Introduction

Cybersecurity continues to raise red flags among investment advisers and their government regulators. According to a recent Investment Adviser Association and Cerulli Associates poll, 97 percent of surveyed registered investment adviser executives cited cybersecurity compliance as a priority concern and 93 percent noted increased related regulatory pressure. Their concern is not unfounded. As a continuation of an ongoing trend over the past few years, the U.S. Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) included cybersecurity among their 2017 examination priorities. This article will address the regulatory cybersecurity framework applicable to investment advisers and what steps advisers can take to combat cyber attacks.

Background

Over the past few years, the SEC and FINRA, the chief regulators of investment funds and advisers, have demonstrated continued interest in cybersecurity.

In April 2014, the SEC Office of Compliance, Investigations and Examinations (OCIE) launched a Cybersecurity Initiative, conducting a series of examinations of registered investment advisers and broker-dealers to identify cybersecurity risks. In September of the following year, OCIE announced its 2015 Cybersecurity Examination Initiative, with a focus on the following areas: (i) governance and risk assessment, (ii) access rights and controls, (iii) data loss prevention, (iv) vendor management, (v) training, and (vi) incident response. That same year, FINRA released a Report on Cybersecurity Practices, detailing practices that firms can tailor to their business models to advance cybersecurity efforts. OCIE continued to advance the efforts of its Initiatives in 2016, reviewing in particular the technical sufficiency of respondents’ security programs.

Cybersecurity will remain on regulators’ radar. On January 12, 2017, both the SEC and FINRA released their 2017 examination priorities. The SEC announced that it will continue its ongoing initiative to examine, including “testing the implementation of,” investment adviser and broker dealers’ cybersecurity compliance procedures and controls. FINRA will similarly pay close attention over the course of the year to cybersecurity risks and firms’ programs to mitigate those risks.

Governance and Risk Assessment

The best way of mitigating the impact of security breaches is to seek to reduce the number that actually occur. Investment advisers should have cybersecurity governance and risk assessment procedures to prescribe perimeter and other defenses. These procedures should include implementation of written policies tailored to business operations and communication of plans to and from senior management. While no amount of security can thwart a determined, well-equipped and sophisticated hacker, organizing and implementing even a basic defense can ward off more run-of-the-mill intruders.

Governance and risk assessment requirements are codified in the federal laws governing investment advisers. For example, the Gramm-Leach-Bliley Act (GLBA) “Safeguards Rule” requires financial institutions to establish a written information security program (WISP), designate an employee to coordinate its WISP, identify and assess risks to customers’ non-public personal information, and regularly test and evaluate the effectiveness of current safeguards. The GLBA is administered and enforced by several federal agencies, including the SEC via Regulation S-P. Rule 30 of Regulation S-P requires registered investment advisers, investment companies, and broker dealers to adopt written procedures to insure the confidentiality and protect against anticipated threats to the security of customer records or information.

In April 2015, the SEC’s Investment Management Division released a guidance based on OCIE’s 2014 examinations. In addition to periodic assessments of cybersecurity readiness, the guidance recommended that investment funds and advisers create and implement a cybersecurity response strategy through written policies that include access control, data encryption, restrictions on the use of removable storage media, data backup and retrieval, and an incident response plan. In the guidance, the SEC encouraged investment funds and advisers addressing these cybersecurity concerns to review the NIST Cybersecurity Framework, which is currently being updated. Investment advisers are required to review the adequacy of their policies and the effectiveness of their implementation at least annually pursuant to Rule 206(4)-7 of the Investment Advisers Act of 1940.

Notwithstanding the foregoing paragraph, it is important to note that while federal guidelines may be useful, there is no “one size fits all” with regard to cybersecurity compliance. Individual advisers, smaller firms, and branch offices are limited in financial and human resources allocable to cybersecurity defense. Additionally, the rapid pace of technology has engendered an ongoing technical struggle between hackers and their targets and staying on the cutting edge can be an expensive prospect. As FINRA noted in its recent Regulatory and Examination Priorities Letter, investment advisers must tailor their cybersecurity programs to their specific business model, size, and risk profile.

Consequences of failing to comply with the Safeguard Rule include loss of clients, private lawsuits from former clients, reputational damage, and civil penalties. The latter may be imposed even where no pecuniary losses can be shown. For example, in September 2015, one St. Louis–based investment adviser, R.T. Jones Capital Equities, settled an investigation with the SEC for $75,000. R.T. Jones had suffered a breach of its server, resulting in the leak of personally identifiable information (PII) of 100,000 individuals. While the SEC found no evidence that the firm’s clients were financially harmed, it concluded R.T. Jones had violated Rule 30(a) of Regulation S-P by having no written policies or procedures in place to reasonable protect client data.

Several states have gone further than federal regulators, imposing more stringent data security requirements on financial institutions. For example, while the GLBA applies only to customer information, Massachusetts’s “Standards for the Protection of Personal Information of Residents of the Commonwealth” apply to both employee as well as customer information. Massachusetts’s Standards also provide a list of items a WISP should contain, require encryption of personal information and limit the amount of information financial institutions are allowed to collect. New York’s recent “Cybersecurity Requirements for Financial Services Companies” require that financial institutions designate a Chief Information Security Officer, encrypt all “nonpublic” data and annually certify compliance with the regulations. While the regulations do not directly apply to investment advisers (which are not licensed by the New York Department of Financial Services), they may serve as a harbinger of future state-registered investment adviser requirements.

Access Rights and Controls

In its 2015 Cybersecurity Examination Initiative, OCIE noted that security breaches can stem from the failure to implement even basic controls to prevent unauthorized system or information access. Controls on onsite and offsite access to systems and data include management of user credentials and authentication and authorization methods.

“Man-in-the-middle” attacks—where a fraudster tricks (in the context of investment funds) a general partner or a limited partner into wiring a contribution intended for a fund or a distribution intended for a limited partner to a third party—are particularly threatening to investment advisers. Theft of client bank account information or an adviser’s private client list are also causes for concern, particularly where sensitive data is later exposed to the public.

Every investment adviser, large or small should ideally require multifactor user authentication to access their networks. Multifactor authentication refers to the use of at least two of the following categories: knowledge factors, location factors, time factors, possession factors, and inheritance factors. The knowledge factor is the most common type of authentication and requires users to provide an individualized piece of information, such as a password, pin code, or answers to security questions. The location factor cross-references a user’s current physical location against the user’s pre-registered location and the time factor cross-references the timing of user logins. The possession factor requires users to possess a specific item, such as a previously identified mobile device, computer, security card, or thumb drive. The inheritance factor involves biometric information that is inherently unique to each user, such as fingerprint, iris or facial pattern recognition.

Once relegated to the realm of Mission Impossible, biometric validation is now available on ordinary smartphones and is gaining traction among investment advisers and other financial institutions. For example, following a cybersecurity audit, Capital Advisors Ltd., an Ohio-based investment adviser, implemented fingerprint scans in addition to password protection for users to access its network. Validation processes are still in development however, and biometric validation is far from foolproof. Investment advisers deciding among biometric validation programs should bear in mind whether their relevant computer systems are more sensitive to false negatives (e.g., a repository of investors’ bank account information) or false positives (e.g., a system with high user traffic containing more mundane information).

As important as multifactor user authentication is the maintenance of a secure database of login information and updates to access rights based on personnel or system changes. Single sign-on software that logs into linked applications with a master identity can help investment advisers change large number of passwords at once rather than on an individual basis.

In addition to multifactor authentication and protocols for login issues, investment advisers can use firewalls and perimeter defenses to defend against breaches. Investment advisers should also conduct “hardening,” which generally refers to the reduction of security risks by removing unnecessary software, utilities, devices, or services. If a user account is compromised, multi-tiered approval processes (for example, those needed to access customer accounts or make distributions) may prevent serious harm from ensuing. On the system level, a virtual local area network segmentation, which creates a collection of isolated networks within a data center, can mitigate the damage a hacker could unleash.

Data Loss Prevention

In its 2015 Cybersecurity Examination Initiative, OCIE indicated that it would assess how investment advisers and broker-dealers monitor the volume of content transferred outside of the firm by its employees or through third parties, such as via email attachments or uploads. Customer data, especially PII, should be encrypted, whether transmitted or stored.

Investment advisers can address OCIE’s concerns by implementing a data loss prevention (DLP) strategy. DLP refers to the process for preventing the transfer of information outside of a corporate network. DLP software products use algorithms to classify and protect confidential and critical information. For instance, if an employee attempted to forward a business email outside of the firm’s email domain or upload a file to cloud storage (such as Dropbox or Google Drive), the employee would be automatically denied access, or an administrator password would be required. In addition to being able to monitor and control endpoint activities, some DLP tools can also be used to filter data streams on the corporate network and protect data in motion.

Two particular areas of DLP that OCIE emphasized are patch management and system configuration. Patch management and system configuration involves acquiring, testing, and installing multiple code changes (“patches”) to an investment adviser’s computer systems. System administrators should (i) maintain an updated inventory of all production systems (including operating system types, IP addresses, physical location, custodian, and function); (ii) standardize (to the extent possible) production systems to the same operating system and software; (iii) assess and compare reported vulnerabilities against inventory (e.g., estimating the cost of mitigation or recovery or checking whether an affected system is within a perimeter firewall); and (iv) deploy patches as needed.

As the name implies, patches are “patch-up jobs,” rather than comprehensive overhauls of a firm’s computer network, and can sometimes cause more problems than they fix. System administrators should take simple measures to avoid issues, like performing backups and testing patches on non-critical systems. In addition to running patches, investment advisers should regularly update their cybersecurity programs, whether configuring software to automatically download security updates or keeping on the lookout for newer and more advanced programs.

The importance of DLP to investment advisers has seen recent publicity. In June 2016, Morgan Stanley Smith Barney LLC (MSSB) was fined $1,000,000 for having violated the Safeguards Rule. Between 2011 and 2014, a MSSB employee impermissibly accessed and transferred data regarding 730,000 MSSB accounts to his personal server, which was then hacked by third parties. The SEC found that while the firm used modules to operationalize the restrictions set forth in its security policy, the modules did not effectively limit employee access to data and MSSB failed to test the modules or monitor user activity in applications where PII was stored.

Vendor Management

“Vendor management,” in the context of the Investment Management Division’s guidance, refers to an investment adviser’s actual vendor due diligence, monitoring and oversight, as well as the terms of the adviser’s vendor contracts. Appropriate vendor management and oversight is an area of critical importance, especially to larger firms that engage a large number of third-party service providers.

The first line of defense in vendor cybersecurity risk are vendor contracts. Investment advisers’ vendor contracts should include data security-specific representations and warranties, as well as nondisclosure provisions. Once vendors are retained, as threshold matter investment advisers should identify all vendors that have access to personally identifiable data and ascertain what data is visible to each vendor. In accordance with system segmentation policies described above, vendors should only have access to the data needed to perform their contracted services.

Investment advisers should ideally vet vendors (especially smaller vendors) with a systematic review process, which may include (in the case of larger advisers) interviews by cybersecurity consultants, as well as questionnaires examining the vendors’ operational and security procedures. Vendors that routinely use or hold the PII of their clients’ customers should report on the key security measures they employ, and in fact many larger vendors publish white papers explaining their security standards. Established investment advisers with leverage over certain vendors may subject those vendors to an information technology audit. For larger vendors this could take the form of an AICPA Service Organization Controls report but for smaller vendors, it could be a substitute report guaranteeing satisfactory compliance with applicable security protocols.

