The law’s definition of “good faith” is often amorphous, fact specific, and difficult to spell out. No doubt, courts and factfinders have grappled with it for centuries. Yet what explains Maryland’s aversion to interpreting it—or acknowledging it—in the “fair consideration” definition in the Uniform Fraudulent Conveyance Act (UFCA)?

New York and Maryland are the only jurisdictions still applying the UFCA (most other states—43 of them—have moved on to the modernized Uniform Fraudulent Transfer Act), and not surprisingly, New York courts have spilled a lot of ink interpreting and articulating the rights of creditors seeking to void fraudulent conveyances. At this point in New York, there is little ambiguity on what good faith means in the constructive fraudulent conveyance context when insolvent businesses are moving money and assets.

Under the constructive fraudulent conveyance statute of the UFCA,

Every conveyance made and every obligation incurred by a person who is or will be rendered insolvent by it is fraudulent as to creditors without regard to his actual intent, if the conveyance is made or the obligation is incurred without a fair consideration.

“Fair consideration” is provided in exchange for property or an obligation if:

(a) In exchange for such property, or obligation, as a fair equivalent therefor, and in good faith, property is conveyed or an antecedent debt is satisfied, or

(b) The property, or obligation is received in good faith to secure a present advance or antecedent debt in amount not disproportionately small as compared with the value of the property, or obligation obtained.

On a plain reading, the statute permits the avoidance of a transfer as constructively fraudulent even if the debtor receives equivalent value if the plaintiff can prove that the value was not provided in good faith. Striking down such conveyances is permitted regardless of the debtor-transferor’s intent.

In New York, as found in the definition, fair consideration is present when (1) the recipient of the debtor’s property either conveys property in exchange or discharges an antecedent debt; (2) the debtor receives the “fair equivalent” of the property conveyed; and (3) the exchange is undertaken in good faith. See Sharp Int’l Corp. v. State St. Bank & Trust Co. (In re Sharp Int’l Corp.), 403 F.3d 43, 53-54 (2d Cir. 2005). The New York Court of Appeals has identified a few parameters defining “good faith”—an honest belief in the activities in question; no intent to take unconscionable advantage of others; no intent to delay, hinder, or defraud others—and certain circumstances that constitute bad faith as a matter of law; notably, transfers to directors, officers, and shareholders of insolvent corporations in derogation of the rights of general creditors. Farm Stores, Inc. v. School Feeding Corp., 102 A.D.2d 249 (2d Dep’t 1984). Other courts interpreting New York law have interpreted good faith to apply to any transaction between an insolvent corporation and a corporate insider. See Hirsch v. Gersten (In re Centennial Textiles), 220 B.R. 165, 172 (Bankr. S.D.N.Y. 1998) (“under New York law, transfers from an insolvent corporation to an officer, director or major shareholder of that corporation are per se violative of the good faith requirement of DCL § 272 and the fact that the transfer may have been made for a fair equivalent is irrelevant.”); Allen Morris Commercial Real Estate Servs. Co. v. Numismatic Collectors Guild, Inc., No. 90 Civ. 264, 1993 WL 183771, 1993 U.S. Dist. LEXIS 7052, at *28-*30 (S.D.N.Y. May 26, 1993) (“it has been held that transfers from an insolvent corporation to an officer, director and major shareholder of that corporation are per se violative of the good faith requirement of Section 272.”).

Although the fact patterns are often nuanced, it’s undeniable that good faith is of great significance under New York’s UFCA when insolvent businesses are making transfers or entering into transactions with insiders.

Given the robust attention to good faith in New York, it seems safe to assume that the other UFCA jurisdiction—Maryland—might perform a similar test. Or maybe not.

Recently, in United Bank v. Buckingham, 761 F. App’x 185 (4th Cir. 2019), the Fourth Circuit Court of Appeals reversed a decision by the late Judge Roger W. Titus assessing whether fair consideration existed when an insolvent business changed the beneficiary designations on two life insurance policies the company purchased for its CEO.

The judgment creditor bank in the case was owed millions of dollars by the bankrupt debtor business, its CEO, and his wife. Prior to becoming insolvent, the company purchased life insurance policies as an employment benefit to the CEO. Upon the CEO’s death, the company would be reimbursed its premium payments (from the death benefits), and with the beneficiary designated by the CEO receiving the remainder.

After a protracted default by the company, a forbearance agreement between the parties, the CEO diminished by dementia, and his son David appointed guardian, the debtor company’s board approved a sale of the policies. The policies were sold for $110,000—a value determined by the life insurance company pursuant to an IRS formula—to a trust. The trustee of the trust was David, and the beneficiaries were David and his two siblings.

The bank alleged that the transfer of the policies to the trust for only $110,000 was fraudulent because it lacked fair consideration in that the policies were conveyed from the debtor company to the trust despite the fact that the policies were cashed in for $750,000 soon after the sale. The court disagreed with the bank and found that “the $110,000 was a ‘fair equivalent’ for the John Hancock policies.” In short, David—voting for his ill father—and his brother Thomas agreed to transfer the policies from the defunct business to a trust, of which David was both the trustee and a beneficiary, along with his two other siblings, for $110,000 despite evidence that the policies were cashed in for $750,000 after the sale.

