A federal statute, 28 U.S.C. § 1782, empowers a district court to authorize discovery from persons or entities located in the United States “for use in a proceeding in a foreign or international tribunal.” In recent years, circuit courts across the country have split on the issue of whether a “foreign or international tribunal” includes private arbitration panels. On June 13, 2022, the U.S. Supreme Court answered the question squarely. It decided two consolidated cases, ZF Automotive US, Inc. v. Luxshare, Ltd. and AlixPartners, LLP v. Fund for Protection of Investors’ Rights in Foreign States. The Court held unanimously that Section 1782 only permits discovery in connection with proceedings involving “governmental or intergovernmental adjudicative bodies.” This includes courts, of course, but also regulatory agencies or arbitral bodies clothed with governmental authority.
This holding means that parties in private arbitrations in other countries may no longer use Section 1782 to obtain discovery from persons in the US. Before this decision, savvy parties could seek out a friendly district court in a part of the country where Section 1782 was authorized for private arbitrations. Now that is no longer an option.
Background
ZF Automotive concerned a dispute between a Michigan company and a Hong Kong company over the sale of certain business units. The parties had agreed that disputes would be submitted to arbitration before the German Institute of Arbitration (“DIS”), a private arbitral institution in Berlin. The United States District Court for the Eastern District of Michigan granted the Hong Kong company’s request to take discovery from the Michigan company under Section 1782, and the Sixth Circuit Court of Appeals declined to disturb the district court’s decision. (The Sixth Circuit had decided in 2019 that Section 1782 could be used to obtain discovery for private arbitrations.[1])
AlixPartners was a dispute between the Republic of Lithuania and a Russian investment fund over a failed bank. The Russian fund initiated arbitration under the Lithuania–Russia bilateral investment treaty, claiming that Lithuania had expropriated an investment in a failed Lithuanian bank without appropriate compensation, in violation of the treaty. After the fund commenced arbitration proceedings, it petitioned the Southern District of New York for an order authorizing discovery from AlixPartners LLP and its Chief Executive Officer, who had served previously as temporary administrator of the failed bank. In opposing the application, AlixPartners argued that the arbitration was not a “foreign or international tribunal” under Section 1782. The district court granted the Section 1782 discovery request, and the Second Circuit affirmed.
The Supreme Court’s Decision
The Supreme Court reversed the decisions in both ZF Automotive and AlixPartners. It reversed ZF Automotive because it held that Section 1782 only authorized discovery for governmental tribunals. It reversed AlixPartners because, although the arbitration in that case was proceeding pursuant to a treaty between two governments, the arbitration panel itself was not created by governments and was not exercising sovereign power.
The unanimous decision authored by Justice Barrett looked to the language of the statute in light of both the statute’s history and the context of other statutes. Standing alone, the word “tribunal” ordinarily might mean a court or court-like body, but could plausibly be read more broadly as well. But the word should not be read alone. It is part of the phrase “foreign or international tribunal.” A “foreign tribunal” is more naturally viewed as one that owes its existence to a foreign government. In other words, a “foreign tribunal” is a tribunal of a foreign country, not merely a tribunal in a foreign country. This conclusion was reinforced by internal evidence of Section 1782’s language, which refers to “the practice and procedure of the foreign country or the international tribunal.” In the Court’s view, this language does not easily apply to private arbitral panels.
Other evidence supported this conclusion as well. The current version of Section 1782 had come about as a result of Congress establishing a Rules Commission in 1958 to “recommend procedural revisions ‘for the rendering of assistance to foreign courts and quasi-judicial agencies.’” Both courts and quasi-judicial agencies are, of course, creatures of government. Private arbitral panels are not. Note also that the Federal Arbitration Act does not permit discovery for private arbitrations in the US that is anywhere near as broad as permitted under Section 1782. There is no reason to believe that Congress wanted to authorize broader discovery for private arbitrations abroad than domestically. The upshot is that a “foreign tribunal” is created by one sovereign, and an “international tribunal” is created by more than one sovereign.
In both the cases it was addressing (ZF Automotive and AlixPartners), the Supreme Court held that foreign governments had not created the arbitral panels to exercise sovereign power. The panel in ZF Automotive was created by contract, so no governmental power was involved at all. The panel in AlixPartners was convened pursuant to treaty—but although the treaty was between two governments, the panel authorized to hear the dispute was not a creature of any government. That meant Section 1782 could not be used for the treaty-based arbitration, either.
Key Takeaways
As a result of these decisions, parties in strictly private foreign or international arbitrations cannot use Section 1782 to obtain discovery from persons or entities in the United States. The Supreme Court foreclosed any future arguments that an arbitration is governmental just because “the law of the country in which it would sit . . . governs some aspects of arbitrations” or local courts enforce the arbitral agreement. But it did leave the door open just a bit:
None of this forecloses the possibility that sovereigns might imbue an ad hoc arbitration panel with official authority. Governmental and intergovernmental bodies may take many forms, and we do not attempt to prescribe how they should be structured.
As a result of this caveat, we can expect some amount of future litigation about what may constitute a “foreign or international tribunal” for Section 1782 purposes, though not as much as may have occurred had the Supreme Court made a somewhat less restrictive decision (say, one that permitted using Section 1782 for treaty-based arbitrations but not contract-based). It is also reasonable to expect that arbitration clauses in a number of foreign contracts—and certainly in treaties—may be crafted deliberately either to come within or to stay outside the parameters of the Supreme Court’s definition of tribunals that qualify for Section 1782 assistance.
[1] Abdul Latif Jameel Transportation Co. v. FedEx Corp., 939 F.3d 710 (6th Cir. 2019).
Our newest collection of videos takes a deeper dive into our recent Hybrid Spring Meeting CLE programs, covers chats with authors of newly released Business Law books, and provides insight into business law practice areas. Watch now!
Read more about the three business law video series and eleven videos in the collection below.
Shannon “A.J.” Singleton and Alicia Still delve into the ethical requirements for in-house counsel and outside counsel, extending the discussion of a Showcase CLE program at the ABA Business Law Section’s 2022 Hybrid Spring Meeting (now available as on-demand CLE). Their conversation hits on the in-house implications of ABA Model Rule of Professional Conduct 4.2, what it takes to forge relationships with colleagues on the business side and why it matters, and more.
Neera Chatterjee, E. Christopher Johnson, Jr., and Martina E. Vandenberg explore the ins and outs of environmental, social, and governance (ESG) risk criteria, extending the discussion of a Showcase CLE program at the ABA Business Law Section’s 2022 Hybrid Spring Meeting (now available as on-demand CLE). “They’re not their own silos with separate strategies,” Chatterjee said. “Everything is interconnected… you’ve got to think across the organization.” In this video, they discuss dealing with climate-related financial risks in the banking world, addressing forced labor from multiple perspectives, and companies’ role in looking toward solutions.
A dynamic panel including a top journalist, legal practitioners, and senior executives in sports dives into social justice issues in the field and their legal implications, extending the discussion of a Showcase CLE program at the ABA Business Law Section’s 2022 Hybrid Spring Meeting (now available as on-demand CLE). With Jeffrey Schlerf leading the discussion, the panelists—Sterling Hawkins, Terence Moore, Ashley Hibbett Page, and Ty Thomas—weigh in on a broad range of trends. Their conversation ranges from athlete activism and discrimination lawsuits, to league policies that contribute to DEI issues, to legal developments in the realm of name, image, and likeness for collegiate athletes, and more.
Alexander Denton and Stephanie Maxwell explore the state of gaming law in Tennessee and Georgia and how it fits into developments across the country, extending the discussion of a CLE program at the ABA Business Law Section’s 2022 Hybrid Spring Meeting (now available as on-demand CLE). “Tennessee is on the forefront of a national conversation that’s happening about the authorization of legal sports wagering,” Denton said. Their conversation touches on the unique features of Tennessee’s sports wagering regulations, skill gaming in Georgia, the speed of recent changes, and more.
“Artificial intelligence with human intelligence really works together to increase productivity, check for error, keep everything cost-effective,” says Ingeuneal C. Gray. In this video, Gray—Commercial Vice President of the American Arbitration Association and chair of the CLE program “Artificial Intelligence in International Arbitration” at the ABA Business Law Section’s 2022 Hybrid Spring Meeting—provides an incisive overview of AI’s power and growing effects on the legal profession.