The minimum security protocols that investment advisers should require of vendors should include password parameters, multifactor authentication for unidentified devices and encryption of data, both in transmission and at rest. Finally, while data security is the overriding concern, data availability also is critical. Data that is not available is not worthless if it cannot be accessed. Vendors should have sufficient plans for backup data centers and telecommunications lines to ensure a seamless business continuity plan. In some cases, vendors may be required to purchase cyber security insurance to provide some compensation payout in the wake of a breach.

The aforementioned best practices may apply not only to vendors but also to subcontractors and third parties that host or have regular access to investment advisers’ data, including computer support vendors. A vendor questionnaire thus should verify to what degree a vendor uses subcontractors to handle sensitive data, and in some cases, an investment adviser may conduct direct sub-contractor due diligence in addition to vendor due diligence.

Training

Training efforts focus on ways in which the investment adviser prevents data breaches result from unintentional employee actions. Often, the most egregious of consequences can be prevented when employees are attentive to detail and know how to identify warning signs.

Cyber threats have been caused by such mundane lapses in security as misplaced laptops, attachments downloaded from unknown sources, and access of client accounts through an unsecured Internet network. On March 12, 2016, a nearly $1 billion cyber theft was blocked at the last minute by a bank employee who noticed a typo in the wire instructions from a foreign bank.

FINRA, recognizing the importance of this issue, has given detailed guidance for effective staff cybersecurity training programs. First, investment advisers should clearly define their cybersecurity training needs. Second, advisers should identify appropriate cybersecurity training update cycles, such as offering training on a periodic basis. Third and finally, advisers should deliver interactive training that has been tailored to their history of cybersecurity incidents, risk assessments and cyber intelligence. Employee training will likely focus on password and confidential information (especially client PII) protection, physical and mobile security, and escalation policies.

Bearing in mind that an overload of information can be detrimental rather than helpful, FINRA suggests that investment advisers consider whether staff trainings will be mandatory or optional and whether they will be tailored towards a target audience, such as general topics for the entire firm and specific topics for management. Investment advisers without dedicated in-house training personnel may wish to consult cybersecurity consultants that offer programs and platforms to help employees become a barrier against cyber threats.

Incident Response

As important as preventing security breaches is dealing with the aftermath. Investment advisers should identify the most likely types of cybersecurity incident and attack vectors, from DDoS attacks to a network or customer account intrusion, and outline tailored response plans in their WISPs.

A response plan will include steps to contain and mitigate the collateral damage from a cybersecurity breach. Employing intrusion detection systems and intrusion prevention systems can help detect compromises in their early stages. Firms should be prepared to shut down key elements systems, disconnect attached network devices, and, where possible, remove admin rights of compromised user accounts. A response plan should not just encompass a firm’s IT department (if there is one) but should be a collaborative effort on the part of all departments. In one enforcement matter, a factor considered by FINRA was the “firm’s failure to rapidly remediate a device the firm knew was exposing [client] information to unauthorized users.” Consequently, firms must see to the prompt recovery and restoration of systems to normal operations as soon as possible.

In addition to damage mitigation, investment advisers will need to investigate the source of the attack and provide a prompt damage assessment. OCIE learned from its 2014 study that while over 80 percent of investment advisers had implemented WISPs, less than 15 percent of those WISPs addressed how advisers will determine if they are responsible for client cyber-related losses. A WISP should therefore allocate resources to conducting an investigation, determine the extent of data and monetary loss and should identify when client reimbursement is required.

Importantly, investment advisers are obligated to notify clients and regulators in the event of certain breaches. With regard to notices to clients of the loss or misuse of personally identifiable information and other sensitive data, this obligation takes on a fiduciary nature. Although not required by Regulation S-P, mandatory customer and regulator notices have been codified in the regulations of the District of Columbia and 47 states. Consequently, WISPs should allocate resources for the conduction of a timely reporting of cybersecurity incidents to clients and regulators.

Conclusion

Investment advisers have both a legal and a practical obligation to affirmatively protect their clients’ data. While an investment adviser’s size, industry, and other factors will determine what degree of protection is appropriate within the context of federal and state privacy laws, all advisers can and should take some protective measures, such as consulting a cybersecurity consultant, using authentication and encryption tools and preparing a WISP. With so much public focus on the issue and future regulations likely, taking cybersecurity precautions may be well worth the cost.

Introduction

Whether fighting for or against policy agendas, providing support to communities affected by policy changes, or fighting for their existence due to a lack of funding or legislative action specifically targeting an organization or its activities, charities often find themselves more engaged in advocacy activities during periods of significant political shifts. For some organizations, the change in political climate just means more or less advocacy activities in certain areas than normal. For other organizations, advocating for their communities means working to support their clients and communities in ways that require more attention to compliance in order to continue operating within the confines of their tax-exempt status. As a result, it is more important than ever that advisors to nonprofits understand the range of advocacy-related activities organizations can conduct, and the considerations organizations must take into account when conducting those activities. Charities will often avoid some types of advocacy activities, or at least do far less than is allowed by their tax-exempt status, because of the fear and misunderstanding that exists around the restrictions imposed on section 501(c)(3) organizations. This article provides an overview of the most common advocacy activities charities conduct, and the issues with those activities that could endanger an organization’s federal tax-exempt status.

Background

Charities receive significant levels of public subsidy, both in the form of tax deductibility for gifts and in exemption from tax on most forms of income. As a result, charities are subject to significant restrictions on their activities to ensure that they exist to benefit public rather than private interests. Those restrictions include an absolute prohibition on engaging in campaign intervention activities for or against a candidate, a requirement that a public charity can conduct only insubstantial amounts of lobbying, and a prohibition on private foundations conducting any lobbying activities. By comparison, other types of organizations that do not receive the same level of tax benefits, such as section 501(c)(4) social welfare organizations or section 501(c)(6) chambers of commerce and professional associations, can conduct political activities so long as those activities are not their primary activity, and they can conduct unlimited amounts of lobbying supporting their exempt purpose(s). Organizations exempt under sections 501(c)(4) and 501(c)(6) are also likely to get more involved in lobbying and other activities during periods of political shifts, although because the restrictions on these organizations are less stringent, they are less likely to cause problems for an organization’s tax-exempt status. For those seeking to fund or fundraise for advocacy activities, section 501(c)(3) organizations are often more desirable vehicles than other types of tax-exempt organizations because their activities can be funded with tax-deductible contributions. In addition to the funding advantages charities provide, they arguably should also have an even stronger drive to engage in policy and advocacy activities because the constituencies charities serve are often some of the least likely to have a voice in the policy arena.

Lobbying Activities

One of the most common types of advocacy activities that charities conduct is legislative lobbying. Lobbying is understood to occur when an organization contacts, or urges the public to contact, legislators in order to propose, support, or oppose legislation or otherwise advocates the adoption or rejection of legislation. Legislation includes an act, bill, resolution, or similar proposal before Congress, a state legislature, local councils, or similar governing bodies (including legislative bodies in foreign countries), or before the public in a referendum, constitutional amendment, or similar procedure. As mentioned above, whether a charity can lobby depends on its foundation status. Public charities can lobby, but the amount of lobbying they can conduct depends in large part on which lobbying test they are under (see below). Private foundations cannot engage in any lobbying.

The default test that all charities are subject to unless they affirmatively elect otherwise is the no-substantial-part test. There is no clear definition of “substantial,” but it is generally understood that, if lobbying activities are anywhere from five percent to 20 percent of an organization’s total activities, it may be determined to be substantial. It should also be understood, however, that the no-substantial-part test is not a pure percentage or expenditure test of an organization’s lobbying activities. The no-substantial-part test looks at other factors, including time spent on lobbying activities, physical space devoted to lobbying activities, volunteer labor used for lobbying activities, and other factors that help understand the scope of lobbying activities as compared to the organization’s other activities. For some types of public charities, such as governmental units and churches and their related organizations, the no-substantial-part test is the only test of lobbying activities that applies. If a public charity governed by the no-substantial-part test is determined to have exceeded its lobbying limits, the penalty is revocation of its tax-exempt status. Public charities under the no-substantial-part test may use certain exceptions found in the private foundation regulations to exclude certain activities from the definition of lobbying. Those exceptions are discussed in further detail below.

Other public charities may elect to be governed by the expenditure test under sections 501(h) and 4911 (and the associated Treasury Regulations), which provide a specific calculation of the total amount of lobbying activities that may be conducted, capped at $1 million, and with a separate limitation on expenditures for reaching out to the general public to urge them to lobby their legislators (grassroots lobbying). The expenditure test provides additional definitions that are not available under the no-substantial-part test that help to exclude a much broader array of activities from the definition of lobbying. A 25-percent excise tax is imposed on organizations that exceed the total or grassroots lobbying amounts, but the organization’s exempt status is not subject to revocation unless they “normally” exceed the limits. “Normally” in this context is looked at over a four-year period and requires exceeding the lobbying limits by at least 150 percent during any given four-year period.

Private foundations are prohibited from lobbying unless the activity falls under one of the specific exceptions provided in section 4945 and its associated regulations: nonpartisan analysis, study, or research provided to the public or legislative officials; examinations and discussion of broad social, economic, and similar problems; requests for technical advice or assistance to a requesting legislative body; and self-defense lobbying communications. Currently, the exception for self-defense communications has been relied upon by many of the private foundations involved in opposing any repeal or change to the prohibition against political activities by section 501(c)(3) organizations (commonly referred to as the Johnson Amendment). If a private foundation engages in lobbying activities, it has engaged in a taxable expenditure under the private foundation rules, which subjects it to excise taxes and a requirement to correct the taxable expenditure. In some circumstances, organization managers may also be subject to an excise tax. If the amount of the taxable expenditure is not corrected within a given time period, the private foundation may be subject to a second-tier tax, and it may have its private foundation status terminated.

Political Activities

Both public charities and private foundations are subject to an absolute prohibition on political campaign activities, which is enforced through excise taxes and the revocation of an organization’s tax-exempt status. The definition of “political campaign activities” (also frequently referred to as campaign intervention or electioneering) is much broader than the election law/campaign finance law definition of “political activities.” Unfortunately, despite recent efforts to clarify this arena, there is no clear statutory or regulatory definition of what qualifies as campaign intervention. The IRS will look at all of the facts and circumstances to determine whether the charity is signaling or implying support for a candidate or party through its communications and activities. This context-driven identification of prohibited political campaign activities often causes organizations to be overly cautious. Many activities not intended to result in campaign intervention could be viewed that way by the IRS. For example, campaign intervention can very easily arise, particularly in an election year, as a result of an organization’s lobbying and issue advocacy. However, it can also be found as a result of business transactions the organization enters into, such as selling advertising, or even via its website and social media communications. Given that the context of the communications or the activities controls the analysis, many activities of an organization not directly connected to its advocacy programs could still result in a finding that the organization engaged in impermissible campaign activities.

