While hanging around the water cooler the other day, I took an informal survey of a few colleagues. “How many of you are finding the task of addressing private information in compliance with increasingly complex laws, regulations, and corporate mandates to be hugely fun?” Unsurprisingly, the feedback was unanimous; everyone was loving it. They couldn’t get enough. They clamored for greater records management responsibilities and litigation response obligations. They also mentioned that there is no better end to a long workday than an involved information-security training, provided that their lunchtime could be interrupted for dental work with no anesthesia.

As it turns out, employees in the real world don’t really like doing anything beyond their real jobs, and certainly don’t want to have anything to do with the perceived tedium of classifying their files according to a growing set of company rules. For the vast majority of people, information management is about as fun as a root canal. And yet, effectively managing information has always been essential and is more and more a differentiator for organizations. This capability impacts a company’s reputation, risk profile, and innovation initiatives.

What can companies do? They can’t outsource their obligations—even if a third party is brought in to do some of the legwork, ultimately the obligation to comply lies with the company. Neither can they ignore the issue because there are increasingly more laws that prescribe how companies and their employees must manage information from its creation to its proper destruction. Similarly, there are far more consequences in failing to get it right. It’s an unenviable position for companies; they need their employees protecting the company’s information assets, but most employees are disinterested at best, viewing themselves to be full up with “real” work that trumps a concerted focus on these efforts.

Generally, there are two kinds of employees: the ones who are motivated by carrots, and the ones who must be inspired by sticks. There are some employees who will follow rules because they are told to and because being proactive is good for the company. However, if there is no compelling reason for employees to do something, they often fall into the latter category of needing a consequence, a penalty, or a loss of some benefit or privilege before they will dream of doing a task at work outside of their perceived job scope.

That brings us to a confluence of realities: more downside, more attacks on the IT systems, more laws dictating what is required and penalizing companies when they fail to comply, and more employees behaving badly, uninspired to lift a finger to help your company better manage information.

Here are seven keys to fix such a problem.

1. Set the Tone at the Top. The CEO in some respects is the soul of the company in that he or she sets the big-picture objectives for the organization. This is commonly communicated through a mission statement, vision, and code of ethics. These concepts and values are then seen as calls to action by others in the organization and rapidly become operationalized. When the CEO or other executives message the importance of a company initiative or action, the employees (everyone below them) are more likely to listen and follow their lead. For example, if the CEO decides that being a “greener” company is important, then initiatives that advance that idea will get more attention and funding. Employees will more likely do what it takes to make the company greener. Thus, one thing that will be essential to making information activities come to life in the company is for the executive team and others in management to support the information project or program and message its importance to all employees. Another way they can show support is by funding such activities and publicly recognizing successful efforts.

2. Make It Part of the Job. One of the best ways to get folks to take on protecting private information is to make it a part of their job responsibilities. For many businesses, at most they develop policy and expect that employees will read, understand, and follow the directives. That is usually the last time the policy is addressed until something bad happens. Then everyone wants to know what went wrong. What commonly goes wrong is that employees have a black and white view of their roles and responsibilities. They disregard policies as irrelevant to their jobs if adequate context isn’t provided.

The company can “legitimize” the activity by making it a part of the employees’ job responsibilities in writing and by making it clear that failure to do as required will, for example, impact performance incentives. When compliance with a policy is tied to compensation, it tends to get employees engaged. That would be more of the stick approach.

In terms of the carrot, why not have high-potential employees nominated by senior leadership to serve as information stewards? Formalize the role, make it a coveted position, and recognize and reward them for participating. You will find that you have inspired these employees to be your eyes and ears in the business. This causes a chain reaction whereby those around them start caring more as well.

3. Train the Employees. A policy itself, no matter how comprehensive and clear, is only as good as the training and change-management that accompanies it. Parking a myriad of policies on a website and thinking employees will search to find and master them is wholly unrealistic. Not only that, but having policies that no one follows is a liability. “Isn’t it true that your company has a privacy policy, you didn’t know about the policy, and in fact were never trained on the policy . . .” You get the idea.

Providing a written policy or other directive tells employees what is expected; training them on it helps ensure they understand what they must do in greater specificity. In other words, policy is not enough. Training and perhaps even testing on the mastery of the training is far more effective.

Remember, however, that employees can’t take in endless training sessions on one topic after another. Be mindful to not put too much in front of them at once and spread it out to maximize the training’s effectiveness. In other words, limit how much training employees receive, given the law of diminishing returns.

Training should be an important tool in your arsenal when it comes to ensuring that employees are able to digest and apply vital policy concepts. It is a stepping-stone to behavioral change. One point of consideration is to consolidate trainings where possible. Companies often have a “code of ethics” or “code of conduct” that provides high-level principles regarding the company’s position on such matters as privacy requirements, books and records management, cyber-security fundamentals, and beyond. Publishing such a code for public/external consumption bolsters a company’s reputation for being trustworthy and of sound integrity. Is it possible to consolidate your trainings on various governance topics into one large “code of ethics” training that can be taken in modular format? This then strengthens and unifies the company’s position on various interdependent information-management directives while streamlining the training experience for employees.

4. Gamify. In the last few years, gamification of training has helped create better-trained employees and kept employees engaged with longer-term retention of the topic. Gamification is a process where an employee is engaged at a deeper level to make the training like a game. This means launching awareness campaigns that involve features like points, levels, and awards. The goals of gamification are to create a sense of intrinsic motivation, achievement, and mastery. The more employees interact with the training material or policy in a game context, the more likely they are to understand the material and be able to act upon it. Bottom line is that it works.

5. Auditing/Monitoring. The only real way to know whether employees are doing what is required of them is by looking. In the workplace, that is typically done by watching their actions in real time (monitoring) or looking at what they have done after the fact (auditing). Auditing and monitoring programs help ensure that employees are getting it right. These programs also allow the company to help employees better perform tasks and fix training or implementation issues across the company as they become known.

In highly regulated industries, auditing and monitoring are part of the normal course of business. In fact, internal audit and quality assurance teams can be excellent partners in building an audit readiness program and in conducting the audits themselves.

6. Whack with Love or Not, but Be Consistent. When employees get something wrong, there may be a need to reprimand them. Thus, when policies provide that noncompliance may result in disciplinary action, the company must follow through. Failure to discipline may result in claims that such policy or disciplinary action is applied in a discriminatory fashion. Remind and follow up with employees to ensure they are getting it right, and when they don’t, act swiftly, fairly, and consistently to address the failure. Remember, word travels fast, and others will take note, which tends to change behavior in a positive way.

7. Repeat. Training, behavioral change, and the business transformation that follows are not one-time projects or instantaneous outcomes. Begin the process of training on key topics from the very beginning of an employee’s tenure at your company during orientation. For topics that are essential for employees to master, such as information security, training should be routinized and part of an established schedule. Not only that, policy principles and core concepts should be patiently and persistently reiterated via meetings with communities of practice, company newsletters, annual refresher trainings, and embedded within spotlights on governance initiatives when there has been a “big win.” Making employees care about managing information well means making these conversations part of your company’s culture.

Conclusion

Information has become the lifeblood of organizations. Oftentimes, it’s pumping life without rhyme, reason, control, or direction, and that has to change. Unless leadership institutionalizes the management of information, the employees will likely do as little as possible or nothing at all. With value, volume, growth in legal requirements, and consequences all intensifying around information management, however, companies must have their work forces engaged. The seven keys may not build love, but they will build a reasonable, repeatable, and defensible process “hook” for litigators to hang their hats on when failure occurs, and it always does.

On September 28, 2018, California became the first US state to specifically regulate the security of connected devices (otherwise known as ”Internet of Things” or “IoT devices”).

The new laws aim at increasing the security of IoT devices, whose global use is growing rapidly. Statista has estimated that in 2018 there are over 23 billion IoT devices currently in use, and this number is expected to grow to over 26 billion in 2019 (Gartner has estimated 20 billion such devices will be online by 2020). Unfortunately many IoT devices remain dangerously unprotected from cybercriminals and vulnerable to malware as they enter the market with no passwords, default passwords (think ”123”, ”admin” or even worse, ”password”) or otherwise hard-coded passwords that cannot be modified or updated. 

