The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank) was enacted in the wake of the 2008 financial crisis. Although reforms under Dodd-Frank primarily targeted large banks, they have affected banks of all sizes. During the years of implementation of Dodd-Frank, it became clear that the regulatory tightening in response to the crisis was becoming onerous especially for smaller community banks. In response, Congress, led by Senate Banking Committee Chairman Mike Crapo, passed the Economic Growth, Regulatory Relief and Consumer Protection Act of 2018, Pub. L. 115-174 (the Crapo Act). As a result of the relief provided by the Crapo Act, in addition to the current market environment for smaller banks, the industry expects to see increased merger and acquisition activity for both regional and community banks.

This new law provides meaningful relief for many financial institutions while keeping the basic framework of Dodd-Frank intact. However, many commentators have focused on the regulatory relief it grants to larger regional banking organizations. Specifically, it raises the asset threshold from $50 billion up to $250 billion for the systemically important financial institution designation at which enhanced prudential standards apply. These standards include, among other things, comprehensive, company-run stress tests. Prior to the Crapo Act, banking organizations had been reluctant to undertake mergers that would create a combined company exceeding $50 billion in assets because of the additional costs and regulatory scrutiny associated with enhanced prudential standards.

Although the Crapo Act reduces the regulatory burden for about two-dozen regional banks, it has a much more widespread effect on the nation’s community banks. (Federal Reserve Statistical Release, Large Commercial Banks as of March 31, 2018; see also Federal Reserve, National Information Center (there were 4,657 commercial banks, 481 savings banks, and 167 savings and loans chartered in the United States with assets less than $10 billion as of June 30, 2018)). Regulatory relief is granted to community banks through a few different avenues. (See Gregory J. Hudson & Joseph E. Silvia, Crapo Helps Community Banks, 135 Banking L.J. 456 (Sept. 2018 (discussion on how the Crapo Act reduces the regulatory burden for community banks)). This includes capital simplification, extended examination cycles, reduced reporting requirements, and increased simplicity for small bank holding companies to finance the acquisition of banks. More specifically, the Crapo Act lays out a capital simplification scheme through the establishment of the “community bank leverage ratio,” it raised banks’ eligibility for an 18-month exam cycle from $1 billion to $3 billion in assets, and made short-form call reports available for banks under $5 billion. Banking organizations with assets less than $10 billion are also provided relief from the prohibitions on proprietary trading and relationships with hedge funds and private equity funds under section 13 of the Bank Holding Company Act—the so-called Volcker Rule.

Finally, the Crapo Act reforms expanded the number of institutions eligible to use debt to facilitate bank merger and acquisition transactions. This was accomplished by amending the Federal Reserve’s Small Bank Holding Company Policy Statement (the Policy Statement), which we review below.

Small Bank Holding Company Policy Statement

On August 30, 2018, the Federal Reserve published an interim final rule in the Federal Register, which was effective the same day and implements relevant provisions of the Crapo Act by expanding the applicability of the Policy Statement through an increase in the Policy Statement’s asset threshold from $1 billion to $3 billion in total consolidated assets. The Policy Statement also applies to savings and loan holding companies with less than $3 billion in total consolidated assets.

Almost 40 years ago, the Federal Reserve acknowledged that small bank holding companies have less access to equity financing than larger bank holding companies; therefore, the transfer of small-bank ownership often requires acquisition debt, which was previously unavailable to them. Accordingly, the Federal Reserve originally adopted the Policy Statement in 1980 to allow small bank holding companies to assume debt at levels higher than typically permitted for larger bank holding companies. (Regulation Y, 12 C.F.R. § 225, Appendix C to Part 225 (Small Bank Holding Company and Savings and Loan Holding Company Policy Statement)). Under the Policy Statement, holding companies meeting the qualitative requirements described in Regulation Y may use debt to finance up to 75 percent of an acquisition, subject to the following ongoing requirements:

1. Small bank holding companies must reduce their parent company debt consistent with the requirement that all debt be retired within 25 years of being incurred. The Federal Reserve also expects that these bank holding companies reach a debt-to-equity ratio of .30:1 or less within 12 years of the incurrence of the debt. The bank holding company must also comply with debt servicing and other requirements imposed by its creditors.
2. Each insured depository subsidiary of a small bank holding company is expected to be well capitalized. Any institution that is not well capitalized is expected to become well capitalized within a brief period of time.
3. A small bank holding company whose debt-to-equity ratio is greater than 1:1 is not expected to pay corporate dividends until such time as it reduces its debt-to-equity ratio to 1:1 or less and otherwise meets the criteria set forth in Regulation Y. (See 12 C.F.R. § 225.14(c)(1)(ii), 225.14(c)(2), 225.14(c)(7)).

This marks the third time the Policy Statement has been amended. It was previously revised in 2006 to raise the asset threshold from $150 million to $500 million. In 2015, the asset threshold was raised further from $500 million to $1 billion, and the scope of the Policy Statement was expanded to include savings and loan holding companies.

Legislation Encourages Bank M&A Activity

When the Policy Statement was first adopted in 1980, there were more than 14,000 commercial banks, according to the FDIC’s Historical Statistics on Banking. Today, there are less than 4,900 commercial banks. Bank failures play a role in the decline in the number of banks, but so do mergers and acquisitions. Over the last 10 years, there were approximately 2,300 bank mergers in the United States.

There are a number of factors beyond just regulatory relief that could drive further consolidation across the banking industry. Yet, the reforms implemented under the Crapo Act will encourage merger and acquisition activity. Regional banks have been reluctant to complete acquisitions that would push their asset size above the $50 billion threshold due to the enhanced prudential standards that would then apply. However, the Crapo Act’s increase in that threshold allows many regional banks to complete substantial acquisitions while remaining well below the new $250 billion threshold.

In addition, the revised Policy Statement allows an additional 280 small bank holding companies to use debt to facilitate acquisitions of other smaller banks. As a result, there are now 3,670 holding companies that can take advantage of the Policy Statement. The increased asset thresholds for the applicability of the enhanced prudential standards, along with the increased asset threshold for small bank holding companies to take advantage of the Policy Statement, is expected to result in further consolidation of the industry through increased merger and acquisition activity.