The district court’s decision focused solely on fair equivalence and undertook a financial valuation of the policies, ultimately agreeing with David’s position that the policies’ value was $110,000 based on overdue premium payments, negative surrender values, and the fact that the policies were in danger of lapsing and becoming worthless; the policies were also subject to a neutral evaluation from John Hancock based on an IRS-approved formula.

Although the court examined the financial considerations in great detail—and per the “fair equivalent” reference definition—no mention of good faith can be found in the opinion.

In reversing the district court, Judge A. Marvin Quattlebaum, writing for the Fourth Circuit, reversed Judge Titus because there was a genuine factual dispute “concerning the fairness of the consideration” paid for the policies; yet, instead of assessing whether the insolvent business sold the policies for a (1) fair equivalent and (2) in good faith—as the statute requires—the panel held that the trial court had “improperly weighed the evidence” in the defendant’s favor at the summary judgment stage. Indeed, Judge Quattlebaum’s opinion offers no mention of good faith of Maryland’s UFCA (to be fair, he’s not the first to omit it, nor likely the last).

Being on both sides of a transaction is usually a red flag for good faith. See Matter of Bernasconi v. Aeon, LLC, 963 N.Y.S.2d 437 (N.Y. App. Div. 3d Dep’t 2013) (“[W]here . . . a corporate insider participates in both sides of the transfer and the insider controls the transferee, the transfer will be deemed to have been made in bad faith if made to a creditor’s detriment . . . .”) But not here.

Although New York has a robust body of law evaluating good faith and arguably would have denied summary judgment had this case been decided under New York law, the failure of the Buckingham courts to undertake even a minimal good-faith examination of the sale to the trust—and ignore that those voting for the policy would receive the benefits—all raise significant and legitimate doubts as to whether courts are properly interpreting Maryland’s “fair consideration” definition in the UFCA. Although Judge Titus acknowledged Maryland’s deficiency in noting that that there is no dispositive authority as to how to determine fair consideration under specific circumstances, under his and the Fourth Circuit’s interpretation, the “and in good faith” clause may as well have been removed from the “fair consideration” definition found at Md. Code § 15-204. United Bank v. Buckingham, 301 F. Supp. 3d 561 (D. Md. 2018).

Until Maryland’s UFCA “fair consideration” definition is fully interpreted—with at least an acknowledgment to the good-faith clause—creditors may well be advised to seek a nexus to New York law, or a similarly favorable jurisdiction, if they hope to truly enforce their rights.

Since common law, stockholders have enjoyed a qualified right to inspect the corporation’s “books and records” for any “proper purpose”—i.e., a purpose reasonably related to the stockholder’s interests as a stockholder. Codified in state corporation statutes such as section 220 of the Delaware General Corporations Law (DCGL), these stockholder inspection rights were exercised infrequently until the Delaware courts began to encourage stockholders to utilize these “tools at hand” to obtain information necessary to plead demand excusal in derivative actions. As the Delaware Supreme Court noted in the seminal decision of Rales v. Blasband: “Surprisingly, little use has been made of section 220 as an information-gathering tool in the derivative context.” 634 A.2d 927, 935 n.10 (Del. 1993). Over the last 20 years, “Delaware courts have encouraged stockholders to use the ‘tools at hand’ (e.g., Section 220) to gather information before filing complaints that will be subject to heightened pleading standards.” Lavin v. West Corp., 2017 WL 6728702, at *9 (Del. Ch. Dec. 29, 2017). The significant increase in section 220 litigation over the last decade is a testament to the plaintiffs’ bar heeding the Delaware courts’ admonitions.

At the same time that section 220 books and records demands have become commonplace, rapid technological advances have driven the proliferation of the forms of media in which corporate information is kept, including, for instance, e-mails, text messages, and other electronic communications and records not traditionally viewed as a corporation’s “books and records.” The issue is only further complicated by the fact that officers’ and directors’ use of personal computers, smartphones, and personal e-mail accounts potentially renders communications beyond the direct control of the corporations whom the officers and directors serve. Until relatively recently, Delaware courts have been hesitant to compel the production of such “nontraditional” books and records in section 220 litigation, given that the extant jurisprudence dictates that a section 220 summary proceeding is far from coextensive in scope with Rule 34 discovery, and a stockholder is only entitled to those books and records deemed “necessary and essential” to achieving a proper purpose. Typically, board minutes, resolutions, and the like are deemed sufficient because the courts are mindful that a stockholder’s inspection rights must be balanced against the potential for burdensome and abusive “fishing expeditions” that mirror discovery requests in plenary corporate litigation. Nonetheless, as technological advances have expanded the range of media used to conduct business, the law has also evolved regarding access to e-mail, text messages, and other forms of communication as books and records of the corporation. Although still evolving, some general principles have emerged that generally guide when the Delaware courts will permit access to electronic communications in section 220 proceedings.