These concerns are not merely speculative. By way of ‘real life’ example, beginning September 2016, massive distributed denial of service (DDoS) attacks took down various US Internet infrastructure companies/DNS providers, leaving much of the Internet inaccessible on the east coast of the United States and incapacitating popular websites (including AirBnB, Amazon, Github, HBO, Netflix, Paypal, Reddit, the New York Times and Twitter, just to name a few). Originally created by three teenaged hackers, the Mirai malware responsible for the attack was specifically designed to target and infect susceptible IoT devices such as security cameras, home routers, air-quality monitors, digital video recorders and routers using a table of more than 60 common factory default usernames and passwords.  These devices were turned into a network of remotely controlled bots that were used to launch the DDoS attacks which later spread globally, impacting such diverse organizations as OVH (a large European provider), Lonestar Cell (a Liberian Telecom Operator) and Deutsche Telekom. At its peak, Mirai infected over 600,000 vulnerable IoT devices.

These two new substantially similar IoT laws (California Senate Bill 327, chapter 886 and Assembly Bill No. 1906, “Security of Connected Devices” (2018 Cal. Legis. Serv. Ch. (S.B. 327)(to be codified at Cal. Civ. Code § 1798.91.04(a)) (collectively, the “IoT Laws”) require manufacturers of connected devices to equip the device with a ”reasonable” security feature or features that meet all of the following criteria: (i) appropriate to the nature of the device; (ii) appropriate to the information it may collect, contain, or transmit; and (iii) designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure. The IoT Laws broadly define a ‘connected device’ to mean any devices or other physical object that is capable of connecting to the Internet (directly or indirectly), and that is assigned an Internet Protocol address or Bluetooth address, meaning that consumer, industrial, and other IoT devices are covered.

Additionally, if the connected device is equipped with a means for authentication outside of a local area network, either of the following requirements must be met before it shall be deemed to possess a “reasonable security feature”: (i) it must have a preprogrammed password unique to each device manufactured; or (ii) the device must contain a security feature that requires a user to generate a new means of authentication before access is granted for the first time.

The IoT Laws broadly capture “manufacturers” to include the producers of the devices themselves and those who manufacture on behalf of such organizations, connected devices that are sold or offered for sale in California. However, manufacturers are not responsible for any unaffiliated third-party software or applications that a user chooses to add to the device. Contracts with organizations or persons involving the mere purchase of connected devices or purchasing and branding a connected device are excluded. 

Manufacturers are obliged to allow users to have full control and/or access over connected devices, including the ability to modify the software or firmware running on the device at the user’s discretion. Additionally, no obligations or duties are imposed upon electronic stores, gateways, marketplaces or other means of purchasing software or applications to review or enforce compliance with these statutes.

The IoT Laws contain various exclusions and limitations. For example, they do not apply to manufacturers of connected devices that are already subject to security requirements under US federal law, regulations or the guidance of federal agencies (presumably FDA-regulated medical devices, for example). They do not prevent law enforcement agencies from continuing to obtain connected device information from a manufacturer as authorized by law or pursuant to a court of competent jurisdiction. They also do not apply to the activities of covered entities, providers of health care, business associates, health care service plans, contractors, employers, or other persons subject to the U.S. federal Health Insurance Portability and Accountability Act of 1996 (better known as HIPAA) or California’s Confidentiality of Medical Information Act.

Significantly, the IoT Laws do not provide individuals with a private right of action against non-compliant manufacturers. Only the Attorney General, a city attorney, a county counsel, or a district attorney has the authority to enforce these requirements.

The IoT Laws are scheduled to come into force on January 1, 2020.

The enactment of the IoT Laws was clearly motivated by the desire to improve the security of smart devices and mitigate security vulnerabilities that leave such devices open to cyber-attacks such as Mirai malware. By not mandating what security features are ”reasonable,” the legislation is effectively leaving it up to the manufacturer to determine whether its security features meet the three-prong test described above. Guidance from agencies such as the National Institutes for Standards and Technology (NIST) and other industry self-regulatory guidelines can help determine what will be reasonable under the circumstances (in fact NIST is currently seeking comments on its draft guidance document which includes recommendations for addressing security and privacy risks associated with IoT devices—see Draft NISTIR 8228, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks”.)(“NIST Guidance”).

The new IoT Laws are not without their flaws and skeptics. Critics charge that certain aspects of the IoT Laws are vague and ambiguous given the lack of clear standards (what does “reasonable security feature or features” mean practically?) with no way to validate that the manufacturer actually designed to those standards. While the IoT Laws may address the security threats associated with hardcoded or default passwords that are easily guessable and may force manufacturers to in turn force consumers to change their passwords before using such devices (or otherwise install unique passwords), they do not address many other security concerns or truly enhance device security. These concerns include the failure of many manufacturers to routinely update the software/firmware accompanying many IoT devices (or otherwise compel consumers to update such software/firmware if patches/upgrades are actually available) to address security and other concerns. Other pre-market security means to enhance security are also ignored (device attestation, security audits for firmware from third party providers, improvements in device access, management, and monitoring, requirements to remove unnecessary insecure features, etc.). As the NIST Guidance has noted, an IoT device may be a black box that provides little or no information on its hardware, software, and firmware or may not offer any built-in capabilities to identify and report on known vulnerabilities. And users can still deploy terrible passwords. 

However, while arguably incomplete from a security perspective, California is a large market and a standard setter for the U.S., and the IoT Laws may serve as an example for other jurisdictions to follow. Accordingly any manufacturer of an IoT device that intends to ship its products into California must start employing better security features that meet the requirements of the IoT Laws; as such the IoT Laws may be the catalyst required to nudge IoT-connected devices in the right direction to better security.

Lisa Lifshitz

Blockchain technology (or as some commentators prefer, “distributed ledger technology”) is a major technological innovation that promises to significantly alter the way we do business in several fields. Those changes, in turn, will bring new legal challenges that our laws, courts, regulatory agencies, and other institutions must address. As promising as blockchain technology is, however, it is no panacea. It can offer concrete benefits over prior approaches, but it also comes with real costs that can limit or preclude its use in some applications. To better assess the legal challenges facing existing and new applications of blockchain technology, it is important to understand the benefits and costs of the technology; that, in turn, requires at least some level of understanding what blockchain technology is.

The starting point for the technology was Satoshi Nakamoto’s release in 2008 of the white paper, Bitcoin: A Peer-to-Peer Electronic Cash System (Nakamoto was a pseudonym for the real and still-unknown authors), in which Nakamoto introduced blockchain technology for the first time along with a fully conceived platform for its use to implement digital cash.

By the time Nakamoto released his white paper in 2008, digital signatures were a well-understood feature of the mathematical field of public-key cryptography. Participants generate a key pair composed of a public key and a related private key. The public key is distributed to all participants while the private key remains secret. The relationship between the two keys is such that a message encrypted with one of the keys can only be decrypted using the other key.

In this system, a participant, Alice, can digitally sign a message by encrypting it with her private key, which only she possesses. Anyone can read the message by decrypting it with Alice’s freely available public key, but the fact that the message can successfully be decrypted using Alice’s public key proves that Alice—and only Alice—digitally signed the text with her private key because only Alice possesses that key.

Like some others before him, Nakamoto began by defining a digital coin as a chain of digital signatures, but digital signatures alone could not prevent network participants from spending the same coins more than once by signing multiple but inconsistent spending transactions—the “double-spending” problem. To prevent double-spending, the system must have some way to determine whether the sender, Alice, owns a spendable coin that has not previously been sent to someone else. Prior electronic payment systems typically solved the double-spending problem by relying on a trusted central party to keep track of all transactions. In contrast to such a centralized system, Nakamoto sought a peer-to-peer system that did not assign trusted status to a special central party.

Nakamoto reasoned that a peer-to-peer system could work if each node possessed the means to evaluate for itself the validity of the transaction. Thus, each node would have to maintain its own ledger of all transactions. This ledger—with identical copies distributed to all notes—is the blockchain. All new transactions would be distributed in blocks to all nodes, which would add them to their ledgers.

With each node maintaining its own ledger, there arose a need to ensure that the separate ledgers would remain consistent. Thus, Nakamoto needed a mechanism to achieve consensus among the nodes as to which transactions should be included and in what order. Nakamoto decided to use “proof of work” to achieve consensus on the Bitcoin network. Certain nodes—miners—would validate transaction blocks by performing a time-consuming calculation, adding proof of the successful completion of the calculation to each validated block. Then, in the event a node received inconsistent blocks to add to the chain, Nakamoto specified that nodes should select the valid blocks representing the largest amount of computational work. A proof-of-work mechanism requires a lot of computation, but it is essential to the functioning of the Bitcoin consensus system. Therefore, the system provides miners an incentive payment in the form of newly created bitcoins and transaction fees offered by the sender.