The COVID-19 pandemic brought “the kind of supply chain disruption that really had not been contemplated on such a scale before,” says Susan A. Maslow. Maslow is deeply knowledgeable about supply chain complexities; she and David V. Snyder are vice chair and chair of the ABA Business Law Section’s Working Group to Draft Model Contract Clauses to Protect Human Rights in International Supply Chains. In their conversation, they discuss their work on the Model Contract Clauses (MCCs) as a means to bring human rights policies into practice, the tricky commercial law issues at play, shifts between the first version and recent second version of the MCCs, and more.
A draft of amendments to the Uniform Commercial Code to address emerging technologies is nearing completion. In this conversation, vice chair of the drafting committee Juliet Moringiello, R. Marshall Grodner, and Christopher Odinet discuss the amendments’ effort to provide a broad framework for transacting with digital assets, from cryptocurrency to non-fungible tokens and “just about any other digital thing that we may not think of right now.” Delving into consumer concerns related to NFTs, the challenges of enacting UCC amendments in the states, and more, these experts provide a perceptive look at the nuts and bolts behind digital assets’ hype.
Special purpose acquisition companies, or SPACs, have attracted tremendous attention in recent years, with a spike in SPAC IPOs in 2021 since tempered by increased litigation and scrutiny from regulators. In this video, Business Law Today author Frantz Jacques, who has written about the evolution of the SPAC landscape, delves into the driving forces behind SPACs’ meteoric rise; recent developments including the SEC’s SPAC rules proposal; and what’s next in the SPAC world.
“There is no such thing as a company that isn’t a technology company today,” says Michael Fleming, contributor to Director’s Technology Handbook: Tips and Strategies for Advising Corporate Directors. “Even if you’re making buggy whips, you’re running a website on Buggy Whip Dot Com, or whatever the case may be.” Designed to be a practical reference tool, Director’s Technology Handbook provides guidance to help boards of directors and lawyers who advise them to decipher critical technology issues and the legal implications that can affect the organizations they serve. In this conversation, Fleming discusses the book’s origins, the range of expertise of its contributors, and its attempt to empower corporate directors to ask the right questions.
With ESG, CSR, and sustainability now a dynamic and critical focus of corporate governance, ESG in the Boardroom: A Guidebook for Directors provides needed insight on ESG matters, including discussions on the role of the board, ESG landscape, litigation and risk management, corporate culture and governance, and more. In this conversation, editors Katayun I. Jaffari and Stephen A. Pike discuss the shifts that put ESG on the radar, the increased sophistication of stakeholders and asset managers in engaging with businesses, and the depth of knowledge among the book’s contributors.
The Model Business Corporation Act Annotated, Fifth Edition, is an invaluable resource for understanding developments under the MBCA, the general corporation statute for 30+ states and the source of many provisions in the general corporation’s statutes of states that have entirely adopted it. The annotation is created by the ABA Business Law Section’s Corporate Laws Committee, which promulgates the MBCA. In this conversation, Jonathan C. Lipson of the Corporate Laws Committee explains the development and uses of the annotation, which surveys “all of the important case law, all the important analysis of each provision of this Model Act,” as well as the comprehensive, searchable online site that accompanies purchases of the four-volume set available from the ABA.
Are you adding “discrimination” to your #MeToo representations alongside “sexual harassment?” Have you considered employing the “has investigated” alternative to the popular “no allegations” variation?
We last conducted an in-depth review of #MeToo representations and warranties when they were still new in 2019, and, because we have continued to see these provisions included in even some of the largest M&A deals, we recently took a fresh look. We reviewed 311 billion-dollar M&A agreements signed between January 2018 and March 2022 containing #MeToo representations and warranties.
We have identified the most common approaches deal parties have taken in drafting these provisions over the past four years, as well as new and emerging approaches worth considering.
These Are Not Mere ‘Compliance With Laws’ Reps
The #MeToo representation and warranty, also referred to as a “Weinstein clause,” is a provision in mergers and acquisitions agreements that emerged around 2018 along with the #MeToo movement. These provisions were designed to address heightened liability risks associated with sexual harassment incidents—especially risks associated with allegations of sexual harassment against C-suite level employees—and are now commonly included in M&A agreements across industries, transaction structures, and deal sizes.
These clauses are typically included alongside labor and employment reps in M&A agreements in which the representing party, usually the target, makes a statement regarding its involvement in and/or handling of allegations of sexual harassment, sexual misconduct, or other similar incidents. They are distinct from “compliance with laws” representations—which may state that a party is in compliance with all laws including those regarding sexual harassment—in that #MeToo representations separately and specifically address the involvement of the party (including, typically, the party’s directors, officers, and employees) in incidents of sexual harassment or misconduct, and/or how the party has responded to such incidents.
Although, as discussed below, there is a wide variety of these provisions used by parties, covering a spectrum of conduct and events related to incidents of sexual harassment, as with representations and warranties in M&A agreements generally, parties also use qualifiers and delimitations to tailor and narrow the scope of coverage of the representation.
The result is often that each individual #MeToo rep and warranty found in an agreement covers a very specific and constrained set of circumstances and period of time. And there are practical reasons for this.
Ideally, a party should be making a representation regarding facts and events that it has actually verified to be true and for which exceptions can be disclosed if specific disclosures are being made in the deal. In transactions involving parties with extensive multi-jurisdictional operations—like those we reviewed involving household-name parties—specific, delineated, and qualified parameters for the types of conduct and events covered by a #MeToo representation are likely a practical necessity. Without a narrower scope, the representation cannot realistically be verified to be true, and exceptions cannot be identified and disclosed.
We found a very small number of provisions containing a reference to disclosures in our review, which may be a result of the tailored and constrained construction of these provisions.
Target or Seller Reps Qualified by Knowledge
As mentioned above, we reviewed 311 M&A agreements with a value of $1 billion or greater containing #MeToo representations and warranties dated between January 1, 2018, and March 28, 2022. More than half the agreements we reviewed were executed in 2021 or 2022. Though we didn’t limit our search by jurisdiction, the majority of the agreements we reviewed (85%) were governed, at least in part, by Delaware law.
Using Bloomberg Law’s Precedent Search, we conducted an advanced search of M&A agreements filed with the Securities & Exchange Commission via EDGAR. (Note: The search results we reviewed can be accessed here. The total number of search results is greater than 311 due to duplicate filings made by different parties and unrelated keyword hits. These were excluded from our review.)
The results of our review reflect some of the same basic characteristics we first observed in 2019, shortly after alert deal lawyers first began drafting these provisions. For example, the vast majority (87%) of the #MeToo reps reviewed were made only by the target or seller (not mutually with the acquirer); nearly three-quarters (72%) contained some form of knowledge qualifier (often as a defined term with a capital “K” for Knowledge); 83% contained a lookback period (typically three to five years); and 66% contained a limitation as to the level of employees involved in, or subject to, the allegations or claims of sexual harassment or misconduct (most commonly “directors, officers, or employees at the level of Vice President or above”).
Of the 311 agreements reviewed, thirty-nine (13%) contained mutual #MeToo representations made by both the target and/or seller and the acquirer.
Surprisingly, only twenty-seven of the 311 agreements reviewed (9%) contained a reference to disclosures (most typically such references are framed as exceptions to the representation being made, e.g., “Except as disclosed in Schedule [X] . . .”).
A small number of provisions contained two different lookback periods that were applied to different portions of the same representation. For example, some had a longer lookback period for a knowledge-qualified “no allegations” representation and a shorter lookback period for a non-qualified statement that there have been no settlement agreements. In these instances, the parties seem to have balanced the burden posed by unqualified representations on the party making the representation by shortening the time period covered, and, conversely, the party to which the representation was being made negotiated a longer lookback when it was qualified by knowledge. These examples may illustrate the extent to which these provisions can be subject to negotiation.
