims for damages resulting from directors’ failure to exercise “due care,” and statutory protection against liability for (typically) volunteer executives of non-profits;
contractually mandatory advancement of defense costs and expenses to selected executives until the underlying claims are resolved and then relief from any duty to repay the amounts advanced in a proper case;
indemnity from the entity for any amount an executive may agree to pay to settle a claim arising from his or her service to the entity or that the executive may be compelled to pay by judgment in a proper case; and
a comprehensive program of D&O insurance that properly meshes with the entity’s advancement and indemnity undertakings.
This checklist addresses these elements in turn.
A. Exculpation under Certificate/Articles of Incorporation; Statutory Protections for Volunteers of Non-Profits
The careful practitioner will investigate whether the statute governing the entity permits exculpation of its directors and officers and, if so, whether the statutory requirements for providing exculpation have been met through the inclusion of appropriate language in the entity’s governing document. In most jurisdictions, exculpation for money damages for breaches of a director’s or (sometimes) officer’s fiduciary duty of due care (akin to simple negligence) must be included in the entity’s articles or certificate of incorporation. Exculpation for damages for breach of a similar standard, if permitted, will typically be found in the operating or other base agreement for an alternative entity. Is the required language present? If not, can the governing document realistically be amended to provide for exculpation?
If an alternative entity is involved, should a provision be inserted to provide exculpation or clarify the standard of care that managers and members must meet to avoid liability to the entity and other members for both non-fiduciary and fiduciary breaches? Can fiduciary duties be otherwise limited or eliminated under the governing law of the particular entity and is doing so wise and intended by entity participants?
B. Advancement and Indemnification
Under the law applicable to the entity, may its executives and managers be given a right—whether by contract or under the entity’s governing documents—to mandatory advancement of reasonable defense costs for all claims against them arising from their service? May the executives and managers be given a mandatory right to be relieved from repaying these advances so long as facts are not found in the underlying litigation that they breached the applicable jurisdiction’s standards for breach of fiduciary duty or committed other prohibited misconduct? May the executives and managers also be mandatorily indemnified for any ultimate settlement or judgment against them under the same limits? Does the applicable statute governing the entity permit these rights to be expanded by agreement? Should bylaw or operating agreement provisions providing for contractually mandatory advancement and indemnification specifically provide that the provisions constitute contractual obligations intended to expand on rights otherwise merely permitted by statute?
Case law that has arisen since the beginning of the white collar “cooperation revolution” in 1999 has cast a harsh light on all of the following:
the law of advancement and indemnification in respect of corporate internal investigations;
the effect of Fifth Amendment assertions in internal investigations and advancement proceedings;
the law of privilege as it relates to descriptions in billings that are the subject of advancement proceedings;
a former executive’s right of access to entity documents to assist in his or her defense where the entity is cooperating with prosecutors; and
whether a charged executive must make at least a preliminary merits showing of innocence of breach of fiduciary duty as a condition to obtaining advancement.
In most cases, an executive’s need for advancement is urgent. This means that advancement provisions should be drafted in as airtight a manner as possible as mere litigation delay can be sufficient to moot needed relief. All these critical issues are subject to drafting by the careful practitioner. Many issues of this kind have arisen in litigation following publication of the 2013 checklist. A non-exclusive list of salient issues to address includes:
Are the advancement and indemnity rights provided truly contractually mandatory, or does the governing statute only permit mandatory advancement rights to be conferred by separate action of the board on a discretionary basis after a claim arises? Is the right to mandatory indemnification contractually guaranteed so long as the indemnified person is not found guilty of disabling conduct in the underlying proceeding for which defense costs are sought? If so, is indemnification automatic, or must the executive prove anew his or her compliance with the required standard of indemnification just because he or she was charged with misconduct that could not be in the legitimate discharge of his or her responsibilities to the entity? If so, does the executive or the entity have the burden of proof?
If mandatory rights are granted in corporate bylaws, is the board prohibited from amending the bylaws to eliminate protection for circumstances that accrue during the executive’s tenure but before a claim is made? (Some state statutes cover this question, but many do not.)
As a matter of balance, does the right to advancement accrue at a sufficiently early stage to protect the executive involved in an internal investigation without causing premature “lawyering up” that is detrimental to corporate collegiality and informal communication?
Generally, the right to advancement covers not just third-party claims but also claims by the entity itself, derivative claims, and internal investigations not instigated by a government enforcement authority or derivative claim, such as claims and investigations precipitated by an internal whistleblower. Has the board or other managing body granting the protection been fully advised of this?
Is the board or other managing body clear about the meaning of protection granted “to the fullest extent permitted by law,” the customary formulation of the scope of protection? Is the board or other managing body made aware before it grants “fullest extent” or other expansive protection that a promise to advance can include, unless excluded or limited, claims against an executive for embezzlement, diversion of corporate opportunity, insider trading, and other instances of unauthorized self-enrichment? Is the board informed of the increased likelihood of claims following a change-in-control when the incumbent board is no longer making decisions concerning entity litigation and may itself be the target of claims from its successor?
In jurisdictions that statutorily extend the scope of a promise by a corporation to indemnify “to the full[est] extent permitted by law” to include a promise to advance, is it certain in that jurisdiction that there is no requirement that the applicant for advancement make any kind of merits showing as to his or her prospective right to indemnification and/or innocence of the allegations of misconduct made in the underlying case? Is the board or managing body aware of the absolute distinction the law makes between indemnification on the one hand, and advancement (or advance indemnification) on the other? Is the requirement that an executive make a preliminary merits showing expressly eliminated in the promise of advancement in every case?
Accusations of misconduct against a putative advancee that go to the merits of the underlying claim can impugn the character of the executive seeking advancement and prejudice the fact-finder. Since the merits of the underlying claim have no bearing on advancement, should allegations of misconduct and bad character be expressly prohibited in the protection plan documents—both as a matter of evidence and professionalism—from any advancement proceeding?
Most alternative entity organizational statutes omit detailed provisions for advancement and indemnification. Indemnification and advancement, thus, must be specifically contractually included in the operating or other governing agreement if they are to exist at all. Does the operating agreement specifically provide that contractually mandatory indemnification will be given “to the fullest extent permitted by law,” or is the scope of that promise limited as discussed above? Does the agreement provide a standard of conduct by which non-mandatory indemnification is to be measured analogous to standards employed in corporate contexts to avoid public policy challenges? Does the language specifically extend indemnification to match the breadth of cover granted by the Delaware cases interpreting the phrase “by reason of the fact,” even if no governing statute uses the term? Does the agreement specifically provide for mandatory indemnification without any requirement to re-litigate the underlying case if the executive is “successful on the merits or otherwise” in the underlying case?
Do all agreements provide for “fees on fees” as a central feature of advancement and indemnification as opposed to a simple prevailing party fee provision? In jurisdictions that have statutes that make one-way fee provisions reciprocal, is such language sufficient to avoid reciprocity? If not, has a suitable and enforceable waiver of a reciprocal right been obtained from the entity?
If the corporation has foreign subsidiaries on whose boards executives are expected to serve, or if they are expected to otherwise supervise foreign operations, is the corporation obligated to post bonds or otherwise pay to secure the release of the executive’s person from physical arrest and his or her personal assets from sequestration as a result of orders issued by a foreign court or governmental agency? May the corporation indemnify and advance defense costs, or even buy insurance for such executives, if the substantive law governing the foreign subsidiary forbids advancement, indemnification, or insurance?
If the executive (or former executive or manager) is in any way implicated in a matter that creates potential personal criminal exposure, does the executive:
have access to (but not possession, custody or control of) all relevant corporate documents to which he or she had access during his or her tenure?
have the express contractual right to assert Fifth Amendment privileges (and his or her lawyer work-product privileges) without jeopardizing his or her advancement and indemnity rights or limiting the amount of defense costs for which he or she is entitled to advancement? Does any bylaw specify a mechanism for resolving privilege disputes?
have the right to receive advancement of defense costs until “final adjudication” (i.e., after appeal) of facts that forbid the corporation from indemnifying him or her under the protection plan in the criminal or civil case for which advancement is sought? Is the corporation prohibited from instituting or continuing any civil case against the executive that requires him or her to waive Fifth Amendment rights or the executive’s counsel work-product privileges before final adjudication of the case that gives rise to the need for advancement?
have the right to be subrogated to the corporation’s Side B coverage should the corporation refuse to advance defense costs and the executive pays such costs directly?
have the right to judicially compel advancement at the corporation’s expense using summary procedures, i.e., without having to make any assertions of fact, good faith, or innocence that can prompt an evidentiary hearing?