People soon realized that blockchain technology could be adapted to uses beyond Bitcoin. The first such use was to create new cryptocurrencies. Today, there are thousands of “altcoins” using blockchain technology. Beyond cryptocurrencies, many other human activities are amenable to representation in a ledger system like the one underlying Bitcoin. One obvious example is a blockchain used to keep track of assets such as real property, inventory items, and government records. The blockchains in these use cases might operate similarly to the Bitcoin blockchain, but instead of coins, they would employ coin-like tokens linked to the underlying physical assets.

Taking blockchain technology beyond Bitcoin, other developers have implemented systems that offer the ability to execute user-specified programming code on the blockchain itself. For example, the Ethereum platform begun in 2013 allows users to create complex computer code linked to transactions on a blockchain. As a result, some users speak not of submitting transactions on Ethereum, but of creating “smart contracts” (also called distributed applications, or dApps), which run on the blockchain. The availability of smart contracts in a blockchain system makes it possible to envision autonomous, distributed functioning of a number of complex activities that cannot happen today without manual control and intervention, or a centralized bureaucracy.

• Autonomous trading platforms. Smart-contract code automatically matches buyers and sellers and automatically performs trading on the blockchain in securities, commodities, or other assets.
• Supply chains. Actors at each stage of a supply chain—purchasing, manufacturing, transportation, delivery, payment—enter secure transactions into a blockchain system, and smart code automatically tracks products, initiates new orders, and allocates appropriate resources at the next stage of the chain.
• Peer-to-peer insurance. The pooling of risks, the events documenting the losses and claims, and the submission and payment of claims are represented by autonomous transactions on the blockchain.
• Organizational decision making and voting. Participants in an organization vote for new policies, investments, or candidates by recording secure transactions on a blockchain, and smart-contract code automatically tallies the results and effectuates the election results.

Although blockchain technology confers many potential advantages, its nature poses potential costs as well. Not all centralized ledgers are better replaced by distributed blockchain technology. Some of the potential advantages and disadvantages are described below. The successful use cases will be ones with a favorable balance of factors.

• Many business processes involve complex interactions among multiple individual or institutional intermediaries that are intended to serve as a check on one another. In a blockchain network, careful planning can allow cryptography and consensus mechanisms to take the place of human judgments about trust, just as they do in the Bitcoin network.
• Transparency and immutability. The basic operation of a blockchain system is the creation and addition of validated blocks to a chain of prior blocks. These blocks provide a complete record of all transactions and operations processed by the system. Cryptography insures that blockchain records, once recorded, cannot be forged or altered.
• Blockchains distribute the responsibility for storing and processing information across multiple nodes in a networked system. In doing so, they reduce the number of possible points of failure or points of attack.
• Automatic rule enforcement. The nature of blockchain systems disallows certain kinds of errors and malfeasance that in other systems might require specialized code or human intervention.
• User autonomy. Blockchain systems can allow users great autonomy in the control over their own transactions. In the Bitcoin network, for example, so long as the network continues to operate, there is no way to prevent a user from transferring bitcoins or to force an unwanted transfer without the user’s private keys.
• Performance and scalability. The features that provide blockchain technology its advantages come with performance and resource costs. Even if a blockchain system does not use the proof-of-work system of Bitcoin, blockchains frequently require significant storage, computing power, and network bandwidth. As a general matter, blockchain-based systems use more computing resources and scale less efficiently than systems based on centralized ledgers.
• Complexity, errors, and vulnerabilities. Blockchain systems can be highly complex and difficult to develop. Moreover, the design and programming of smart-contract systems utilizing blockchain systems is a separate source of complexity, and almost certain to produce significant bugs and vulnerabilities that can lead to execution flaws or vulnerabilities.
• The blockchain contains a full and detailed record of every transaction processed using the system, and the consensus mechanism of the system ensures the replication of that full record across multiple nodes of the system. These risks do not necessarily prevent the use of blockchain technology for sensitive information, but they can add complication to the design of the system.

To practice law effectively, lawyers today need a basic understanding of modern technologies, which should include the fundamentals of blockchain technology.

In depositions and trials involving non-English-speaking parties and witnesses, clients represented by bilingual counsel have the clear upper hand. The advantage a bilingual attorney has over a nonbilingual attorney cannot always be offset by the services of an interpreter at deposition or trial, given that even the most skilled interpreter can make inadvertent mistakes and, more importantly, cannot comment on material credibility indicia of non-English-speaking witnesses, such as their intonation or sarcasm, while testifying. Consider these scenarios:

A plaintiff in a deposition testifies in Spanish, but neither the plaintiff’s nor the defendant’s attorneys speak Spanish. Out of necessity, both attorneys must rely on the interpreter’s translation of the plaintiff’s testimony (particularly if the proceeding is not videotaped), although neither attorney can be sure that the translation truly captured the meaning of the testimony the plaintiff gave in Spanish. Regardless, the interpreter’s translation stands without contest and becomes the official record of the deposition or trial. Clearly missing in an even accurate, verbatim translation of the testimony is an assessment of the witness’s credibility. Neither counsel will know whether the witness used certain words in a sarcastic or skeptical tone which, if known, would have prompted counsel to seek clarification or conduct follow-up questioning.

Consider another scenario, but one in which only one of the attorneys speaks the plaintiff’s native language. For this example, assume the bilingual attorney is defense counsel in the deposition of a Spanish-speaking plaintiff. Defense counsel, as the sole bilingual attorney in the proceeding, understands the plaintiff’s testimony in Spanish and understands the interpreter’s translations of counsel’s questions and plaintiff’s answers. In this scenario, the bilingual defense counsel has the ability to effectively challenge the accuracy and completeness of the interpreter’s translations during the deposition. Plaintiff’s counsel, the nonbilingual attorney, is at a clear disadvantage, unable to challenge defense counsel’s objections to the interpreter’s translations. Worse yet, the nonbilingual attorney may not be representing the client well if he or she fails to object to inaccurate translations defense counsel did not challenge. Besides the bilingual counsel’s ability to understand the Spanish testimony and translations, the bilingual counsel has another advantage. The Spanish-speaking witness may be more candid, cooperative, or feel less anxious if the witness knows the questioning attorney is bilingual.

The effectiveness of the legal representation a client receives in litigation involving non-English-speaking parties or critical witnesses often depends on the ability of a party’s counsel to understand the non-English-speaking party in his or her native language not only to ensure that the translations are correct, but more importantly, to assess witness credibility. Counsel at a deposition or trial should not rely on an interpreter for this purpose.

Just as court reporters in trials and depositions must transcribe testimony verbatim and without injecting subjective commentary, such as a witness’s intonation or sarcasm while responding to questions, interpreters in depositions and trials involving non-English-speaking witnesses must also act in neutral capacities. Interpreters can provide only verbatim translations of questions posed and answers given at depositions and trials. Interpreters may not add their own subjective commentary to translations, such as whether in a narrative response a witness used a particular word in a sarcastic, surprised, or skeptical tone. It is the responsibility of counsel to make important credibility assessments of witnesses—whether English-speaking or not—to effectively proceed with the interrogation or defense of a witness during a deposition or trial. It goes without saying that in addition to a witness’s substantive responses, a witness’s credibility involves an assessment of intonation, sarcasm, body language, and emphasis on certain words while testifying, particularly in harassment, discrimination, and other employment-related cases. The bilingual attorney who speaks the same language as the witness can pick up on important credibility subtleties and nuances (such as sarcasm, skepticism, fear, hesitation, etc.) that are not captured in interpreters’ translations and may be missed by counsel who are not bilingual. At a trial where jurors speak the same language as a witness, a bilingual attorney is in the best position to instantly gauge juror reaction to a witness’s intonation or emphasis of certain words while testifying and adjust trial strategy as necessary.

Aside from credibility assessment considerations, the bilingual attorney has other advantages. In the heat of trial or deposition, the bilingual attorney can quickly use his or her judgment in deciding whether to: pursue alternate questioning if a witness’s intonation while testifying indicates hesitation, discomfort, sarcasm, or skepticism; let awkwardly translated answers stand to avoid disrupting the flow of questioning or wasting limited time; forgo objections to certain translations of technical words or slang because they cannot be translated with precision; question a witness about foreign-language documents produced during a deposition; conclude that although testimony was not translated verbatim, an interpreter’s translation captures the essence of a witness’s testimony; call for a break upon detecting that an interpreter is becoming bored or tired as evidenced by labored or confusing translations of questions; or object to translated questions or testimony because the translations are inaccurate or incomplete.