Concerns regarding this issue are significant for many organizations this year because Donald Trump filed a notice in early 2017 with the Federal Election Commission that his campaign committee had raised enough money for the 2020 election such that it was required to file. He has also already filed a trademark registration for his 2020 campaign: “Keep America Great!” Those filings have resulted in fear by organizations, fueled in part by misinformation in the media and blogosphere, that charities are now prohibited from criticizing Donald Trump’s acts and statements as president because he is already taking actions as Trump the candidate for 2020. In fact, such communications and actions by the charitable sector are analyzed in the same way they always are, which is with regard to all of the facts and circumstances surrounding the activity or communication. There are no factors that are determinative, and organizations are advised to obtain advice from qualified counsel on the subject. Some of the relevant factors specifically referenced by the IRS in guidance include (not an exhaustive list): whether the statement identifies a candidate by name (or any other identifier that clearly indicates it is referencing the candidate); whether it is delivered close in time to the election (clearly a factor that currently weighs in favor of an organization); whether the timing of the communication or action is related to specific legislation or policies; whether the communication or action is addressing the individual as an officeholder or a candidate; whether it is an issue the organization historically has worked on; and whether it relates to the organization’s mission. A communication or action that encourages voters not to re-elect Trump would likely be regarded as campaign intervention. In contrast, an action that is issue-focused in response to current legislative action, and does not reference Trump the candidate, would likely not be campaign intervention. However, there is enough gray area that can result between (and even potentially including) those examples that, depending on the facts and circumstances surrounding the criticism (or praise), an analysis of the actual planned action or communication is often required.

Illegal Activities

It is generally understood that a charitable organization that promotes violations of the law or public policy in order to achieve its charitable purposes cannot be operated in compliance with the requirements of section 501(c)(3). This restriction comes from the law regarding charitable trusts and has arisen for charitable organizations in a variety of circumstances, including: Medicare and Medicaid fraud; sponsoring nonviolent protest demonstrations as a primary activity at which members are encouraged to commit acts of civil disobedience; activities intended to support the cultivation and distribution of medical marijuana in a state in which such activities are legal; and university prohibition against interracial dating and marriage. Charitable organizations can, however, conduct activities such as strikes, economic boycotts, picketing, mass demonstrations, etc. as a means of furthering educational or charitable purposes so long as the activities are not illegal or contrary to clearly defined public policy.

Litigation as a Charitable Activity

Organizations may be able to conduct litigation as a means of advocacy and in furtherance of their charitable purpose without jeopardizing their tax-exempt status. Most commonly seen are organizations that litigate to enforce environmental legislation, consumer protection, and to defend human and civil rights secured by law. Therefore, it is not uncommon to see significant litigation during periods of political unrest and significant changes in public policy. In order to qualify as charitable, litigation must be conducted for a public, rather than a private, purpose. This does not mean that a nonprofit cannot represent individual plaintiffs; however, the litigation should be expected to have a significant impact beyond the interests of the specific plaintiffs represented by the nonprofit. Although well-recognized as a means to exemption, organizations seeking to operate as a public interest law firm are advised to review the IRS’s detailed guidance and restrictions regarding the firm’s operations, which are intended to ensure that that the operations further charitable purposes and are distinguishable from the operations of a for-profit law firm.

Attribution Issues

Charitable organizations must take precautions to prevent activities that could jeopardize exemption from being attributed to the charity as the result of the actions of individual staff or directors, members, or organizations with which the charity is affiliated or works in coalition. Individuals associated with charitable organizations do not lose their free speech rights when they are speaking outside of official organization functions and publications. However, attribution from staff member or director’s actions can occur when it could be inferred that speech from the individual is made under the authority of the organization or the action is ratified by the organization. Individuals associated with charities, particularly individuals who are generally viewed as speaking on behalf of an organization, should take care to clarify when they are speaking in their individual capacity. That care should be taken not just in more traditional modes of public communication such as speeches, op-eds, interviews, etc., but also in the individual’s social media communications (particularly if they use personal social media accounts to engage in organization-related or organization-endorsed speech).

Charities that organize their membership and supporters to engage in protests and other public demonstrations are not generally going to be held accountable for the unauthorized activities of individuals who engage in illegal activities as a part of a march or demonstration sponsored by the charity. However, if the organization encourages, authorizes, or otherwise ratifies the illegal activities of the individual members, such action may jeopardize the organization’s charitable status.

Similarly, organizations that work in coalition with other groups that are not 501(c)(3)s, including organizations that the charity may be closely affiliated with, must take care to ensure that activities of the coalition members that the charity cannot conduct itself are not attributed back to it. For example, if a 501(c)(3) has an affiliated 501(c)(4) or 501(c)(6), it must avoid the appearance of subsidizing the political campaign activities of the affiliated entity that the charity cannot itself conduct. In other situations, 501(c)(3) organizations may be working in coalition with a variety of organizations to advocate for an issue that is important to all involved groups. The charities involved in the coalition must take steps to ensure that activities that may be conducted by some coalition members, such as political campaign activity or excessive lobbying, are not attributed to the charity.

Conclusion

There are many ways, in addition to those discussed above, for charities to advocate for policies and positions that advance their charitable purposes and benefit their charitable constituency. All organizations engaging in advocacy activities should understand the compliance issues inherent in each type of activity, but particularly organizations that are newly engaging in a certain type of advocacy in response to political and public-policy changes. It is often necessary for charities to involve themselves in policy to ensure that communities lacking a voice (or a loud enough voice) in the political process are able to have their voices amplified and heard, particularly in these political times.

As a teen, Donald Maurice helped with his family’s construction and land development company. Out in the hot sun, he’d spend hours pounding nails, sawing boards, as part of a team building houses. It was the perfect beginning for his legal career, in which he began as a land use attorney. But this was the mid-1980s, and the savings and loan crisis quickly transformed him into a financial services attorney. “I had a knack for understanding commercial property and the challenges that borrowers and lenders faced,” he says. When that crisis resolved, his career continued to evolve in this practice area. Now, he helps manage a 30 plus attorney law firm, Maurice Wutscher, with offices in 16 states. He’s a regular contributor to his firm’s blog, hosts webinars, and gives speeches throughout the country on consumer and commercial finance laws.

*     *     *

What inspired you to become a lawyer?

My family’s work was construction and land development, mostly commercial and residential land development. I would work with my family in the summer and when I had breaks from school. At a very young age I learned that the law impacted how we could develop properties and construct buildings. I found it very interesting, and when you’re outside in the hot heat of the summer sun, it seemed a lot better to be on that side of the business than on the labor side.

How did you come to specialize in consumer and commercial finance companies?

When I went to law school, which was in the mid-’80s, the S&L crisis began to unfold. When I graduated in 1988, my intent was to pursue a career in land use law, but at that time there weren’t many developments going on because of the crisis. In fact, commercial and residential developments were largely in default. The loans were not being paid and the lenders needed to begin to take back their properties. Some smaller New Jersey banks reached out to the law firm where I worked and wanted assistance in recovering these properties. I had a background in construction and development, so I understood the state of the properties and went from being a land use attorney to a financial services attorney just by virtue of the economy at the time.

What do you enjoy about it?

I had a knack for understanding commercial property and the challenges that borrowers and lenders faced. As the economy began to recover, there was less and less work like that. Commercial properties were thriving, and the development end of it was moving forward properly. A theory of law called lender liability began. It was interesting and new, and it involved borrowers accusing banks of wrongdoing. I began successfully defending against these cases.

Soon there was a new area of lending that was growing very rapidly and that was the consumer side. What banks began to see in the late ’80s and early ’90s was a growth in consumer-related litigation arising from financial products and services, particularly in the automobile finance area. The same banks that had hired my firm and myself to defend them in commercial matters began to send the consumer matters to me. I found them very similar to commercial matters. It fit very well into what I was doing, and I was very successful on that end of the work, as well as defending the financial services companies against those types of claims.

Later on, a group of plaintiffs’ attorneys representing consumers in the financial services transactions began to expand out from automobile loans to all types of consumer loans. So, we saw a lot of activity in credit cards and credit card disclosures and the alleged failure to make proper disclosures. In the late ’90s and turn of the century, we saw the growth of debt collection, particularly with the emergence of large companies that bought defaulted debt and then would collect on it. Unlike original creditors and creditors who extend credit, the debt-buying companies were often subject to other sets of federal and state regulations that allowed for civil claims to be brought against them that were not typically brought against creditors.

So I began to represent these debt-buying companies. There were not a lot of people 20 years ago doing this work, and I have been representing that industry for 20 years. I continued to grow that practice in New York, New Jersey, and Pennsylvania.

You now help to run a 30-plus attorney law firm with offices in 16 states. What do you most enjoy about heading up a firm?

Running a firm is the toughest thing an attorney can do. I don’t run it myself, I can assure you of that. We have partners who handle various aspects of it. What I like about having a firm like ours is that we can specialize primarily in consumer financial services. To have a group of attorneys who all are working on regulatory compliance and financial services litigation brings a great amount of knowledge and experience to the table. It allows us to provide our clients with superior services. We have, for example, myself and others here who have been practicing in this area for 30 years.

We have offices from California to Boston to South Florida. It gives us a very good overview of what is happening nationally. We are able to spot emerging trends and help our clients who primarily are engaged nationwide to address some of these emerging issues quickly. I also do a lot of work in state legislative affairs. You begin to see patterns in how states are regulating consumer financial services, and in my role, I get to assist in shaping those state laws through my legislative work.

What are the main challenges of running a firm?

My biggest challenge is to provide assistance to all the other attorneys whom I work with. The attorneys are coming to me with questions either on the law or strategy, and my role is to assist them in answering those legal questions and developing a strategy. That means I have to be familiar with all of their cases.

Do you have a systematic or technological solution to tracking cases?

We do employ a wide variety of technology solutions. We share a lot of information through that technology, and we have systems that allow us to track the cases. But in ligation you can’t replace the ability to strategize with technology. So it has to be a hands-on endeavor in each of the cases. We are constantly having meetings concerning each of the cases that we work on internally and with our clients. Technology can only assist you in the very fundamental aspects of tracking and monitoring cases.

Is there a lot of travel for you?

I travel very often. I’m licensed in Massachusetts, New York, New Jersey, and D.C., and I have about 30 federal admissions. In any coming week, it’s not unusual for me to be in Boston, New York, Chicago, or New Jersey. I also do a good bit of travel for my legislative work.

You also provide advice and counsel to attorneys in matters of professional responsibility and attorney ethics. What issues do you see rise most frequently?

In the consumer financial services space, there are attorneys engaged in consumer debt collection. Unfortunately, the practices of these attorneys have come under extraordinary scrutiny as a result of the application of the federal Fair Debt Collection Practices Act (FDCPA). This has created extraordinary difficulties that other attorneys do not regularly face. They are subject to lawsuits by consumers simply because the attorneys file lawsuits on behalf of their clients.

The FDCPA is sometimes utilized to sue these attorneys, alleging, for example, that because they lost a case, the lawyers did not have a basis to sue on the claim. Sometimes the lawyers are sued because it’s alleged that they did not spend enough time reviewing a file before they sent a letter. The federal Consumer Financial Protection Bureau has brought enforcement actions against lawyers and law firms based on that theory. There is no other attorney practice area that I know of that is subject to that great deal of risk. It has caused a significant number of problems for these attorneys.

What I have learned from representing these attorneys is that they probably spend far more than other types of practice groups on both professional compliance and compliance with the federal and state laws in the areas in which they practice. They do this not only because they want to do a very good job for their clients, but because of the personal risks that they now face.

You help write a blog, the Consumer Financial Services Blog. How valuable is the blog to the firm?

We started the blog about six years ago, and we did it because we love to write. My articles are typically analytical, but the blog also has a lot of case updates that our clients may find interesting. Certainly there is an element of the blog that is there to display the talent of our attorneys. Most, if not all, of our attorneys publish to the blog regularly. It provides the public with insights into the skill and expertise of our attorneys.

It also keeps our attorneys up to date on developments in law. Because we’re writing about what we believe are important developments impacting consumer and financial services, our attorneys are staying abreast of changes in the law, both in the decisional law and in the regulations and statutes.

How often is a new article posted on the blog?

Since May of 2015, we typically publish four articles a week. In all, there are nearly 550 articles published through the blog.