Does the most likely jurisdiction in which a suit to compel advancement will be heard treat advancement as a discrete, independent cause of action available for summary judgment, or must it be brought in equity to compel “advance indemnification” by way of preliminary injunction? If the latter, may a bond be required, even though the contractual right to advancement is free of any duty to give security? May the posting of a bond as a condition to advancement be waived in advance by agreement? Should compliance with other standards for awarding preliminary injunctive relief be eliminated by agreement? Will a stipulation that any advancement proceeding be treated as a “summary” proceeding be respected in the enforcing court? Should all defenses other than those going to the existence of a contract for advancement or indemnification and whether the claimant is a covered person asserting a covered claim, be denied the status of defenses to an advancement claim? Should the entity be prohibited from asserting res judicata or collateral estoppel in respect of any ruling made in an advancement case in any later case for indemnification? Should a provision be inserted in the protection plan mandating expansive interpretation of the agreement in favor of covered executives and managers?
Should the entity leave its advancement and indemnity exposure unlimited in amount in respect of third-party claims in which the corporation and executive cooperate in the defense? In cases where the interests of the entity and its executives are adverse so as to prohibit a joint defense, should the entity limit its advancement and indemnity duty to the sum of insurance cover and the corporation’s insurance retention, particularly if the entity is not-for-profit?
Are executives permitted to be advanced and indemnified against all legal costs in any matter that includes non-indemnifiable claims or parties so long as the facts or issues relevant to the covered and uncovered claims overlap? Where cover is excluded by the agreement and the exclusion is found to apply, must defense costs be allocated, and, if so, by what standard?
III. D&O Insurance
A corporation may obtain Side B insurance to cover its advancement and indemnity obligations to its executives. Such cover “protects its own balance sheet,” as the saying goes. A corporation also typically purchases Side A cover to protect its executives directly from claims for matters in which the corporation and executives are joint defendants and are united in the defense. This cover is principally intended to protect the executive where the entity is insolvent or where the law prohibits the entity from advancing or indemnifying the executive as a matter of law (so called “non-indemnifiable loss”), but does not prohibit insurance from doing so. Finally, Side C or “entity” coverage provides protection for claims against the company. The company’s Side ABC policies, thus, are written to cover claims where the interests of the executive and the corporation are not in conflict.
A corporation may also purchase separate standalone Side A-only/difference-in-conditions (DIC) insurance for its executives. This insurance gives executives a separate limit of cover that the entity may not invade. It may “drop down” to cover defense costs and settlements where the ABC insurers become insolvent; where the underlying Side ABC limits are exhausted; where the entity refuses to advance (sometimes forcing the executive into extensive litigation as to his or her right to advancement or indemnification); or where any underlying insurer fails or refuses to pay or attempts to rescind coverage. DIC insurance is particularly valuable to executives because, among other reasons, it often lacks certain exclusions, such as the “insured vs. insured” exclusion or “pollution” exclusion, typically found in traditional Side ABC D&O policies.
Of course, the appropriate structure, scope, and amount of D&O coverage for both entities and executives varies greatly between industries, entity sizes, exposures, and a multitude of other factors impacting risk profiles and likely claims arising from those risks that could be mitigated through insurance. Checklist items to consider when evaluating D&O coverage include:
Are all individuals that the board wishes to insure in fact covered? Are those it does not wish to cover excluded from the policy definition of “Insured” so as not to prematurely exhaust policy limits?
As a practical matter, will executives—particularly former executives or those whose interests diverge from those of the company—have access to the D&O policies purchased to protect them when a claim arises? What information may or must a risk manager or in-house attorney provide to its former executives in the event of a claim or potential claim implicating the company’s D&O policies? Is the company or its independent broker the authorized representative of all insureds, even individual insureds, for all purposes, including the receipt of policies and the giving of notice? Do individual insureds have the right to notice claims or instruct the entity to do so?
Has the board made a reasoned and appropriate decision on policy limits, particularly given that under its Side B coverage, it seeks to cover its complete advancement and indemnity exposure to all covered executives beyond an agreed retention? Are all parties cognizant of the phenomenon of competition among insureds for access to policy limits and the accepted means for reducing such competition? Does the Side ABC policy have a priority of payments provision contemplating such a situation? Are executives’ Side A coverage limits provided exclusively through the Side ABC policy, or has the company also purchased dedicated, standalone Side A-only coverage to mitigate the risk of competition for scarce insurance resources in the event of insolvency or large exposures? Are litigation costs covered when they are incurred in board members’ efforts to preserve policy limits for themselves?
Does the policy cover defense costs within overall limits or through sublimits for matters such as derivative investigations (both those that arise immediately after demand and those that arise after the creation of a special litigation committee) and corporate internal investigations?
Where advancement coverage incepts before a defined “claim” arises, does the policy give each insured the separate option of not treating the event as a reportable claim or mandatorily reportable circumstance? May individual insureds give a “notice of circumstance” to cement cover under the policy in effect for that year over the objection of the entity?
Does the policy cover employment practice claims, crisis management costs, searches, and raids by enforcement authorities, and claims against employed lawyers? If the latter have separate professional liability cover, is it clear which cover is primary?
How does the policy respond to government investigations by enforcement authorities prior to the institution of formal enforcement action (e.g., obtaining documents or testimony through subpoenas or informal requests)?
Is the policy definition of “wrongful act” sufficiently expansive so that “all risk” coverage is obtained, assuming such is the desire? Does the insurer agree that such cover includes claims by opposing parties for attorney’s fees? Does the policy cover claims for personal injury and property damage arising from a wrongful act as defined? Does the policy cover liability under Sections 11 and 12 of the Securities Act of 1933? Is there coverage for all insurable fines and penalties and punitive, moral, and multiple damages to the extent permitted by law—and where there is a dispute as to which law may apply, as determined by the law most favorable to the insured? Does the policy allow for recovery of amounts paid to mitigate or reduce the likelihood of a claim? Does coverage exist for personal liability for corporate taxes and statutory insurance contributions?
Does advancement coverage expressly continue until there has been a final adjudication of facts in the underlying proceeding adverse to the insured for which advancement is given that permits the application of the “willful or intentional act” policy exception? Is the insurer prohibited from bringing a suit to accelerate that process? Are the “deliberate and intentional act” or “improper personal benefit” exclusions limited to cases where the act or gain was the result of deliberate misconduct? Is the insurer prohibited from recovering its advances should the executive’s conduct fall within the “willful or intentional act” exclusion?
Is the insurer’s obligation to advance defense costs prior to a final judgment or settlement subject to a right to recoupment or repayment in the event it is later determined that the policy did not provide coverage? Does the insurer get the benefit of hindsight to try to recoup legal fees and expenses advanced based on the potential for coverage based on a later-discovered fact not known at the time the insurer determined that advancement was appropriate under the circumstances or from a criminal admission made after the policy limits have been paid out? Can the policy be negotiated so that the insurer has a right of recoupment against the entity but not individuals?
Is the definition of “loss” sufficiently expansive? Does it exclude the types of claims against which the board may not wish to insure such as insider trading, embezzlement, diversion of corporate opportunity, and other claims in which the executive is accused of receiving an improper personal gain or benefit?
Does the policy contain an exclusion for claims against executives that seek to recover amounts that the corporation should have paid in addition to amounts it did pay in a merger, share exchange, or sale transaction? If so, are executives entitled to advancement and indemnity if personally sued in such a case without being required to allocate their defense costs between other covered claims and the claims seeking an increase in consideration? Generally, are executives permitted to be advanced and indemnified against all legal costs in any matter that also includes uncovered claims or parties so long as the facts or issues relevant to the covered and uncovered claims overlap?