The majority of the #MeToo representations we reviewed were framed as statements that certain events have not occurred. “No allegations” was, by far, the most popular phrasing (contained in 70% of the agreements we reviewed), with “no settlement agreements” coming in second (59%). (As discussed below, these two are most often paired together in these representations.)
There is a wide range of other types of events that parties stated have not occurred—“no actions,” “no claims,” and “no complaints,” among others. All of these “no [events]” statements can be qualified either by materiality (e.g., “no material allegations”), by the form of the event or how it occurred (e.g., “no written allegations” or “no written or oral allegations”), and even by how such events were communicated to the representing party (e.g., no allegations made “through the Company’s anonymous employee hotline or any formal human resources communication channels”).
More than one-third of the provisions we reviewed contained some form of materiality qualifier, and roughly one-tenth included a blanket materiality qualifier applying to the entire representation (e.g., “Except as would not, individually or in the aggregate, reasonably be expected to have a Company Material Adverse Effect. . .”). In a manner very familiar to M&A lawyers, multiple materiality and other qualifiers were applied at once in some instances.
A Different Approach
The most common combination of events covered in the #MeToo representations we reviewed was “no allegations” and “no settlements.” (Other types of agreements, such as tolling agreements, non-disparagement agreements, confidentiality agreements, nondisclosure agreements, or other out-of-court arrangements were sometimes listed alongside settlement agreements). Sample language reflecting this common variation can be found in the graphic below as well as with annotations here.
Some parties, however, have begun to take a very different approach. Rather than making a “no [events]” statement, in 14% of the agreements we reviewed, the party making the representation stated that it had investigated any allegations of sexual harassment it was aware of, typically without making any representation that “no [events]” such as allegations have occurred—on that they are silent. This “has investigated” formulation is most commonly combined with a statement that the party has also undertaken corrective action in response to the misconduct, a combination found in 10% of the agreements we reviewed. Sample language reflecting this common variation can be found in the graphic below as well as with annotations here.
Because this “has investigated” variation is framed positively in terms of actions the party has taken, and does not address whether any allegations had been made in the first place, the scope of exceptions that would need to be disclosed here is more limited. As typically drafted, only situations in which the party became aware of an allegation and then did not investigate and/or take corrective action would need to be disclosed as exceptions, whereas a “there have been no allegations” clause variation would require any instances of allegations to be disclosed. In short, this variation is a smart choice for targets and sellers making #MeToo representations if they are confident in the consistency of their policies and procedures relating to the handling of such incidents and are in a position to verify the accuracy of the representation. This variation is also, arguably, favorable from an acquirer’s perspective, because it addresses how the target handles and responds to incidents, not just whether they have occurred.
Discrimination, Too
In addition to a wide range of events (e.g., allegations, suits, claims) covered, the current research revealed a broader spectrum of misconduct covered by these representations than we found in our 2019 research. In addition to the typical “sexual harassment” and “sexual misconduct” covered by #MeToo representations, nearly half of the provisions we reviewed also covered some form of discrimination.
Some of these instances covered sex or gender discrimination only, others called out racial discrimination specifically, and there were others that covered discrimination broadly without a limitation as to the type. And some representations covered more specific forms of workplace misconduct such as “hostile work environment” or “retaliation.”
While grouping sexual harassment together with discrimination is not new to M&A agreements—as they have been commonly seen together in “compliance with laws” labor and employment representations for decades—these provisions are different. In these instances, it appears the parties have built upon the classic #MeToo representation and warranty, following the same structure and explicitly referencing sexual harassment, by simply adding discrimination and other categories of misconduct.
This shift may be interpreted as an increasing recognition by deal parties of a need to explicitly address this type of misconduct outside the bounds of the typical “litigation” and compliance with laws (or similar) representations and warranties.
Key Takeaways
#MeToo representations and warranties, much like the movement itself, are very much alive and well, and continue to be a common inclusion even in very large deals. There is a wide variety of drafting options available to parties that are tailorable to parties’ circumstances. And our review shows that some parties are taking creative approaches and even totally rethinking the classic formulation.
This work was originally published on Bloomberg Law as “ANALYSIS: A Fresh Look at #MeToo Reps & Warranties in M&A Deals” on Jun. 7, 2022. Copyright 2022 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bloombergindustry.com. Reproduced with permission.
On June 14, 2022, the Minister of Public Safety of Canada, Marco Mendicino, introduced into Parliament the first reading of Bill C-26, An Act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other Acts (the “Bill”). The Bill amends the Telecommunications Act and enacts a new Act: the Critical Cyber Systems Protection Act (“CCSPA”), establishing a new cybersecurity compliance regime for federally regulated private industries and new powers for the Governor-in-Council and the Minister of Industry to order Canadian telecommunication services (“Telcos”) to take action to secure the protection of the Canadian telecommunications system, including against threats of interference, manipulation, or disruption. Noncompliance with either regime may result in high monetary penalties or imprisonment for individuals.
The Critical Cyber Systems Protection Act
The CCSPA introduces a new cybersecurity compliance regime for designated operators of critical cyber systems related to vital services and systems (“Designated Operators”). A critical cyber system is defined as a cyber system that, if its confidentiality, integrity, or availability were compromised, could affect the continuity or security of a vital service or system. Currently, the list of vital services and systems comprises the Canadian telecommunications system, the banking systems, and other federally regulated industries, such as energy and transportation. However, the Governor-in-Council may add new vital services and systems, and the Designated Operators of those services and systems will then be governed by the CCSPA.
Under the CCSPA, Designated Operators must:
establish a cybersecurity program (details of which are more fully provided in the CCSPA and its regulations) within ninety days of an order being made by the Governor-in-Council;
implement and maintain a cybersecurity program, as well as annually review it;
mitigate cybersecurity threats arising from their supply chains, or products and services offered by third parties;
share their cybersecurity programs and notify appropriate regulators (namely, the Superintendent of Financial Institutions, the Minister of Industry, the Bank of Canada, the Canadian Nuclear Safety Commission, the Canadian Energy Regulator, and the Minister of Transportation) (the “Appropriate Regulators”) of material changes related to the business of Designated Operators and their cybersecurity programs;
report cybersecurity incidents to the Canadian Security Establishment (the “CSE”);
comply with and maintain the confidentiality of directions from the Governor-in-Council; and
keep records related to the above.
To enforce these new obligations, the CCSPA grants to the Appropriate Regulators investigatory, auditing, and order-making powers, including issuing administrative monetary penalties (“AMPs”) of up to $1 million per day for individuals (such as directors and officers), and $15 million per day for other persons. Additionally, Designated Operators, and their directors and officers, may also be fined—or imprisoned if a director or officer—if either contravenes specific provisions of the CCSPA; the amount of a fine is at the discretion of the federal court.
Telecommunications Act Amendments
The amendments to the Telecommunications Act (the “Amendments”) establish new order-making powers for the Governor-in-Council and the Minister of Industry (the “Minister”) to direct Telcos to take specific actions to secure the Canadian telecommunications system. Specifically, the Governor-in-Council may, by order,
prohibit a Telco from using all the products and services offered by a specified person; and
direct a Telco to remove all products provided by a specified person.
The Minister, after consultation with the Minister of Public Safety and Emergency Preparedness, may, by order,
prohibit a Telco from providing services to a specified person; and
direct a Telco to suspend any service to a specified person.
Additionally, the Amendments grant the Minister the power to direct Telcos to do anything or refrain from doing anything that is, in the Minister’s opinion, necessary to secure the Canadian telecommunications system, including the following:
prohibiting Telcos from using any specified product in or in relation to Telcos’ network or facilities, or part thereof;
prohibiting Telcos from entering service agreements for any product or service;
requiring Telcos to terminate a service agreement;
prohibiting the upgrade of any specified product or service; and
subjecting the Telcos’ procurement plans to a review process.
Interestingly, Telcos will not be compensated for any financial losses resulting from these orders.
The Amendments introduce new enforcement powers for the Minister of Industry to monitor the Telcos’ compliance with the orders or future regulations, including investigatory powers and issuing AMPs of up to $25,000–$50,000 per day for individuals (such as directors and officers), and up to $10–$15 million per day for other persons. Moreover, contravention of orders or regulations may result in prosecution whereby the Telcos, and their directors and officers, may have to pay fines (whose amount is at the discretion of the court) or face imprisonment.