You recently spoke at the ABA Business Law Section about the case the Midland Funding v. Aleida Johnson case before the U.S. Supreme Court. What are your main views about this case?

The issue presented in Midland v. Johnson, whether a proof of claim for a debt subject to an expired limitation violates the FDCPA was one our firm successfully defended many years ago in the Eastern District of Pennsylvania bankruptcy court. I though the issue was resolved, but it re-emerged in the 11th Circuit Court of Appeals, in Crawford v. LVNV and again from the same court in Midland v. Johnson. We knew that that the decisions did not sit right under bankruptcy law. Claims under the bankruptcy code include debt subject to defenses. The fact that a debt is subject to the defense of an expired limitations period doesn’t mean that the creditor no longer has a claim under bankruptcy law.

We thought maybe the theory would remain in the 11th Circuit, which covers Georgia, Florida, and Alabama, and wouldn’t expand to other parts of the country, but sure enough it did. Soon after, we had a case in the Third Circuit, Torres v. Cavalry, a case in the Fourth Circuit, Dubois v. Atlas, and several trial court level cases in the Fifth and Seventh Circuits. All of them involved these Crawford claims.

We successfully argued for a dismissal in the Torres case. Dubois went to the Fourth Circuit Court of Appeals which, in August of 2016, affirmed the decision of the bankruptcy court dismissing the claim. And in the Seventh Circuit—several Illinois bankruptcy courts also dismissed the claim, one of which was affirmed by the U.S. District Court.

I’m outside counsel to the Receivables Management Association, which is a trade organization of companies that are engaged in the purchase and collection of accounts receivable. Some of these companies are debt buying companies, which were mostly the targets of each of these complaints. They had asked us to look at this issue because of the work that we had done and the cases I mentioned.

Our firm filed an amicus for RMA in Midland v. Johnson. We thought we could add to the excellent work that Midland’s attorneys had done by addressing the issue of due process—an issue we had explored in one of the Illinois cases. Essentially, in a Chapter 13 bankruptcy filing, due process can only be afforded to creditors holding claims is they are allowed to participate in the bankruptcy process by the filing of a proof of claim. I later had the pleasure of being at the Supreme Court to hear the oral argument.

You also give many webinars. What is the primary value of doing these?

Because I’m working across the country, we see a lot of trends. One of the early webinars we gave was on Crawford. We talked about Crawford soon after it came down and said that there’s a possibility this could spread throughout the United States. We offered insights so that others could defend these cases. Both plaintiffs and defense counsel participate in our webinars. It’s not a lecture, but rather a discussion of the issues.

I work a lot with the ABA and produce presentations and sometimes webinars, and various other organizations ask us to do the same.

You give many speeches. If you could pick any topic to talk about what would it be?

The one I enjoy the most is professional responsibility. Attorneys hold themselves to such a high standard of moral and professional responsibility. I don’t know of any other profession that goes as far as what is required of us. It lets the public know that attorneys strive not only do their best work for each of their clients, but also that our job is to protect the integrity of our legal system.

What advice would you give to a new attorney who’s just starting out?

Number one: spend your early years learning how the law developed. Learn procedure as well. Spend a lot of time not only reading the case law but understanding the how and why the common law, statutory law, and procedure developed.

In my first five years of practice, I spent an inordinate of amount of time learning not just what the law was but how the law got there. It’ll help you later on because as you continue in your career, it helps you understand the future development of the law.

Number two is to have peers and mentors. Certainly if you’re in a smaller firm you need to be part of the larger organizations. The ABA is prime example of that. When I first started out, my firm was small. Even our firm, though we have 30 attorneys, is still small compared to larger firms. The ABA’s Consumer Financial Services Committee is the preeminent spot for you to be. I’ve been a member since I began to practice, and so many of the leaders in that group, whether they realize it or not, were mentoring me. They were encouraging me to participate in presentations and in writing. The Consumer Financial Services Committee wants you to be involved. At the same time the people who go to the meetings are the people shaping consumer financial services law. You will not see that anywhere else. And it is also a unique setting, you have defense attorneys, plaintiff attorneys, general counsel, federal and state regulators, and enforcement attorneys all in one place.

I have personally benefited from these interactions. As a defense litigator, I often touch on so many areas of consumer financial services law, whether it be credit reporting, or debt collection or disclosures or privacy and now technology and payment systems. Because of this group, it allowed to me to explore the connections between the financial products and services from the creditors, regulators and consumer advocates perspectives, long before the products or services made their way to the public.

What do you do for fun?

I love to do things around the house. I do our yard work and landscaping and all of our handyman work. Anything that needs to be done around the house from plumbing to electrical to cutting the grass.

I’ve always loved taking pictures in different forms—sports photos, photos of the family, or our travels. Lately, I’ve been very interested in aerial photography. A lot of people call them drones but these drones have pretty sophisticated cameras attached to them. It enables you to get to locations that you typically wouldn’t or couldn’t go, and you can capture some beautiful landscapes. I also enjoy traveling with my wife and my two adult daughters.

Thank you so much!

Corporate lawyers rarely focus their practice on managing corporate records and the information, knowledge, and expertise that those records contain, but doing so can be enormously valuable to a corporate client. The question that corporate lawyers should be vitally interested in is why it matters to effectively manage corporate information, knowledge, and expertise. Lawyers who provide advice and counsel to corporate clients, even in specialty subjects such as security compliance, EEO, intellectual property, tax, or any other legal subject, should have some familiarity with the issues involved with that client’s records because they contain vital data, information, and knowledge that may be directly on point to their subject matter advice. The quality of that advice is directly dependent on the quality of the information, knowledge, and expertise in, or that should be in, the corporate records.

Managing corporate records might seem to the uninitiated to be a simple, straightforward matter, often the responsibility of file clerks who pay little or no attention to the content of those records. Managing the data, information, and knowledge in corporate records is by far a quite complicated subject that must be the responsibility of critically thinking individuals who are familiar enough with corporate operations and the applicable law to be able to evaluate the quality and appropriateness of that data, information, and knowledge.

Corporate lawyers and those in private practice should be able to quickly and accurately answer such questions as “What is a corporate record?” and “How long must a particular corporate record be maintained in corporate files?” These are just two of the most fundamental questions with which corporate lawyers serving as professional record managers must be familiar and comfortable with answering because those answers absolutely govern the fate and longevity of the data, information, and knowledge the records contain. Fundamentally, the question is whether the quality of the information, knowledge, and expertise is as high as it possibly could be in terms of its accuracy, completeness, timeliness, and at least a dozen more factors that measure its quality.

Complicating the practice of corporate records management is the fact that today’s records no longer are pieces of paper in a physical file somewhere in the corporate facilities. For several decades now, many, if not most, corporate records involve technical electronic systems for their creation, transmission, storage, and maintenance. These technical electronic systems not only speed the creation and communication of corporate data, information, and knowledge, but also often frustrate their being quickly located, identified, and used for the purposes that corporate lawyers need to make of them. For these and many other reasons, attorneys who represent corporate clients and those in private practice must have enough familiarity with corporate records-management practices to be able to retrieve the data, information, and knowledge they need to ensure that their practices are providing the best legal advice possible. Furthermore, many lawyers might not realize that practicing corporate records management and providing legal services in this field can be a lucrative practice area.

Mismanagement of data, information, and knowledge can cause enormous legal liabilities, as recent corporate disasters have shown, and the Sarbanes-Oxley Act has tried to rectify some of these situations and prevent them happening in the future. Given the myriad of laws, regulations, and other requirements, corporate compliance is a tremendous legal challenge, but corporate counsel must go beyond mere compliance to understand how they might anticipate legal problems before they occur to avoid potential liabilities. Effective management of corporate information, knowledge, and expertise by experienced counsel will go a long way toward preventing legal and other corporate disasters that have taken so many companies to their graves.

As professionals responsible for managing the content of corporate records, attorneys must achieve various levels of understanding about the content of those records in order to be extraordinarily capable in their field. Attorneys must have the ability to:

• access the quality of the information, knowledge, and expertise in those records;
• know how to classify, i.e., determine the type of information, knowledge, and expertise that is in the record content;
• organize the records so that their information, knowledge, and expertise can be quickly found when needed;
• detect problems in the content and context of the information, knowledge, and expertise;
• develop solutions for the problems found in the information, knowledge, and expertise content or context;
• implement solutions to the problems found in the information, knowledge, and expertise content or context;
• assure that problems found in the information, knowledge, and expertise content or context do not reoccur; and
• educate firm members throughout the company so that problems found in record content or context are not repeated.

(Excerpted from the Preface to Designing an Effective Corporate Information, Knowledge Management, and Records Retention Compliance Program, 2016 Edition (Thomson Reuters 2016).)

In summary, lawyers serving both inside a corporation and in private practice with corporate clients should pay significantly more attention to the quality of the corporation’s information, knowledge, and expertise and should develop a program to systematically capture as much of the tacit information, knowledge, and expertise that should be in its records, but that walks out the company’s doors in the minds of its employees every night. Simply put, this article advocates that corporate counsel adopt a more inclusive strategic mindset to their corporate practices. To do this they should operate using an innovative strategy rather than a traditional one. The business universe, including the business of law practice, consists of two distinct types of operating space and strategies: traditional and innovative, with the latter devoting significant resources to corporate law practice that, to date, has not received the attention it deserves, which is managing the quality of its information, knowledge, and expertise:

To apply an innovative strategy: (1) never use the competition as a benchmark, but create a leap in value for both one’s practice and one’s clients; and (2) reduce the firm’s costs while also offering clients more value. Operating with an innovative strategy focusing on corporate information, knowledge, and expertise is an underserved and mostly ignored area in which lawyers can build a profitable practice with plenty of room to grow and, most critically, serve as an important leader to corporate clients.

The bottom line for attorneys responsible for managing the content of corporate records is that they must have a comprehensive understanding and appreciation for: (1) all the business operations and functions of the company; and (2) all the applicable and relevant laws and regulations that apply to his or her company. That is why those serving as counsel to corporate clients are uniquely qualified to take on this responsibility of managing corporate information, knowledge, and expertise and why attention to this subject must be included in those lawyers’ responsibilities.

In 2017, The Business Lawyer published a landmark report titled “Defining Key Competencies for Business Lawyers,” which was prepared by a task force that the ABA Business Law Section’s Business Law Education Committee created in 2013. The task force, drawing on the framework of the MacCrate Report, but with a focus on business lawyer competencies, directed the report toward faculty and students in law schools and business law practitioners. Barbara Wagner deserves special praise for serving as the primary author of this report, which provides valuable guidance for law school curriculum committees and for practitioners tasked with creating training and development opportunities.

The task force, recognizing that the list of competencies might be modified in the future, invited comments on the report. One aspect of the report that the task force might want to address is the minimal discussion of competencies relating to the leadership role played by business lawyers. The report does include specific skills relating to leadership that are inherent in a business lawyer’s work, such as problem solving, critical thinking, and communication, and in a section that extends beyond the MacCrate framework, the report lists people skills and other behavioral competencies of business lawyers.

However, the report is quiescent when discussing broader leadership competencies. These competencies include thinking strategically about how a lawyer’s risk-management skills relate to the value-creation focus of business strategy, motivating others in an organization, leading change management, developing a leadership vision, building social capital, and building a team.