Who cares? Corporations and their officers and directors absolutely should. Section 220 demands have become virtually a necessary prerequisite to any stockholder derivative action, and the books and records that stockholders receive and use to draft their complaint can be outcome-determinative on a motion to dismiss. Whereas board minutes and more “formal” corporate records will allow little room for “creative interpretation” by the plaintiffs’ bar, the same cannot be said of e-mail communications where plans and decisions are informally deliberated in real time, perhaps satirically or within a context that may not be evident when portrayed with hindsight by counsel whose objective is to prove a breach of fiduciary duty. Although producing e-mails in a books and records case cannot always be avoided, there are steps corporations can take on a clear day to mitigate the risk.

The seminal decision granting access to e-mails is a 2013 nonpublished transcript ruling, Ind. Elec. Workers Pension Tr. Fund IBEW v. Wal–Mart Stores, Inc., 7779–CS, at 97–98 (Del. Ch. May 20, 2013) (Strine, C.), which ironically does not directly address the issue of whether e-mails are corporate records subject to section 220 inspection rights. In Wal-Mart, then-Chancellor Strine ordered the production of private communications between officers and directors concerning an alleged bribery scandal under investigation by the plaintiff. In the process, the issue arose as to whether e-mails and electronic documents created or maintained on personal devices were the appropriate subject of a section 220 demand. The court drew no distinctions between e-mails and documents created by employees upon their personal devices verses those generated within the company’s official systems, concluding that where the documents were created or maintained was not controlling: “In terms of this issue of the home devices . . . if you use your home computer to handle Wal-Mart information, I don’t think that many companies would believe that . . . that makes it their personal information.” Given that the e-mails were deemed corporate records necessary for the plaintiff to conduct its investigation, they were to be produced irrespective of where they were physically created or maintained. Although the unpublished Wal-Mart decision did not directly address when the production of e-mails is appropriate in a section 220 action, its affirmance on appeal was routinely cited by the plaintiffs’ bar for that principle.

The issue arose again in Chammas v. Navlink, Inc., 2016 WL 767714 (Del.Ch. 2016), a case involving a director’s demand for books and records pursuant to the more expansive rights that directors have as compared to stockholders. In Chammas, the director plaintiff sought to “investigate whether ‘the other members of the Board and management are excluding them from board business and related communications,’ including emails prior to Board meetings and alleged Secret Meetings.” Consistent with Wal-Mart, Vice Chancellor Noble first observed that whether a document or communication is stored on the company’s servers is “not necessarily determinative of whether it constitutes a book or record of the company.” More important, the court concluded, is whether the book or record must be “in the possession or control of the corporation.” Second, recognizing the importance of burden considerations in the section 220 context, the court disclaimed that although its “holding is not to be interpreted as a blanket prohibition against inspection of private communications among directors, subjecting Section 220 proceedings to such broad requests, even by directors, runs contrary to the ‘summary nature of a Section 220 proceeding.’” Finally, the court observed that the books and records of the company are “those that affect the corporation’s rights, duties, and obligations . . . .” The court’s ultimate rejection of the demand for e-mails turned on the insufficiency of the plaintiff’s evidence of wrongdoing to warrant their production: “Mere suspicions of pre-meeting collusion among board members or board members and management, in the context of a Section 220 action, is insufficient to compel the production of private communications between such officers and directors . . . .”

The same year Chammas was decided, Vice Chancellor Laster analyzed whether e-mails may be within the scope of books and records obtainable pursuant to section 220. In Amalgamated Bank v. Yahoo! Inc., 132 A.3d 752 (Del. Ch. 2016), a stockholder sought to investigate the hiring of Yahoo’s chief operating officer, and in that connection sought e-mails from the company’s CEO. The court began its analysis by categorically rejecting the argument that e-mails are per se beyond section 220’s scope. Vice Chancellor Laster observed the evolution of corporate record-keeping and the modern reality that virtually all books and records are now kept electronically: “Limiting ‘books and records’ to physical documents ‘could cause Section 220 to become obsolete or ineffective.’” The court then relied upon Wal-Mart to reject the argument that the company’s search for documents would be limited to the company’s devices, as opposed to a custodian’s personal device, holding that “a corporate record retains its character regardless of the medium used to create it.” As for the test to determine whether e-mails must be produced, the court limited itself to a single consideration: “As with other categories of documents subject to production under Section 220, what matters is whether the record is essential and sufficient to satisfy the stockholder’s proper purpose, not its source.”

A few years later in Schnatter v. Papa John’s International, Inc., 2019 WL 194634 (Del. Ch. 2019), Chancellor Bouchard addressed the test suggested in Chammas as to whether e-mails (or any documents) are deemed books and records of the company—i.e., whether they are “those that affect the corporation’s rights, duties, and obligations . . . .” The defendant in Papa John’s resisted production of e-mails between directors discussing former director Schnatter, citing Chammas and claiming that “Schnatter is just curious about what his fellow fiduciaries were saying about him.” The court rejected the argument because the scope of documents ordered to be produced would be limited to those related to the plaintiff’s proper purpose, thus satisfying the standard. Commenting further, Chancellor Bouchard then effectively agreed with Vice Chancellor Laster’s reasoning for producing e-mails as articulated in Yahoo, albeit qualified by consideration of the additional costs inherent in producing electronic communications:

A further word is in order regarding emails and text messages from personal accounts and devices. The reality of today’s world is that people communicate in many more ways than ever before, aided by technological advances that are convenient and efficient to use. Although some methods of communication (e.g., text messages) present greater challenges for collection and review than others, and thus may impose more expense on the company to produce, the utility of Section 220 as a means of investigating mismanagement would be undermined if the court categorically were to rule out the need to produce communications in these formats.