Information Sharing and Secrecy
The CCSPA and the Amendments require Designated Operators, Telcos, and any other person to share confidential information with the Appropriate Regulators (under the CCSPA) and with the Governor-in-Council and the Minister (under the Amendments), in furtherance of the objectives of the Bill. This confidential information may be shared with multiple federal government organizations, provincial and foreign counterparts, as well as international organizations, to pursue the objectives of the CCSPA and the Amendments. While these information exchanges will be governed by agreements and memorandums of understanding between the parties, the Minister may disclose the information if it is necessary, in the Minister’s opinion, to secure the telecommunications system.
Given the national security purpose underlying this Bill, the secrecy of the orders is paramount. The orders from the Governor-in-Council and Minister may be subject to non-disclosure requirements. Moreover, for the sake of secrecy and expediency, the orders and directions of the Governor-in-Council and Minister do not follow the complete process outlined in the Statutory Instruments Act, and thus, are not registered, published, or debated in an open manner.
Recommendations
Given that the Bill has just been introduced, its passage is not guaranteed, and additional changes to the draft law may occur. However, in the interim, if you are a provider of vital services and systems as described in the Bill, we recommend that you consider taking the following steps to improve your cyber resilience:
Preemptively improve your security posture and processes to conform with the CSE’s best practices and guidance, or industry practices, and ensure that your contracts contain sufficient cybersecurity provisions to protect all parties in the supply chain; and
given the secrecy and potential immediacy of Government orders and directives, Telcos and Designated Operators should draft contracts to flow down potential cyber security risks appropriately.
If you are a supplier of products and services related to the critical cyber systems of Designated Operators as described in the Bill, we recommend that you consider taking the following steps:
Preemptively improve your security posture and processes as described immediately above in anticipation of more strenuous cybersecurity requirements requested by Designated Operators; and
anticipate shouldering more risk when contracting with Designated Operators and consult with your insurance provider accordingly.
Among Hank’s pet peeves? It was the insistence of Major League Baseball officials, along with team executives and scouts, that they really did want more African Americans in the game. While forming sad faces, those baseball folks said they couldn’t find them, hadn’t discovered how to retain them, or believed African American athletes were more interested in football, basketball, and other stuff, or they said the dog ate the homework after somebody forgot to set the alarm clock.
Eight percent. Eight percent! On the high side, eight percent represented the number of African American players in Major League Baseball during most seasons in the 21st century, and franchises often had rosters with zero African American players, including the Atlanta Braves, Hank’s team of nearly 70 years as a player and executive. In contrast, when Hank broke Babe Ruth’s home run mark on April 8, 1974, the percentage of African Americans in Major League Baseball was three times higher than eight percent. His 1974 Braves were on the low side since he was one of seven African Americans on their 40-man roster, but that was still 18 percent, and that was more than twice baseball’s 21st century average for teams.
“They’re trying to get all these people from all over the world to come here to play Major League Baseball. (Those who run MLB) don’t give a hoot, not one hill of beans, about (an African American) person. Not one thing whether we play baseball or not,” Aaron told me during a 2007 interview, revealed for the first time in the book. “This game of baseball, and you have to look at it, that this game was so, it was just folding until Jackie Robinson came in and lifted it to another playing level and trying to make it exciting for the fans—both Black and White.”
Aaron then sighed heavily and slowly raised his voice, “Terence, it is amazing how this game has changed for the benefit of how they want [the public] to perceive it to be, you know? Yeah, just keep your eye on it. Watch what I tell you about this game. I guarantee you [what I say is true].”
It was true. By the 2021 baseball season, which began three months after Hank’s death, the game’s biggest star was Shohei Ohtani, a pitching and hitting sensation from Iwate Prefecture, Japan, located 6,700 miles, a Pacific Ocean, and several time zones west of Mobile, Alabama, the old stomping grounds of an African American who became the greatest Major League player ever. Now baseball has virtually no African Americans.
Courtesy of Hank’s personal experiences as a player and as an executive in Major League Baseball since the early 1950s, combined with my 1982 research for the San Francisco Examiner on the state of Blacks in the game to commemorate the 35th anniversary of Jackie Robinson breaking baseball’s color barrier, Hank had splendid reasons to believe the game he cherished wasn’t loving African Americans as much as it claimed. This vanishing act involving African American players in baseball happened too fast, too dramatically, and too blatantly after the 1970s for The Myth to be more than a myth by the 21st century.
About The Myth: To hear many folks tell it, especially those involved with Major League Baseball, African Americans rolled out of bed one day and just didn’t like the sport anymore.
For more, check out The Real Hank Aaron by Terence Moore: “A heartfelt portrait of Hank Aaron, featuring nearly 40 years of stories plus never-before-told insights from the home run king.”
On May 10, 2022, Connecticut Governor Ned Lamont signed Substitute Bill No. 6 (the “Connecticut Data Privacy Act” or “CTDPA”) into law. The CTDPA will become effective on July 1, 2023.
By enacting the CTDPA, Connecticut becomes the fifth state in the nation to implement a generally applicable consumer data privacy law, following the California Consumer Privacy Act and California Privacy Rights Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and the Utah Consumer Privacy Act. While the CTDPA is similar to these other state laws, small differences between these laws can have a large and variable impact on a business’s data processing, considering data processing regulation is so fact-specific. The increase in the number of states passing data processing laws raises the stakes for businesses. Business attorneys should continue to monitor developments in other states, including regulatory developments in California related to changes to its data privacy laws set for January 2023.
The CTDPA applies to persons that either (A) conduct business in Connecticut, or (B) produce products or services that are targeted to residents of Connecticut; and that during the preceding calendar year: (1) controlled or processed the personal data of not less than 75,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), or (2) controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data. The CTDPA applies to information that is linked or reasonably linkable to an identified or readily identifiable individual. The law also provides special protections for sensitive data, which includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status. Sensitive data also includes the processing of genetic personal data or certain biometric data, if the processing is for the purpose of uniquely identifying an individual, as well as precise geolocation data. The CTDPA employs a broader definition for “biometric data” than other state laws.
However, the CTDPA does not apply to, among other things:
financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act;
certain activities regulated by the Fair Credit Reporting Act;
de-identified data; or
certain publicly available information.
The CTDPA also does not restrict a controller’s or processor’s ability to comply with other law, engage in certain fraud prevention and detection and security activities, or engage in certain internal processing uses, among other limited activities.
Consumer Rights
The CTDPA provides consumers with a number of rights related to their personal data. Under the CTDPA, consumers have the right to:
confirm whether or not a controller (the person that determines the purpose and means of processing personal data) is processing personal data;
access their personal data;
correct inaccuracies in their personal data;
delete personal data that the consumer provided or the controller obtained about the consumer;
obtain a portable copy of personal data that the consumer previously provided to the controller in a format that is readily usable and allows the consumer to transmit the data to another controller without impediment; and
opt out of the processing of personal data for (1) targeted advertising, (2) the sale of personal data, or (3) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
The first five rights listed above do not apply to pseudonymous data, provided the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and subject to effective technical and organizational controls that prevent the controller from accessing such information. “Pseudonymous data” is defined by the CTDPA as personal data that cannot be attributed to a specific individual without the use of additional information, provided that such additional information is subject to the safeguards addressed above.
The CTDPA also requires controllers to adopt and offer, by July 1, 2025, a platform, technology, or mechanism that allows consumers to opt out through an opt-out preference signal sent to the controller indicating such consumer’s intent to opt out of the sale of personal data or the processing of personal data for the purposes of targeted advertising.
Controller Obligations
The CTDPA imposes different obligations depending on whether the business is a controller or a processor (the entity processing personal data on behalf of the controller). Therefore, a business will need to analyze whether it is (according to the CTDPA definitions) acting as a controller or a processor when engaging in any personal data processing.