When covering the business knowledge that a lawyer should possess, the report discusses topics such as finance, accounting, supply chain, marketing, and a “facility with numbers.” Although this business knowledge certainly is useful, there is little mention of broader leadership competencies. In its over 26,000 words, the report (according to my keyboard’s “Find” function) includes the word “strategy” in only four sentences—two dealing with transactional strategy and two dealing with factual investigations. The word “team” is mentioned only once, and the words “leader,” “leadership,” and “vision” do not appear in the report. Concepts relating to motivating others within an organization, change management, and social capital are also missing. Although the report does discuss the important competency of adding value to a deal, it ignores the lawyer’s broader role in developing value-creating business strategies.

These omissions are unfortunate from both practitioner and academic perspectives. From a practitioner perspective, the percentage of lawyers in CEO positions has declined over the past century. A 2016 article titled “Who Let the Lawyers Out” in the University of Pennsylvania Journal of Business Law notes that, prior to 1930, over 75 percent of American CEOs had a legal education; by 2012 this figure had dropped to nine percent according to U.S. News & World Report.

The tide might be turning. A 2013 ACC/Georgetown study concludes that the value of strategic input from general counsel will increase in the future. This is an important shift from the traditional management assumption that law is merely a cost center. When the Directors Roundtable honored Lori Schechter in 2016 for her work as general counsel of McKesson Corporation, her remarks reflect this new direction. In her words, the way to “get a seat at the table” is “a combination of not just being the naysayer or the person looking at the risk issues, but also being the person that’s helping to create the value.”

From an academic perspective, the opening lines of an article in the Winter 2017 issue of the Journal of Law, Business & Ethics note the lack of leadership education in law schools: “In the recent experience of this recent law school graduate, I observe a lack of appreciation that leadership, in legal education or the profession, is vital to wellbeing. There is utility in educating law students about leadership as an essential or core competency for ethical engagement and success as a lawyer.”

Law schools have abundant opportunities to include leadership education and strategic thinking in the curriculum. For example, the required course on contracts could cover strategies to increase the value-creating function of a contract as a business tool as well as a legal document. The required course on torts could explore value-creating aspects of tort law, such as the use of product liability prevention processes to identify new product opportunities. In addition, a third-year capstone course on, say, “law and leadership” could aggregate learning from the required law school courses using the lens of value-creating legal strategies, just as final-semester capstone business strategy courses in business schools combine elements from business school core courses on finance, marketing, operations, and management.

This article focuses on a key aspect of a business lawyer’s leadership role—the ability to provide strategic input into management decisions. The Harvard Business School’s required course on leadership provides a useful framework for academics and practitioners interested in this element of leadership. The course utilizes a three-part model—based on the intersection of economics, law, and ethics—that can be used to conceptualize a lawyer’s leadership role in the development and implementation of business strategy.

The following sections, adapted from Chapter 1 of The Three Pillar Model for Business Decisions: Strategy, Law & Ethics (Van Rye Publishing, 2016), apply the Harvard model to the work of a business lawyer. The first section covers the triadic framework used in the course. The second section recommends an expansion of the model by replacing economics with strategy. The third section identifies a key challenge in using the model—the gap between the value-creation orientation of strategy and the risk-management focus of law. The fourth section suggests an approach for closing the gap. The article concludes with practical examples that illustrate the important role that law can play in value creation.

The Harvard Leadership Course

Academics Timothy Fort of Indiana University, Archie Carroll of the University of Georgia, and Mark Schwartz of York University have developed theoretical models of business decision making based on economics, law, and ethics. The clearest practical application of these models originated at Harvard Business School (HBS). I first encountered this application in 1998 when I was a visiting professor of business administration at Harvard and served on the teaching committee for a module called “Leadership, Values and Decision Making” that was taught to all MBA students. This module later morphed into the current required HBS leadership course, “Leadership and Corporate Accountability” (LCA). Professor Lynn Sharp Paine, former senior associate dean at HBS, described the practical nature of the course in Datar et al., Rethinking the MBA: “We are training future practitioners. . . . We focus not on rare events or abstract issues in moral philosophy, but on decisions that students will have to make in their careers.”

LCA focuses on the three key elements that form the foundation for decision-making in business—economics, law, and ethics. The 2011 online version of the course syllabus describes the three categories of a business leader’s responsibilities as: “. . . economic, legal, and ethical. Economic responsibilities relate to resource allocation and wealth creation; legal responsibilities flow from formal laws and regulations; and ethical responsibilities have to do with basic principles and standards of conduct.”

The course is especially challenging and important because it takes future leaders into what the syllabus calls the “grey areas” of business. The analytical perspectives of the economics, law, and ethics triad, a staple of everyday business decision making, shape these real-world challenges. The following diagram from a course overview that students receive at the beginning of LCA depicts the overlap of the three perspectives. As the course overview notes, “The basic idea is that outstanding managers develop plans of action that fall in the ‘sweet spot’ at the intersection of their economic, legal, and ethical responsibilities.”

The course guide for instructors elaborates on this sweet spot, which is also described as the “zone of sustainability”:

Actions and strategies that fall inside this zone tend to be acceptable to the firm’s constituencies and thus repeatable over time, while those that lie outside typically invite negative repercussions from injured, wronged, or otherwise disappointed parties. Actions outside the zone may even lead to the firm’s failure, especially if pursued at length.

The three dimensions of the Harvard model are also depicted in the form of the following decision tree, adapted from a diagram developed by Constance Bagley (a senior research scholar at Yale Law School). The original diagram appeared in a 2003 Harvard Business Review article titled “The Ethical Leader’s Decision Tree.”

The ideal decision-making path would follow the “Legal,” “Creates Value,” and “Ethical” branches, although in some cases another path might be justified. For example, business leaders might decide to take an action that benefits society even if it does not create economic value for shareholders.

Expanding the Harvard Model

The Harvard model provides a practical framework for making business decisions. However, expanding the economics perspective makes the model even more useful in business and other settings.

Candidates for this expansion include the seven core functions that are critical to business success: accounting, finance, legal, marketing, operations, human resources, and strategy. Of these functions, strategy is the most likely replacement for economics. Defined broadly, strategy involves establishing and achieving goals. In a business setting, strategy focuses on the goal of value creation for shareholders, which brings into play all functions and disciplines, including economics.

Strategy is also an attractive candidate because it is important in all organizations (including nonprofits that are not concerned with creating shareholder value) and in the political realm. On a personal level, the strategic ability to establish and achieve goals is also key to success. By replacing economics with strategy, the three dimensions of decision-making—the “three pillars” that are described in The Three Pillar Model for Business Decisions: Strategy, Law & Ethics—provide a framework that is appropriate for all forms of business, leadership, and personal decision-making.

In a business setting the key questions that decision makers should address are:

• Strategy Pillar: What is our value-creation goal and how do we intend to achieve it?
• Law Pillar: How can we manage the legal risks associated with our strategy?
• Ethics Pillar: Is our proposed strategic decision ethical?

The following diagram depicts the expanded version of the Harvard model in which economics is replaced by strategy:

The Gap between the Strategy Pillar and the Law Pillar

This revised model—with its sweet spot in the middle illustrating an overlap among the three pillars—might be more aspirational than descriptive. True, the overlap between the strategy pillar and the ethics pillar has increased in recent years, especially as more companies embrace corporate social responsibility. For example, the previously mentioned “Who Let the Lawyers Out” article notes that former Johnson & Johnson CEO Ralph Larson was asked whether he wanted the company “to maximize shareholder value or be a good corporate citizen.” He answered, “Yes.”

Law and ethics are even more intertwined than strategy and ethics. Legal doctrines such as fraud, unconscionability, good faith, and fiduciary duty provide solid guidelines for ethical conduct. Furthermore, company “codes of conduct” frequently blend law and ethics. Of course, when lawyers provide ethical leadership, their advice might extend beyond the law. In a talk at the Directors Roundtable, former Senior Vice President and General Counsel of General Electric Company Ben W. Heineman discussed the role of a lawyer-statesman:

It’s pretty simple. The first question is, “Is it legal?” And the last question [is], “Is it right?” Your job inside the corporation is to ask that “Is it right?” question insistently and to move way beyond legal issues to all the political, economic, and social impacts of what the corporation is doing. There are basically three roles for a lawyer: expert, counselor and leader. In basically asking that “Is it right?” question as a lawyer-statesman, you are acting in all three roles.

Although there is overlap between the other pillars, a gap often exists between the strategy pillar and the law pillar. For example, with the exception of a PESTLE analysis (that examines Political, Economic, Social, Technological, Legal, and Environmental factors), the multitude of strategy concepts and frameworks that have developed over the years generally overlook the importance of law. As a result, in reality the model looks more like this.

The gap between strategy and law results in large part from the key role business lawyers play in managing risk, a role that often bridles a business decision-maker’s enthusiasm for certain value-creation strategies. As the task force report explains, lawyers analyzing a proposed transaction must put themselves “in the shoes of someone attacking the plan.” Business lawyers often need what the ACC/Georgetown study calls “managerial courage” when providing the independent professional advice this risk-management role requires: “Managerial courage is about the willingness and ability to speak up and represent the organization and act in its best interest, even when it feels uncomfortable or may reflect poorly on colleagues.”

This risk-management role is increasingly important, given that surveys indicate that law has emerged as the most important category of business risk. For example, the 2015 Travelers Business Risk Index was developed from a survey of more than 1,200 business risk managers representing 10 industries. The survey questioned managers about their greatest risk concerns among several categories, including financial, operational, and legal risk. Only two categories—“Legal Liability” and “Medical Cost Inflation”—were included in the top ten risks for every industry. The top ten lists for nine of the 10 industries included another category of legal risk, “Complying with Laws.”

Closing the Gap between Strategy and Law

The gap between the strategy pillar and the law pillar is reminiscent of the “mind the gap” recording that warns travelers boarding London trains to be careful of the gap between the train and the platform. Although minding the gap—that is, understanding that the gap exists—is important, deciding what action to take after recognizing the gap is essential.

Companies that are successful in closing the gap have an opportunity to create competitive advantage over their rivals. Robert Bird, writing in the Connecticut Law Review (November 2011), notes that, when this happens, the competitive advantage can be sustainable. In other words, the sweet spot in decision-making that Harvard calls the zone of sustainability might more accurately be called the zone of sustainable competitive advantage.

Bird based his conclusion on a legal analysis using a resource-attribute framework that strategy professor Jay Barney developed. One takeaway from this analysis is that law’s complexity can create resources that, in Barney’s terminology, are imperfectly imitable by competitors. In other words, managers who are able to work with legal counsel to penetrate the veil of complexity that surrounds the law have an opportunity to create a sustainable competitive advantage.

Bird and coauthor David Orozco describe various pathways of corporate legal strategy in an article in the MIT Sloan Management Review (Fall 2014). They emphasize the need for “a fundamental change from managing risk to creating business opportunities” that requires business leaders to “regard the law as a key enabler of value creation.” The challenge for business leaders and their legal advisors in achieving this fundamental change is that the strategy pillar and the law pillar often operate as separate silos where key business questions are framed in terms of either shareholder value or risk management, either reward or risk.

At best, this parallel play is unfortunate as businesses miss opportunities to create value through synergies between strategy and law. At worst, the silo mentality is destructive when it creates a conflict between the strategy pillar and the law pillar—e.g., when a risk-averse approach results in an overly legalistic contract that hinders a business opportunity. In the previously-mentioned “Who Let the Lawyers Out” article, PepsiCo CEO Indra Nooyi commented on the combination of a perfect contract with a flawed business deal: “We cannot afford this separation of church and state.”