Gregory J. Hudson is director of examinations at the Federal Reserve Bank of Dallas where he oversees the regulatory supervision of banks and holding companies. Joseph E. Silvia is senior counsel in the Banking and Financial Services Department and a member of the Bank Corporate Group in the Chicago office of Chapman and Cutler, LLP. Messrs. Silvia and Hudson currently serve as chair and vice chair of the ABA Banking Law Subcommittee on Community Banks and Mutual Savings Associations. The authors thank Mimi Connors for her assistance. The views expressed do not necessarily reflect the official positions of the Federal Reserve System.

Interpretation of the Federal Arbitration Act (FAA) has been a frequent issue considered by the U.S. Supreme Court this year. On October 29, 2018, the Supreme Court heard oral argument in Lamps Plus, Inc. v. Varela, No. 17-988. In Lamps Plus, the Court considered whether the FAA precludes a state-law interpretation of an arbitration agreement that would authorize class arbitration based solely on general language commonly used in arbitration agreements. The Court’s analysis in answering this question will necessarily implicate its prior ruling in a 2010 decision, Stolt-Nielsen, S.A. v. AnimalFeeds International Corp., wherein the Court held that in light of the fundamental differences between class and bilateral (one-on-one) arbitration, class arbitration cannot be required unless there is a specific contractual provision in the agreement that would support the conclusion that the parties agreed to arbitrate as a class. As a result of the decision in Stol-Nielsent, courts will not presume that an agreement to arbitrate exists based upon the fact that the agreement in question is silent on the issue of class arbitration or based upon the mere fact that the parties agreed to arbitrate at all.

Despite this precedent, a divided panel of the U.S. Court of Appeals for the Ninth Circuit, utilizing state contract construction canons, determined that the parties in the Lamps Plus dispute had agreed to class arbitration based upon the standard language in their agreement, which stated that “arbitration shall be in lieu of any and all lawsuits or other civil proceedings,” and which provided a description of the substantive claims subject to arbitration. The Ninth Circuit’s decision contradicts decisions by a multitude of other appellate courts, i.e., the Third, Fifth, Sixth, Seventh, and Eighth Circuits, all of which have concluded that the FAA preempts state contract law in determining this issue because the FAA requires affirmative evidence of consent as a matter of federal law.

By way of factual background, this case arose out of a class-action lawsuit initiated by Frank Varela against his employer, Lamps Plus, which had inadvertently released Varela’s personally identifiable information (PII) and that of other employees in connection with a third-party phishing scam. In response to Varela’s lawsuit filed in the U.S. District Court for the Central District of California, Lamps Plus sought to compel arbitration based upon the provisions of Varela’s employment agreement, which contained no provisions providing for class-action arbitration. The district court compelled class arbitration, finding that the mere absence of a reference to “class action” in the agreement was not alone determinative, but rather federal law required an absence of agreement on the issue.

Lamps Plus appealed, arguing that the FAA requires a specific contractual basis showing the parties’ intent to arbitrate class actions and contending that the district court could not read into the contract an agreement to class arbitration based on language relating to personal disputes. Further, Lamps Plus argued that even if the contract was ambiguous as to intent, U.S. Supreme Court precedent supported a resolution of such ambiguity in favor of arbitration. The Ninth Circuit subsequently upheld in part the district court’s ruling. Lamps Plus then filed a petition for certiorari.

Varela has opposed the appeal, contending that in the first instance, the Supreme Court lacks jurisdiction to hear the appeal. With respect to the merits, Varela argues that California contract law interpretive principles used by the district court were properly applied and, thus, should not be overturned. Although Varela agrees that interpreting private contracts is normally a question of state law and that the FAA requires enforcing agreements to arbitrate through that state law, Varela focuses on certain standards of contract interpretation. The Ninth Circuit recognized a reasonable layperson standard for interpreting the contracts. Varela thus points to specific language in the underlying contract that expressly waives Varela’s right “to file a lawsuit or other civil action or proceeding,” and argues that “proceeding” could reasonably be interpreted to include class actions according to California’s standard.

Lamps Plus contends that there are no jurisdictional issues because the dispute arises out of an appealable order dismissing Varela’s claims. Lamps Plus asserts that the district court’s decision to compel class arbitration was an adverse decision that is subject to appeal, and on matters of appellate jurisdiction, the Court must focus on the underlying substance of the dispute rather than the form. In response, Varela argued that not only did the circuit court lack jurisdiction over the appeal, but Lamps Plus lacked standing to even seek an appeal. According to Varela, section 16(b)(2) of the FAA explicitly prohibits appeals directly from interlocutory orders directing arbitration to proceed. Further, Varela contends that the determination by the Court granted Lamps Plus its desired relief—a dismissal of the individual claims brought by Varela. That the Court determined to direct class arbitration is not a decision adverse to Lamps Plus, even though it may not like the result.

Oral argument on this appeal seemed to indicate a potential split among the justices. Justice Kagan focused in particular on the language of the arbitration agreement, and her questions suggested that she believes the language of the agreement is broad enough to encompass class arbitration. Similarly, Justice Sotomayor seemed to recognize that state law controls the interpretation of arbitration agreements and did not seem inclined to embrace the “clear and unmistakable” standard put forth by Lamps Plus. However, certain of the other justices questioned Varela as to whether arbitration was the appropriate forum for resolving class claims, including a specific concern that allowing class actions to be handled in this manner could open the door for potential class members to be bound by an arbitration award even though they never agreed to arbitration in the underlying agreement.

This is the third issue involving the FAA before the Supreme Court in the past year. Looking at the one decision that has already issued may provide some guidance to where the Court could be headed when a decision on Lamps Plus issues next term. Earlier this year, the Court decided Epic Systems Inc. v. Lewis, in which the Court emphasized that Congress, through the FAA, was instructing courts to enforce arbitration agreements as written. In light of Lewis, and keeping in mind prior precedent under Stolt-Nielsen, it is possible that the Supreme Court may reaffirm the principles of Stolt-Nielsen and hold that class arbitration cannot be forced upon a party in the absence of specific and unambiguous contractual language authorizing class arbitration. Whatever the result, business lawyers must keep these recent decisions in mind when they draft arbitration agreements and contemplate the waiver of class arbitration.

The U.S. Supreme Court recently ended a nearly six-year legal battle regarding the constitutionality of the Professional and Amateur Sports Protection Act (PASPA). In Murphy v. National Collegiate Athletic Association, 138 S. Ct. 1461 (2018), the Supreme Court, with Justice Alito authoring the majority opinion, joined by Chief Justice Roberts and Justices Kennedy, Thomas, Kagan, and Gorsuch, held that PASPA violated the 10th Amendment’s “anti-commandeering” principle, which provides that if the Constitution does not give power to the federal government or take power away from the states, that power is reserved for the states or the people themselves.