Under the CTDPA, controllers must, among other things:
provide a privacy notice containing specific disclosures, including the categories of personal data processed, the purposes for which personal data are processed, how a consumer may exercise a right, the categories of personal data that the controller shares with third parties, the categories of third parties with whom the controller shares personal data, an active electronic email address that the consumer may use to contact the controller, and—if selling personal data or processing personal data for targeted advertising—a clear and conspicuous disclosure of how a consumer can opt out;
establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue;
not process sensitive data without first obtaining the consumer’s consent or, in the case of a child, processing the data in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501 et seq., setting out specific standards for adequate consent;
provide an effective mechanism for a consumer to revoke the consumer’s consent that is at least as easy as the mechanism by which the consumer provided the consumer’s consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than fifteen days after the receipt of such request;
not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer’s personal data without the consumer’s consent, under circumstances where a controller has actual knowledge that, or willfully disregards whether, the consumer is at least thirteen years of age but younger than eighteen years of age;
not discriminate against a consumer for exercising a right by denying a good or service to the consumer, charging the consumer a different price or rate for a good or service, or providing the consumer a different level of quality of a good or service; and
establish a process for a consumer to appeal the controller’s refusal to take action on a request to exercise the consumer’s rights.
The CTDPA also requires controllers to conduct and document data protection assessments when conducting data processing that presents a heightened risk of harm to a consumer. Processing that presents a heightened risk of consumer harm includes:
processing of personal data for the purposes of targeted advertising;
sale of personal data;
processing of personal data for profiling, where such profiling presents a reasonably foreseeable risk of certain types of harm to consumers; and
the processing of sensitive data.
Processor Obligations
A processor must follow a controller’s instructions and must assist the controller in meeting the controller’s obligations, including obligations related to data security and breach notification, as well as provide necessary information to enable the controller to conduct and document data protection assessments. Persons processing personal data must also be subject to a duty of confidentiality.
The CTDPA imposes requirements for contracts between controllers and processors as well as requirements for engaging subcontractors, including requiring the subcontractor in writing to meet the obligations of the processor regarding personal data.
Enforcement
The Connecticut Attorney General has the exclusive authority to enforce the CTDPA. From July 1, 2023, until December 31, 2024, the attorney general must issue a notice of violation to the controller if the attorney general determines that a cure is possible. The controller will have sixty days to cure the violation. Beginning on January 1, 2025, the attorney general will have the authority to decide whether to grant a controller or processor the opportunity to cure an alleged violation, taking into consideration the number of violations, the size and complexity of the controller or processor, the nature and extent of the controller’s or processor’s processing activities, the substantial likelihood of harm to the public, and the safety of persons or property. A violation of the CTDPA will constitute an unfair trade practice. Penalties for engaging in an unfair trade practice include imposition of a restraining order, civil penalties of up to $5,000 for willful violations, and, in the case of private litigation, actual and punitive damages as well as court costs and attorneys’ fees.
The CTDPA does not provide for a private right of action by consumers.
After nearly twenty years, considering the increase in cyber attacks and the advent of cryptocurrency, the Federal Trade Commission (FTC) enacted a radically different Safeguards Rule that became effective January 10, 2022.[1] Cybercriminals choose their targets wisely because they want maximum impact and profit. Financial institutions make juicy targets for cybercriminals due to their vast and ever-growing stores of digitally held, sensitive, nonpublic personal information and the undeniable transformation of financial transactions of all types being conducted online. For example, the 2017 Equifax data breach impacted 147 million customers and, as a result, Equifax agreed to pay at least $575 million (and potentially up to $700 million) as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB), and fifty U.S. states and territories. The settlement alleged that the credit reporting company’s failure to take reasonable administrative, technical, and physical safeguards to protect consumers’ information from unauthorized use or access caused the data breach.
The Equifax data breach was a disaster on multiple fronts. The four primary flaws that facilitated the security breach were:
The company failed to patch a well-known vulnerability (CVE-2017-5638) in its open-source web application framework, Apache Struts. At the time of the breach, the patch for CVE-2017-5638 had been available for six months.
Equifax failed to segment its ecosystem, allowing the attackers to seamlessly access multiple servers after gaining access through the web portal breach.
Usernames and passwords were stored in plain text, which the hackers used to escalate privileges to achieve deeper access.
Equifax failed to renew an encryption certificate for one of their internal tools, which allowed the hackers to exfiltrate data undetected over a period of months.
Additionally, over a month went by before Equifax finally publicized the breach. During this period, top executives sold company stock, giving rise to insider trading accusations. This is just one of the many recent examples of data breaches that exposed millions of people’s private data.
The importance of consumer financial privacy drove Congress to enact the Gramm-Leach-Bliley Act (“GLBA”) in 1999. The GLBA provides a framework for regulating the privacy and data security practices of a broad range of financial institutions. The GLBA imposed both the Privacy Rule (customer notification requirements) and the Safeguards Rule (standards for safeguarding certain information) on financial institutions. The original Safeguards Rule (16 CFR part 314) became effective on May 23, 2003, and the FTC has administered the Safeguards Rule ever since.
Under the new, revised Safeguards Rule, the definition of “financial institutions” has been broadened to focus on business activities that are financial in nature.[2] Moreover, “nonpublic personal information” now covers the records of all customers who provide them to the covered business, whether in paper, electronic, or other form, that are handled or maintained by or on behalf of the business or its affiliates. Additionally, the Safeguards Rule identifies nine elements that a covered business’s information security program must include:
Designate a qualified individual responsible for overseeing, implementing, and enforcing the financial institution’s information security program. Qualifications will depend upon the size and complexity of a financial institution’s information system and the volume and sensitivity of the customer information that the financial institution possesses or processes.
Conduct and continuously monitor systems and data inventories.
Encrypt all customer information, both in transit over external networks and at rest.
Implement multi-factor authentication (MFA) for any individual accessing any information system, unless the use of reasonably equivalent or more secure access controls has been approved in writing by a qualified individual at the financial institution.
Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates.
Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.
Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information that is in the control of the financial institution.
Regularly test, or otherwise monitor, the effectiveness of the safeguards’ key controls, systems, and procedures, including those used to detect actual and attempted attacks on, or intrusions into, information systems. Covered financial institutions are required to conduct penetration testing annually and vulnerability assessments at least every six months.
Oversee service providers by periodically assessing them based on the risk they present and the continued adequacy of their safeguards.
The revised Safeguards Rule has some limits. First, the Safeguards Rule applies only to financial transactions “for personal, family, or household purposes.” Second, the Safeguards Rule exempts financial institutions that collect information on fewer than 5,000 customers from the requirements of a written risk assessment, incident response plan, and annual reporting to the Board of Directors. Lastly, key provisions, including the appointment of a qualified individual and conducting a written risk assessment, do not become effective until December 9, 2022.
The FTC’s strengthening of financial privacy protections is part of a larger societal and governmental awakening to the need for greater information privacy and security protections. This revision, among other changes, is a signal to all businesses that use nonpublic personal information to begin to assemble their data teams, including privacy counsel, to assess their data governance requirements and cybersecurity hygiene.
Covered financial institutions include: mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, some travel agencies, automobile dealerships, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, non-SEC regulated investment advisors, entities acting as “finders,” and other entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.
The Mendes Hershman Student Writing Contest is a highly regarded legal writing competition that encourages and rewards law students for their outstanding writing on business law topics. Papers are judged on research and analysis, choice of topic, writing style, originality, and contribution to the literature available on the topic. The distinguished former Business Law Section Chair Mendes Hershman (1974–1975) lends his name to this legacy. Read the abstract of this year’s second-place winner, Nicholas Mack of Vanderbilt University Law School, Class of 2022, below. The full article has been published in Volume 30 of the University of Miami Business Law Review.
At the conclusion of 2020, assets under management in sustainable funds—funds typically characterized by analyses of companies’ nonfinancial environmental, social, and governance (ESG) factors—hit a record high of nearly $1.7 trillion, with Bloomberg forecasting that total ESG investments may reach $53 trillion by 2025. Investments in sustainable index funds saw record highs in the first quarter of 2020 despite the overall financial downturn caused by the COVID-19 pandemic. Sustainable funds have gained significant traction over the last few years as US ESG funds outperformed conventional funds in 2019. Further, research conducted during the COVID-19 pandemic suggests that investing in ESG-focused funds mitigates financial risks, providing for a safer and perhaps overall better investment opportunity during times of financial crisis. Moreover, companies with robust ESG policies have demonstrated resilience during the COVID-19-induced financial crisis, providing further evidence of the benefits of ESG investing. Although ESG-focused funds and companies with robust ESG policies demonstrate economic resiliency and potential for outperforming conventional funds, federal securities laws generally do not require ESG-related disclosures.