This silo mentality might result in what decision researchers call frame blindness. Mental frames often are useful because they enable us to simplify the complexity in our lives so that we can make rational decisions. However, simplification can come at a cost. When we view the world through a particular window (from the perspective of either the strategy pillar or the law pillar, for example), we see only part of the landscape. As noted in the 1990 book Decision Traps, narrowing the scope of our vision causes us to become susceptible to frame blindness—much like the blind spot on the side-view mirrors of a car. By failing to consider the big picture, we might miss the best options when making decisions.

For example, I assign an exercise in which graduate students and executives (including lawyers) play the role of a C-suite executive considering the advice of legal counsel in deciding whether to accept a settlement offer from the opposing side in a lawsuit. Almost everyone exhibits frame blindness by concentrating on the legal issues raised in the case. In so doing, they overlook fundamental financial and strategic concerns, such as the net present value of a victory in court, opportunity costs, and the possibility of creating a joint venture with the other side.

To close the gap between strategy and law, business leaders and legal counsel should attempt to reduce frame blindness by reframing the shareholder value orientation that characterizes the strategy pillar of decision making and the risk-management orientation that dominates the law pillar. A big-picture mindset can be useful in the reframing process. In his 1993 negotiation book, Getting Past No, William Ury uses the phrase “going to the balcony” as a metaphor to describe the mental detachment that often is necessary to create this mindset. From their balcony vantage point, business leaders and legal counsel have an opportunity to gain a broad perspective that allows them to see the entire playing field without the blind spots that hinder sound decision making when they operate within their separate silos.

When observing the playing field, they should take special note of the key stakeholders (in addition to shareholders) who impact business success. Which stakeholders have the greatest effect on a company’s economic value? A 2011 McKinsey survey that posed this question produced responses from 1,396 executives worldwide. Respondents were allowed to select multiple responses from a list of stakeholders. Three-quarters of the executives felt that customers had the greatest effect on economic value. The other main categories were government/regulators (53 percent), employees (49 percent), and investors (28 percent).

Just as the most successful negotiators have the ability to look at deals from the opposing side’s perspective, business leaders and legal counsel should take into account the interests of all stakeholders affected by their decisions, not just shareholder interests. What are these stakeholder interests? How can these interests be linked to company interests to create mutual gains that benefit all parties?

By addressing these questions, decision makers can move beyond the frame blindness of the strategy and law silos toward a joint stakeholder interest mindset. This new mindset can create an intersection between the strategy pillar and the law pillar that has the potential to create competitive advantage while also benefitting stakeholders, as illustrated by the examples below.

Moving beyond frame blindness is consistent with the Proactive Law Movement in Europe. Under the leadership of Helena Haapio, an international contract counsel for Lexpert, Ltd., this movement focuses on using the law not only to manage risk, but also to create value and strengthen relationships. The Proactive Law Movement emphasizes collaboration between lawyers and various business functions.

Michael Porter and Mark Kramer, in “Creating Shareholde Value” published in the Harvard Business Review in 2011, also advocate, in part, a management philosophy similar to a stakeholder interest mindset. They redefine the purpose of the corporation as “creating shared value, not just profit per se.” However, their shared-value philosophy focuses primarily on one stakeholder—society. In their words, the principle of shared value “involves creating economic value in a way that also creates value for society by addressing its needs and challenges.” A stakeholder interest mindset of the type advocated here, in contrast, searches for value-creating opportunities for all stakeholders identified in the McKinsey survey—customers, the government, employees, and investors.

Conclusion

To summarize, the three pillars provide a framework for making business decisions. The gap between the strategy pillar and the law pillar represents a major challenge in using this framework. By closing this gap, business decision makers can create a sweet spot at the intersection of the three pillars—a zone of sustainable competitive advantage.

Business leaders and legal counsel should ascend the balcony to reframe decisions relating to creating shareholder value (the strategy pillar) and managing risk (the law pillar). During the reframing process, they should identify and consider all stakeholder interests when developing opportunities for value creation.

The Three Pillar Model for Business Decisions: Strategy, Law & Ethics provides many practical illustrations of the benefits that arise from closing the gap between the strategy pillar and the law pillar. Here are some examples relating to specific stakeholders:

• Customers: Use product liability prevention processes as a source of new product development to meet customer needs.
• Employees: Use employment law to attract and retain the best business talent.
• Government: Use government regulation to develop new business models through disruptive innovation and a regulatory gap strategy.
• Investors: Use an intellectual property management plan to create shareholder value.
• A variety of stakeholders: Use lean contracting and contract visualization to develop contracts that are useful business tools and use dispute-resolution processes for value creation.

Closing the gap also enables lawyers to meet their ethical leadership responsibilities. Through the stakeholder-interest mindset, they can encourage management to make decisions that are aligned with the codex developed by Professor Paine and others—a list of eight, key ethical principles based on legal requirements and codes of conduct used by the world’s largest companies.

A legal director at Royal Dutch Shell told this story during a Law Society speech in London:

Two young fish swim along and happen to meet an older fish swimming the other way, who nods at them and says, “Morning, boys. How’s the water?” The two young fish swim on for a bit until, eventually, one of them looks over at the other and [says], “What the hell is water?” Like water, law is around us—everywhere. It affects everything a company does. But somehow you can’t see it, at least not on the surface.

Business leaders often do not understand how and why law, like the water that surrounds a fish, touches all company activities. By closing the gap between the strategy pillar and the law pillar, lawyers can show these leaders that, in addition to its traditional risk-management function, law is an important factor in the creation of value that will result in sustainable competitive advantage.

The Shareholder Agreement—Overlooked, Underestimated

It’s an exciting time for a client when a venture capital investor (VC) comes onto the scene. Company founders work hard to find financing. When big money and an attractive valuation are proposed, it’s hard for them not to get caught up in the moment. But financing always comes with strings attached. Clients need to be aware. Show me the money! (But give me a reasonable shareholder agreement too.)

“Investor Rights Agreement,” “Right of First Refusal and Co-Sale Agreement,” the simple “Side Letter” are all different varieties of shareholder agreements. Whatever the shape and size, a shareholder agreement can contain a broad variety of potential tricks and traps.

Term sheets for VC investments usually outline all of the major terms that will be contained in the investment documents, including the shareholder agreement. In a perfect world, where clients consult their attorneys before making big decisions (and listen to the offered advice, and send holiday candies…), lawyers get a copy of the term sheet in advance and have a chance to walk their clients through all of the provisions and implications. In the real world, clients often review the $X investment amount on line one, the $Y valuation amount on line two, and the signature block on page ten, and then send the executed copy to their lawyer. Condition your client in advance! When you catch the slightest whiff of a financing in the air, be relentless in making the point: no signature on the term sheet until we understand the shareholder agreement!

The ultimate purpose of a shareholder agreement is to provide a VC with rights above and beyond what it would have simply by virtue of its overall percentage ownership of the company. The main issues addressed in a shareholder agreement are: (1) ownership (restrictions on share transfers); (2) conduct of business (board composition and consent rights); and (3) exit (drag-along rights).

Steering Clear of “That Guy”

VCs want to know who they are getting in bed with (who wouldn’t!) and be sure that company ownership cannot substantially change without their consent. Founders and other key shareholders almost always have to accept some restrictions on transfer. The questions are, how tight are the restrictions and to whom do they apply?

Carve-outs permitting transfers to trusts and estate-planning vehicles are common and, if important to a founder, should be demanded. Who should be restricted is complicated, and sometimes contentious. Restrictions can take the form of outright prohibitions on transfer, right of first offer/right of first refusal provisions that permit transfers, but only after the VCs or other shareholders are first given the right to buy the shares, or both. There is an inherent tension between, on the one hand, founders and the company (who collectively want tight control in anticipation of a financing) and, on the other hand, common shareholders who are not founders, but may hold some substantial portion of shares (who often feel like they should not be subject to transfer restrictions). Not anticipating these dynamics in advance of a financing can result in giving inadvertent leverage to individual shareholders at the very moment when having a united front is most important. Internal shareholder relations are in the same category as corporate housekeeping matters and general skeletons in the closet—things that need to be tidied up and addressed proactively in advance, not ignored until VCs start asking their inevitable due diligence questions.

Hey Man, We’re Trying to Run a Business Here!

VCs always require some level of control over the company, even when they hold less than a majority of shares. Control comes in the form of the right to appoint board members and the right to veto certain specified actions. The balance to be struck in the shareholder agreement is for the VC to have enough control to protect its investment while not stifling the company’s agility in an ever-changing business environment. When founders and VCs see eye-to-eye (typically at the moment of funding), everything is great. But when visions start to diverge (usually when business is not growing as planned) the specific wording in the dusty, long-forgotten shareholder agreement becomes front and center. Founders should negotiate these provisions with the worst case scenario in mind, and be confident that they could effectively run the business if the VC exercised every veto right possible, and the VC director opposed every suggested initiative.

Running for the Exits

Drag-along rights allow a VC to force other shareholders to sell their stock when the VC finds a buyer. The critical component of a drag-along right is the threshold price above which a shareholder must sell. While the interests of shareholders of all classes are usually aligned when the sale price is high, interests start to diverge when the sale price is lower (when it becomes more likely that, after paying the preference on the VC’s preferred shares, little or nothing will be left over for the common shareholders). Here again, founders need to assume a gloomy scenario when agreeing to terms. Nobody reads a shareholder agreement during a blockbuster sale. But they revisit every page when the deal is not so good.

Pay Attention; Read the Shareholder Agreement

There is more to a VC investment than money and valuation! Shareholder agreements give VCs extensive rights, far beyond the economics reflected in a company’s charter. Lawyers should, in their usual buzzkill lawyerly way, force their clients to slow down and think about how restrictive shareholder agreement covenants will feel during the lean times, even when the lush times (the funding wire transfer!) are close at hand. Reading the fine print, and understanding the nuances and dynamics, is critical. Recite these mantras until your clients know them cold: don’t sign a term sheet without counsel; read the shareholder agreement slowly; read it to the end; read it again. Negotiate a solid shareholder agreement on behalf of your client. If everything goes well, you’ll never read it again. And if not, you’ll be glad you did.

Introduction

“The loss of industrial information and intellectual property through cyber espionage constitutes the ‘greatest transfer of wealth in history,’” said Gen. Keith Alexander—at the time, the nation’s top cyber warrior.

In recent years, the problem of countries, companies, and individuals misappropriating the trade secrets of U.S. companies has only become bigger, more insidious, and more expensive to address, and lawyers and business executives have no choice but to deal with this increasingly complex problem. According to the U.S. Department of Commerce, intellectual property (IP) accounted for $5.06 trillion in value added, or 34.8 percent of U.S. GDP in 2010. IP alone accounts for over 40 million U.S. jobs and over 60 percent of all U.S. exports. U.S. companies have a lot to lose.

Economic espionage (sometimes called industrial espionage) is a major drain on competitive advantage, unique IP, and market share. Not only are U.S. companies directly hurt by the theft of their IP, but they may end up competing against their own technology advanced by the IP thief. Susan Brewer & Anthony Crescenzi, State-Sponsored Crime: The Futility of the Economic Espionage Act, Hous. J. of Int’l L. (Summer 2016). For example, “American oil and gas firms are frequently targeted and subject to theft of trade secret, business plans, exploration bids and geological data.” Blake Clayton & Adam Segal, Addressing Cyber Threats to Oil and Gas Suppliers, Council on Foreign Relations (June 2013).

Economic espionage is not new. What is new is the way IP is stolen. Cyber attacks are the most used method that other nations, companies, and criminals employ to root out and steal your IP and other valuable or sensitive information. It is our increased dependency on IT systems and networks that creates vulnerabilities, even though there are such obvious benefits and uses to them.