Citing then-Chancellor Strine’s decision in Wal-mart, the court held that “if the custodians identified here . . . used personal accounts and devices to communicate about changing the Company’s relationship with Schnatter, they should expect to provide that information to the Company.” Expressly disclaiming the promulgation of any bright-line rule, Chancellor Bouchard grounded the analysis in “balanc[ing] the need for the information sought against the burdens of production and the availability of the information from other sources, as the statute contemplates.”

If there were any question about whether e-mails are properly within the scope of section 220 demands, the Delaware Supreme Court resolved it in KT4 Partners LLC v. Palantir Technologies Inc., 203 A.2d 738 (Del. 2018). In Palantir, after a potential sale of the company fell through because Palantir allegedly thwarted the deal and KT$ sought information pursuant to its far-reaching rights under an “Investors Rights Agreement,” Palantir allegedly amended the agreement to curtail KT4’s rights. KT4 made a demand to inspect Palantir’s books and records under section 220 of the DGCL for the purpose of investigating “fraud, mismanagement, abuse and breach of fiduciary duty.” Palantir rejected the demand, and KT4 commenced a section 220 action in the Delaware Court of Chancery. Following trial, Vice Chancellor Slights held that KT4 had shown a proper purpose of investigating potential wrongdoing in multiple areas, including Palantir’s amendment of the Investors’ Rights Agreement in ways that “eviscerated” KT4’s contractual information rights after KT4 sought to exercise those rights. The court specifically held that KT4 was entitled to “all books and records relating to” the amendments to the Investors’ Rights Agreement. After the parties were unable to agree on whether the books and records to be produced were to include e-mails, the court issued a final order that excluded e-mails from the documents that Palantir would be required to produce. The court reasoned in part that e-mails were not essential to fulfill KT4’s stated investigative purpose, based on the (mistaken) understanding that Palantir possessed and would produce formal board-level documents relating to the amendments of the Investors’ Rights Agreement, rendering a further production of e-mail unnecessary for KT4’s purpose. 

KT4 appealed the Court of Chancery’s ruling. Importantly, on appeal, Palantir conceded that other than the amendments to the Investors’ Rights Agreement themselves, responsive nonemail documents did not exist, and that e-mails related to the amendments did exist. The Delaware Supreme Court held that the e-mails plaintiff sought were necessary and essential to investigating the alleged wrongdoing because the defendant admitted other, more traditional forms of books and records did not exist. Insofar as being required to produce e-mails was concerned, the Supreme Court viewed Palantir’s obligation as a self-inflicted wound. As the Supreme Court made clear, “if a company observes traditional formalities, such as documenting its actions through board minutes, resolutions and official letters, it will likely be able to satisfy a Section 220 petitioner’s needs solely by producing those books and records.” The court conversely cautioned that “if a respondent in a § 220 action conducts formal corporate business without documenting its actions in minutes and board resolutions or other formal means, but maintains its records of the key communications only in emails, the respondent has no one to blame but itself for making the production of those emails necessary.” 

* * *

The foregoing cases illustrate several principles inherent in any analysis of whether electronic communications will be ordered produced in section 220 litigation. First, electronic communications are deemed corporate records that may be ordered in section 220 proceedings, but only to the extent that they are “necessary and essential” to the plaintiff’s investigation. Second, whether or not the electronic communications reside on the corporation’s servers or personal devices, if they are necessary and essential to the plaintiff’s investigation, they may subject to an order compelling production. Third, although e-mails may be ordered to be produced in section 220 litigation, the cost and burden of such a production will weigh considerably in the court’s final determination. And finally, Palantir serves as an admonition to corporate boards and their counsel to be mindful to observe corporate formalities and appropriately document board meetings and actions through minutes, resolutions, and other official materials, and avoid conducting “formal corporate business . . . through informal electronic communications.” Absent proper recordkeeping and formal documentation of the board’s decisions, there is risk that a corporate respondent in a section 220 action may be ordered to produce e-mails as “necessary and essential” to satisfying a stockholder’s books and records demand.

Mr. Blanchard is a partner at Morgan, Lewis & Bockius LLP. He represents clients in all facets of shareholder litigation, class actions, securities enforcement matters, investigations, and business disputes. The views expressed by the author are his alone and are not the views of Morgan Lewis or the firms’ clients. This article is for information purposes only and does not constitute legal advice.

The following is excerpted from Chapter 16 of Law of Artificial Intelligence and Smart Machines: Understanding A.I. and the Legal Impact.