Current US law mandates disclosure of certain environmental and social information under Regulation S-K and other banking and securities acts, but the vast majority of ESG reporting remains largely optional and market-driven. Most ESG information does not reach investors, regulators, or corporate stakeholders in a company’s typical annual report or other SEC-mandated filings; instead, companies typically opt to release a separate voluntary report aimed at sustainability and other ESG initiatives, which may be subject to greenwashing due to lack of oversight and regulation. More troubling is that the select few nonfinancial ESG-related disclosure requirements hinge on materiality, which evinces a nonfinancial regulatory regime that is principles-based, rather than rules-based. This requires investors to “trust” companies to act objectively and precisely when gauging the materiality of complex ESG issues. This causes both uncertainty in reporting requirements on the discloser side and the need for private actors to draw attention to sustainability issues and enhanced ESG disclosures.
But would investors even use this information if it was mandated by the SEC? Various studies seem to think so. McKinsey & Company claims that investors and asset owners adjust their investment strategies based on corporate sustainability disclosures. Ernst & Young’s 2016 report on ESG also indicates a global trend toward an increased interest in nonfinancial information by investment professionals. Investors have shown a clear proclivity towards using ESG information in investment decisions, exemplifying the need for a regulatory framework dedicated to ESG disclosure. These claims are only amplified by an examination of the public sector. A July 2020 Government Accountability Office report on ESG disclosures found that most institutional investors seek information on ESG issues to better understand investment risks. SEC Commissioner Allison Herren Lee stated in response to the Commission’s passing of a final rule in August 2020, “It has never been more clear that investors need information regarding, for example, how companies treat and value their workers, how they prioritize diversity in the face of profound racial injustice, and how their assets and business models are exposed to climate risk as the frequency and intensity of climate events increase.” Information, survey results, and public statements from both the private and public sectors recognize the importance of ESG disclosures and the incessant use of such information by investment professionals today. So, what should be done about this?
With robust firm-level ESG policies gaining notoriety as a driver of value for a firm due to its impact on company operations and efficiency, the SEC should consider mandating an ESG-disclosure regime based around this very specific principle. The current nonfinancial disclosure regime exists as a principles-based, materiality-focused framework; any recommended solution to the lack of ESG disclosures must fit this framework for the SEC to even consider it. Thus, the SEC should adopt mandated disclosures for certain ESG factors that materially impact a company’s operations. By mandating a principles-based disclosure regime based on a very specific principle, disclosers are less likely to face uncertainty in their reporting requirements and investors are better able to pinpoint the value drivers within the firm’s ESG initiatives. This “fix” is a starting point that addresses the SEC’s repeated neglect to adopt mandated ESG disclosures by framing such disclosures in a principles-based manner—thus, conforming to the SEC’s current nonfinancial disclosure regime while supplying investors with true, accurate, and influential nonfinancial ESG information.
Companies must consider environmental, social and governance (“ESG”) factors in their mergers and acquisitions (“M&A”) transactions to achieve maximum value and monitor risks. ESG matters are becoming increasingly significant in M&A transactions as businesses are facing mounting scrutiny and pressure for transparency on climate risk, social justice, sustainability, and corporate governance.
To address ESG considerations in the context of an M&A transaction, buyers—including private equity funds and strategic acquirers—should conduct ESG-focused due diligence, allocate ESG risk in the transaction agreement, and perform post-close ESG integration. This article addresses factors contributing to the increased focus on ESG along with commentary on how purchasers can integrate ESG factors in their next M&A deal.
Importance of ESG in M&A
A focus on ESG can be a competitive advantage for companies, private equity funds, and other strategic acquirers. It assists organizations in creating value, mitigating risk, and becoming more resilient. Consideration of ESG factors in M&A transactions is undeniably rising. Bain & Company recently conducted a global survey that found 65% of M&A executives expect their own company’s focus on ESG to increase over the next three years, with 11% stating that they currently regularly assess ESG extensively in the deal-making process. Failing to account for critical ESG elements can undermine success and lead to poor business outcomes.
Reputational Risk
Shareholders and investors are becoming increasingly attuned to ESG issues. By directing their investments to companies with comprehensive and established ESG disclosures, shareholders and investors globally are a key driving force behind growing ESG disclosure. Since ESG factors overlap with core corporate values, failure to address ESG issues may have a disproportionately negative reputational impact on a business. When considering a transaction, buyers should understand all ESG matters associated with the transaction, evaluate how to mitigate any reputational risks, and ensure that processes are in place to monitor the business’s reporting method.
Fiduciary Duties
Directors have a fiduciary duty to act in the best interests of the corporation, which has generally been thought of as a duty to act in the shareholders’ interests. The duty of care requires directors to exercise the care, diligence, and skill that a reasonably prudent person would exercise in comparable circumstances. To fulfill their fiduciary duties, directors must consider what will maximize shareholder value in the long term. Businesses must account for ESG risks to achieve lasting commercial viability. Shareholders have become more vocal and involved in the governance of a business, demanding changes to leadership and the board of directors. We are also starting to see examples of shareholders successfully removing directors as a result of their discontent with the company’s approach to climate change. This surge of ESG-related activity is driving corporations to urgently transform their core strategies.
Financial Implications
Considerable shifts in consumer awareness, spending patterns, employee expectations, regulatory frameworks, and industry perception have prompted investors to reallocate a notable amount of investments in light of ESG trends. Climate change has significantly impacted the operations and value of numerous companies, and we believe this trend will continue as the frequency and scale of natural disasters continues to increase. Natural disasters have caused an estimated US$280 billion worth of losses in 2021. ESG factors pose a real risk to shareholders now that losses are tangible and quantifiable, directly impacting M&A activity. Businesses must also consider the effects of ESG on financing. Access to capital for businesses may be limited by poor ESG ratings and performance. Lenders and institutional investors have made it clear that businesses must make ESG a priority or risk losing financing.
Regulatory Compliance
Across jurisdictions, the ESG regulatory landscape is steadily evolving. Regulators along with other oversight bodies have been expending resources to monitor and create rules and guidance on ESG matters. For example, in Canada, the Canadian Securities Administrators (“CSA”) recently published guidance for investment funds on their disclosure practices as they relate to ESG factors. The CSA has indicated that it will monitor ESG-related disclosure as part of its ongoing continuous disclosure review program. The US Securities and Exchange Commission (“SEC”) is evaluating current disclosure practices of climate-related risks. Recently, the SEC issued a press release on proposed rule changes that would require registrants to include certain climate-related disclosures in their registration statements and periodic reports, including information about climate-related risks that are reasonably likely to have a material impact on business, operations, and financial condition, and certain climate-related financial statement metrics. ESG factors will be a key consideration for both the buyer and target, as various regulatory bodies continue to bring additional ESG rules and regulations into force.
ESG Considerations in M&A
ESG Due Diligence
Buyers should consider broadening the scope of their due diligence to include performing targeted ESG investigations. ESG due diligence will look different for each transaction and will depend on the nature and type of business the target is conducting and the relevant operating jurisdictions. Due diligence should go beyond a routine examination of organizational performance and consider wide-ranging impacts and dependencies across the global value chain.
The due diligence process must integrate ESG into each stage of the deal and should inform the buyer of any potential impact of the merger or acquisition on its sustainability strategy and the long-term value of the combined entity. Red flag checks may include assessing the future fitness of the target and relevant assets, and conducting media scans to understand any major ESG-related risks. Due diligence should identify any human rights violations, corruption, environmental degradation, privacy breaches, data breaches, harassment, workplace misconduct, workplace diversity, gender inequity, greenhouse gas emissions, previous instances of non-compliance, the target’s ESG ratings, the use of ESG standards, and the target’s level of community engagement. This will identify potential liabilities or cultural concerns that can be investigated further. Other due diligence considerations may also flag physical and transitional risks associated with climate change.