Counsel may opt to videotape a deposition to capture a witness’s non-English testimony and an interpreter’s translations of same. Counsel should not count on using the videotape to challenge inaccurate translations after the deposition is concluded. Aside from possibly waiving such objections because they were not made during the deposition, it may not be feasible to reopen the deposition to conduct follow-up questioning based on the witness’s actual testimony. Moreover, the deponent may attempt to use the videotape to make substantive changes to the deposition transcript based on his or her responses as reflected in the videotaped deposition.

Large percentages of employment-related litigation in the United States are brought by non-English-speaking plaintiffs, particularly in states such as California where Latinos comprise almost 40 percent of the population. Given these demographic realities and to effectively represent their clients, counsel must be prepared to address the challenges presented in depositions and trials involving non-English-speaking witnesses.

In response to increasing public attention on the small percentage of women serving on corporate boards, the California Assembly passed Senate Bill 826 (the Act). The Act requires that all public companies headquartered in California have at least one female director and, beginning in 2021, a percentage of female directors based on the size of its board. Although championed by the National Association of Women Business Owners and other activists, the Act will face legal challenges to its implementation, and its overall impact may be muted.

Background and Requirements

California’s mandate is the most recent attempt in the growing movement to increase women on corporate boards across America. The first pages of the Act offer a litany of findings outlining the current state of affairs and the widespread historical exclusion of women from corporate leadership posts. The Act reads as follows:

For companies with a market capitalization of more than $10 billion, those with women directors on boards outperformed shares of comparable businesses with all-male boards by 26 percent. . . . As of June 2017, among the 446 publicly traded companies included in the Russell 3000 index and headquartered in California, representing nearly $5 trillion in market capitalization, women directors held 566 seats, or 15.5 percent of seats, while men held 3,089 seats, or 84.5 percent of seats. . . . More than one-quarter, numbering 117, or 26 percent, of the Russell 3000 companies based in California have NO women directors serving on their boards. . . . If measures are not taken to proactively increase the numbers of women serving on corporate boards, studies have shown that it will take decades, as many as 40 or 50 years, to achieve gender parity among directors.

The Act addresses these shortcomings through a two-pronged mandate. First, any publicly held domestic or foreign corporation whose principal executive office is in California (according to its 10-K) must have one female director on its board by December 31, 2019. Second, no later than December 31, 2021, those same corporations must have at least three female directors if there are six or more board seats, or two female directors if there are five board seats. The first violation of the Act (or a failure to file the mandated disclosure information) results in a $100,000 fine; each subsequent violation is $300,000.

Champions of the Act have realized the legal challenges to come (as discussed below), but viewed its passage and signing by Governor Jerry Brown as applying much-needed pressure to accelerate the elevation of women into corporate leadership positions. In his signing statement, Governor Brown expressed a desire for firm action despite the potential obstacles to implementation, stating: “There have been numerous objections to this bill and serious legal concerns have been raised. . . . Nevertheless, recent events in Washington, D.C.—and beyond—make it crystal clear that many are not getting the message.” After highlighting that corporations have been considered “persons” since at least 1886, well before women could even vote, Governor Brown further stated, “Given all the special privileges that corporations have enjoyed for so long, it’s high time corporate boards include the people who constitute more than half the ‘persons’ in America.”

Legal Objections

Beyond policy-based objections, critics have raised at least two legal arguments against the Act: (1) it violates equal protection by facially discriminating based on sex, and (2) because it applies to companies organized outside California, it violates the dormant commerce clause and the “internal affairs doctrine,” which requires that internal company affairs be under the regulatory purview of only one jurisdiction.

Taking these complaints in turn, the 14th Amendment equal protection argument is straightforward. Any law that discriminates based on sex must survive a heightened version of intermediate scrutiny. Per Justice Ginsburg’s 1996 majority opinion in United States v. Virginia, any sex-discriminatory law must have an “exceedingly persuasive justification” and be “substantially related” to an “important” state interest. Although remedying the long-standing exclusion of women from corporate leadership is no doubt an important state interest, California may struggle to show that its chosen means are a close fit with its legitimate end goals. The Act may apply both too narrowly (to the small subset of companies that are both publicly traded and headquartered in California) and too broadly (without consideration for whether a firm has previously engaged in discriminatory conduct or whether an industry may naturally attract more men or women) to survive scrutiny.

Second, by applying the mandate to companies organized outside California (so long as the executive offices are in California), the Act imposes a burden on foreign-organized corporations beyond California’s state interest and potentially requires companies to comply with incompatible mandates from competing jurisdictions. Due to these issues, the Act’s enforceability could be judicially limited to firms that are organized and located in California. If so, the Act would apply only to a small subset of local companies—one estimate puts the number at 72—and only one of the Fortune 500. See Joseph A. Grundfest, Mandating Gender Diversity in the Corporate Boardroom: The Inevitable Failure of California’s SB 826, Rock Center for Corporate Governance at Stanford University Working Paper No. 232 (Sept. 12, 2018).

Potential Impact on Board Composition and Governance

Although the number of companies directly impacted is relatively small (enforcement may well be limited to companies both chartered and located in California), the real value is in sending a signal that may prompt other states to begin pushing for and requiring more equitable board composition. The Act may also help to add momentum to diversity efforts undertaken by investors. Before the Act was passed, CalPERS sent a letter in 2017 to certain Russell 3000 companies asking each of them to “develop and disclose its corporate board diversity policy and implementation plan to address the lack of diversity.” State Street also attracted much attention for its diversity advocacy efforts when it installed “Fearless Girl” across from the “Charging Bull” in lower Manhattan at the center of the Financial District and announced that it would be engaging with companies about the importance of diversity. BlackRock likewise announced in 2017 that it would hold nominating and governance committees accountable if they do not achieve results. Passage of the Act keeps this issue at the forefront and may encourage other investors to follow suit.

California is blazing a new trail in the United States, but European countries began adopting quotas more than a decade ago when Norway adopted a 40-percent quota and France and Italy passed similar measures. Today, the composition of the boards of Norway’s public companies includes 41 percent women, a number well above that currently achieved in the United States. Whether the United States will be able to realize similar results will depend upon whether the Act and any other similar legislative efforts will be able to overcome legal challenges that are sure to make their way through the courts.

This two-part series of articles has been abridged and adapted from the chapter “Analysis of Cost Behavior” by Elizabeth A. Eccher, Jeffrey H. Kinrich, and James H. Rosberg, in the book Lost Profits Damages: Principles, Methods, and Applications, edited by Everett P. Harry III and Jeffrey H. Kinrich (Valuation Products and Services, 2017).

In Part One of this series, we discussed concepts relevant to calculating avoided costs, a key step in calculating lost profits. In this article, we illustrate the use of these concepts in determining avoided costs.

Identifying the Cost Objects Comprising Lost Sales

The analysis of avoided costs logically follows, and depends on, an analysis of lost sales revenue, which is in turn a function of the quantity of products or services that were not sold and the price that would have been received if the sales had occurred. Therefore, for each cost object comprising the lost sales, the cost analysis requires consideration of the following questions:

• How many units of each product or service would have been sold?
• Over what time period(s) would the sales have occurred?
• At what prices would sales have occurred?

The total amount of any costs that are determined to be variable—and hence potentially avoided—will depend directly on the quantity of product that would have been manufactured and sold. In addition, because fixed costs may be fixed only with respect to a relevant range of time and activity, it is important to know whether the quantity of lost sales falls within or outside of that range. As discussed further below, the price of a lost sale may be relevant for certain incremental marketing costs, such as sales commissions.

Identifying Resources Involved in Producing the Product or Service

As discussed in Part 1, costs arise through the consumption of resources. Therefore, the analyst should gain an understanding of the resources and activities required to make the lost sales products or services. To gain this understanding, the analyst should consider the following:

• Are direct materials required?

These may include raw materials, such as steel or silicon, as well as components, such as batteries or circuit boards. Direct materials almost always result in variable, and thus incremental or avoidable, costs.

• Is direct labor required?