In May 2013, the Commission on the Theft of American Intellectual Property released a report that concluded that the scale of international theft of American intellectual property is . . . roughly $300 billion per year and 2.1 million additional jobs now in our economy. While China is not the only actor targeting U.S. IP and technology, it is the only nation that considers acquiring foreign science and technology a national growth strategy.

U.S. Congressional Committee on Energy and Commerce Hearing, Cyber Espionage and the Theft of U.S. Intellectual Property and Technology (July 3, 2013). So, depending on how you calculate the impact of economic espionage to U.S. businesses, it can mean a loss of roughly a billion dollars a day or more.

Did the September Agreement between China and the United States Address the Problem?

By some accounts, U.S. cyber espionage concerns subsided on September 25, 2015, when China unexpectedly agreed with the United States (and, later, other countries) to refrain from cyber economic espionage. It remains to be seen whether China ceases its governmental involvement in cyber economic espionage, although there is good reason to be skeptical. The “understanding” did not cover other forms of economic espionage, only the cyber variety. According to Reuters:

There were clear limits to Friday’s deal. A White House statement said the two leaders agreed that neither government would knowingly support cyber theft of corporate secrets or business information. But the agreement stopped short of any promise to refrain from traditional government-to-government cyber spying for intelligence purposes. That could include the massive hack of the federal government’s personnel office this year that compromised the data of more than 20 million people. U.S. officials have traced that back to China, but have not said whether they believe the government was responsible.

Given the increasing complexity of the way cyber attacks are carried out and the challenges of attribution or “pinning” an information heist on one person or organization, perhaps the Chinese merely were placating the United States. In other words, the Chinese can say they will cease cyber economic espionage because verification of the true identity of the thief is nearly impossible. Thus, it is difficult to know exactly whether anything really has changed.

Furthermore, as reported by the FBI in April of 2016, the “FBI’s number of investigations into possible economic espionage on U.S. businesses has increased by 53% within the past year.” Although the list of Justice Department cases do not differentiate between cyber and in-person theft, the list of active criminal cases involving trade secret theft is sizable.

Going Public May Be the Law, but It Does Not Look Good

Sizing up the problem is further compounded by the fact that, although reporting requirements mandate the disclosure of events that have a material impact to a publicly traded company, there are strong disincentives to disclose a successful IP theft. Not only does such a theft raise questions about management not doing its job or IT leadership failing to keep the bad guys out, but it also tells other bad guys that your company has inadequate security and could invite further cyber attacks.

On December 18, 2015, the Cyber Information Sharing Act became law. The law was designed to create a voluntary cybersecurity information sharing process to encourage public and private entities to share cyber threat information while protecting classified information, intelligence sources, privacy, and more.

It remains to be seen whether the law will address the reluctance of companies to come forward.

The Law Cannot Really Solve the Problem

In-house lawyers play several roles that can help mitigate the effect of economic espionage on their individual company. From negotiating better security software agreements, to legally protecting IT, to aggressively going after IP thieves, lawyers increasingly play an important role. For the most part, however, lawmakers have been hamstrung in finding an effective legal solution to the theft of company trade secrets.

In this regard, it is important to differentiate between cyber economic espionage and in-person theft. In the case of cyber economic espionage, the “theft” is almost always done remotely and outside the United States by operators that go to great lengths to obfuscate their identity and whereabouts.

The issue is so great that new laws are needed to stem the flow of U.S. ingenuity. For example, the Cyber Economic Espionage Accountability Act was proposed to take aim at foreigners present in the United States and stealing IP.

Although the Economic Espionage Act of 1996 (EEA), 18 U.S.C. § 1832, is the major criminal law on which perpetrators of economic espionage are prosecuted, it may be ripe for reworking. David P. Fidler, Economic Cyber Espionage and International Law: Controversies Involving Government Acquisition of Trade Secrets Through Cyber Technologies, 17 ASIL Insights 10 (Mar. 20, 2013). In U.S. v. Hanjuan Jin, the defendant was convicted of trade-secret theft, but was acquitted of charges under the EEA because there was insufficient evidence of the China connection.

Economic Espionage Act

The Economic Espionage Act details the legal framework for theft of trade secrets:

(a) Whoever, with intent to convert a trade secret, that is related to a product or service used in or intended for use in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will, injure any owner of that trade secret, knowingly—

(1) steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains such information;
(2) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys such information;
(3) receives, buys, or possesses such information, knowing the same to have been stolen or appropriated, obtained, or converted without authorization;
(4) attempts to commit any offense described in paragraphs (1) through (3); or
(5) conspires with one or more other persons to commit any offense described in paragraphs (1) through (3), and one or more of such persons do any act to effect the object of the conspiracy, shall, except as provided in subsection (b), be fined under this title or imprisoned not more than 10 years, or both.

(b) Any organization that commits any offense described in subsection (a) shall be fined not more than the greater of $5,000,000 or 3 times the value of the stolen trade secret to the organization, including expenses for research and design and other costs of reproducing the trade secret that the organization has thereby avoided.

There have been several convictions under the EEA, but the true effectiveness of the law as a deterrent is questionable. The EEA has already been amended to increase penalties from a conviction, but still it seems like a drop in the bucket given the volume of IP theft. The EEA may be more effective if amended to allow for a private right of action, letting companies sue for the harm caused from theft of their IP.

On the international stage, agreements, treaties, and organizations exist but may be of limited usefulness in addressing IP theft. For some countries, economic espionage is no different than regular espionage and is considered “fair game.” With few laws to convict the criminals and many practical limitations, understanding how trade-secret crimes are perpetrated today may make more sense to preempt or mitigate harm or to protect your company’s information crown jewels before the theft has transpired than expecting real economic redress through any legal channels.

10 Shocking Ways They Are Stealing Your IP and Corporate Mojo

The world of economic espionage has become rather sophisticated, and in-person theft is very different than cyber theft. When your corporate value may be in jeopardy, it is prudent to assess the risk and attempt to mitigate the issues that create the greatest risk. For example, if your organization needs engineers and hires from abroad, conducting deep background checks, and even hiring judiciously from countries that pose the greatest risk, are prudent courses of action.

If the cyber assault on your IT infrastructure suggests that the bad actors are state entities trying to exploit a weak perimeter, different fixes are needed. In that regard, IT security, although good, will never keep out all the bad actors all of the time. No matter how much money and effort you exert to solve the problem, if they want it badly enough, the cyber thieves will find a way.

What follows are the things that your company is doing wrong and the frankly shocking and brazen nature of how your people and systems are assaulted

1. The Internet of Things (IoT) Is Awesome and Scary

The IoT involves smart devices (i.e., devices embedded with software and sensors such as copiers, medical devices, refrigerators, sports monitors, TVs, cars, music devices, etc.) that are connected to the Internet and collect and transmit information, sometimes without your knowledge. They continue to make everything interconnected and accessible, but often have limited security, making your information even more vulnerable to cyber attacks, and making it harder to calculate risk.

The prediction is an explosion of IoT and smarter and more connected devices over the next decade, which does not bode well for stemming the tide of theft of trade secrets. In other words, the IoT may be a way your trade secrets are exposed, exploited, and exfiltrated.

2. Economic Espionage as a Service

You can buy almost anything on the “dark web” that you cannot buy on the mainstream web, such as stolen credit-card numbers, stolen IP, and even IP thieves themselves. “Economic espionage attacks can be aided by espionage-as-a-service offerings that are readily available in cybercriminal underground forums and markets and the Deep Web. Attackers can easily buy the tools they need to spy on and exfiltrate highly confidential corporate data or “company crown jewels” from rivals. They can even hire hackers to do the actual spying for them,” according to Trend Micro.

In addition to state actors, IP theft is now increasingly perpetrated by sophisticated cyber mercenaries. Lawyers can help address the new threats by ensuring that heightened security functionality is part of new technology purchases when negotiating contracts on behalf of their company, mandating that company information is stored only in hyper-secure, compliance-driven Clouds, and that policy dictates that information is encrypted when “inflight” or “at rest.”

3. Beware of the Never-Ending Assault of Malware

Malware is malicious software that seeks to get in and grab data, spy, lie in wait to do something nefarious in the future, disrupt IT, and more. Although there are sophisticated attacks on IT security systems, many cyber attacks are successful because they bombard organizations with thousands, or even millions, of cyber assaults just to find a way into company computers. There are endless examples of hacks on U.S. companies that have caused major harm. Persistence combined with greater sophistication means cyber attacks will continue seemingly unabated.

What lawyers can do is help IT professionals combat persistence with compliance. Compliance methodology must be applied to IT and information-security policies and practices. Compliance methodology tends to institutional vigilance and “good” corporate behavior, which helps employees get it right and helps insulate the company if all else fails, as the built-in rigor manifests reasonableness. In other words, the company cares and tries, and institutionalized caring matters to shareholders, markets, the court of public opinion, courts, regulators, and the bottom line. Randolph Kahn, Information Nation: Seven Keys to Information Management Compliance Second Edition (Wiley Press, 2009).

4. Grabbing Treasure Troves Undetected Has Become Easier

More and more data fits in smaller storage devices, which makes stealing more and more valuable data that much easier. Further, sending the information outside the firewall via e-mail and the IoT has been effective as well. The CIA and NSA hacks are just recent examples. Organizations are not “risk profiling” their information so that they can apply the necessary protections. The fact is that not all information is equal in value, and organizations are woefully negligent at managing to that reality. The problem is that, as information volumes increase (and they are already massive for most big companies), being vigilant about everything is impractical.

Most companies have policies that require encryption of company trade-secret information and protection of any confidential information sent outside the protected firewall. Too often, however, information travels freely without any protection or encryption outside the company. In other words, policies are not followed, which leads to exposed IP.

However, the place to start to address the issue is knowing which information deserves protection. Large companies usually have information-security classification regimes that are underutilized or improperly utilized by employees, and technology that can apply the rules “automatically” too often is not harnessed either. To protect information and IP, it must be classified as a trade secret. In any event, the law requires that reasonable steps be taken to protect IP if you want to be able to assert your legal rights, and that begins with classification as well.

Lawyers can help reinvigorate classification regimes, simplify and redraft existing classification policies, and insist on the use of encryption technology. Once again, compliance methodology can help institutionalize vigilance.

5. Demanding Code and Information and Exploiting Legally Mandated “Backdoors”

One way some countries are gaining access to U.S. IP is by requiring the transfer of your company’s information (i.e., trade secrets), including computer code, to be allowed to do business in their country. Indeed, some countries even legislate the result, according to the World Economic Forum, which stated that “China, for instance, has joined Russia in tightening the requirements placed on foreign companies to store information within national borders.”

Another way IP is extracted is by providing access to IP and computer code through “backdoors” to encryption technology. In other words, the locked door protecting your trade secrets is now unlocked. From the hearing before the U.S.-China Economic and Security Review Commission: “Recently the government in Beijing has proposed a series of regulatory provisions that would require U.S. tech companies and their foreign customers, especially financial institutions and banks, to turn over source code and encryption software, effectively creating backdoor entry points into otherwise secure networks, all being done, of course, under the guise of cybersecurity.”

Before sharing a company’s secret sauce, its lawyers must advise their clients on how to proceed, if at all, with maximum protections in place.

6. Cyber Thieves Are Successfully Exploiting Laziness and the Lack of Understanding

The Office of Personnel Management (OPM) hack and so many others were successful because proper authentication to gain access is not effectuated. Many cyber hackers are successful because IT security is unimpressive at best. That is the reality, in part because there is a misunderstanding of how to keep cyber hackers away from your data, as well as a lack of vigilance in doing it. One easy solution to secure important information is to use better authentication techniques.