Targeted ESG due diligence will assist buyers in identifying ESG risks that may influence a target’s price and overall deal structure. Once fully cognizant of the potential liabilities and risks of a transaction, companies may mitigate ESG risk through the transaction agreement.
Transaction Agreement
M&A transaction agreements, such as share purchase agreements and asset purchase agreements, already reflect the growing importance of ESG factors. Since the beginning of the COVID-19 pandemic, the majority of M&A agreements have adopted provisions for COVID-19 in material adverse effect clauses and interim operating covenants. COVID-19 tested the resilience of corporations globally and has shown investors that ESG matters now more than ever.
Through ESG diligence, buyers can understand the potential risks and pitfalls that relate to the target’s operations and industry. The buyer can then look to address any ESG risks in the transaction agreement through specific indemnities, targeted representations and warranties addressing ESG matters, or various pre-closing conditions or post-closing covenants of the sellers. The transaction agreement will typically contain customary representations and warranties relating to the various aspects of the operations of the business and the regulatory environment in which it operates. These customary representations and warranties may address several ESG factors. Yet they should be reviewed and revised in light of the specific regulations or codes of conduct that apply to the operations of the business and any relevant ESG factors. Buyers should therefore consider and look to negotiate the inclusion of applicable ESG representations, which may include “MeToo” representations requiring targets to disclose misconduct allegations, compliance with specific codes or principles that the target has voluntarily adopted, or compliance with recommendations of applicable codes of conduct or guidelines issued by oversight bodies.
For ESG risks that are identified in diligence, buyers should consider the materiality of these identified risks and consider how these issues can be addressed. The purchase agreement should be tailored to suit the needs of each transaction. Depending on the issue identified, the vendors may be able to address the concerns pre-closing. This could include adding provisions such as special pre-closing covenants requiring detailed reporting and disclosure of any new ESG issues that may arise.
If the issue cannot be addressed pre-closing, such as non-compliance with ESG-related regulations, the buyer may wish to negotiate a reduction in the purchase price to reflect the risk assumed. In addition, the buyer may wish to consider a specific indemnity to address the risk for known ESG issues and holdback of a portion of the purchase price that the purchaser can set off against any losses it incurs due to the issues identified. The parties may also look to restructure the transaction to assist in mitigating the risk.
Post-closing Matters
Post-close, the buyer should continue its review of ESG factors while looking to integrate the target into the buyer’s operations. The integration process should aim to align the target’s ESG policies and values with those of the buyer. To ensure that the target’s ESG culture and values meet the buyer’s expectations, the buyer should confirm that the proper policies are in place and communicated to all employees, suppliers, and contractors. If the target has ESG policies that are more robust in certain areas than the buyer’s existing policies, the buyer may use this as an opportunity to grow and strengthen its reputation and performance.
The buyer should also develop an action plan to address any material ESG risk of the target that was identified through the due diligence process. The buyer will be better positioned to monitor and track future remedial efforts and compliance.
Conclusion
As companies, investors, and shareholders are becoming increasingly conscious of social and environmental factors, it is critical to evaluate investment opportunities through an ESG lens. For the foreseeable future, ESG-assessed M&A will be an important tool to generate growth and provide companies with a competitive edge. It will also be crucial in establishing stakeholder trust. For corporate and fund-based dealmakers, decisive steps are needed in risk reduction and long-term value generation. Organizations that take initiative and embrace ESG in M&A will be better positioned to achieve sustainable growth and adapt to constantly evolving expectations.
As the company’s information treasure trove grew, two things were clear: With more information in more places, with more value, traveling across the globe at the speed of light, something bad was eventually bound to happen. And the consequences of failing to manage information assets began to have greater implications for stock value, reputation, executives’ careers, customers, regulators, courts, and the court of public opinion.
The US Department of Justice recently updated its “Evaluation of Corporate Compliance Programs,” which guides prosecutors and courts in the adequacy and effectiveness of a corporation’s compliance program. Implicit in a good compliance program is that companies can’t babysit all their employees all day, every day. But if a company constructs an artifice to help employees comply with company policy, for example, the consequences of failure may be reduced or nothing at all. In that sense, good compliance is like insurance—you may never need it, but it provides solace just knowing it exists and is good. So, knowing the criteria a company may be evaluated against someday should help it bolster its corporate compliance programs. More specifically, this article is about information governance compliance programs that are becoming increasingly important with corporate information growing at 23% each year (per IDC), the increase in privacy regulations, and the adoption of big data projects.
We live in a world that requires companies to use data to better understand their customers’ needs, improve products and services, reduce costs, and improve business efficiency, all while complying with laws and regulations that dictate, among other things, how long information must be retained. According to The Economist, data is one of the most valuable resources in the world today.
ABBYY recently polled thousands of office workers across the globe, and found that 64% of UK employees have difficulty accessing data. In fact, a quarter (27%) lose a full day of productivity every week (ABBYY).
Organizations are generating as much as 7.5 septillion gigabytes of data per day, which is why laws and regulations that govern the management of data are increasing. To put that in context, we create roughly the data equivalent of 50,000 years of continuous movies every few hours, all day, every day. Now more than ever you should consider creating or reviewing your information governance policies and practices to ensure they address the information your organization generates, receives, and manages. This might sound like a daunting task, but it doesn’t have to be.
Let’s start with defining information governance: It is the management, retention, and disposition of information that an organization creates and collects. Information is the lifeblood of most companies today and should be managed as a valuable asset. Given the overlapping influences of contractual obligations, preserving customer trust, and laws and regulations, companies can’t afford to ignore information governance.
Many confuse information governance with records management, but there is a huge difference. Traditional records management compliance programs typically had policies that outlined the official records (purchase orders, personnel files, contracts, etc.) that needed to be retained in accordance with laws, regulations, and business needs. Typically, most programs had “minimum” retention periods established to ensure records were not disposed of too quickly in case a regulator wanted to inspect them. Addressing official records by imposing a minimum retention period is no longer considered reasonable or good enough. Instead, companies must govern all information that the organization generates, receives, and manages, regardless of the medium or storage location (e.g., onsite, AWS, SaaS provider, mobile device) and whether or not it is the official record. For most organizations, a vast amount of the information under their management may not have any law or regulation mandating its retention or disposal and may have only short-term business value. This information requires governance and management, too. It must have a predictable end of life, especially if it contains high-risk data.
Over two decades ago, the Kahn Consulting firm developed the Seven Keys to Information Management Compliance based on the Federal Sentencing Guidelines. The Seven Keys take the Federal Sentencing Guidelines and adapt them for the information space. The Department of Justice guidance to prosecutors can likewise be used as a roadmap to implement or validate the key components of your company’s information governance compliance program. Summarized below is a roadmap to implement or augment your compliance programs, focusing specifically on information governance.
Summary of Roadmap
1. Risk Assessments
A compliance program’s key components should consist of a risk assessment process to identify, analyze, and address particular risks. This process should be documented and consist of metrics that will be used to address compliance. Based on the risk profile, there should be resources, funding, and scrutiny allocated appropriately based on the level of risk. Risk assessments should be conducted routinely and based upon operational data.
Actions taken to address risk (policy modifications, training, etc.) should be documented and monitored. The risk assessment process should incorporate lessons learned from actions taken within the company and at other companies with similar business profiles. As it relates to information governance, a risk assessment should include structured information, unstructured information, third parties storing information, outsourced business processes that have an information component (e.g., benefits, 401(k), retirement), communications and messaging environments, end user productivity environments such as Microsoft 365 and Google Workspace (including collaboration and meetings), robot-generated data, etc.
2. Policies and Procedures
Policies and procedures must be part of a well-designed compliance program. Policies and procedures should address identified risks and directives that must be followed, as well as strive to establish a culture that promotes compliance. The company should have a policy management process in place that dictates how corporate policies should be designed, approved, published, implemented, and maintained over time. Information management policies and procedures should address the retention of information (records and non-records), disposition rules, preservation obligations, and protection of specific classes of information.