Are the exclusions for illegal conduct, “other insurance,” and timing of claims (including the provisions relating to giving of notice of claim or circumstance), reasonable and readily understandable? Are the “notice of circumstance” provisions objective, subjective, or both; and are such provisions mandatory or permissive? Does the policy provide for an extended notice period should the corporation become insolvent?
Is there an “insured-versus-insured” exclusion and, if so, is it phrased narrowly to exclude only truly collusive claims?
Does the policy contain a clause that conditions or otherwise bases the executive’s Side A cover on the corporation’s fulfillment of an obligation to advance and indemnify “to the fullest extent permitted by law” or comparable language? Is this provision limited to prohibit the insurer from placing on the insured executive the duty to assume the corporation’s Side B retention or deductible in a case where the corporation breaches its statutory or by-law advancement or indemnity obligations?
Does the insured corporation have reporting mechanisms in place to ensure that the risk manager is kept fully informed of any potential claim or circumstance requiring notice to the insurer? Does the insurer bear the burden of establishing prejudice from late notice, and is its remedy for late notice limited to the actual damage it sustains as a result? Do the executives have the ability to notice claims or circumstances directly to the insurer under their Side A cover and are executives entitled to receive notices of cancellation or changes in coverage?
Does the policy permit an executive subject to potential or actual criminal charges to assert Fifth Amendment privileges against the insurer, and the executive’s counsel work-product privileges, without violating the policy or limiting the executive’s recovery of defense costs due to a claim by the insurer that the executive’s counsel has provided insufficient billing detail or breached a duty to cooperate? Is there an agreed mechanism for resolving privilege disputes by a court (not an arbitration) that requires advancement while any dispute is being resolved? Is there a severability clause that protects “cooperating” executives should “non-cooperating” executives be held to violate the policy’s cooperation clause?
Is the policy’s definition of “application” reasonably narrow and understandable? Are the covenants and representations made by the corporation and any insureds in either the application or the policy reasonable and understandable?
Is there a broad severability provision that insulates innocent executives from a claim of application fraud due to the guilty knowledge of less than all of their number?
Is there an incontestability or similar clause that limits the insurer’s right to rescind a policy? Is the insurer’s right to cancel the policy appropriately limited? Must it notify all affected insureds, or at least all current insureds?
Is there a settlement “hammer” clause and has it been appropriately drafted to avoid unfair and unintended results?
Does the policy sufficiently define the parameters of the consent-to-settlement clause and the clause permitting the insurer to associate counsel to eliminate micro-management of the defense? Do these clauses specifically exclude criminal matters and matters where the insurer pays defense costs while reserving its right to deny coverage?
Does the policy contain an “order of payments” provision sufficient to reasonably mitigate the effects of a corporate insolvency?
Are the claim reporting requirements reasonable? Does a broad definition of “claim” result in an undesirable expansion of the insureds’ duties to give notice of claims or circumstance? Does the right to advancement of defense costs arise within a period of less than 60 days after demand is made on the underlying insurer or corporation? How does the policy address “related” or “interrelated” acts for the purposes of giving notice, and how should the company approach notice of “circumstances” likely to give rise to a claim in light of those related-claim provisions?
Have the implications of DIC or “dedicated limits” coverage been explored to provide advancement and indemnity coverage:
for risks that the corporation and the underlying Side ABC policy do not cover;
where the corporation refuses or is unable to advance defense costs and indemnify;
to mitigate the risk of program failure due to competition among competing insureds for policy limits;
to avoid loss of coverage in respect of criminal matters in which the executive (or his or her counsel) asserts Fifth Amendment or work-product privileges;
to cover cases where an underlying carrier may not pay a claim arising in a foreign country due to its unlicensed status; and
to provide reinstated limits or separate limits for boards?
Does the policy insure executives for the costs of obtaining release from incarceration and release of sequestered personal assets if they act as directors or agents of a foreign subsidiary or for the parent corporation in a foreign country? Does the policy contain coverage for reputation restoration and cover crisis management public relations services?
Does the policy contain appropriate cover for the costs of resisting Dodd-Frank/SOX claw-back claims?
Does the carrier selected have a reasonable financial rating and a good reputation for claims handling and payment? If the D&O program has excess insurers, how is excess coverage impacted by insolvency of the primary insurer?
Do the insureds have the right to recover their attorneys’ fees under applicable law should they be required to litigate coverage with the insurer?
If a DIC policy contains a choice of law clause, does it choose as the applicable law the law of the underlying Side ABC policy? What law is chosen in the Side ABC policy? If the policy contains an arbitration clause, is the legal seat of the arbitration (not just the hearing locale) a venue that understands American plea-bargaining practices?
Are there to be one or more excess policies above the negotiated first-tier policy that do not “follow the form” of the first-tier policy? If so, have all questions above been asked in respect of each of the excess policies? Do these policies have appropriate provisions relating to when each layer of excess coverage attaches to avoid gaps in protection, including provisions requiring that upper tiers “drop down” should insureds reach a settlement with the lower tier carrier below its policy limits?
Have the appropriate locally issued D&O policies been obtained in respect of foreign subsidiaries and operations and will all applicable foreign taxes be paid?
Conclusion
The time has long passed when executive protection programs could be evaluated by boards based simply on an inquiry into the limits of Side ABC insurance cover and the amount of the premium. The number and complexity of the issues listed above, together with the potentially catastrophic results that can obtain when criminal charges are threatened against companies and individual executives, prove that this is no longer an issue that can safely be treated cavalierly (if it ever was). The amelioration of these risks can only be left to professionals. The boards and executives that such insurance policies are intended to protect have a vested interest in maintaining a D&O program that is both robust and tailored to the company’s current business operations and exposures. The Committee hopes that both corporate counsel and practitioners will find the Checklist a useful resource to guide their professional advice in this age of “cooperation.”
[1] See Bennett, LoCicero & Hanner, “From Regulation to Prosecution to Cooperation: Trends in Corporate White Collar Crime Enforcement and the Evolving Role of the White Collar Criminal Defense Attorney,” The Business Lawyer, Vol. 68, p. 411 (Feb. 2013).
The ongoing pandemic and resulting consequences have created a new normal. The short- and long-term effects are far-reaching and touch upon a number of societal issues and functions. The financial services industry has been far from immune to these ongoing consequences. COVID-19 has forced the industry to fundamentally alter the way in which it operates and focus on ways to evolve current product offerings through technology. In the process of this transition, financial institutions have been tasked—both directly and indirectly—with helping small businesses and consumers navigate this economic storm. The burden falls on them to ensure that affordable credit and other services are readily available and accessible. Many fintech companies and banks have already been doing this, but the pandemic provided a demonstration of those abilities and a specific reason for additional focus and investment. As the evolution of the industry continues to unfold, institutions must work to increase access and financial inclusion and ensure that traditionally underserved communities are not left behind.
As in previous crises, the federal government has provided relief during the pandemic to help ensure families and businesses could weather the economic storm. Direct stimulus, relief opportunities, and moratoriums on student debt, rent, and mortgage obligations are just a handful of the measures the government has implemented to help those most directly impacted. Additionally, the government and regulatory agencies have used their full powers to provide financial institutions with the flexibilities they need to deploy capital in a safe and responsible way, to ensure credit markets did not dry up and that hard-working families still had access to the financial system and credit products they needed.
While the government has heavily leaned on the financial industry to serve as a partner during this period of uncertainty, financial institutions and their fintech partners have stepped up, working hand in hand to provide access to the Paycheck Protection Program (PPP), Main Street Lending Program (MSLP) and a number of other relief efforts. The partnerships created during this pandemic provide important insight into the growing role of technology in the financial services industry and have truly highlighted how embracing responsible innovation can be utilized to deliver efficient and effective products. By capitalizing on each party’s expertise (banks’ regulatory compliance and controls, with fintech’s innovative models), tech-forward banks and fintechs are able to use partnerships to expand their offerings to a larger, more diverse base and maximize the benefits to consumers and small businesses.