In essence, the Supreme Court held that “PASPA’s anti-authorization provision unequivocally dictates what a state legislature may or may not do,” and further, there is no distinction between “compelling a State to enact legislation or prohibiting a State from enacting new laws.” Rather, the basic principle of anti-commandeering applies in each case, and Congress cannot issue a “direct order to state legislatures.”

Additionally, the Supreme Court held that no part of PASPA could be salvaged because it was unconstitutional in its entirety. The Supreme Court reasoned that no provision could be severed from the provisions directly at issue—the anti-authorization provision and the prohibition on state licensing of sports gambling schemes. The remaining provisions in PASPA—(1) prohibiting states from licensing or operating sports gambling schemes, (2) prohibiting private actors from operating sports gambling schemes “pursuant to” state law, and (3) prohibiting advertising of sports gambling—were too closely intertwined with the main provisions at issue and could not survive independently.

This decision has ushered in the next gold rush for the U.S. gaming industry. Delaware, Mississippi, New Jersey, Pennsylvania, Rhode Island, and West Virginia have legalized sports betting and are taking bets. Arkansas and New York[1] have legalized sports betting but have not started taking bets. In addition, one tribe in New Mexico launched sports betting in its casino in October. With this period of unprecedented sports wagering expansion, however, comes a rapidly evolving legal landscape and important hurdles of which both gaming and nongaming attorneys must be mindful as they counsel clients.

First, although PASPA has been overturned, the decision did not result in an unbridled legalization of sports betting. In the states that have authorized sports betting, it is still unlawful for individuals to conduct their own sports betting offerings without undergoing licensure and adhering to a strict regulatory framework. Moreover, as discussed below, the parties that can even obtain operational licenses are restricted. Thus, interested parties exploring this space must understand licensing requirements and operational restrictions.

Second, although interstate sports betting would be a windfall for licensed, sports book operators, interstate sports wagering remains unlawful under the federal Wire Act, 18 U.S.C. § 1084. The Wire Act currently prohibits the knowing use of a wire communication facility to transmit in interstate or foreign commerce bets or wagers, information assisting in placing certain bets or wagers, or any information that entitles the recipient to money or credit resulting from such a wager on any sporting event or contest. Until the Wire Act is repealed or amended, sports betting will be conducted on only an intrastate basis in those states that authorize sports wagering. As a result, each operator must comply with each jurisdictions’ requirements, whether regulatory or otherwise, which itself presents a host of issues. Most notably, depending on how uniform these requirements are from state to state, a multijurisdictional operator may have to develop an independent infrastructure and product in each jurisdiction to conduct its sports wagering operations.

Federal lawmakers are currently studying the various issues related to sports betting regulation. In September, the first hearing on sports betting was held by the House Subcommittee on Crime, Terrorism, Homeland Security, and Investigations (the Committee). Chris Krepich, press secretary for Committee Chairman Jim Sensenbrenner (R-Wis.), told Bloomberg Tax in an e-mail that the Committee is considering what role Congress should have as states begin to develop policies toward sports wagering, including a potential amendment to the Wire Act.

On November 15, 2018, Sensenbrenner sent a letter to Deputy Attorney General Rod Rosenstein urging the Department of Justice (DOJ) to work with the Committee to protect the public from nefarious organizations that may use online gambling sites to launder money and engage in identify theft. The letter posed three questions to the DOJ: (1) whether the 2011 Office of Legal Counsel opinion that reinterpreted the Wire Act to permit online gambling is currently supported; (2) whether any DOJ guidance is currently provided to states interested in authorizing sports betting; and (3) whether the DOJ foresees any legal and illegal issues that may arise regarding sports betting if Congress takes no action in response to the Supreme Court’s decision. Sensenbrenner noted at the September hearing that he was presented with three viable options for Congress: (1) re-enact a federal prohibition against sports betting; (2) give complete deference to states to regulate sports betting; or (3) adopt uniform federal standards. Congress taking no action, he stated, would be the worst option.

Whether federal lawmakers will seriously consider repealing/modifying the Wire Act is uncertain. However, even if they decide to act, a complete regulatory scheme will take significant time given the current political environment and outstanding issues. For example, if the Wire Act were amended to allow interstate sports wagering, a host of questions must be addressed, such as how taxation would work if the operator is located in a state different than the bettor, and which state would be entitled to the tax revenue. In the interim, states are pushing forward with their own legalization efforts.

Not surprisingly, similar to the federal legislative process, interested stakeholders have varying degrees of power and influence on a state-by-state basis. This includes the commercial/tribal gaming operators, state lotteries, local/state governments, and trade associations, just to name a few. Similar to New Jersey’s implementation of internet gaming, which requires any internet operator to partner with a land-based operator, the land-based operators who previously spent considerable capital to develop land-based infrastructure will likely demand similar partnerships for sports wagering if a third-party operator enters their marketplace. In contrast, the District of Columbia, which does not have casinos, has a bill pending that will authorize the D.C. Lottery to act as regulator and operator of mobile sports betting. Executive Director of the D.C. Lottery, Beth Bresnahan, told GamblingCompliance that of the 408 retail lottery locations, only about 20 percent are expected to participate. This may include kiosks that allow for straight bets or parlays. The current version of the bill grants the D.C. Lottery authority to offer online and mobile sports betting throughout the district, whereas private operators could offer retail betting, and any mobile betting is restricted to the confines of the establishment.

In addition to the aforementioned stakeholders, you have the professional leagues. The leagues initially pushed for their much maligned “integrity fees,” which effectively serve as a royalty fee. In short, the leagues feel entitled to receive some form of compensation from the sports book operators because authorized sports betting is based on professional league games. Although such a fee is not unprecedented, given that professional sports leagues in France and Australia receive a percentage of wagers made in those jurisdictions, the likelihood of such fees built into U.S. regulation is dwindling due to the extensive opposition received from the industry. As a result, none of the states that have enacted legislation authorizing and regulating sports betting have incorporated integrity fees.