3. Training and Communications
A key component of a well-designed compliance program is the training of employees and the communications used to integrate the policies within the company. Training and communication messages should be tailored for specific audiences. High-risk areas may require more training and/or more detailed examples during training. The training should take into consideration the form and language(s) that are used. Training should be an ongoing activity and incorporate lessons learned from past non-compliance events. Communications should include leadership’s position on misconduct or non-compliance (e.g., warning, termination, discipline). Training and communications should provide guidance for employees to identify when they should seek assistance and where they can get it.
Information management programs should have an annual required training program, and periodic communications should be sent out from senior leadership reminding the organization of the value of information and the potential risk of non-compliance with policies and procedures. Furthermore, training and communications should be targeted for specific audiences such as application owners, Google Workspace users, network/fileshare users, email users, third-party contract business owners, etc. The messages and training must be specific to the actions that are required. For example, if the company’s policy is to purge email after one year, define the specific action that must be taken in the rare event that an email would rise to the level of a record requiring longer retention.
4. Confidential Reporting Structures and Investigation Processes
Confidential reporting structures and investigation processes are essential in compliance programs. Employees must be able to report non-compliance and misconduct anonymously and confidentially. The company’s culture and processes should promote and measure the workplace environment to ensure that fear of retaliation doesn’t exist. Processes need to route issues quickly to a few appropriate people so they may be dealt with in a timely manner. Employees must be made aware of how to report non-compliance and what happens once they report it. There should be a robust process, including metrics, to investigate, manage, and discipline non-compliance.
The information gathered during non-compliance events should be tracked, analyzed, and used for lessons learned. Information governance non-compliance can have serious consequences for the organization. The over-retention of private information can cause reputational damage and financial consequences. Destruction of potentially relevant information that has been placed on a legal hold may not only result in fines and penalties but may also affect the outcome of litigation or a regulatory investigation.
5. Management of Third-Party Relationships
Third-party relationships should include a strong risk-based diligence process. The diligence should be appropriately aligned with the level of risk. As part of the risk assessment, sub-contractors to the third party should be assessed, and contract terms and conditions should be reviewed. Ongoing monitoring of the third-party relationship should be documented, audited, and tracked. Specifically related to information governance, any third party storing, managing, or accessing information on behalf of your company should have a risk assessment completed. Third parties with personal information, highly confidential information, or IP should have additional scrutiny and corresponding controls established.
Real actions and consequences need to take place when non-compliance exists. Follow up to non-compliance is required to ensure that the third party has addressed the issues. As it relates to information governance, all contracts should clearly identify the third party’s roles and responsibilities as they relate to retention, disposal, and preservation of information, including the redaction or anonymization of personal information.
6. Mergers and Acquisitions
Mergers and acquisitions need to be included in a well-designed compliance program to ensure timely and orderly integration of any acquired entity into the company’s compliance regime. Divestitures need to be evaluated to ensure the appropriate compliance activities are moved to the acquiring company in a timely manner. There should be a due diligence process, integration process, and implementation plan prepared prior to the actual transaction taking place. Information governance responsibilities need to be clearly outlined so the segregation of information can take place, claw-back clauses can be incorporated into contracts as necessary, and information related to open litigation, audits, or investigations can be addressed. Identification of all the information that is impacted by an acquisition or divestiture is becoming more complex as it relates to big data projects, privacy laws, and the expanding number of third parties storing the information.
7. Adequate Resources and Empowerment
Companies must adequately resource and empower their compliance programs. Issuing policies is no longer good enough. Compliance programs must have implementation plans to ensure appropriate staffing is in place to audit, document, analyze, and continuously improve compliance programs. This key component can be time-consuming when it comes to information governance compliance programs.
A few examples of areas requiring automated or manual plans for managing information are: applications, third parties managing information on the company’s behalf, end user information storage locations, communication systems, and off-site storage boxes. You should automate as much as you can, but there are realities where rules cannot be automated and will require manual intervention. Implementation cannot start until the company develops and enacts a documented retention schedule that outlines the rules for retaining specific categories of data. The retention schedule needs to be based on up-to-date legal research for each jurisdiction where the company conducts business. It must also address the business value of the information.
8. Commitment from Senior and Middle Management
For a compliance program to be successful, senior and middle management commitment and messaging are a necessity to foster a culture of compliance within the company. The C-suite and the board set the tone for the rest of the organization by messaging the importance of compliance and by demonstrating adherence. All leaders in the company need to take ownership of and accountability for their employees when it comes to monitoring and checking for compliance with policies. When management finds non-compliance, it needs to address the matter and perhaps use it as a teaching moment for the rest of the staff.
9. Autonomy and Effective Resources
Program autonomy and effective resources are essential in a well-designed compliance program. Compliance programs need to have day-to-day oversight, and those responsible for that oversight must have adequate autonomy, authority, seniority, and access to the Board of Directors. Team members should have the appropriate experience to address non-compliance issues. Internal audits should also be conducted to ensure that compliance personnel are in fact empowered and positioned to detect and prevent non-compliance. As for information governance programs, there should be a governance board with representation from Legal, IT, Security, Privacy, Compliance, Audit, and select business units.
10. Incentives for Compliance and Disincentives for Non-Compliance
Implementation of a compliance program should consist of incentives for compliance and disincentives for non-compliance. Clear disciplinary procedures should be in place, consistently enforced across the organization, and commensurate with the violations. Communications from senior leadership should inform employees that unethical conduct and policy violations will not be tolerated and will have consequences. A company can consider implementing an incentive system that rewards compliance and ethical behavior. Information governance programs should be treated as equally important as other compliance programs.
11. Proof that the Compliance Program Works in Place
A compliance program should have the ability to prove that it is working, and more importantly, that it was working when a violation occurred. Documentation and evidence of actions taken are important—always document how misconduct was detected, how the investigation was conducted, what resources participated in the investigation, and the remediation efforts. The compliance program should also document how the program has evolved over time and maintain an audit trail of changing risks and continuous improvements to the program to address new risks or non-compliance issues. The following should be part of a well-designed compliance program to prove that the program was working at the time of a non-compliance event:
Continuous Improvement, Periodic Testing, and Review: An effective compliance program must have the ability to improve and evolve.
Internal Audit: Internal audits must have a rigorous process that is followed and routinely conducted.
Control Testing: Testing controls should be established, compliance data must be routinely collected and analyzed, and necessary actions taken.
Evolving Updates: Risk assessments, policies, procedures, and practices should be routinely improved to reflect the current risk profile and lessons learned.
Culture of Compliance: Companies should routinely measure their culture of compliance through all levels of the organization.
12. Investigations of Misconduct
All examinations of allegations and suspicions of misconduct by the company, its employees, or third-party agents must work effectively and be appropriately funded to ensure a timely and thorough investigation that includes a documented response of its findings, disciplinary actions, and remediation measures. Investigations must be conducted by an objective party. For information governance compliance, automated monitoring for non-compliance should be considered. As an example, monitoring the volume of data leaving your organization can be an indication of an employee transferring data to a private account outside of the company. You can use tools such as MS 365 to both automate compliance and detect non-compliance. Once evidence indicates a questionable act, people, process, and technology should be in place to assess the alleged infraction and take necessary action.
13. Analysis and Remediation of Any Underlying Misconduct
Lastly, a well-designed compliance program that is working in practice must have a thoughtful root cause analysis of misconduct, and the company must timely and appropriately take action to remediate the root cause. Root cause analysis should consider what control failed (policy, procedure, training, etc.), the amount of funding provided, what vendors were involved, any prior indications of failure, what prior remediation efforts were taken to address a similar compliance issue, and any failures in supervision of employees. Information governance compliance often finds failures in generalized “off-the-shelf” training programs. Training programs must be 100% aligned with policy directives, practices, and procedures. Employees need to clearly understand where they are allowed to store certain types of information and how disposal of the information will happen in accordance with policy and business unit or IT practices and procedures.
Summary
Now more than ever, companies need to make an honest effort to do the right thing and comply with laws and regulations. However, in the event that employees or third parties managing data on your company’s behalf inadvertently (or intentionally) violate a law or regulation, a well-designed information governance compliance program can be used to demonstrate “reasonableness” and the company’s good faith efforts to comply with laws and regulations, which ultimately may be the difference between winning and losing.