This is true not only in times of crisis, but in the day-to-day offerings small businesses and consumers have become accustomed to expecting from their financial institutions. The pandemic has shown how important it is for all banks to adapt to the evolving nature of the industry in order to facilitate increased financial inclusion and to continue to serve businesses and consumers, particularly those who are traditionally underserved. According to the Federal Reserve Bank of New York, fintech lenders like Cross River were critical in providing PPP loans to underserved borrowers, including Black-owned businesses. Further, the research demonstrates that 95% of those who applied for PPP loans through a large bank had prior relationships with their financial institutions. Effectively leveraging technology and automation was a key way in which banks and their fintech partners were able to originate PPP loans in a safe and compliant manner to underserved communities, especially for borrowers who had no pre-existing relationship.
The financial services and banking industries are no strangers to adaptation—they have often had to shift in the face of potential and ongoing crises, from those caused by natural disasters to economic recessions to public health concerns. The lessons learned from each previous crisis have, in part, helped to reshape the way the industry operates, its offerings for the next wave of products, and its preparation to mitigate future disasters. Technology and innovation have been strong driving forces pushing the industry forward, creating solutions that empower consumers with faster, safer, and more convenient options. The ongoing digital transformation alone, however, is not enough to ensure that traditionally underserved communities are made whole or gain equal access following the pandemic. Access to broadband, transparency in product offerings, consumer education, and financial literacy efforts are all equally important in achieving the goal of improving financial inclusion and equality throughout the country.
This pandemic has specifically highlighted the need for institutions to offer more digital options that allow customers to get paid, move money and obtain loans without needing to physically enter a bank branch. Whether it be retail banking offerings, deposits, payments, point-of-sale lending or small business lending, the combination of the crisis and the advancement of technology has inspired companies to innovate. Many are creating products to fill gaps in the industry, ultimately expanding financial equality and leading to a more inclusive and resilient financial system. Bank-fintech partnerships in the Marketplace Lending and Buy Now Pay Later ecosystem are prime examples of responsible, transparent offerings that provide consumers with the necessary flexibilities and alternatives to legacy products and often assist those who would not qualify for traditional credit products. Without this innovation filling the gaps, it is hardworking families who are hurt the most, and often forced to turn to high-interest predatory debt traps as the only alternative.
As the industry moves forward, recovers from the latest crises, and continues to evolve, it is essential that equity and inclusion are made a central tenet of the industry’s mission. If we are to truly learn and improve from previous crises, we must ensure that we are working to expand access and create a more inclusive financial system.
Have you ever asked yourself how someone becomes a general counsel? Have you ever had any interest in one day becoming a general counsel? If you answered yes to either of those questions, whether you are in law school, private practice, government or in-house, the new podcast series Conversations with GCs is for you.
Purpose
The In-House Subcommittee of the ABA’s Corporate Governance Committee created this podcast to help aspiring general counsel (“GCs”) find practical and actionable guidance as they pursue the top in-house legal role. The podcast facilitates conversations with leading GCs that explore the paths that led them to the role of GC, essential GC skills and characteristics, current GC hot topics and advice for those aspiring to be GCs.
The First Three Conversations
The first three episodes capture the inspiring and helpful stories of Chad Perry, Brady Long and Jacqueline Lee. As the host of Conversations with GCs, I am grateful that I was able to sit down with these three remarkable people and talented lawyers; you don’t want to miss out on hearing their stories and learning from their unique perspectives. I’m confident that these conversations will leave a mark on you like they did on me. There were so many insights and takeaways from these rich conversations, but I have pulled out some of the highlights below. To dig deeper into the conversation, click the links to the episodes and listen in!
Chad Perry is the Executive Vice President, General Counsel and Secretary of Tanger Factory Outlet Centers, Inc., a public REIT and leading operator of upscale open-air outlet centers. I genuinely enjoyed my conversation with Chad, which was sprinkled with wisdom and laughter. The theme of curiosity ran through our conversation as it was central to Chad’s openness to new opportunities outside of practicing law within a firm, learning the industries where he found himself, and growing in areas that are outside his areas of expertise.
While most of us will not enjoy Chad’s experience of getting the GC nod while vacationing at the beach, we can all take his advice to keep our eyes open for new opportunities, stay curious where we are and allow that curiosity to take us to new places. He also highlighted the importance of asking good questions to challenge the status quo and remaining flexible as we progress throughout our careers.
Chad’s advice for those advancing our journeys to the GC role included not jumping at the first offer that comes our way, and to look for opportunities in our current roles to expand our perspective and areas of expertise.
Brady Long is the Executive Vice President and General Counsel of Transocean, a leading international provider of offshore contract drilling services for oil and gas wells. The first theme that permeated our conversation was always maintaining a focus on adapting. From the collapse of Enron and enactment of SOX at the beginning of his career, to the current changes in the ESG space, Brady emphasized the need to adapt to the ever-changing legal landscape.
A second theme was remembering the human element in every relationship and fighting the current of reducing relationships to merely a means to an end. Brady framed his attention to meaningful relationships in terms of being a good partner to those above him, those who report to him, and the law firms who help him navigate the legal issues facing his company. Brady’s genuine concern for the people and projects that have been entrusted to his care was easy to discern and inspired me to push back against the transactional current that flows so strongly in the legal profession.
Brady’s primary piece of advice for those seeking the GC role was to intentionally develop our networks. In keeping with the theme of remembering the human element, Brady’s take on networking was focused on being respectful to everyone in that network, whether they are ahead of or behind us in our journeys to the GC sphere, being aware that the chairs can (and often do) turn quite quickly.
Jacqueline (“Jaci”) Lee is the General Counsel of Flynn Restaurant Group, America’s largest restaurant franchisee with over 2,300 restaurants nationwide. Jaci’s story and perspective were so unique that I lost track of time, and our conversation went much longer than I intended.
As a litigator, Jaci has a passion for storytelling, and she demonstrated that talent as she discussed her path. The first theme that ran through Jaci’s story was the joy that she took in each step of her journey. In a striking moment, she commented that she has loved every job that she has ever had (including her time in Big Law). I had never heard anyone say that, and I’m still pondering the perspective needed to make such a statement.
The second theme that surfaced during our conversation was the unexpected nature of her journey to becoming a GC. She was so happy at her role in Big Law that she never thought that one day she might make the shift to in-house, let alone become a GC. However, one of her law firm mentors took the GC role at Flynn Restaurant Group and asked Jaci to consider joining her. After only a year in-house for Jaci, her mentor went on to another adventure, and Jaci was tapped to take over the GC role. The unique journey of being pulled into the role, rather than pursuing it, was striking to me.
Jaci’s primary advice for those seeking the GC role was to expand areas of expertise, seek stretch projects in our current roles that allow us to contribute beyond our core competencies, and intentionally work on strengthening (not just expanding) our network through introducing people to each other where we think they would benefit from the connection.
It has been said that the best podcasts are those that feel like you are listening in to an interesting conversation taking place at the table next to you at Starbucks. I was fortunate enough to be part of these interesting conversations and invite you to grab your favorite cup of coffee or tea, sit down at the table next to us, and listen in!
Finally, we would love to hear from you. Please send any comments or questions, including any expressions of interest in being a part of the ABA Corporate Governance Committee or its small, but mighty, In-House Subcommittee, to [email protected].
The importance of environmental, social, and governance (ESG) factors—especially environmental considerations—in financial services has increased over the past several years. Recently, ESG considerations have garnered increased attention in the United States as a key platform and policy focus of the Biden administration. New ESG financial policies are expected in both the European Union and the United States, though the exact scope or depth of any particular regulation is still unclear at the moment. Further, while regulators and independent standard-setters all seem to be mindful of the benefits of a unified international regulatory regime, significant risk still remains that different environmental standards and requirements will end up hindering the cross-border activities of various market participants.
This article briefly summarizes recent, notable regulatory developments in various financial regulatory regimes.
U.S. Regulatory Developments
On 20 May 2021, President Joseph Biden issued the Executive Order on Climate-related Financial Risk (the Executive Order), which stated that the Biden administration would prioritize the development of a government-wide strategy for mitigating climate-related financial risk, including by encouraging various financial regulators to better assess such risks. The Executive Order did not create any enforceable rules; however, it lays the groundwork for future federal financial policy by directing federal entities to develop and report on strategies that promote sustainability.