Labor costs depend on the nature of the contracts between employer and employees, which may affect the variability of these costs.

• Are productive assets (i.e., capital investments) used in the production process?

Machinery use, for example, can give rise to indirect costs, such as set-up, calibration, operating supplies, and routine maintenance. Similarly, the use of a factory or other building can give rise to indirect costs related to ongoing maintenance and other operating overhead costs, such as for electricity, other utilities, and security.

Identifying the Resources Involved in Selling and Delivering the Product or Service

In addition to production costs, the company may incur costs related to delivering and selling the product or service in question, as well as costs related to future obligations resulting from a sale. The following considerations will be relevant to this assessment:

• How are sales generated? Is there a direct sales force that receives a sales commission?
• Does the seller bear the cost of transporting the products to buyers? If so, the behavior of transportation/delivery costs should be analyzed.
• Is the product or service covered by a warranty or other contract that will give rise to expected costs in the future? Warranties obligate the seller to guarantee certain aspects of product performance after delivery.
• Is additional capital required to produce a good or service and, if so, at what cost? For example, the company may have accounts receivable or may purchase and hold relevant inventory. Whether the funds are provided by the company or sourced externally, the company is incurring a cost by using funds from which it could otherwise earn a return on investment.

Identifying the Cost Data Available for Analysis

For financial reporting under generally accepted accounting principles (GAAP), firms must calculate the cost of products they produce or purchase and transfer those costs from an inventory account to an expense called cost of goods sold (COGS) as the products are sold. COGS often include, however, both direct costs that can be traced to products and indirect costs, such as warehousing or depreciation costs, that may be unlikely to change as sales volume increases, at least within a relevant range. Nevertheless, the unit costs calculated under GAAP can provide a useful starting point, particularly if the underlying financial records allow the analyst to disaggregate unit costs into components (such as materials, labor, and various types of overhead) that can be further analyzed.

Beyond the cost systems used for financial reporting, firms sometimes maintain internal records and systems to support their own cost-management efforts.

Developing Hypotheses about Likely Cost Behaviors

When developing hypotheses about cost behavior, the central question is: What incremental costs must be incurred to develop, produce, and sell the good or service within the relevant time frame and range? In some cases, strong hypotheses about cost behavior exist at the outset of the analysis.

As mentioned in Part 1, though, expected cost behavior may not be as clear-cut for other resources. Consider direct labor costs in automobile manufacturing. Unlike direct materials, labor is not usually purchased by the unit (e.g., by the hour or even by the day). Rather, employees often have labor contracts that limit the firm’s ability to terminate employment over short periods. Thus, labor is one example of a cost for which it is important for an analyst to carefully assess cost behavior in order to determine whether the cost can be expected to vary (or not) with incremental sales volumes over specific periods.

Testing the Hypotheses

Two of the most common methods used to test cost behavior and estimate avoided costs are account analysis and regression analysis. We discuss and illustrate each in turn.

Account Analysis

Account analysis (sometimes called the direct assignment method) is a simple but often valuable method for identifying fixed and variable costs. The analyst reviews the historical income statements or a detailed general ledger and judges whether costs reflected in each account are fixed or variable based on experience, observation of the accounts’ behavior, review of the business’s contracts, and consultation with other sources of expertise. This background provides valuable information about how costs relate to activities and how both activities and costs behave with respect to changes in production or sales volumes.

Although account analysis can be a useful tool for analyzing cost behavior, accounting data are often “messy” due to changes in accounting practices over time, the presence of amortized or allocated costs, and end-of-quarter or end-of-year adjustments, among other issues. These data problems can lead to nonsensical results; thus, it is often informative to combine account analysis with other tools, such as regression analysis.

Regression Analysis

Regression analysis is a generally accepted statistical method used to measure the degree and nature of association between a dependent variable (the variable the analyst seeks to explain) and one or more independent variables (the variables hypothesized to cause the behavior of the dependent variable). That is, the analyst seeks to measure the association of the rate of change of a dependent variable with the rate of change of independent variables.

In the context of lost-profits analysis, costs are typically the dependent variable, whereas measures of activity (such as inputs to or from manufacturing processes or units sold) are typically among the independent variables. Analysts might use regression analysis when they have data for a dozen or more time periods for two or more particular costs or volumes and want to find a relation that can predict one value given the others.

Although the mathematics behind regression analysis may be complex, it is a powerful tool with which to measure the extent of the correlation between dependent and independent variables.

Developing Conclusions, Subjecting Them to “Sanity Checks,” and Revising

A common refrain in scientific analyses is that “correlation is not causation.” Regression analysis may yield spurious results, such as finding a statistically significant relationship between cost and sales (or production) that does not reflect a causal relationship, or failing to find a statistical relationship when a causal relationship does exist. Moreover, regression analysis may fail to identify an actual incremental cost when measures of cost are not recorded when they are incurred. For example, depreciation of capital equipment is typically recorded according to a preset formula, not according to the intensity of use of the machinery. Therefore, a regression analysis of depreciation cost will typically not find a statistically significant relationship with production even if machinery does wear out in proportion to its usage.

Given the potential for spurious results, the analyst must confirm any cost estimate, statistical or otherwise, as reasonable. Accepted testing methods include:

• Comparing the results of more than one estimation method. If the results are reasonable, both methods should yield approximately the same results; if results differ, reasonable explanations should exist for any discrepancy.
• Comparing the results to actual experience. For example, compare estimated costs at historical volumes to actual historical costs. Compare results at an assumed but for volume with historical results (at some other date) for roughly the same volume. The results need not be identical, but differences should be reasonable.
• Comparing the results to independent cost estimates. The company may have forecast costs as part of a business plan before the alleged misconduct. Industry statistics can also provide a useful baseline.
• Considering the intrinsic reasonableness of the results. Do costs increase with volume? Do they behave appropriately compared to changes in production capacity? In short, do the results make sense?
• Considering the insights and experience of company management, industry analysts, and experts on the particular production process.

Conclusion

Cost estimation is an important part of a lost-profits analysis. By understanding cost behaviors and using the tools of cost accounting, statistics, economics, and industrial engineering, the analyst can produce defensible estimates of incremental costs. If the tools are applied by rote or without sufficient consideration of the context, the results of the analysis will not be reliable.

Read Part One of this series.

Elizabeth A. Eccher is a principal in the Chicago office of Analysis Group, Inc.; Jeffrey H. Kinrich is a managing principal in the company’s Los Angeles office; and James H. Rosberg is a vice president in the San Francisco office.

This two-part series of articles has been abridged and adapted from the chapter “Analysis of Cost Behavior,” by Elizabeth A. Eccher, Jeffrey H. Kinrich, and James H. Rosberg, in the book Lost Profits Damages: Principles, Methods, and Applications, edited by Everett P. Harry III and Jeffrey H. Kinrich (Valuation Products and Services, 2017).

In many lawsuits, a plaintiff may recover damages for lost profits. For a given time period, profit equals the difference between sales revenues and the costs or expenses required to generate those revenues. When revenues are (wrongfully) diminished, costs are often reduced as well. Therefore, computing lost profits requires computing not only lost sales revenues, but also the resulting avoided costs that would have been required to generate those sales (also referred to as saved expenses or incremental costs). Think of it as a simple equation:

Lost Profits = Lost Revenues – Avoided Costs

Although proper calculation of avoided costs is thus essential to calculating lost profits, it is not as straightforward as it may seem, and it often becomes a point of contention between damages experts. The higher the costs that can be attributed to a sale, the lower the profit from that sale. This can lead to disagreements between a defendant’s expert and a plaintiff’s regarding both the nature of the costs associated with lost sales and the amount of those costs.

In what follows, we lay out the basic concepts behind avoided costs and offer analytical guidelines as to their proper calculation.

Fundamental Cost Concepts

We begin with costs themselves, which are measures of resources used or foregone to achieve a particular objective. A cost object is something that a cost measures—it could be a physical object, a service, or an activity.

An example of a physical product that is a cost object is a bicycle. Costs associated with manufacturing and selling the bicycle would arise from acquisition or production of the bicycle’s components, labor used to assemble the components into a bicycle, distribution of the bicycle to retailers, and so on.

An example of a service that is a cost object is the customization of a database software package. Here, the relevant costs could include those associated with sales and marketing, developers’ time to do the required development work, and ongoing development to maintain and update the program.

An understanding of the different ways to classify costs is essential for an accurate calculation of avoided costs. We describe some of the basic distinctions below.