Robots, and autonomous vehicles (AVs) in particular, act in the physical world.  Accidents involving these systems are inevitable.  Some of these accidents will cause catastrophic injury for those involved in the accident.  Even worse, if a defect or cyber attack could compromise every instance of a particular robot or an entire network, fleet, or industry, the defect or attack could cause widespread simultaneous accidents throughout the country or even the world.  Imagine, for instance, a future in which regional transportation centers in metropolitan centers control the dispatch and navigation of AVs in the region.  Imagine further that a sudden defect causes all the AVs under control of the system to crash all at once in a major metropolitan area like New York.  The impact of such an event in terms of harm, property damage, injury, and deaths could easily exceed an event like the attacks on September 11, 2001.

In 2012, I had the opportunity to speak at the Driverless Car Summit presented by the Association of Unmanned Vehicle Systems International.  The conference organizers polled the audience which, although admittedly unscientific, did provide a data point about industry views on product liability.  One polling question asked attendees to identify the chief obstacle to the deployment of AVs, and the top answer was “legal issues.”  The proceedings of the conference identified this issue as well.[1]  Although the poll did not break down the issues among compliance and liability, I suspect that liability is the larger perceived issue.  Indeed, some people have identified product liability suits are an existential threat to autonomous driving.[2]

In the worst-case scenario for the industry, manufacturers could face numerous suits that force some of them to exit the robotics market and cause others to decide not to enter the market in the first place.  They could perceive that the sales are not worth the risk.  Such an outcome could be tragic if it results in manufacturers not bringing otherwise life-saving and socially beneficial robots to the market.  Manufacturers, however, can implement practices to minimize the likelihood, frequency, and magnitude of accidents, and thereby control the risk of liability.  By implementing these practices, manufacturers can maintain the profitability they would need to offer robots in the market.

Managing the Risk of Robot Product Liability

Given the large human and financial consequences of defective products, manufacturers seek to manage the risk of product liability litigation and costly recalls.  What can a robot, AV, or AI system manufacturer do to reduce the likelihood of company-ending product liability litigation?  Most importantly, if manufacturers can proactively prevent defects and resulting accidents from occurring in the first place, they can prevent the need to defend product liability claims.  Planning for improved safety can enable manufacturers to make safer products that are less likely to cause accidents and trigger product suits.

Of course, accidents may occur anyway and with any widely-deployed robot, AV, or AI system, a manufacturer can foresee that accidents are inevitable.  Nonetheless, a proactive approach to risk management would permit a manufacturer to put itself in the best position possible to prevail in product liability cases based on the inevitable accidents.  A proactive approach to design safety means that the manufacturer takes the steps today to implement a commitment to safety, which will minimize its risk from future suits.  History shows that juror anger fuels outsize verdicts.  If a proactive manufacturer takes the concrete and effective steps to implement a commitment to safety, it will be able to tell a future jury why its products were safe and how it truly cared about safety.  Such actions will place the manufacturer in the best possible light when, despite all these safety measures, an accident does occur.

Making the commitment to safety upfront is crucial.  As one commentator stated, “The most effective way for [counsel for] a corporate defendant to reduce anger toward his or her client is to show all the ways that the client went beyond what was required by the law
or industry practice.”[3]  Going beyond minimum standards is important because, first, juries may look at minimum standards skeptically, thinking that the industry set the bar too low.  Moreover, juries expect that manufacturers know more about their product than any ordinary “reasonable person,” which is the standard for judging a defendant in a negligence action.  Juries expect more from manufacturers.  “A successful defense can also be supported by walking jurors through the relevant manufacturing or decision-making process, showing all of the testing, checking, and follow-up actions that were included.  Jurors who have no familiarity with complex business processes are often impressed with all of the thought that went into the process and all of the precautions that were taken.”[4]  The most important thing to a jury is that the manufacturer tried hard to do the right thing.[5]  Accordingly, a manufacturer that goes above and beyond minimum industry standards is in the best position to minimize the likelihood of juror anger and minimize possible product liability risk.

Any proactive approach to product safety should begin with a thorough risk analysis.  A risk analysis would look at the types of problems that could arise with a product, how likely these problems could occur, and the likely frequency and impact of these problems.  After completing this analysis, a manufacturer can analyze its robot or AI product design in light of the risks.  It can change design and engineering practices to address potential issues and prioritize risk mitigation measures based on what it sees as the most significant risks.  In implementing this risk management process, a manufacturer may obtain guidance from a number of standards relevant to robots and AI systems.  In the field of AVs, examples include:

• ISO 31000 “Risk management – Guidelines” (regarding the risk management process).
• Software development guidelines from the Motor Industry Software Reliability Association.
• IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems (safety standard for electronic systems and software).
• ISO 26262 family of “Functional Safety” standards implementing IEC 61508 for the functional safety of electronic systems and software for autos.

Adherence to international standards may not insulate a manufacturer from liability, whether in front of a jury or as a matter of law.  Nonetheless, following international standards increases the credibility of a manufacturer’s risk management program.  Also, following standards helps a manufacturer create a framework of controls for its risk management process.  Such a framework would make implementation and assessment easier.  Therefore, organizing a risk management program based on the methods specified in international standards provides an important basis for defending later product liability litigation.