The Executive Order also instructed the Department of Labor (DOL) to reconsider its ESG Rules. The ESG Rules refer to two final rules that the DOL Employee Benefits Security Administration (EBSA) bureau published in late 2020, at the end of President Trump’s term: the “Financial Factors in Selecting Plan Investments” final rule and the “Fiduciary Duties Regarding Proxy Voting and Shareholder Rights” final rule. The ESG Rules required fiduciaries to make investment and shareholder decisions based on “pecuniary factors” and not to subordinate investment returns to nonpecuniary goals. The EBSA under President Biden had already announced, in March 2021, that it would not enforce the ESG Rules. The Executive Order extended that previous announcement and signaled a political willingness to undergo the administrative process to rescind or substantially amend the ESG Rules. On 14 October 2021, the EBSA published a proposed rule that clarifies the consideration of ESG factors by fiduciaries under the Employee Retirement Income Security Act of 1974 (ESG Proposed Rule). The comment period for the ESG Proposed Rule closes on 13 December 2021.
On 24 February 2021, then-Acting Chair of the Securities and Exchange Commission (SEC), Allison Herren Lee, stated that SEC staff would enhance its focus on climate-related disclosure in public company filings and would update its existing 2010 guidance on disclosure of climate change matters. From mid-March to mid-June 2021, the SEC received over 300 comment letters in response to their Request for Comment. Commenters were mixed on many key issues, such as the following:
Whether the disclosure regime should be principles based or prescription based;
To what degree disclosures should be qualitative or quantitative;
Whether climate-related disclosures needed to be audited;
Whether the disclosure regime should also apply to private companies; and
Whether the SEC should adopt the metrics and standards of independent standard setters, such as the Financial Stability Board’s Task Force on Climate-related Financial Disclosures or the Sustainability Accounting Standards Board.
On 7 July 2021, the SEC Asset Management Advisory Committee’s ESG Subcommittee issued its recommendations regarding ESG disclosures. On 28 July 2021, SEC Chairman Gary Gensler stated that the SEC intends to issue a mandatory climate risk disclosure rule proposal for public issuers by the end of 2021. On 22 September 2021, the SEC Division of Corporate Finance published a letter with sample comments that could be issued to companies regarding their climate-related disclosures. The comments ask companies to, among other things, identify material effects on the business from pending or existing climate-related legislation, regulations, and international treaties, as well as to disclose material past or future capital expenditures on climate-related projects.
The SEC is also reorienting its various divisions’ focus on ESG. According to the Division of Examination, its 2021 priorities include an enhanced focus on climate-related risks. The Division of Enforcement created a Climate and ESG Task Force to develop initiatives to proactively identify ESG-related misconduct, particularly regarding material gaps or misstatements in issuers’ disclosure of climate-related financial risks.
The Commodity Futures Trading Commission (CFTC) established a Climate Risk Unit, which is intended to help ensure that new climate- or ESG-related products fairly facilitate hedging, price discovery, market transparency, and capital allocation. The Climate-Related Market Risk Subcommittee of the CFTC’s Market Risk Advisory Committee issued its often-referenced Report on Managing Climate Risk in the U.S. Financial System on 9 September 2020.
On 23 March 2021, the Board of Governors of the Federal Reserve System (the Fed) announced the creation of the Financial Stability Climate Committee, which is charged with developing a program to assess and address climate-related risks to financial stability and coordinate its implementation with the Financial Stability Oversight Council and its member agencies. Two months earlier, the Fed announced the creation of a Supervision Climate Committee to study the implications of climate change for banks and financial markets. Additionally, the Fed co-chairs the Basel Committee on Banking Supervision’s Task Force of Climate-Related Financial Risks, which is charged with addressing climate-related financial risks in order to maintain the global financial system’s stability and security.
On 3 August 2021, the heads of the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and National Credit Union Administration (NCUA) testified in front of the Senate Banking Committee regarding their respective agencies’ approach to climate change risk supervision. The written testimonies, as well as a recording of the hearing, are available on the Senate Banking Committee’s website.
The Biden administration has appointed many lead financial regulators who have an extensive history with ESG. Additionally, the Biden administration has also established new regulatory positions to address climate-related matters as they pertain to the financial services industry. Notable regulators and their positions are as follows:
Janet Yellen, Secretary of the Treasury
Wally Adeyemo, Deputy Secretary of the Treasury
Didem Nisanci, Chief of Staff to the Secretary of the Treasury
John Morton, Climate Counselor for the Department of Treasury
Brian Deese, Director of the National Economic Council
Bharat Ramamurti, Deputy Director of the National Economic Council
Mika Morse, Climate Counsel for the SEC
Rostin Behnam, Acting Chairman of the CFTC
Darrin Benhart, Climate Change Risk Officer for the OCC
John Kerry, Special Presidential Envoy for Climate
State regulators have also been active in the ESG space. For example, the New York State Department of Financial Services (NYDFS) issued an industry letter to New York state-regulated financial institutions on 29 October 2020 that, among other things, set forth the regulator’s expectation that financial institutions will integrate risks from climate change into their governance and risk management frameworks. NYDFS also hired its first Director of Sustainability and Climate Initiatives in 2020. On 9 February 2021, NYDFS announced that it will provide credit under the New York Community Reinvestment Act for financing activities that (in general) reduce or prevent the emission of greenhouse gases.
EU Regulatory Developments
On 21 April 2021, the European Commission issued the Sustainable Finance Package, which comprises a proposed Corporate Sustainability Reporting Directive (CSRD), the EU Taxonomy Climate Delegated Act, and the Six Delegated Acts on fiduciary duties, investment, and insurance advice (the Delegated Acts). The measures in the package are intended to help improve capital flows towards sustainable EU businesses and technologies. The proposed CSRD amends the Non-Financial Reporting Directive (NFRD), widening the scope of the nonfinancial and diversity-related disclosure rules to cover all large EU companies and all companies listed on regulated markets (except listed micro-enterprises). The proposed CSRD also mandates additional reporting requirements and requires that all information reported under the NFRD be audited. The EU Taxonomy Climate Delegated Act clarifies which economic activities contribute most to the European Union’s environmental objectives. The Delegated Acts ensure that financial advisers, asset managers, and insurers include sustainability in their procedures and their investment advice to clients.
On 10 March 2021, Level 1 of the Sustainable Finance Disclosure Regulation (SFDR) became effective. The SFDR imposes mandatory ESG disclosure obligations on asset managers and other financial market participants. A significant number of these disclosure obligations apply to asset managers regardless of whether an express ESG- or sustainability-focused investment strategy is offered. Level 1 disclosures are entity-level disclosures regarding that entity’s policies on the identification and prioritization of principal adverse sustainability impacts. The effective date of the supplemental Level 2 disclosures, which generally consist of detailed pre-contractual and annual reporting disclosures, was recently postponed from 1 January 2022 to 1 July 2022.
Also on 10 March 2021, the European Parliament adopted a resolution stating that the EU should urgently adopt binding requirements for businesses to conduct environmental evaluations of their value chain.
On 8 March 2021, the European Financial Reporting Advisory Group (EFRAG) published a road map for the development of sustainability reporting standards, which are nonfinancial reporting standards. The recommendations in EFRAG’s report likely reveal, in broad strokes, the policy objectives that EU regulators will prioritize in the near future.
Many U.S. climate leaders look to the EU for guidance on ESG policy (some in the industry contend that this is one manifestation of the “Brussels Effect”). Consequently, U.S. financial market participants may wish to consider strategizing for a similar widening of the scope of ESG policy and increased reporting requirements, including nonfinancial disclosures. In contrast, ESG proponents in the United States should closely monitor and learn from the EU’s recent implementation problems. For example, many mandated disclosures have not yet been implemented due to the data protection and privacy measures in the General Data Protection Regulation. Such implementation hurdles reveal that, while political statements and policy mandates can be made relatively quickly, the development of practical implementation processes most likely will take many years.