In lieu of integrity fees, leagues have begun to partner with sports book operators for branding purposes. For instance, in August the NBA became the first major U.S. sports league to partner with a sports book operator, namely MGM, in a deal that is estimated to be worth $25 million. Pursuant to this exclusive partnership, MGM was named the exclusive official gaming partner of the NBA and receives the rights to use league highlights, logos, and a direct data feed. Additionally, to further promote sports betting integrity, stakeholders in the betting industry, including Caesars and MGM, formed the Sports Wagering Integrity Monitoring Association in November for the purpose of partnering “with state and tribal gaming regulators; federal, state and tribal law enforcement; and other various stakeholders to detect and discourage fraud and other illegal or unethical activity related to betting on sporting events.” See https://www.bna.com/nevada-sports-books-n57982093300/.

The other opportunities created by the recent decision that are often overlooked are those that have availed themselves in tribal gaming jurisdictions. In addition to the massive opportunities for commercial gaming jurisdictions, the same potential for success exists among tribal gaming jurisdictions. Some tribes have a monopoly on gaming in certain states pursuant to tribal-state compacts entered into between each sovereign nation and the state. Compacts often offer tribes within the state the exclusive right to offer gambling, with the exception of state-operated lotteries or limited amounts of racetracks. As such, many tribes have successfully operated casinos for many years and are capable of offering sports betting. Given the large amount of market share tribes hold, along with their established gaming facilities, there is great potential for sports betting success in tribal gaming jurisdictions.

These are just a few examples that highlight the significant lobbying and advocating in every jurisdiction by the stakeholders to maximize the potential benefits that each would enjoy.

Although the stakeholders and regulatory environment may vary from state to state, certain regulatory components, e.g., standards to ensure integrity, are fundamental to the make-up of an effective sports betting regulatory regime. So, although the regulations may vary based on the particular policy goals in each jurisdiction, the universal policy goal should be ensuring the operations are conducted in a fair and honest manner, and that the integrity of the industry is vital to its success. Without an effective regulatory framework, any short-term success will be followed by increasing issues that will weaken public confidence and support for the industry.

In summation, the Supreme Court’s decision is a big step forward for the sports wagering industry in the United States. That said, several impediments still exist, the largest of which is the Wire Act. Until the Wire Act is amended or repealed, sports book operators will be required to undergo licensing and establish sports wagering infrastructures in each jurisdiction where they operate. Additionally, interested operators will have to account for any interested stakeholders and their varying degrees of power and influence. For instance, in certain states such as New Jersey, sports book operators must partner with existing land-based casinos. In other states they must partner with the lottery or racetracks.

Lewis Roca Rothgerber Christie LLP’s gaming practice has been at the center of these issues in Nevada, the United States, and internationally. If you need assistance, whether it is providing advice, analysis, and/or evaluation of the numerous opportunities, regulatory frameworks, and issues that will arise in the coming years as legalized sports wagering expands, please do not hesitate to contact the authors: Karl Rutledge at [email protected], Glenn Light at [email protected], or Mary Tran at [email protected].

[1] Legislation to permit full-scale sports betting in New York failed in June 2018, but New York passed a law in 2013 to allow sports betting at four on-site locations. This law could be revived, and the New York State Gaming Commission is aiming to complete regulations “in the short term” for the four locations specified in the 2013 law. http://www.espn.com/chalk/story/_/id/19740480/gambling-sports-betting-bill-tracker-all-50-states.

Commercial real estate markets have experienced significant challenges over the last decade in all regions and sectors of the country, from retail to office to medical to senior living to golf courses. Some facilities and developments have thrived and continue to thrive, while others are subject to relentless external changes and influences in our economy. Every real estate sector in the country has experienced changes in their markets due to increases in internet and online sales, shifts in spending habits and interests, changes in demographics, declines in revenues, increases in over-built areas, increases in virtual offices, and declines in population centers, among other factors. Given these market challenges, the repurposing of commercial properties will likely focus on who the ultimate owner is to solve them, what the obstacles are in reshaping the property, and what some of the solutions to the challenges include. No doubt, innovation, creative thinking, and capital investment will be needed for the repurposing of spaces in these sectors.

As for retail, news articles are full of stories reporting that over 8,000 stores were closed in 2017, and 2018 is on track to see the same or a higher number of store closures. Some retailers have gone out of business completely; others have downsized significantly, decreasing the number of stores and concentrating on their more profitable areas. On the other hand, Amazon and other similar types of businesses with increasing online sales have expanded their distribution centers and are experimenting with ventures with other businesses in brick-and-mortar areas to fill in their business models. Consumers have changed their spending trends, which has caused retailers to chase them via online sales, thus choosing a different kind of shopping cart.

Landlords have been significantly impacted by store closings and have had to change their tenant mix and repurpose their shopping centers. The owner, the landlord, the lender, and the ultimate buyer of the property have all had to adjust and evolve to repurpose and redevelop their projects. Capital investment of course is needed. In some limited situations, shopping malls have been razed or “de-malled.” In others, significant renovations and redevelopment have taken place. There are multiple examples of landlords and owners changing the mix of shops and restaurants and activity centers to include theaters, gyms, walk-in medical centers, entertainment spaces, museums, aquariums, bowling alleys, arcades, and other experimental and service-oriented tenants in what has traditionally been retail sales space. Other changes include nonretail uses, such as charter schools, community colleges, call centers, libraries, multifamily housing, medical space, and a mix of uses to increase traffic and neighborhood involvement. Some proposals require zoning and other entitlement changes. It is plain to see that creativity, flexibility, and capital are needed to repurpose the changing landscape in retail space.

As for healthcare and senior living space, the aging population will continue to drive this sector for years to come. Trends toward more outpatient care have grown in order to provide lower costs and have impacted the traditional healthcare space. Medical office space has continued to increase, and hospitals have seen growth in metropolitan areas, although declining revenues have impacted community and rural hospitals. Driving the pressure were problems such as payment delays, bad mergers, overexpansion, reimbursement changes, rapid changes in the healthcare environment, and tort litigation, among others. Some of the senior living facilities also experienced challenges with deferred maintenance, capex constraints, slow revenue increases, and competition in increased outpatient care. In addition, the industry is complex due to nonprofit ownership, state regulatory structures, single tenant usage, and public financing. Solutions exist, including consolidation of uses and administrative costs, expansion into independent living, and repurposing of facilities to include other, additional medical usages, and where appropriate closing facilities or buildings and repurposing the property for nonmedical uses. Struggles continue, but like the other real estate areas, creativity, capital, and community involvement can give this sector a much-needed shot in the arm.