In addition to adhering to international standards, insurance will play an important role in managing robot and AI product liability risk.  Insurance functions to shift product liability risk to insurance carriers.  In exchange for paying a premium, a manufacturer’s insurance carriers will defend and indemnify manufacturers for losses and pay for settlements or judgments to resolve third party claims.  The insurance industry is in the early stages of understanding robot and AI risk and creating coverage that effectively manages risk.[6]  As businesses and consumers deploy robots and AI systems more broadly, insurers will create insurance programs for third party accident and liability risks.  Some of those risks may include privacy and security breaches.  One barrier to effective insurance programs is the lack of loss experience data to assist in the underwriting process.  To start writing policies for given robots or AI systems, however, insurance carriers are likely to look at analogous conventional products.[7]  In the short run, manufacturers may need to tailor-make insurance coverage with bespoke policies that fit their risk profiles.  Over time, carriers will enter the market and create standard policies, reducing premium costs over the longer run.

Beyond the most immediate internal safe design steps and insurance programs, manufacturers of a given type of robot or AI system may be able to act jointly to mitigate risk to the entire industry sector (subject to possible antitrust issues involving joint action).  For instance, they may work on safety and information security standards to promote safe practices within the industry sector.  Trade groups and purchasing consortia can help manufacturers promote the safety among component manufacturers.  Finally, an industry sector may want to create and maintain information sharing groups to develop and promote safety practices among industry participants.

During the design process, effective records and information management (RIM) will help a manufacturer document and evidence its commitment to safety.  Documents generated contemporaneously with the design process can memorialize a manufacturer’s safety program and the steps it takes to fulfill its commitment to safety.  In any product liability suit, a witness could certainly testify about the manufacturer’s safety program.  Nonetheless, without corroborating contemporaneously recorded documentation, there is a risk that the jury would find any such testimony to be self-serving and thus disbelieve it.  In this vein, wholesale destruction of all design documents of a certain age may be as bad as retaining too many documents.  Archiving the right documents in preparation of future litigation will help the business defend itself in the future.  Effective RIM may win cases, while poor RIM may lose cases.

Finally, some pre-litigation strategies may further reduce product liability risks.  For example, manufacturers can work with jury consultants to advise the manufacturer in the defense of a product liability case.  They can focus on ways the manufacturer can place its safety program in the best light to avoid impressions that would anger a jury.  Moreover, a manufacturer may want to create a network of defense experts familiar with their robotics or AI technologies.  These experts can help educate jurors about various engineering, information technology, and safety considerations.  Further, attorneys representing AI and robotics manufacturers may work within existing bar groups or form new ones to share specialized knowledge, sample briefs, case developments, and other information helpful to the defense of product liability cases.

[1] E.g., Autonomous Solutions Inc., 5 Key Takeaways From AUVSI’s Driverless Car Summit 2012 (Jul. 12, 2012) (“Some of the largest obstacles to autonomous consumer vehicles are the legalities.”).  Reports from Lloyd’s of London and the University of Texas listed product liability as among the top obstacles for AVs.  Lloyd’s, Autonomous Vehicles Handing Over Control:  Opportunities and Risks for Insurance 8 (2014) [hereinafter, “Lloyd’s Paper”]; University of Texas, Autonomous Vehicles in Texas 5 (2014).

[2] See, e.g., Tim Worstall, When Should Your Driverless Car From Google Be Allowed To Kill You?, Forbes, Jun. 18, 2014 (“the worst outcome would be that said liability isn’t sorted out so that we never do get the mass manufacturing and adoption of driverless cars”), http://www.forbes.com/sites/timworstall/2014/06/18/when-should-your-driverless-car-from-google-be-allowed-to-kill-you/.

[3] Robert D. Minick & Dorothy K. Kagehiro, Understanding Juror Emotions:  Anger Management in the Courtroom, For the Defense, July 2004, at 2 (emphasis added), http://www.krollontrack.com/publications/tg_forthedefense_robertminick-dorothyhagehiro070104.pdf.

[4] Id.

[5] See id.

[6] See generally Lloyd’s Paper, supra note 1.

[7] Cf. David Beyer et al., Risk Product Liability Trends, Triggers, and Insurance in Commercial Aerial Robots 20 (Apr. 5, 2014) (describing the development of insurance coverage for drones), available at http://robots.law.miami.edu/2014/wp-content/uploads/2013/06/Beyer-Dulo-Townsley-and-Wu_Unmanned-Systems-Liability-and-Insurance-Trends_WE-ROBOT-2014-Conference.pdf.

Introduction

A plaintiff is seeking class-action status in his lawsuit against Square, the electronics payments company. The facts as alleged are that the plaintiff received treatment from a medical provider who used Square to execute a credit-card payment for the medical service. Inexplicably thereafter, “Square allegedly sent a text message linking to a digital invoice with information about the treatment he received to a friend (of the patient allegedly without authorization).”