Third-Party Stakeholders
Third-party stakeholders have played, and continue to play, important roles in addressing climate-related risks.
On 7 July 2021, the Financial Stability Board (FSB), an international body that monitors and makes recommendations about the global financial system to various regulators, published a report titled FSB Roadmap for Addressing Climate-Related Financial Risks. The report focuses on four near-term goals: (1) having firm-level disclosures as the basis for the pricing and management of climate-related financial risks, (2) establishing a consistent set of metrics and disclosures that can provide the raw material for the diagnosis of climate-related vulnerabilities, (3) establishing vulnerability analysis practices that can help serve as the basis for the design and application of regulatory and supervisory frameworks and tools, and (4) supporting the establishment of regulatory and supervisory practices and tools that allow governments to address identified climate-related risks to financial stability.
On 21 April 2021, the Glasgow Financial Alliance for Net Zero (GFANZ) was launched. GFANZ is a coalition of over 160 finance firms with total assets under management in excess of USD 70 trillion. GFANZ is chaired by Mark Carney, the United Kingdom’s Special Envoy on Climate Action and Finance to the United Nations. U.S. Special Presidential Envoy for Climate Kerry and Treasury Secretary Yellen are also involved.
On 14 April 2021, the Bank for International Settlements, an international financial institution that operates as a bank for central banks, released two reports regarding the climate’s potential impact on the financial system. The first report, titled Climate-related Financial Risks – Measurement Methodologies, provides an overview of conceptual issues related to climate-related financial risk measurement and methodologies, as well as practical implementation considerations, by banks and supervisory agencies. The second report, titled Climate-related Risk Drivers and their Transmission Channels, explores how climate-related financial risks can impact the banking system.
In April 2021, the International Financial Reporting Standards Foundation, a nonprofit organization that promotes the development of international financial reporting standards through its International Accounting Standards Board, announced the establishment of the new International Sustainability Standards Board (ISSB). The ISSB is tasked with writing baseline rules for climate change disclosures that aim to replace the various patchwork voluntary disclosure frameworks currently in use. The International Organization of Securities Commissions, an association of national securities regulators, has announced its support for the ISSB. The ISSB is set to be launched by COP26, the UN climate change summit scheduled for the first two weeks of November 2021.
Conclusion
New regulatory policy initiatives are developing rapidly around the world, led by a variety of regulators and third-party stakeholders. Although these actors are aware of the benefits of international coordination, and are currently expending much focus and effort on unifying different standards, it is also clear that there are still many differences that certain financial market participants must navigate.
The financial services team at K&L Gates continues to follow the ESG regulatory developments around the world. This article was prepared at the beginning of October 2021, and there may be many other developments in the weeks prior to its publication. Our financial services team stands ready to assist market participants in navigating these developments.
Mr. Humenik is a partner and Mr. Lee is an associate at K&L Gates, LLP. This article is not intended to be an offer to represent any person. Use of this article does not give rise to a lawyer-client relationship. Please do not consider there to be any lawyer-client relationship between you and K&L Gates or any of its lawyers unless or until: (1) you have sought to retain us, (2) we have had an opportunity to check and clear any conflicts, and (3) you have received a letter from us confirming the retention and its scope.
While most income of nonprofit, tax-exempt organizations is exempt from federal and state corporate income tax, certain income of nonprofits is subject to tax—a tax known as the unrelated business income tax (UBIT). The rules governing UBIT are complex and confusing. This article provides an overview of the basic UBIT rules and examines three key exceptions to UBIT that enable nonprofits to strategically plan to maximize their revenues and minimize their income taxes.
Background
Although nonprofit, tax-exempt organizations (hereinafter referred to as nonprofits) are granted a general exemption from federal corporate income tax by the Internal Revenue Code (the Code) for income from activities that are substantially related to the purposes for which the nonprofit’s tax-exempt status was recognized by the IRS, they nevertheless are potentially taxable for income derived from unrelated business activities. The Code defines an unrelated trade or business as “any trade or business the conduct of which is not substantially related (aside from the need of such organization for income . . .) to the exercise or performance by such organization of its . . . purpose or function constituting the basis for its exemption . . .”
The tax on unrelated business income first appeared in the Code in 1950. Congress’ principal purpose in enacting UBIT was to provide a level competitive playing field for tax-paying businesses—so that tax-exempt organizations could not use their privileged tax status to compete unfairly with tax-paying businesses in activities unrelated to their purposes. But instead of prohibiting tax-exempt entities from engaging in any business activities at all (and denying or revoking tax exemption because of such activities)—which it had considered doing—Congress chose to specifically permit a certain degree of business activity by tax-exempt organizations, while taxing that activity like any other for-profit business. Thus, such business activities are permissible, so long as they are not a “substantial part of [the nonprofit’s] activities.” The tax applies to virtually all tax-exempt entities.
The most common form of unrelated business income for nonprofits, by far, is advertising income (e.g., in periodicals, on websites, on social media).
UBIT is imposed at the 21% flat federal corporate income tax rate. Deductions are permitted for expenses that are “directly connected” with the carrying on of the unrelated trade or business, and net operating losses may be carried forward and backward (with certain limitations). Losses from one unrelated business activity cannot offset gains in another; profits and losses are determined per activity.
Three-Prong UBIT Test. It is important to note that not all business income is subject to taxation or to limitations: only “unrelated business income” as defined in the Code. Unrelated business income will only exist if three conditions are satisfied; if any one of the three is not present, then income from the activity will not be taxable. Unrelated business income must be:
from a trade or business;
that is regularly carried on; and
that is not substantially related to the purposes which form the basis of the organization’s tax-exempt status.
Exclusions. Even if all three conditions of the UBIT test are satisfied, there are numerous statutory exclusions both (A) from the definition of an unrelated trade or business, and (B) in the computation of unrelated business taxable income, which can exempt otherwise taxable income from UBIT. Many such exclusions are potentially applicable to nonprofits, although many are not. The most relevant exclusions for nonprofits typically include:
qualified corporate sponsorship income
royalties
qualified convention or trade show income
interest, dividends, annuities, and certain capital gains
certain rental income
volunteer labor exception
Taxable Subsidiaries. If the gross revenue, net income, and/or staff time devoted to unrelated business activities become “substantial” in relation to the tax-exempt functions of a nonprofit (thereby jeopardizing its tax-exempt status), the nonprofit can “spin off” one or more of the unrelated activities into a separate, but affiliated, wholly-owned entity, commonly referred to as a taxable subsidiary. Such a taxable subsidiary will pay corporate income tax on its net income but can remit the after-tax profits to the parent nonprofit as tax-free dividends; however, the dividends are not tax-deductible for the taxable subsidiary as business expenses.
Note that there is a significant tax advantage to housing unrelated business activities in a taxable subsidiary. For tax-exempt organizations, the expenses of a particular unrelated business can only be used to offset the gross unrelated business income of that particular unrelated business in calculating net income and the corresponding UBIT. However, if the same activities are conducted in a taxable subsidiary, all of the subsidiary’s expenses can be used to offset its gross income before any corporate income tax is imposed on its overall net income, meaning that losses from one activity can be used to offset gains from another activity.
Filing and Payment Requirements. In computing UBIT, a specific deduction of $1,000 is permitted. If a nonprofit has gross unrelated business taxable income of $1,000 or more during its fiscal year, it must file IRS Form 990-T to report such income and pay any tax due. The Form 990-T is due at the same time as the Form 990. However, if a nonprofit expects its annual UBIT (after certain adjustments) to be $500 or more, then it must make estimated tax payments throughout the year. The Form 990-T is subject to public disclosure like the Form 990; however, certain schedules, attachments, and supporting documents that do not relate to the imposition of UBIT do not have to be made available for public inspection.
Corporate Sponsorships
Overview. “Qualified corporate sponsorship payments” are excluded in computing the unrelated business taxable income of tax-exempt nonprofits. A “qualified sponsorship payment” is defined as “any payment [of money, property or services] by any person engaged in a trade or business with respect to which there is no arrangement or expectation that the person will receive any substantial return benefit.” In determining whether a payment is a qualified sponsorship payment, it is irrelevant whether the sponsored activity is related or unrelated to the recipient organization’s tax-exempt purposes. It also is irrelevant whether the sponsored activity is temporary or permanent.