Variable, Fixed, and Semi-variable Costs

The first important dimension to consider is whether costs are variable or fixed. Variable costs vary with respect to changes in the underlying activity or volume/quantity. In the bicycle example, if each bicycle requires two pedals, and the company purchases each pedal for $3, the pedal cost is a variable cost of $6 per bicycle. This cost is variable because the total cost varies in constant proportion to the number of bicycles produced.

Fixed costs, by contrast, do not change in response to changes in the volume of activity over a specified time period or range of volume. Consider rent for factory space under a lease that requires a monthly payment of $2,000. Although the company’s production volume may fluctuate from one month to another, the rent remains a constant fixed cost of $2,000 per month.

Fixed costs, however, may not always remain fixed. A lease may expire, causing the rent to increase or decrease. Over a long enough period of time and a large enough change in volume, nearly every cost becomes variable. Thus, fixed costs are typically fixed for a limited period (e.g., the monthly rent can increase or decrease after the lease expires), and only over a relevant range of activity (e.g., a large change in production volume may require a change in production facilities or equipment).

Therefore, in assessing whether a cost is fixed, a critical consideration is “fixed with respect to a particular period and a relevant range of activity.” Costs that are fixed over a certain range but change outside that range are sometimes referred to as step costs.

Finally, the term semi-variable costs refers to those costs that have both a fixed and a variable component, for example a telephone service contract that charges an “access” cost of $10 per month that includes 300 minutes of connection time plus a usage cost of $0.05 for each minute beyond 300.

Direct and Indirect Costs

Another important distinction is between direct and indirect costs. Direct costs are those that can be traced in an economically feasible or cost-effective way to a particular cost object, whereas indirect costs cannot. Typically, companies record indirect costs in cost pools and then make allocations from these pools to calculate the full cost of a product or service.

Continuing with our bicycle example, the direct costs for the product include the pedals and other components that are purchased from outside vendors. The cost of each pedal is directly traceable to the cost object (the bicycle). By contrast, consider a production supervisor whose job entails oversight of a number of projects, one of which involves bicycles. The supervisor’s salary is an indirect cost that cannot be traced directly to the cost object (the bicycle) in a straightforward way. Such indirect costs have become a greater proportion of total product costs in recent years, making their analysis and estimation increasingly important.

Analysis of Cost Behavior

Why are these distinctions important? Why should they matter for the project of determining lost profits?

The answer is that, as a general rule, fixed costs should not be deducted from lost sales during the lost profits calculation. In a simplified case, only variable costs that change according to the volume of lost sales should be taken into account. Similarly, indirect costs that cannot be traced to the lost sales of a particular cost object should be excluded from the avoided costs calculation; only direct costs and those indirect costs that can be traced to lost sales of a particular cost object should be included as saved expenses. This is because, in many cases, traceable costs tend to behave as variable costs, whereas untraceable costs tend to behave as fixed costs.

To take a rather basic example, think of our bicycle manufacturer, which claims it has lost sales of a specific number of bicycles due to a competitor’s allegedly illegal actions. If the company does not purchase the pedals that would have gone into the manufacture of those bicycles, the cost of those pedals is a direct (traceable to the cost object of the bicycle) variable (with the number of bicycles that were not sold) cost, and hence an avoidable cost. By contrast, the rent on production space, which would have to be paid regardless of the disruption, is a fixed cost that is not avoidable. A portion of a production supervisor’s salary that cannot be traced to bicycle production in a straightforward way is an indirect cost that also may not be relevant for the saved expenses calculation.

Although this may sound straightforward, these distinctions are rarely so clear-cut when it comes to multifaceted, real-world businesses. In particular, the line between fixed and variable costs may prove especially complex in certain cases. Consider a business that has suffered a disruption and wants to argue that it would have significantly ramped up its production volume (and hence its profits) but for the disruption.

In this scenario, certain costs that would have been considered as fixed in the existing circumstances should be considered as variable in the “but for” world; examples could include increased rent for a larger factory space, or additional labor costs to meet the new production demands. These costs should now be considered step costs because the alteration in range has made a portion of the costs variable instead of fixed; this portion should now be considered as part of the avoided costs calculation.

The broader point is that the calculation of avoided costs is a complex task that requires a set of sophisticated tools in order to produce a plausible assessment in litigation.

Analyzing Avoided Costs: A Step-by-Step Methodology

As we have seen, a key cost question in a lost-profits analysis is: What incremental costs would the plaintiff have incurred to realize the additional sales revenues but for the unjust disruption to the business? The following steps are helpful in making this calculation:

1. identify the cost objects (i.e., the products or services) comprising the lost sales;
2. identify the resources involved in producing the product or service;
3. identify the resources involved in selling and delivering the product or service;
4. identify the cost data that are available for analysis;
5. develop hypotheses about cost behaviors using the data and knowledge gathered from the steps above,;
6. test these hypotheses; and
7. develop conclusions, subject them to “sanity” checks, and revise conclusions as necessary.

We discuss and illustrate each step in Part Two of this series.

Elizabeth A. Eccher is a principal in the Chicago office of Analysis Group, Inc.; Jeffrey H. Kinrich is a managing principal in the company’s Los Angeles office; and James H. Rosberg is a vice president in the San Francisco office.

In the bankruptcy case of In re Fisher, 584 B.R. 185, 199–200 (N.D. Ohio Bankr. 2018), the United States Bankruptcy Court for the Northern District of Ohio disallowed a lender’s proof of claim on a mortgage based on “the well-settled law in Ohio that the same statute of limitations governs enforcement of a note and a mortgage.” At least one other district court in Ohio has since followed Fisher’s lead, relying on the same supposedly “well-settled law in Ohio” to cancel a lender’s mortgage and hold the lender liable under the FDCPA for seeking to collect time-barred debt. Baker v. Nationstar, No. 2:15-cv-2917, 2018 U.S. Dist. LEXIS 121686 *31, *35–*39, 2018 WL 3496383 (S.D. Ohio July 20, 2018).

The bankruptcy court in Fisher and the district court following Fisher both openly rejected multiple opinions from Ohio’s Eighth District Court of Appeals applying a longer statutory limitations period to foreclosure actions than actions seeking judgment on the note. See id. at *30–*35; Fisher, 584 B.R. at 199. They also contradict the Ohio Supreme Court’s century-old ruling in Fisher v. Mossman, 11 Ohio St. 42, 45–46 (1860), which held that an expired statute of limitations barring judgment on a mortgage’s underlying debt did not similarly bar an action to foreclose the mortgage.

This tale of two Fishers tells the story of how Ohio’s statute of limitations jurisprudence evolved from an accepted legal proposition derived from one Fisher opinion to “well-settled law” stating the complete opposite in another Fisher opinion. It is the best of legal analysis and the worst of legal analysis . . . .

The Holden Reset

In 2016, the Ohio Supreme Court reaffirmed several longstanding doctrines governing mortgage foreclosure in Ohio, reminding that lenders “may elect among separate and independent remedies to collect the debt secured by a mortgage.” Deutche Bank Nat’l Trust Co. v. Holden, 2016-Ohio-4603, ¶ 21 (2016). As the Holden court explained, these remedies include: (1) a personal judgment against the borrower to recover the amount due on the note; (2) an action “in ejectment” to take possession of the property and apply income derived from the property to the loan, returning the property to the borrower once the loan is paid; and (3) an action to foreclose the mortgage, which cuts off the borrower’s redemption rights and sells the property to satisfy the debt. Id. ¶¶ 21–24.

Thus, under Ohio law, actions for personal judgment on the note and actions to enforce the mortgage, whether by ejectment or foreclosure, “are separate and distinct remedies.” Id. ¶ 25 (internal quotations omitted). The court confirmed that, “[b]ased on the distinction between these causes of action . . . the bar of the note or other instrument secured by mortgage does not necessarily bar an action on the mortgage.” Id. (internal quotations omitted). Holden discussed these well-accepted principles in the context of loans discharged in bankruptcy, but nowhere did it limit them to only the bankruptcy context.

After the Ohio Supreme Court issued its Holden decision, Ohio’s Eighth District Court of Appeals recognized that Holden “casts serious doubt” on Ohio cases that applied the six-year statute of limitations on notes to foreclosure actions. Walker, 2017-Ohio-535, ¶ 19. Accordingly, it held that a lender may still seek to enforce the obligations in a mortgage even when it is barred from seeking judgment on the note. Id. at ¶ 23. See also U.S. Bank N.A. v. Robinson, 2017 Ohio 5585, ¶ 11 (8th Dist.).