I know nothing about what happened with the Square technology, what information to which Square had access from the patient’s credit card, how Square uses the information it garners, or whether Square has access to user’s personal contacts, including their phone numbers. What I do know is that Square most assuredly did not want the alleged event to form the basis of a lawsuit and did not want negative coverage from the news outlets. Worse, as reported in the Wall Street Journal on July 2, 2019, “misfired receipts issued by Square have ruined surprise gifts, spilled secrets, informed spouses of the spending habits of their significant other and unnerved consumers who wonder how stores got their contact information when they don’t remember providing it . . . .”

Self-preservation and stock valuations would seem to dictate that these news reports and lawsuits are not good for business. I believe Square is a good corporate citizen. I also believe Square, like so many other businesses, do not actually know how they handle all of the information to which they have access in every given situation. It is easy to be critical of Square’s alleged failure but much more difficult to be perfect when managing information today because there is so much of it, and it is moving at the speed of light through networks the company does not necessarily own or control.

Most companies are at a tipping point as they collect, grab, mismanage, misdirect, expose, lose, and improperly share electronic information day in and day out with greater downside, and they are not fixing the problem because most businesses do not have a good sense of the electronic information assets in their “care, custody or control.” However, there are constructive measures that businesses can take that won’t break the bank, can add value, and can even be accretive to the bottom line.

This article is meant for every business because every business has information, and every business could be doing a better job at wrangling it.

Why Every Company Should Know More About Its Information

Like any company asset, the company and its executives are remiss if they mismanage any company information asset. That is why every container moving through the global shipping network is tagged, monitored, and essentially babysat so that the owner of the container or its contents—or the truck, train, or ship on which the container sits—know its whereabouts at all times. Similarly, produce growers who sell their products through a major retailer, for example, are using blockchain technology to create an immutable record that travels with the plant from sprout to plate to document provenance and safety. Such technology would allow immediate recall if claims of product adulteration are alleged. Payments to vendors above a certain amount require the approval of higher-level executives who are specifically tasked with managing company assets. Company inventories are generally tightly controlled with sophisticated barcoding and GPS because loss or pilferage impacts the bottom line.

When it comes to managing information assets, however, most companies are not managing information like other company assets, and that must change. After all, information allows the company to better respond to customer needs, plan for the future, and generally advance business while protecting legal interests. That is just the beginning: information is increasingly a commodity that is sold, traded, and transformative for a business. That is certainly worth protecting, but information is still the often-discussed valuable “step-child” to whom companies do not show nearly enough real love.

What Is “Care, Custody, and Control” in 2020?

In the old days before the widespread use of computers, having control over company information was not really an issue. Information existed in paper form at employees’ desks or in banker’s boxes at a storage facility. The proliferation of information was limited to the copy machine, and companies did not really have to worry much about having their information exposed or stolen in wholesale form.

Then came the roaring 1990s with the growth of the internet, e-mail, and networked systems that changed the calculus completely. Information became transportable and easily misdirected or misappropriated. Controlling information was a completely new paradigm. Further confounding matters was that more business processes were outsourced, which meant that third parties working on behalf of companies arguably now had “care, custody, and control” over company information and may have believed that the information was theirs. The move to the Cloud complicated things still further as more and more company information was stored in another company’s servers, and doing business in social media environments meant that evidence of those transactions was “trapped” in someone else’s software and/or hardware. In other words, in this brave new information world, knowing what information is yours, where it is, who else has access to it, and what contracts give others rights to use it has created a completely new challenge.

Six Steps to Take Stock

Not surprisingly, getting a handle on your information assets to take back control is essential, but is not so simple. Businesses should take the following six steps to better control their electronic information.

1. Take an Inventory

The only way to know what information resources a company possesses is by looking. That doesn’t mean that the company can inventory each and every file, but rather use tools (some of which the company likely already owns) to understand what information exists, the business units to which it relates, and the storage locations and servers on which it is parked, etc. What is in the structured databases, and what information resides in unstructured share drive environments? What is the aging and continued use of the data? Do records retention rules allow the information to be disposed? This can do several valuable things. Knowing where your information lives will promote a methodical and less burdensome litigation response and discovery process. Assessing content using analytics tools can help unearth trade secrets and personally identifiable information (PII) that is stored in locations that pose a greater risk of exposure. Mostly, however, knowing what information assets the company possesses and where the information is promotes a better business in various ways.

2. Understand What Contracts Dictate

Every business unit likely has various business relationships with partners and third parties working on behalf of the company. Those relationships likely have been memorialized in contracts, which may delineate who owns the information, what rules apply to it, who can use it and how and with whom it can be shared, what happens when litigation arises, etc. The company should develop a process to understand what contracts exist that implicate company information. Thereafter, the company should develop standardized language for contracts that deal with all relevant information issues, such as access, ownership, responsibilities, and costs in responding to requests for information and so on. Building consistency in contracts through proactive, well-thought-out, boilerplate language will begin to build a better information ecosystem.