As for golf courses and recreational properties, the challenges to the industry appear to be caused by factors such as overbuilt facilities, extensive costs for maintenance of facilities, declining demographics, and flat markets, among others. However, membership alternatives and a variety of users seem to be the keys to driving improvements in golf and recreational properties. Expansion of categories of membership, expansion of family facilities, reconfiguration of the course, or even consolidation of other clubs and courses into a new program all seem to be in the mix to repurpose this sector.

In sum, innovation, creative thinking, and capital investment are necessary to surviving and repurposing the changing landscape in all of these sectors of commercial real estate. Owners must challenge their traditional thinking on uses and users and try different concepts. In today’s market, there are a growing number of creative ideas, innovation, and applications of capital that appear to be part of the solutions that must be made to make the properties and industries profitable and productive again.

Blockchains reduce the need for “trust” in legal transactions. From a legal perspective, trust has some specific meanings with respect to custody, control, and transactional risk. It can be accurately defined as “reliance on assurance of others to reduce transactional risk.” Blockchains radically shift the economics of providing transactional assurances.

For example, blockchains reduce the cost and complexity of obtaining assurances of asset ownership and control. Blockchain offers a cheaper and more reliable mechanism of creating, storing, and proving evidence.

Commercial and financial legal processes currently rely on numerous systems to reduce overall transactional risk and give people enough confidence to transact. A critical legal inquiry regarding any kind of property is, who owned title, when, and what is the transactional history? In asset transactions, property registries provide custodial and financial histories. To risk buying an item or making a loan secured by property, a buyer or creditor must be able to verify that the person purporting to own the property really does have title, and that there are no other enforceable inconsistent claims.

For high-value, complex transactions, this means obtaining assurances of (1) proof of authoritative title to an asset (title is clean and untampered), and (2) proof that the proof of title is reliable (the source of assurance (1) is clean and untampered). Underpinning it all is property law. Rules of property law apply whether the object in question is a house, a retail installment contract, or a digital token. Critical to property law is the concept of title, or ownership of property.

Legal systems have developed multiple property registries and custodial systems to manage information and give buyers, lenders, and invested parties the ability to verify whether a specific deal represents an enforceable obligation. Financial market infrastructure spends tremendous sums to maintain structures that provide assurances of things like chain of custody and title.

Registries. Creditors and other interested parties file notices with deeds registries, secretaries of state, departments of motor vehicles, and places a creditor checks for notice of an adverse interest. Common examples are land registries and, in the United States, the U.C.C.-1 filing registry within a state. The registry record is deemed authoritative for legal enforcement of contracts, and insurers, lenders, buyers, and sellers rely on it equally to track rights and obligations. The records produced by central property registries supply chain of title and custody details.

Registries like these developed out of need: without a reliable system for registering, or “perfecting,” one’s interest in property, market confidence in buying, selling, and lending is disincentivized. Functional registries make functional markets.

Custody and Control of Intangibles. Second-and-third order monetization of a value stream often involves intangible property. For example, financial products leverage contract rights and obligations to create additional assets and revenue streams like securities and derivatives. In pre-internet commerce, custody and control of intangible assets were proved by “possession”; a lender holding a note as a security pledge against a loan might actually take possession of the note. It is impractical to run valuable paper instruments from holder to holder in real time, so the notes were placed with a trusted third party who acted as intermediary, for example, holding the notes in custodial trust, matching and settling promises to pay. The market assigned possessory rights to custodial agents who held assets “in trust” and maintained their chain of title so deals were free to flow without paper slowing them down.

Electronic Contracts. With the advent of electronic contracts, the law evolved a new method of perfecting a security interest in digital originals of notes and chattel paper. The key, when vaulting an electronic contract, is to prevent multiple copies that might result in adverse claims, or “double spends” of the same obligation. Sounds familiar!

Electronic contracting laws like Uniform Electronic Transactions Act (UETA) established standards for vaulting and proving custody and control of digital assets. The UETA drafters, however, noted that their recommendations were based on late-20th-century technological capabilities to establish “control.” UETA’s custodial “control” requirements substitute for possession to perfect electronic contracts in the absence of a unique digital “token” to represent a contract. The drafters looked to the market to develop better systems of digital asset control.

Where Blockchain Comes In

A better property registry. Blockchain gives us a decentralized, tamper-evident record of what happened and when with respect to data stored in specific tokens. This tamper-evident ledger means less reliance on central authorities to prove the integrity of assets. A blockchain-based property registry proves its own transactional history.

Assets that prove their own chain of custody. Blockchain-based data objects can represent any number of property types extrinsic to the blockchain, as well as assets that are native to digital technology, e.g., tokens. A blockchain-native asset represented by a token is inherently and immutably tied to its transaction history. This means assets stored in a blockchain can prove their own titles, chains of custody, and transactional records.

Blockchains can get chain of custody right. Without structures that prove chain of custody, the lack of reliable proof structures has a chilling effect on legitimate commerce. Blockchain offers a low-cost way to scale legal infrastructure and build commercial rails on the bedrock of rule of law.

Poorly controlled legal proof structures are also a problem with existing custodial systems. For example, after the 2008 recession, we learned of multiple frauds in the system of keeping chain of custody of loan records. Many assets were so poorly tracked that when it came time to enforce legal rights, creditors were left holding assets with chains of custody any lawyer could challenge to defeat the creditor’s claim. Blockchain storage of contract assets solves this problem, ab initio.

Blockchain proof of title, custody, and transaction history reduces the need to rely on external assurances. This opens economic potential wherever there was previously a lack of reliable legal infrastructure. Along the way, blockchain will shed light upon, and drive the transition to, more efficient methods of proof in digital infrastructure.

Nina Kilbride

Introduction

On October 17, 2018, the Cannabis Act came into force in Canada, establishing a comprehensive legislative scheme governing the licensing, production, distribution, and sale of cannabis and related products for recreational use. Canada’s nascent recreational cannabis industry has faced its share of growing pains, but there is reason for optimism moving forward. Statistics Canada estimates that the illicit market for cannabis was worth approximately CDN$5 – $6 billion (US$3.79 – $4.55 billion) in 2015, while a 2018 Deloitte report suggests that the total Canadian cannabis market could generate up to CDN$7.17 billion (US$5.44 billion) in sales in 2019. If the sales figures forecast by the Deloitte report are achieved, that would put the cannabis market on the same footing as both the Canadian wine industry and the Canadian spirits industry.

Excitement surrounding legalization has led to a flurry of capital markets activity in Canada, resulting in billion dollar market capitalizations for several Canadian cannabis companies traded on the Toronto Stock Exchange (“TSX”), as well as the one Canadian cannabis company that currently trades solely on the NASDAQ.