Definition of Substantial Return Benefit. A “substantial return benefit” is defined as any benefit other than: (A) goods, services or other benefits of “insubstantial value”; or (B) a “use or acknowledgment”. A substantial return benefit includes:
advertising;
providing facilities, services or other privileges to the sponsor (or persons designated by the sponsor), unless such privileges are of “insubstantial value”;
granting the sponsor (or persons designated by the sponsor) an exclusive or non-exclusive right to use an intangible asset (e.g., name, logo, trademark, copyright, patent) of the tax-exempt organization; note that while payment for providing a sponsor with the right to use such an intangible asset will not constitute a qualified sponsorship payment, it may constitute a tax-free royalty; or
designating a sponsor as an “exclusive provider.”
Insubstantial Value. Goods, services or other benefits of “insubstantial value” are those that have an aggregate fair market value of not more than 2% of the amount of the payment. Note that if the fair market value of the benefits exceeds 2%, the entire fair market value (as opposed to the cost) of such benefits, not merely the excess amount, is considered a substantial return benefit.
Use or Acknowledgment. A substantial return benefit does not include a “use or acknowledgment” of the name or logo (or product lines) of the sponsor’s trade or business in connection with the activities of the tax-exempt organization. Use or acknowledgment does not include advertising, but may include:
sponsor logos and slogans that do not contain qualitative or comparative descriptions of the sponsor’s products, services, facilities, or company;
a list of the sponsor’s locations (e.g., street addresses), telephone numbers, or website URLs;
value-neutral descriptions (including displays or visual depictions) of the sponsor’s product line(s) or services;
sponsor brand or trade names and product or service listings; and
designating a sponsor as an “exclusive sponsor.”
Logos or slogans that are an established part of the sponsor’s identity are not considered to contain qualitative or comparative descriptions. Mere display or distribution (whether for free or remuneration) of a sponsor’s product by the sponsor or the tax-exempt organization to the general public at a sponsored activity will not be considered an inducement to purchase, sell or use the sponsor’s product and thus will not affect the determination as to whether a payment constitutes a qualified sponsorship payment.
Advertising. “Advertising” is defined as any message or other programming material that is broadcast or otherwise transmitted, published, displayed, or distributed, and that promotes or markets any trade or business, or any service, facility, or product. Advertising includes:
messages containing qualitative or comparative language;
price information or other indications of savings or value;
an endorsement; or
an inducement to purchase, sell or use any company, service, facility, or product.
A single message that contains both advertising and an acknowledgment is considered advertising. The above rules do not apply to activities conducted by a sponsor on its own.
Royalties
Overview. Royalties are excluded in computing the unrelated business taxable income of tax-exempt organizations. This exclusion does not apply to debt-financed income or to royalties received from a “controlled subsidiary.” The IRS defines a “royalty” as any payment received in consideration for the use of a valuable intangible property right, whether or not payment is based on the use made of the intangible property. Payments for the use (even on an exclusive basis) of trademarks, trade names, service marks, copyrights, photographs, facsimile signatures, and members’ names are ordinarily considered royalties and are tax-free. However, payments for services (such as marketing or administrative services) provided in connection with the granting of this type of right are not royalties—and are generally taxable as unrelated business income (unless such services are substantially related to the nonprofit’s purposes, which, in most cases, they are not).
Examples. In an example provided by a federal appeals court in the Sierra Club case, if the Sierra Club manufactured and sold T-shirts with the organization’s logo or other designs on them, the income earned from the sale of such T-shirts would be taxable, as the activity of manufacturing and selling T-shirts is not substantially related to the Sierra Club’s tax-exempt purposes. However, if the Sierra Club created the designs to be screened onto the T-shirts and then licensed those designs to a T-shirt manufacturer in exchange for a fee (perhaps calculated as a percentage of gross T-shirt sales), that income would constitute tax-free royalty income. Sierra Club, Inc. v. Comm’r I.R.S., 86 F.3d 1526 (9th Cir. 1996).
In an example provided by the IRS in a Revenue Ruling, payments for the use of a professional athlete’s name, photograph, likeness, and/or facsimile signature (provided by and through a tax-exempt organization) are generally considered royalties. However, payments for personal appearances and interviews by the athlete (similarly provided by and through a tax-exempt organization) are not excluded as royalties and must be included as income from an unrelated trade or business. Rev. Rul. 81-178, 1981-2 C.B. 135.
Endorsements. When a nonprofit endorses a vendor’s product or service (often referred to as a nonprofit “affinity” program) but does nothing to market the product or service to its members (leaving this task to the vendor), this can be viewed as, in essence, nothing more than an exclusive license of the nonprofit’s name, logo and (sometimes) membership list to the vendor (in connection with the vendor’s promotion and sale of that product or service to the nonprofit’s members, and possibly to others in the industry or profession as well). As stated above, if the nonprofit gets paid for this exclusive license—even if such payments are calculated as a percentage of gross sales of the endorsed product or service to the nonprofit’s members—then the payments will constitute royalties and will be tax-free to the nonprofit. If, however, the nonprofit does market the product or service to its members, then the tax issues become more complex, as described below.
Endorsements can be a useful means for nonprofits to generate non-dues revenue from both members and non-members, promote the nonprofit’s name and brand, and, by extension, the industry or profession in general, and provide a service (e.g., “tailored” products and services, discounted rates/fees, etc.) to nonprofit members.
Options for Structuring Endorsement Arrangements.
Royalties-Only. The endorsement or licensing contract that carries the lowest risk of UBIT liability is one in which the nonprofit licenses its name, logo and/or membership list, exercises quality control over the use of its intangible property by the vendor, and not much more. However, even under this scheme, the IRS and the courts have indicated that the nonprofit may engage in certain limited activities without jeopardizing the tax-free royalty treatment of its income.
Royalties to Nonprofit; Services Income to Third-Party or Taxable Subsidiary. If administrative and/or marketing services are required, from a tax perspective, it is generally preferable to outsource such services to an unrelated third-party, or to the nonprofit’s taxable subsidiary (with the nonprofit and subsidiary entering into separate, independent contracts with the vendor). In a 1999 Private Letter Ruling issued to AARP (Ltr. Rul. 200149043), the IRS validated the use of an AARP-wholly owned taxable subsidiary to provide such administrative and/or marketing services, provided it is done on an arm’s length basis (e.g., fair market valuation of the payments to each entity, financial separation, employee time records, etc.).
Royalties to Nonprofit; Services Income to Nonprofit. If such services must be provided by the nonprofit directly, then the nonprofit’s contract with the vendor should contain separate, distinct provisions—one for the name, logo and/or membership list licensing on the one hand, and one for the administrative and/or marketing services on the other. The fees earned by the nonprofit should be divided between the two sections pursuant to a fair market valuation. The former should be treated as tax-exempt royalty income; the latter as taxable unrelated business income.
Convention and Trade Show Income
Background. Since 1976, one of the Code’s exceptions to unrelated business taxable income is for income received from “qualified convention and trade show activities.” In order to qualify for the safe harbor exception, the nonprofit must “regularly conduct as one of its substantial exempt purposes a show which stimulates interest in, and demand for, the products of a particular industry or segment of an industry or which educates persons in attendance regarding new developments or products and services related to the exempt activities of the organization.” The exception applies to 501(c)(6) tax-exempt entities, as well as to 501(c)(3), (c)(4) and (c)(5) organizations. Prior to 1976, the IRS had started to treat nonprofits’ trade show exhibit fees as subject to UBIT, arguing that such fees were akin to taxable advertising income. Note that these UBIT issues generally do not apply to most of the non-trade show-related convention activities of nonprofits—such as the provision of educational content—as such activities are usually substantially related to the tax-exempt purposes of the nonprofit.