There is another contract activity that should be undertaken as well. Companies should know what “agreements” exist between the company and customers or potential customers. If a company tells employees information will not be shared, then the company must comply. Saying the company is complying and making sure everyone is actually complying is a different story. Conduct routine audits to ensure the company and all of its movable parts are following suit. One last thing is that contract language telling nonlawyers about what the company may do with information should be devoid of legalese and should be brain-dead simple. In this environment, saying the customer “waived” his or her right to object to the company selling information because the customer could have reviewed the linked legal language (which is multiple pages of lawyerly drivel) is not prudent.

3. Assess Third-Party Actions

Separate but related to step two is getting a handle on what is being done with your information. Beyond contract language, what third parties have access to or use of your company information? Once it is determined who, it’s important to understand what others are doing with that information. The Facebook/Cambridge Analytica fiasco is a good reminder of why it is important to understand not only what your employees are doing, but also what others may be doing as well.

Additionally, your company should understand what its own employees are doing with other companies’ or individuals’ information inside your company. If a business unit shares information from a partner it did not realize should not be shared, there could be substantial consequences. In other words, your company should be on top of where its information comes from and where it goes at a macro level to help promote less information chaos, mitigate liability, and better its business.

4. Assess What Employees Do in the Company’s Name in the Social World

If your company is like most today, multiple business units are doing real business in various social network or media environments. Maybe it is looking for new hires or marketing products and doing competitive analysis. That is great for business, but invariably the company is parking company information in an environment that is outside its control. The social environments are not inclined to accommodate your information needs and apply your information rules, even if you are paying for their service.

5. Understand Where Employees Park Company Information

With the proliferation of cloud computing and working from home came the reality that company information moves to myriad places without the company knowing. With data loss prevention (DLP) tools and similar monitoring applications, companies increasingly can watch and stop the movement of data leaving it, but the reality is that more and more information is parked outside a company computer by more and more employees for various reasons. Efforts should be undertaken to reign that in through policy and technology to monitor and audit the flow of information.

6. Understand Information Created by IoT Devices

Increasingly, noncomputing devices that assess, collect, or distribute information in many business processes (commonly referred to as IoT) are being added to companies usually without much thought about the information output created. Companies must assess each and every business process that is using an IoT device or appliance and determine what information is collected, by whom, where the information is stored, and who has access to and use of it.

Create an Information Asset Register

Whether it is inventorying databases, understanding what third-party applications are used to conduct business, or applying IoT devices likely transforming your business, keeping track of this organically growing and morphing ecosystem of information is increasingly complex and begs for management. One of the concrete steps companies can take to address the chaos is to centralize the process of sizing up all the information inputs and outflows in an Information Asset Register (IAR). This process will routinize the collection of information, and the IAR will provide a centralized view of all things information that can drive business efficiency and mitigate risk.

Avoiding Things That Explode

The information landscape of most companies looks like the data equivalent of a “yard sale”—stuff everywhere without rhyme or reason; chaos that does not reflect the true value of the objects. What we have learned from so many horror stories is that every company is on the brink of disaster if it does not get its informational act together. Put another way, mismanagement has no upside, loads of downside, and there are ample horror stories to prove it.

For example, Facebook regularly graces the front cover of many news outlets with yet another story of how it is “breaching the public trust” or exposing, selling, or otherwise misusing personal information. Because of prior issues, Facebook must now deal with a steady diet of U.S. and foreign regulators seeking to ensure it is following past agreements and not running afoul of the law anew.

Whether it is a litigation headache with a cloud provider who does not have the technical personnel available to accommodate helping with discovery requests on your tight timeframe, or the inability to find the final contract documenting in an important transaction, information mismanagement is bountiful, inconvenient, and expensive.

The Tale of Two Companies

A client recently realized that it had tens of thousands of information storage tapes on which it had never conducted discovery despite the fact that the company has hundreds of active lawsuits at any given time. That’s a company problem waiting to explode. As the head of an information governance consultancy, we have helped many companies clean up their information chaos, sometimes reactively and sometimes proactively. In the process, we have learned that being proactive is much less costly and painful.

Another client is migrating to Office 365 and rather than move outdated digital data detritus, we helped them clean out the crud. That’s a company taking stock now so that it doesn’t explode later. That same client just finished a project to crawl their share drive environments and e-mail to find and lock down all PII. Although this client used our help, great companies have great employees who can get a lot accomplished with thought, planning, and guidance from their lawyers. In other words, just because cleaning up the past is tough doesn’t mean you can’t or shouldn’t do it.

Conclusion—The Gift That Keeps Giving

If you have had any bad information event, what you quickly realize is that problems tend to be more painful than originally expected. For example, a west coast gas and electric company penalized by the state for failing to properly manage records now has a regulator routinely in the company’s “shorts,” ensuring it takes the necessary corrective action for years to come. Additionally, an attack on the way your company managed information on one occasion can be extrapolated to all situations if the same process and technology is always used. Finally, Facebook is a reminder that breaching the trust of users or customers comes with a heavy price. The court of public opinion is difficult to change, and the last thing your company wants to lose is its customers. Information flows and customers vote with their feet. Take stock now.

Randolph Kahn’s forthcoming book The Executive’s Guide to Navigating the Information Universe will help companies understand the opportunities and risks presented by harnessing and harvesting information.