Investor optimism is not fueled exclusively by the market potential that exists within Canada’s borders; rather, international opportunities represent a significant growth target. A 2018 report published by CIBC suggests that the global cannabis market could reach approximately CDN$25 – $30 billion (US$18.96 – $22.75 billion) in 2020. The U.S. could play a significant role in the global cannabis economy, as a study conducted by the Brightfield Group estimates that Canada and the U.S. will account for more than 86% of global cannabis sales in 2021.

Although cannabis is currently legal for recreational use in ten U.S. states and for medical use in 33 states and the District of Columbia, cannabis remains a Schedule 1 narcotic under the U.S. federal Controlled Substances Act. This classification has prevented Canadian cannabis companies from entering the U.S. market. Although cannabis may be exported from Canada for medical or scientific purposes under the Cannabis Act, an export permit may be refused if such exportation would contravene the laws of the country of import, or if such exportation would not comply with the permit for importation issued by a competent authority of the country of import.

Notwithstanding these obstacles, enthusiasm regarding the U.S. market was on full display when Tilray Inc.’s shares jumped 28.95% on the same day it was reported that the Canadian cannabis producer had received approval from the U.S. Drug Enforcement Agency to export cannabis to California for a clinical trial.

What does this mean for U.S. cannabis companies?

U.S. stock exchanges are regulated by federal legislation and, as a result, you will not find any pure play U.S. cannabis companies listed on the major American stock exchanges. Similarly, the TSX and its affiliated TSX Venture have taken the position that companies with operations or investments in the U.S. cannabis industry will be in violation of the listing requirements of their exchanges and thus subject to de-listing.

However, Canada’s more junior exchange, the Canadian Securities Exchange (the “CSE”), has welcomed Canadian and U.S. cannabis companies alike, listing 116 companies that operate in the cannabis industry, as of the date of this writing. Rather than prohibiting issuers with ties to the U.S. cannabis industry, the CSE has taken a disclosure-based approach, requiring its issuers to disclose the extent of its activities in the U.S. and the risk that its activities present from a U.S. legal standpoint.

Investor response to CSE listed cannabis companies has been extremely positive, with investors showing a particular appetite for companies offering exposure to the U.S. cannabis market. While historically being considered a “third-tier” Canadian stock exchange, the CSE is gaining notoriety, attracting industry-leading U.S. cannabis companies that have been denied access to more traditional exchanges.

For example, in May 2018, MedMen Enterprises Inc., a leading cannabis retailer in the U.S., began trading on the CSE at an implied value in excess of US$1.6 billion and on November 16, 2018, filed to raise CDN$75 million (US$56.88 million) via bought deal.  In October 2018, Curaleaf Holdings Inc., a vertically integrated cannabis cultivator and retailer, closed a private placement on the CSE which raised approximately US$400 million, implying a valuation close to US$4 billion. The most recent debut on the CSE was that of Acreage Holdings, a multi-state cannabis producer that boasts former House Speaker John Boehner and former Canadian Prime Minister Brian Mulroney as board members. Acreage Holdings began trading on the CSE on November 15, 2018, shortly after raising US$314 million in a private placement, implying an enterprise value of approximately US$2.1 billion.

How are U.S. cannabis companies becoming listed?

The most popular approach to listing on the CSE  by far is the reverse takeover, or “RTO”. RTOs involve the entity acquiring a publicly-listed shell or dormant company to pursue listing. RTOs are typically completed by way of a statutory amalgamation or arrangement and may require approval of each company’s shareholders, depending on the structure of the transaction and constating documents of the companies.

Compared to an IPO, RTOs are generally less time consuming and expensive and do not necessarily need to be accompanied by a concurrent equity financing—although MedMen, CuraLeaf and Acreage Holdings each completed private placements connected to their respective RTOs.

Another primary driver of expediency in RTOs is that they do not require regulatory review by securities regulators, and rather only require approval of the stock exchange. While a document with prospectus-level disclosure is still a requirement, eliminating the review of the securities regulators is one less obstacle to face in an RTO process.

Looking forward

There has been growing support to amend federal cannabis laws in the U.S. On June 7, 2018, Senators Cory Gardner and Elizabeth Warren introduced the Strengthening the Tenth Amendment Through Entrusting States (STATES) Act in Congress, which would amend the Controlled Substances Act to make it impossible to prosecute individuals and corporations who are in compliance with U.S. state laws on cannabis. A companion bill was introduced on the same day in the House of Representatives by Representatitives Earl Blumenauer and David Joyce.

The STATES Act would not remove cannabis as a Schedule 1 narcotic, meaning that cannabis would remain federally illegal. However, the STATES Act provides that compliant transactions would not be considered trafficking and would therefore not result in the proceedings accompanying an unlawful transaction. With this distinction in mind, it remains unclear what impact the STATES Act, if passed, may have on the willingness of U.S. stock exchanges and federally regulated banks to participate in the U.S. cannabis industry.

While much uncertainty remains with respect to the long-term outlook of the U.S. cannabis market, there appears to be a significant appetite among investors to participate in this burgeoning industry. As of right now, the most attractive way for U.S. cannabis companies to capitalize on this enthusiasm and to access capital markets is to look north of the border, where the CSE awaits with open arms.

While hanging around the water cooler the other day, I took an informal survey of a few colleagues. “How many of you are finding the task of addressing private information in compliance with increasingly complex laws, regulations, and corporate mandates to be hugely fun?” Unsurprisingly, the feedback was unanimous; everyone was loving it. They couldn’t get enough. They clamored for greater records management responsibilities and litigation response obligations. They also mentioned that there is no better end to a long workday than an involved information-security training, provided that their lunchtime could be interrupted for dental work with no anesthesia.

As it turns out, employees in the real world don’t really like doing anything beyond their real jobs, and certainly don’t want to have anything to do with the perceived tedium of classifying their files according to a growing set of company rules. For the vast majority of people, information management is about as fun as a root canal. And yet, effectively managing information has always been essential and is more and more a differentiator for organizations. This capability impacts a company’s reputation, risk profile, and innovation initiatives.