2004 IRS Revenue Ruling. In 2004, the IRS issued Revenue Ruling 2004-112 on the subject of virtual trade shows. With the then-increasing prevalence of the Internet and the ability to offer virtual trade shows, questions began to arise as to whether the offering of a web-based trade show is the type of activity that is “of a kind traditionally conducted at … trade shows” (quoting from Section 513(d) of the Code). The guidance describes two hypothetical scenarios—one involving a Section 501(c)(6) nonprofit that offers a semi-annual virtual trade show in connection with each in-person trade show; the other involving a Section 501(c)(6) nonprofit that offers a virtual trade show not in relation to any in-person trade show.
The Revenue Ruling made clear that the key factor in the analysis of whether virtual trade show activity will be considered subject to the Code’s safe harbor is whether or not the virtual show is conducted ancillary to a live show.
In the first hypothetical scenario, a nonprofit conducts two trade shows a year. In conjunction with such shows, the nonprofit has a separate virtual trade show section of its website available for viewing at all times during such shows, as well as for three days preceding and three days following such shows. The in-person shows in this first scenario are similar to most trade or professional nonprofit shows—they include members of the nonprofit and suppliers to the industry, and exhibitors are charged a fee by the nonprofit in order to participate. The website contains “information and visual displays…and links to the websites of exhibitors represented at the [in-person] trade show.” The website also contains order forms and a function that allows on-line purchases from exhibitors. The nonprofit charges a fee to exhibitors that desire to have information listed on this web page.
According to the IRS, the virtual activities described above fit within the safe harbor for qualified convention and trade show activities because:
The web activities are “ancillary” to the in-person trade shows;
The content of the web section serves to “augment and enhance” the in-person trade shows by making available “in an alternative medium the same information available at the show”; and
The web page is available “during essentially the same limited time period that each trade show is in operation.”
Thus, income generated by the web page will not be subject to UBIT in this scenario.
The second hypothetical scenario provided by the IRS is very similar to the first, except that the organization in the second scenario offers two-week-long virtual trade shows without any connected in-person events. According to the IRS, such activity will not qualify for the safe harbor. The IRS reasoned that the website in this example is “not itself a convention, annual meeting or trade show” within the meaning of the Code, due to the lack of an in-person, face-to-face component.
Current-Day Virtual Trade Shows. Fast forward to 2021. The virtual trade shows of 2021—compared to 2004—are much more interactive. As those nonprofits who have had to transition in 2020 and 2021 from in-person conferences and trade shows to virtual (or hybrid) ones due to the COVID-19 pandemic know, the educational and networking aspects of these virtual trade shows were notable and done in a way not possible in 2004. Today’s virtual conferences and trade shows resemble in many respects their in-person counterparts for which the safe harbor was written. But with no guidance from the IRS since 2004, it is very difficult to say how the IRS would interpret the safe harbor today and apply it to the 2021 virtual (or hybrid) trade show.
Hybrid Trade Shows. Due to the COVID-19 pandemic, it is likely that at least for 2021, and perhaps into 2022, nonprofits will plan to hold many hybrid in-person and virtual conferences and trade shows. The virtual trade show in the first example of the Revenue Ruling featured only “the same information that is available at the [in-person] show” and a function that allows purchases from “members and suppliers represented at the trade show.” But if a nonprofit offered a virtual show in connection with a live show and allowed companies that are not exhibiting at the live show to participate in the virtual show, would this cause the IRS to determine that the virtual show is no longer “ancillary” to the live show and thus not able to qualify as part of the safe harbor? It is simply unclear—as is the application of the 2004 Revenue Ruling to the modern-day virtual-only or hybrid trade show.
No Safe Harbor Does Not Necessarily Mean UBIT. It should be noted that a failure to qualify for the safe harbor does not necessarily mean that the income generated from a virtual trade show will be subject to UBIT. While, in most instances, the IRS likely would take the position that the net income is generated by the sale of advertising-type services and thus subject to UBIT, there may be instances when a nonprofit is able to demonstrate that its activity is substantially related to its tax-exempt purposes even without the help of the safe harbor. Further, if the arrangements with otherwise-exhibiting companies are restructured accordingly, other Code exceptions from UBIT—such as exceptions for corporate sponsorship payments and royalties—may apply to some or all of the income in question.
Conclusion. While the analysis of whether and how the safe harbor applies to current-day virtual or hybrid trade shows is as clear as mud, the ongoing fallout from the pandemic will continue to force nonprofits to consider alternatives to in-person-only conferences and trade shows. The existence of the 2004 Revenue Ruling—unless and until modified by the IRS, which is not likely anytime soon—will continue to pose UBIT risks to nonprofits in the virtual or hybrid trade show environment.
That being said, the 2004 Revenue Ruling, although on the books, does not supersede the clear intent of the Code to provide a safe harbor exception to unrelated business income where a nonprofit conducts an event to educate persons or stimulate interest and demand for products or services of the membership. Therefore, it is arguable that it may not matter whether the activities traditionally conducted at trade shows are done in person or virtually. It would certainly be helpful if the IRS provides guidance in a new and updated Revenue Ruling. Until then, it would be advisable to document how the activities of the trade show meet the Code definitions of the safe harbor.
* * * * *
While paying UBIT is certainly not a bad thing—and nonprofits generally should not let the federal tax laws be the tail that wags the dog—having a thorough understanding of the rules in this area can help nonprofits to plan strategically and attempt to mitigate UBIT to the greatest extent possible.
Most companies will never deal with such a large volume of documents as they might post-acquisition. For compliance teams, managing this data all remotely is even more of a challenge.
So far, 2021 has been an exceptionally busy year for dealmakers and M&A professionals. In just the first half of the year, global mergers and acquisitions totaled $2.8 trillion, up 131% from the same period in 2020, with the strongest showing through June of any year on record, according to Refinitiv. The same report showed that M&A activity in the U.S. more than tripled to $1.3 trillion, another first-half record. In the last few months alone, we’ve seen the completion of numerous powerhouse deals, including AT&T’s WarnerMedia and Discovery merger and Amazon’s astounding $8.45 billion purchase of MGM Studios.
Most companies will never deal with such a large volume of documents as they might post-acquisition. And with more deals being closed remotely, the increased use of remote work apps is adding to this challenge, expanding troves of data across a multitude of platforms and creating a storm of fragmented and unstructured data that makes information more difficult to find, process and derive valuable insights from.
According to market intelligence company IDC, the worldwide volume of data is set to grow from 33 zettabytes in 2018 to 175 zettabytes (or 175 billion terabytes) by 2025, with 80% of it unstructured. From the lens of an M&A professional, unstructured data may mean information buried in existing contracts, old vendor agreements, or IP information, stored within emails and instant messages, virtual meetings, customer interactions, collaborative documents, official records, and almost anything else you can think of with a digital footprint. Combing through these documents manually can risk human error and will certainly cost teams valuable time in searching, processing and understanding all the information that lives across different applications.
This is where it makes sense to look to technology—and in particular, knowledge integration tools—to help manage this process.
The power of knowledge integration within the document review process
Unifying information from various applications within a single repository unleashes the potential for rapid search across several data sources, all at once. While this is beneficial during the pre-acquisition stage—to streamline due diligence, for instance—it can also be a powerful capability for supporting a business post-acquisition, by connecting employees of the newly merged company with knowledge and insights that can boost their productivity. Documents (and even specific text within certain documents) that may have previously taken weeks to collect can now be found instantly, on day one post-acquisition.
Knowledge integration can also help with cutting cost and risk—for instance, by consolidating acquired applications to reduce license costs while retaining the data in one place.
Overall, knowledge integration can help ensure teams are more prepared, responsive, and empowered. Instead of manually sifting through thousands of documents, dealmakers and their teams can shift their focus toward the bigger, more strategic task at hand: successfully meshing two organizations’ cultures and day-to-day operations to become a new entity.
The old adage stands true: You don’t know what you don’t know. This is why it’s so important to understand what constitutes your new world of data after a deal is completed; only then can you begin to identify opportunities to generate greater business value.
For dealmakers, becoming educated on the challenges that unstructured data poses and how that data can be more effectively accessed and managed in a post-acquisition stage is critical. Armed with the right tools, organizations can speed up post-deal day one operations by delivering the information needed to run the business.