Nevertheless, despite the Eighth District’s clear application of Ohio law as expressed by the Ohio Supreme Court in Holden, the United States Bankruptcy Court for the Northern District of Ohio and the United States District Court for the Southern District of Ohio both rejected the Eighth District’s opinions. See Baker, 2018 U.S. Dist. LEXIS 121686, *30–*38; Fisher 584 B.R. 197–201.

In Fisher, the bankruptcy court focused on the Ohio Supreme Court’s statement in Kerr v. Ledecker, 51 Ohio St. 240, 254 (1894), that “when a note is secured by mortgage, the statute of limitations as to both is the same.” See Fisher, 584 B.R. at 200. Noting that Holden cited Kerr favorably, the bankruptcy court determined that the same statute of limitations governs actions for personal judgment on the note and actions to foreclose the mortgage. Id. In Baker, the district court picked up where Fisher left off, finding that Holden never intended to overrule Kerr. See Baker, 2018 U.S. Dist. LEXIS 121686, *33–*34. The district court therefore felt that because Kerr remained good law, the Eighth District’s opinions in Walker and Robinson are not. Id.

The problem with the federal courts’ analyses in Fisher and Baker is not that they are wrong about Kerr remaining good law, but that they are wrong about the law according to Kerr.

Reading Kerr in Context

The Ohio Supreme Court in Kerr did not rule as a matter of law that the statute of limitations for actions seeking judgment on the note always applied to actions seeking to foreclose the mortgage. Rather, it explained as a matter of fact that the statutes then in effect were the same. See Kerr, 51 Ohio St. at 254.

In Kerr, the lender brought a foreclosure action against a borrower. The borrower argued that Ohio’s 15-year statute of limitations on specialties and written contracts barred the foreclosure. The trial court rejected the defense, finding that Ohio’s 21-year statute of limitations governing actions to recover real property applied. The Ohio Supreme Court reversed. Id. at 247–55.

Noting that an action to foreclose a mortgage does not seek title or possession of the property but instead seeks to cut off the borrower’s right of redemption and sell the property, the court held that an action to foreclose a mortgage is a specialty governed by Ohio’s statute of limitations on specialties. Id. at 251–53. The court distinguished this from an action in ejectment, which seeks to dispossess the borrower until the mortgage is paid and is governed by Ohio’s statute of limitations on recovering possession of property. Id. at 250.

In ruling, the court in Kerr discussed its prior decision in Fisher v. Mossman, 11 Ohio St. 42 (1860), confirming that Fisher “correctly holds that the bar of the note, or other instrument secured by mortgage, does not necessarily bar an action on the mortgage.” Id. at 253. In Fisher, the lender sought to foreclose against purchasers from a judicial sale held on judgment liens inferior to its mortgage. The purchasers argued that the lender could not foreclose his mortgage due to a statutory bar preventing him from enforcing the underlying debt, and the trial court agreed. The Ohio Supreme Court reversed. Fisher, 11 Ohio St. at 47.

Acknowledging that the lender could not enforce the underlying obligation due to the expired limitations period, the court in Fisher nevertheless held: “[D]oes it follow that because an action on the notes secured by the mortgage is barred by the statute [of limitations], that therefore the remedy in equity on the mortgage is also lost? We think not.” Id. at 45. Rather, the court confirmed, “where a security for a debt is a lien on property, personal or real, that lien is not impaired in consequence of the debt being barred by the statute of limitations.” Id. at 46 (internal quotations omitted).

Kerr relied on its earlier holding in Fisher to determine that different statutes of limitations apply to the different causes of action founded on notes and mortgages. See Kerr, 51 Ohio St. at 253–54. Kerr also clarified the impact its ruling would have in situations where the statute of limitations for the underlying debt differed from the mortgage securing the debt. Id. at 254. Using actions on an account as an example, the court found that “[a] mortgage may be made to secure an account, and an action on account may be barred in six years, while an action on the mortgage would not be barred short of fifteen years.” Id.

Concerning the account scenario, the Kerr court explained further:

The payment of the account would extinguish the right of action on the mortgage, and in an action for the foreclosure of the mortgage after action on the account is barred, the presumption of payment of the account arising from the lapse of time, might be used as an item of evidence to prove payment, but such presumption would not be conclusive and might be overcome by satisfactory proof showing that in fact such account remains unpaid. In such case the lapse of six years is not the equivalent of payment. The condition of the mortgage is for payment of the account, and not for its bar by the statute of limitations.

Id. at 254 (emphasis in original).

Translating this from 19th century judge to 21st century lawyer, the court explained that if the borrower paid the account, then the lender could not foreclose the mortgage securing the account. Id. If the lender sought to foreclose the mortgage after the account’s six-year statute of limitations expired, then the lender’s failure to sue on the account could establish a presumption that the borrower paid the account—a presumption the lender could overcome with evidence showing the account remained unpaid. Id. Nevertheless, the expired limitations period barring an action on the account is not the same as payment, and the lender could still foreclose the mortgage if it demonstrated the account remained unpaid. Id.

In the context of this discussion, the Kerr court then stated:

But when a note [as opposed to an account] is secured by mortgage, the statute of limitations as to both is the same; and therefore the mortgage will be available as a security to the note in an action for foreclosure and sale until the note shall be either paid or barred by statute; but in such case an action for foreclosure and sale cannot be maintained on the mortgage after an action on the note shall be barred by the statute of limitations.

Id. at 254–55 (emphasis in original).

Read in this context, Kerr plainly did not issue a new rule that the statute of limitations for actions to enforce a note is always the same as the statute of limitations for actions to foreclose a mortgage. Id. It instead contrasted the situation where the mortgage secured a note as opposed to where the mortgage secured an account, and it recognized the factual reality that—as Ohio law existed at the time—the same 15-year statute of limitations governed actions to enforce notes and actions to foreclose mortgages, as opposed to the different statute of limitations that governed actions on accounts. Id.

Indeed, a rule that the limitations period to enforce the note is always the same as the limitations period to foreclose the mortgage would have directly conflicted with Kerr’s opposite conclusion in the two immediately preceding paragraphs on accounts. Id. It would also have conflicted with the court’s previous holding in Fisher—which Kerr cited with approval and confirmed was correct—where the court expressly held that “[it does not] follow that because an action on the notes secured by the mortgage is barred by the statute [of limitations], that therefore the remedy in equity on the mortgage is also lost.” Fisher, 11 Ohio St. at 45.

The Ohio Supreme Court later confirmed this analysis and harmonized Kerr with prior rulings that recognized the oft-stated proposition that the mortgage “is a mere incident to the debt.” Bradfield v. Hale, 67 Ohio St. 316, 321–25 (1902). In Bradfield, the lender brought an ejectment action more than 15 years after the underlying debt secured by the mortgage became due. The trial court refused to allow the mortgage into evidence on statute of limitations grounds, and the appellate court reversed. The Ohio Supreme Court affirmed the reversal. Id. at 323–25.

Determining that the 15-year statute of limitations barring the mortgage foreclosure action did not also bar the ejectment action, the court indicated that it fully covered the same question in Williams v. Englebrecht, 37 Ohio St. 383, 386–88 (1881), where the court held that the illegality of promissory notes secured by a mortgage did not constitute a defense to an ejectment action on the mortgage even though it could be used as a defense against the notes. See Bradfield, 67 Ohio St. at 323–24.

In other words, Bradfield confirmed that a defense against foreclosing the mortgage does not necessarily constitute a defense against ejectment based on the mortgage, just as a defense against enforcing the note does not necessarily constitute a defense against enforcing the mortgage. See id. at 324. This makes sense because all three are separate and distinct actions with separate and distinct remedies. See, e.g., Holden, 2016-Ohio-4603, ¶¶ 21–25.

Applying the Old Rules Today

These early Ohio Supreme Court rulings perfectly align with Holden and the Eighth District’s decisions in Walker and Robinson, as well as with commonly recognized legal principles in Ohio.

Under Ohio law, a statute of limitations—like a bankruptcy discharge—creates an affirmative defense to a complaint. See Ohio Civ. R. 8(C). In the context of promissory notes, the statute’s lapse acts as a procedural bar to obtaining a personal judgment against the borrower on the note, but the underlying debt continues to exist. See, e.g., Summers v. Connolly, 159 Ohio St. 396, 402 (1953). However, these defenses against an action on the note do not transfer to an action on the mortgage. See, e.g., Bradfield, 67 Ohio St. at 321–25; Williams, 37 Ohio St. at 386–88.