What can companies do? They can’t outsource their obligations—even if a third party is brought in to do some of the legwork, ultimately the obligation to comply lies with the company. Neither can they ignore the issue because there are increasingly more laws that prescribe how companies and their employees must manage information from its creation to its proper destruction. Similarly, there are far more consequences in failing to get it right. It’s an unenviable position for companies; they need their employees protecting the company’s information assets, but most employees are disinterested at best, viewing themselves to be full up with “real” work that trumps a concerted focus on these efforts.

Generally, there are two kinds of employees: the ones who are motivated by carrots, and the ones who must be inspired by sticks. There are some employees who will follow rules because they are told to and because being proactive is good for the company. However, if there is no compelling reason for employees to do something, they often fall into the latter category of needing a consequence, a penalty, or a loss of some benefit or privilege before they will dream of doing a task at work outside of their perceived job scope.

That brings us to a confluence of realities: more downside, more attacks on the IT systems, more laws dictating what is required and penalizing companies when they fail to comply, and more employees behaving badly, uninspired to lift a finger to help your company better manage information.

Here are seven keys to fix such a problem.

1. Set the Tone at the Top. The CEO in some respects is the soul of the company in that he or she sets the big-picture objectives for the organization. This is commonly communicated through a mission statement, vision, and code of ethics. These concepts and values are then seen as calls to action by others in the organization and rapidly become operationalized. When the CEO or other executives message the importance of a company initiative or action, the employees (everyone below them) are more likely to listen and follow their lead. For example, if the CEO decides that being a “greener” company is important, then initiatives that advance that idea will get more attention and funding. Employees will more likely do what it takes to make the company greener. Thus, one thing that will be essential to making information activities come to life in the company is for the executive team and others in management to support the information project or program and message its importance to all employees. Another way they can show support is by funding such activities and publicly recognizing successful efforts.

2. Make It Part of the Job. One of the best ways to get folks to take on protecting private information is to make it a part of their job responsibilities. For many businesses, at most they develop policy and expect that employees will read, understand, and follow the directives. That is usually the last time the policy is addressed until something bad happens. Then everyone wants to know what went wrong. What commonly goes wrong is that employees have a black and white view of their roles and responsibilities. They disregard policies as irrelevant to their jobs if adequate context isn’t provided.

The company can “legitimize” the activity by making it a part of the employees’ job responsibilities in writing and by making it clear that failure to do as required will, for example, impact performance incentives. When compliance with a policy is tied to compensation, it tends to get employees engaged. That would be more of the stick approach.

In terms of the carrot, why not have high-potential employees nominated by senior leadership to serve as information stewards? Formalize the role, make it a coveted position, and recognize and reward them for participating. You will find that you have inspired these employees to be your eyes and ears in the business. This causes a chain reaction whereby those around them start caring more as well.

3. Train the Employees. A policy itself, no matter how comprehensive and clear, is only as good as the training and change-management that accompanies it. Parking a myriad of policies on a website and thinking employees will search to find and master them is wholly unrealistic. Not only that, but having policies that no one follows is a liability. “Isn’t it true that your company has a privacy policy, you didn’t know about the policy, and in fact were never trained on the policy . . .” You get the idea.

Providing a written policy or other directive tells employees what is expected; training them on it helps ensure they understand what they must do in greater specificity. In other words, policy is not enough. Training and perhaps even testing on the mastery of the training is far more effective.

Remember, however, that employees can’t take in endless training sessions on one topic after another. Be mindful to not put too much in front of them at once and spread it out to maximize the training’s effectiveness. In other words, limit how much training employees receive, given the law of diminishing returns.

Training should be an important tool in your arsenal when it comes to ensuring that employees are able to digest and apply vital policy concepts. It is a stepping-stone to behavioral change. One point of consideration is to consolidate trainings where possible. Companies often have a “code of ethics” or “code of conduct” that provides high-level principles regarding the company’s position on such matters as privacy requirements, books and records management, cyber-security fundamentals, and beyond. Publishing such a code for public/external consumption bolsters a company’s reputation for being trustworthy and of sound integrity. Is it possible to consolidate your trainings on various governance topics into one large “code of ethics” training that can be taken in modular format? This then strengthens and unifies the company’s position on various interdependent information-management directives while streamlining the training experience for employees.

4. Gamify. In the last few years, gamification of training has helped create better-trained employees and kept employees engaged with longer-term retention of the topic. Gamification is a process where an employee is engaged at a deeper level to make the training like a game. This means launching awareness campaigns that involve features like points, levels, and awards. The goals of gamification are to create a sense of intrinsic motivation, achievement, and mastery. The more employees interact with the training material or policy in a game context, the more likely they are to understand the material and be able to act upon it. Bottom line is that it works.

5. Auditing/Monitoring. The only real way to know whether employees are doing what is required of them is by looking. In the workplace, that is typically done by watching their actions in real time (monitoring) or looking at what they have done after the fact (auditing). Auditing and monitoring programs help ensure that employees are getting it right. These programs also allow the company to help employees better perform tasks and fix training or implementation issues across the company as they become known.

In highly regulated industries, auditing and monitoring are part of the normal course of business. In fact, internal audit and quality assurance teams can be excellent partners in building an audit readiness program and in conducting the audits themselves.

6. Whack with Love or Not, but Be Consistent. When employees get something wrong, there may be a need to reprimand them. Thus, when policies provide that noncompliance may result in disciplinary action, the company must follow through. Failure to discipline may result in claims that such policy or disciplinary action is applied in a discriminatory fashion. Remind and follow up with employees to ensure they are getting it right, and when they don’t, act swiftly, fairly, and consistently to address the failure. Remember, word travels fast, and others will take note, which tends to change behavior in a positive way.

7. Repeat. Training, behavioral change, and the business transformation that follows are not one-time projects or instantaneous outcomes. Begin the process of training on key topics from the very beginning of an employee’s tenure at your company during orientation. For topics that are essential for employees to master, such as information security, training should be routinized and part of an established schedule. Not only that, policy principles and core concepts should be patiently and persistently reiterated via meetings with communities of practice, company newsletters, annual refresher trainings, and embedded within spotlights on governance initiatives when there has been a “big win.” Making employees care about managing information well means making these conversations part of your company’s culture.

Conclusion

Information has become the lifeblood of organizations. Oftentimes, it’s pumping life without rhyme, reason, control, or direction, and that has to change. Unless leadership institutionalizes the management of information, the employees will likely do as little as possible or nothing at all. With value, volume, growth in legal requirements, and consequences all intensifying around information management, however, companies must have their work forces engaged. The seven keys may not build love, but they will build a reasonable, repeatable, and defensible process “hook” for litigators to hang their hats on when failure occurs, and it always does.