Relatedly, a statutory bar to obtaining judgment on the note does not destroy the underlying obligation. See, e.g., Summers, 159 Ohio St. at 402. The debt continues to exist, and the mortgage continues to secure the debt. This is why lenders can still foreclose even after borrowers discharge their debt in bankruptcy. See, e.g., Blue View Corp. v. Gordon, 2007-Ohio-5433, ¶¶ 19–23 (8th Dist. 2007).

If the lender can prove it is entitled to enforce the note, then it can prove that the borrower owes the lender money. See, e.g., Fannie Mae v. Hicks, 2015-Ohio-1955, ¶¶ 31–32 (8th Dist. 2015). If the borrower proves some valid defense to the lender’s action on the note, then the defense prevents judgment on the note. However, the borrower’s obligation to repay the money still exists, and the mortgage—an incident to that obligation—also still exists.

Once the lender proves that the borrower owes it a debt, the lender can enforce the mortgage securing that debt. See, e.g., Hicks, 2015-Ohio-1955, ¶¶ 31–32; Blue View Corp., 2007-Ohio-5433, ¶¶ 19–23. As the Ohio Supreme Court expressly recognized in Holden: “There is a significant difference between being a party that cannot obtain judgment on the note and being a party that is not entitled to enforce the note.” Holden, 2016-Ohio-4603, (internal quotations omitted). Expiration of the note’s statute of limitations prevents the lender from obtaining judgment on the note; it does not prevent the lender from proving it is entitled to enforce the note.

Explaining Ejectment

The different treatment of statutes of limitations for ejectment and foreclosure also makes sense under current Ohio law.

Under Ohio law, ejectment and foreclosure arise from property rights given in the mortgage. See, e.g., id. ¶¶ 23–24. A mortgage is effectively a conditional deed conveying a property interest that the borrower can redeem by paying back the loan. Id. ¶ 23. When the borrower defaults on the mortgage, title to the property as between the borrower and the lender automatically transfers to the lender, and only the borrower’s equitable right to redeem remains with the borrower. Id.

In a foreclosure action, the lender seeks to cut off the borrower’s redemption rights and sell the property to satisfy the debt. See id. ¶ 24. In an ejectment action, the lender seeks to take possession of the property until the profits pay off the loan, or until the borrower redeems. Id. ¶ 23. In the statute of limitations context, the lender has eight years (previously 15 years before 2012 statutory amendments) to cut off the borrower’s redemption rights and have the property sold in foreclosure, but the lender has 21 years to take possession through ejectment. See O.R.C. §§ 2305.04, 2305.06.

In other words, even if the lender fails to timely foreclose, it can still take possession of the property. See, e.g., Bradfield, 67 Ohio St. at 324–25. It just cannot cut off the borrower’s redemption rights or sell the property, meaning the property will eventually return to the borrower once the loan is paid. The inability to obtain a personal judgment on the note does not impact either of these rights under the mortgage. See id. at 323–25; Kerr, 51 Ohio St. at 253–55; Fisher, 11 Ohio St. at 45–46.

A “Well-Settled Law” Is Born

So how did Ohio get from Fisher’s 1860 Ohio Supreme Court ruling that the statute of limitations barring the underlying debt does not impair mortgage rights to Fisher’s 2018 bankruptcy court ruling that it does? Like most things, the devil is in the details.

In Fisher 1860, the lender could not collect the underlying debt due to a four-year statutory bar involving probate administration. Fisher, 11 Ohio St. 45–46. The Ohio Supreme Court determined that the four-year limitations period did not also bar an action to foreclose the mortgage, and it specifically said it saw no reason the analysis would change for nonprobate statutes. Id. at 45. Later, in Bradfield, the court similarly held that expiration of the limitations period governing foreclosure did not also bar an action in ejectment. Bradfield, 67 Ohio St. at 323–25.

In between these two rulings came Kerr, which confirmed that the six-year statute of limitations on actions to collect an account would not bar an action foreclosing a mortgage securing the account. Kerr, 51 Ohio St. at 254. This analysis perfectly aligned with the court’s earlier analysis from Fisher 1860 and its later analysis in Bradfield. Nevertheless, the line from Kerr destined to ring through the ages was its recognition that “when a note is secured by mortgage, the statute of limitations as to both is the same.” Id. (emphasis in original).

Importantly, Kerr’s description of the statutes of limitations governing notes and foreclosure actions was true when made in 1894, and it stayed true for over 100 years afterward. Then, in 1994, Ohio amended its Uniform Commercial Code to create a six-year statute of limitations for promissory notes. See O.R.C. § 1303.16(A) (eff. Aug. 19, 1994). This changed the applicable statute of limitations on the note from the then-15-year period governing written contracts to the newly enacted six-year period governing negotiable instruments. See O.R.C. §§ 1303.16(A), 2305.06. The statute governing specialties like mortgage foreclosures remained the same. See O.R.C. § 2305.06.

About 10 years after the amendments to Ohio’s U.C.C., the Twelfth District Court of Appeals declared that, “it has long been settled in this state that when a debt that is secured by a mortgage is barred by the statute of limitations, the mortgage securing the debt is also barred.” Barnets, Inc. v. Johnson, 2005-Ohio-682, ¶ 16 (12th Dist.). In Barnets, the lender sought to foreclose a mortgage securing an account despite expiration of the six-year statute of limitations governing actions on the account. The Twelfth District reversed the trial court’s order of foreclosure, holding that the expired limitations period on the account also barred the mortgage foreclosure action. Id. ¶ 18.

Confusingly, Barnets specifically discussed Kerr while simultaneously contradicting Kerr’s detailed explanation for how an expired statute of limitations on an account would impact an action to foreclose the mortgage. The Ohio Supreme Court in Kerr clearly explained that expiration of the statute of limitations on an account would not prevent the foreclosure of a mortgage securing the account. Kerr, 51 Ohio St. at 254. The appellate court in Barnets held the opposite. Barnets, 2005-Ohio-682, ¶ 18.

Further clouding its analysis, the Barnets court went on to “parenthetically” note that “in most instances, the debt secured by the mortgage will often be a promissory note, which, as a written contract, has a 15-year statute of limitation.” Id. ¶ 18. Oddly, this clarification was as incorrect as it was unnecessary because the Ohio legislature had already amended the applicable U.C.C. provision governing notes a decade earlier. See R.C. § 1303.16(A).

In short, the court in Barnets made a mistake. It misread Kerr, and its misreading birthed a previously nonexistent legal rule that eventually grew into “well-settled law in Ohio” that was neither well settled nor the law in Ohio.

The End of the Tale

A careful examination of the underlying cases shows that the Ohio Supreme Court never intended to create a hard and fast rule that the same statute of limitations governing actions on the note also governs actions to foreclose the mortgage. In fact, it appears the court intended the opposite.

As one Ohio trial court explained: “[T]he previously ‘well settled proposition’ [that when a debt . . . secured by a mortgage is barred by the statute of limitations, the mortgage securing the debt is also barred] was derived from the fact that prior to 1994, the same statute of limitations applied to notes and mortgages.” Deutsche Bank Nat’l Trust Co. v. Kalista, Case No. CV-2016-03-1477, 2017 Ohio Misc. LEXIS 6506 *12 (Summit C’ty Common Pleas Sept. 27, 2017) (internal quotation omitted). “Therefore, while there has been some confusion on this issue, Holden and Walker are consistent with long-standing Ohio law.” Id. at *13.

Yet according to at least two federal courts in Ohio, a statutory bar preventing judgment on the note will also bar foreclosure of the mortgage. See Baker, 2018 U.S. Dist. LEXIS 121686, *30–*38; Fisher 584 B.R. 197–201. In fact, according to one of these courts, seeking to foreclose the mortgage under the statute of limitations applicable in state court could even subject a lender to liability under the FDCPA in federal court. See Baker, 2018 U.S. Dist. LEXIS 121686, *35–*39.

Hopefully, as the tale of two Fishers draws to a close, federal courts interpreting Ohio law will correct course and begin to apply the proper statute of limitations to mortgage foreclosure actions. The current confusion on this issue deserves a far, far better rest than it has ever known.