On September 28, 2018, California became the first US state to specifically regulate the security of connected devices (otherwise known as ”Internet of Things” or “IoT devices”).

The new laws aim at increasing the security of IoT devices, whose global use is growing rapidly. Statista has estimated that in 2018 there are over 23 billion IoT devices currently in use, and this number is expected to grow to over 26 billion in 2019 (Gartner has estimated 20 billion such devices will be online by 2020). Unfortunately many IoT devices remain dangerously unprotected from cybercriminals and vulnerable to malware as they enter the market with no passwords, default passwords (think ”123”, ”admin” or even worse, ”password”) or otherwise hard-coded passwords that cannot be modified or updated. 

These concerns are not merely speculative. By way of ‘real life’ example, beginning September 2016, massive distributed denial of service (DDoS) attacks took down various US Internet infrastructure companies/DNS providers, leaving much of the Internet inaccessible on the east coast of the United States and incapacitating popular websites (including AirBnB, Amazon, Github, HBO, Netflix, Paypal, Reddit, the New York Times and Twitter, just to name a few). Originally created by three teenaged hackers, the Mirai malware responsible for the attack was specifically designed to target and infect susceptible IoT devices such as security cameras, home routers, air-quality monitors, digital video recorders and routers using a table of more than 60 common factory default usernames and passwords.  These devices were turned into a network of remotely controlled bots that were used to launch the DDoS attacks which later spread globally, impacting such diverse organizations as OVH (a large European provider), Lonestar Cell (a Liberian Telecom Operator) and Deutsche Telekom. At its peak, Mirai infected over 600,000 vulnerable IoT devices.

These two new substantially similar IoT laws (California Senate Bill 327, chapter 886 and Assembly Bill No. 1906, “Security of Connected Devices” (2018 Cal. Legis. Serv. Ch. (S.B. 327)(to be codified at Cal. Civ. Code § 1798.91.04(a)) (collectively, the “IoT Laws”) require manufacturers of connected devices to equip the device with a ”reasonable” security feature or features that meet all of the following criteria: (i) appropriate to the nature of the device; (ii) appropriate to the information it may collect, contain, or transmit; and (iii) designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure. The IoT Laws broadly define a ‘connected device’ to mean any devices or other physical object that is capable of connecting to the Internet (directly or indirectly), and that is assigned an Internet Protocol address or Bluetooth address, meaning that consumer, industrial, and other IoT devices are covered.

Additionally, if the connected device is equipped with a means for authentication outside of a local area network, either of the following requirements must be met before it shall be deemed to possess a “reasonable security feature”: (i) it must have a preprogrammed password unique to each device manufactured; or (ii) the device must contain a security feature that requires a user to generate a new means of authentication before access is granted for the first time.

The IoT Laws broadly capture “manufacturers” to include the producers of the devices themselves and those who manufacture on behalf of such organizations, connected devices that are sold or offered for sale in California. However, manufacturers are not responsible for any unaffiliated third-party software or applications that a user chooses to add to the device. Contracts with organizations or persons involving the mere purchase of connected devices or purchasing and branding a connected device are excluded. 

Manufacturers are obliged to allow users to have full control and/or access over connected devices, including the ability to modify the software or firmware running on the device at the user’s discretion. Additionally, no obligations or duties are imposed upon electronic stores, gateways, marketplaces or other means of purchasing software or applications to review or enforce compliance with these statutes.

The IoT Laws contain various exclusions and limitations. For example, they do not apply to manufacturers of connected devices that are already subject to security requirements under US federal law, regulations or the guidance of federal agencies (presumably FDA-regulated medical devices, for example). They do not prevent law enforcement agencies from continuing to obtain connected device information from a manufacturer as authorized by law or pursuant to a court of competent jurisdiction. They also do not apply to the activities of covered entities, providers of health care, business associates, health care service plans, contractors, employers, or other persons subject to the U.S. federal Health Insurance Portability and Accountability Act of 1996 (better known as HIPAA) or California’s Confidentiality of Medical Information Act.

Significantly, the IoT Laws do not provide individuals with a private right of action against non-compliant manufacturers. Only the Attorney General, a city attorney, a county counsel, or a district attorney has the authority to enforce these requirements.

The IoT Laws are scheduled to come into force on January 1, 2020.

The enactment of the IoT Laws was clearly motivated by the desire to improve the security of smart devices and mitigate security vulnerabilities that leave such devices open to cyber-attacks such as Mirai malware. By not mandating what security features are ”reasonable,” the legislation is effectively leaving it up to the manufacturer to determine whether its security features meet the three-prong test described above. Guidance from agencies such as the National Institutes for Standards and Technology (NIST) and other industry self-regulatory guidelines can help determine what will be reasonable under the circumstances (in fact NIST is currently seeking comments on its draft guidance document which includes recommendations for addressing security and privacy risks associated with IoT devices—see Draft NISTIR 8228, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks”.)(“NIST Guidance”).

The new IoT Laws are not without their flaws and skeptics. Critics charge that certain aspects of the IoT Laws are vague and ambiguous given the lack of clear standards (what does “reasonable security feature or features” mean practically?) with no way to validate that the manufacturer actually designed to those standards. While the IoT Laws may address the security threats associated with hardcoded or default passwords that are easily guessable and may force manufacturers to in turn force consumers to change their passwords before using such devices (or otherwise install unique passwords), they do not address many other security concerns or truly enhance device security. These concerns include the failure of many manufacturers to routinely update the software/firmware accompanying many IoT devices (or otherwise compel consumers to update such software/firmware if patches/upgrades are actually available) to address security and other concerns. Other pre-market security means to enhance security are also ignored (device attestation, security audits for firmware from third party providers, improvements in device access, management, and monitoring, requirements to remove unnecessary insecure features, etc.). As the NIST Guidance has noted, an IoT device may be a black box that provides little or no information on its hardware, software, and firmware or may not offer any built-in capabilities to identify and report on known vulnerabilities. And users can still deploy terrible passwords. 

However, while arguably incomplete from a security perspective, California is a large market and a standard setter for the U.S., and the IoT Laws may serve as an example for other jurisdictions to follow. Accordingly any manufacturer of an IoT device that intends to ship its products into California must start employing better security features that meet the requirements of the IoT Laws; as such the IoT Laws may be the catalyst required to nudge IoT-connected devices in the right direction to better security.

Lisa Lifshitz