Two-factor authentication is the very least your company should be using. Passwords alone are not sufficient, as real hackers have technology that will crack your password in no time. Good passwords today are about concepts or ideas, not words. So instead of using “Fluffy123,” the better password is “MyLastDogAte5Shoes.” Still, that is only the first layer and not enough by itself. Every archive containing company “trade secrets” needs at least two-factor authentication, and there is confusion about what two- and three-factor authentication is, so the following is provided to clear it up:

• one-factor authentication is a unique something the employee knows, such as a strong password;
• two-factor authentication is the first factor plus something the employee possesses, such as a company ID card and security code, a security fob that generates a unique code, etc.;
• three-factor authentication adds to the above something the employee is, such as a voice scan, fingerprint, eye scan, etc.

Lawyers must revisit these information-security company policies and gather audit and compliance groups to focus greater scrutiny on how databases and repositories are managed. It may have prevented 20 million Americans from having their personal information stolen.

7. New Techniques and Never-Ending Attacks of Spear Phishing, Ransomware, and Zero-Day Malware Will Catch Someone Off-Guard

Cyber thieves are using more sophisticated ways to breach company security, including spear- phishing, ransomware, and zero-day malware attacks. Unlike phishing, which uses an e-mail and a malicious code attached from an organization with which you were not expecting to communicate, spear phishing is a communication from a trusted individual or organization and one with whom you are likely to engage. This far more targeted and sophisticated approach scams even technically sophisticated people. According to Trend Micro:

Using the intel gathered during reconnaissance, the attackers typically send contextually relevant malware-laden spear-phishing emails to the chosen high-ranking corporate official. This helps ensure they get the credentials with the highest level of access required to infiltrate systems where company crown jewels are stored. Network command and control (C&C) is then established aided by backdoors, remote access Trojans (RATs), or other malware. Attackers then move laterally across the network to seek out top-secret data. The data is then exfiltrated to a site that only the attackers have access to for selling to the highest bidders or delivery to the individual or company that hired them.

Ransomware is even more malicious. It is a special type of malware that secretly installs on a computer and then either holds data hostage, or is a sophisticated leakware that threatens to publish the data. It works by locking the system or even encrypting the files until a ransom is paid.

Finally, unlike in years past, organized entities are now seeking to harvest information or company trade secrets using zero-day malware that got its name because it is so new that no commercial anti-virus software exists yet to eradicate the harm.

8. Exploiting the Slow-Reacting Security Team

The hack of OPM, which has been linked to China, is a perfect example of breaching security and trolling for information. In that case, the bad guys made off with the most extensive collection of personal information about U.S. government employees, past and present, ever.

Shockingly, the OPM IT security team had watched and monitored the bad guys moving throughout their IT systems for months before the information was extracted. Had the IT staff reacted in a timely manner, they likely would have been able to protect the trove of information that ultimately was stolen.

Assuming the bad guys will get in from time to time, it is worthwhile walling off data and setting up “honey pots” in your archives. Honey pots are information troves marked “M&A targets,” “products specs,” or other valuable targets to attract the criminals to a specific location. That misinformation sends the bad guys in the wrong direction.

Lawyers can help customize the honey pots to deal with the various possible assaults on select pools of data depending upon the target country of the thieves, given that certain countries are after money and pricing information, while others are after M&A targets and product designs.

9. Exploiting Your Relationships and Joint Ventures

During negotiations between Westinghouse Electric and a Chinese state-owned nuclear power company, the companies began to cooperate more closely, and the Chinese partner “stole from Westinghouse’s computers, among other things, proprietary and confidential technical and design specifications for pipes, pipe supports, and pipe routing within the nuclear power plants that Westinghouse was contracted to build, as well as internal Westinghouse communications concerning the company’s strategy for doing business,” according to the Wang Dong Indictment.

For all relationships with partners doing business outside the United States, local lawyers will be essential to guide the transaction. Equally as important is limiting access to trade secrets and IP not part of the transactions. That may mean limiting access to facilities and systems where such information is housed, and having strict rules ironed out about who gets access to what information. If cloud-based collaboration tools are used to work on the partnership, more strict rules about what can and cannot be stored and shared in such environments is essential.

Make sure that your IP stays in the United States if possible. If you must bring your IP, make sure there are agreements in place for every eventuality, understanding that such measures still may not be enough protection. Perhaps more importantly is the need to control access to your information and to limit the number of people that have access.

There have been many cases where a “partner” is manufacturing in China and uses the U.S. company’s molds or designs. If there is no agreement governing the molds or designs, and what happens when the relationship ends, then it is quite possible that the Chinese partner will retain the molds or designs and use the same for their own benefit. Even if you have an agreement governing what happens when the relationship is over, they may still steal your molds and designs to work against you.

10. They Are Getting Information from Your Workforce or Your Recruiter

IP is being stolen by competitors or foreign entities hiring operatives who may work at your business for years or even decades. Monitoring and auditing information transmissions and extreme vetting must be utilized to mitigate this risk.

Even more troubling is the recent revelation that the Chinese have begun U.S.-based recruitment and headhunting firms that appear perfectly legitimate, but really are placing “operatives” at U.S. businesses that have IP deemed strategically important to China. Further, according to the FBI, job advertisements are posted online by those intent on stealing IP to attract employees.

Conclusion

Economic espionage from abroad is a significant and growing concern. Cyber attacks are becoming more challenging to combat and, in conjunction with traditional physical stealing of trade secrets, poses a large existential threat to American businesses, the economy, and security.

In the United States, officials are pursuing an enhanced and comprehensive strategy to attempt to counter economic espionage and IP theft in general. Many agencies, including law enforcement, are focused on the problem, and it is a top priority for the FBI. In the end, however, self-help likely is U.S. companies most prudent avenue. In that regard, lawyers play a unique and important role: negotiator, risk manager, creative drafter, and hopefully not litigator. At about a billion dollars a day of U.S. IP theft, however, U.S. companies have much to lose, and they are continuing to lose.

Predispute consumer arbitration has sparked energetic debate and sharp divides over the utility of the class action versus the utility of individual arbitration. Thus far, the U.S. Supreme Court’s jurisprudence has given a “thumbs up” approach to predispute consumer arbitration waivers, which almost always include a class waiver agreement. In AT&T Mobility LLC v. Concepcion, 563 U. S. 333, 347–48 (2011), the Supreme Court implicitly approved predispute class-action waivers, when it held that the Federal Arbitration Act (FAA) preempted California state law, which tended to hold such agreements unconscionable in consumer cases. Then in American Express Company v. Italian Colors Restaurant, 133 S. Ct. 2304, 2309 (2013), the Court rejected the argument that aggregate, or class litigation, is necessary to preserve the opportunity to vindicate low-value, statutory claims. Congress showed little interest in amending the FAA, even for consumer cases. It seemed that consumer arbitration was the “wild west” of the law, in that it was largely unregulated and could direct claims to the black hole of private dispute resolution.

The CFPB Proposes an Arbitration Prohibition

But then entered the Consumer Financial Protection Bureau (CFPB). In May 2016, the CFPB issued a proposed rule prohibiting predispute arbitration agreements in providing consumer financial services products. This rule would prohibit mandatory predispute arbitration agreements in consumer agreements for items such as checking or savings accounts, credit cards, student loans, payday loans, automobile leases, debt management services, some payment processing services, other types of consumer loans, prepaid cards, and consumer debt collection. The rule would also prohibit predispute arbitration agreements in connection with providing a consumer report or credit score to a consumer or referring applicants to creditors to whom requests for credit may be made.

Ironically, the CFPB chose to exclude the federal government, its affiliates, and state governments when providing consumer financial products or services, permitting the government to enter into private arbitration class waivers, whereas private industry cannot. The rule includes other exclusions, such as for brokers under the Securities and Exchange Commission (SEC).

The proposed rule prohibits covered providers from “rely[ing] in any way on a predispute arbitration agreement” in connection with “any aspect of a class action that is related to any of the consumer financial services or products” covered by the rule after the final rule’s effective date. The prohibition does not apply if the presiding court has ruled that the case may not proceed as a class action and the time for interlocutory appellate review has passed.

For consumer arbitration agreements entered into after the effective date, the proposed rule requires the following arbitration agreement language: “We agree that neither we nor anyone else will use this agreement to stop you from being part of a class action case in court. You may file a class action in court or you may be a member of a class action even if you do not file it.”

The effective compliance date will be 211 days after publication of the final rule in the Federal Register. The Dodd-Frank Act requires that any proposed rule apply only to agreements entered into 180 days after the rule’s effective date, which is proposed as 30 days.

The proposed rule also provides for certain reporting requirements of arbitration results to the CFPB for any consumer arbitration that does occur, presumably when the consumer elects to choose arbitration over class actions. The provider must report the initial claim and counterclaim, the arbitration agreement, the judgment or award, if any, and any communication received from an arbitrator or arbitral service regarding a provider’s failure to pay required fees or a finding that the arbitration agreement is out of compliance with the arbitral service’s fairness principles or due process rules.

In support of the rule, CFPB Director Cordray touted the benefits of the class action for consumers, claiming that consumer financial services “group lawsuits delivered, on average, about $220 million in payments to 6.8 million consumers per year.” But the CFPB’s decision to require class resolution as superior dispute resolution vehicle to individual arbitration is not necessarily supported by the findings of the CFPB’s empirical arbitration study. Why are the study results so important? The Dodd-Frank Act delegates rule-making authority on arbitration in consumer financial products and services to the CFPB, but any rules promulgated “must be consistent with the [arbitration] study.” 12 U.S.C. § 5518(b) (emphasis added).

The CFPB Ban on Class Arbitration Waivers—What’s Happening Now

As noted above, the CFPB published the proposed rule banning the use of class arbitration waivers in May 2016. The notice-and-comment period ended August 22, 2016. The CFPB was flooded with nearly 13,000 comments on the proposed rule, both in favor of the rule and against it. A number of consumer financial services representatives stated that the CFPB’s rule will effectively end the viability of consumer arbitration. Put simply, without the “carrot” of a class arbitration waiver, a company has no incentive to offer, much less to cover the costs of, individual consumer arbitration.

Prior to the presidential election, most folks thought the CFPB would publish the proposed rule rather quickly. Even after the election, many predicted that the CFPB would publish the final rule banning class waivers in consumer arbitration agreements before President Trump’s inauguration. As of the date of this article, the CFPB’s fall 2016 regulatory agenda identifies February 2017 as the target date for publication of the final arbitration rule. But surprisingly, the CFPB has not published a final rule yet.

There are a number of reasons the CFPB may delay publishing the final rule. First, one might expect any rule so blatantly antibusiness to draw the attention of President Trump, which could cause a flutter of tweets or other social media ire.

Second, the CFPB’s previously impervious structure is now in question. In October 2016, the U.S. Court of Appeals for the District of Columbia in PHH Corp. v. Consumer Financial Protection Bureau, 839 F.3d 1, 8–9 (D.C. Cir. Oct. 11, 2016), declared the directorship of the CFPB, set up to be unaccountable to the executive, unconstitutional. The D.C. Circuit analyzed the enormous power this single–director structure gave the CFPB:

The CFPB’s concentration of enormous executive power in a single, unaccountable, unchecked Director not only departs from settled historical practice, but also poses a far greater risk of arbitrary decision-making and abuse of power, and a far greater threat to individual liberty, than does a multi-member independent agency.

. . . 

This new agency, the CFPB, lacks that critical check and structural constitutional protection, yet wields vast power over the U.S. economy. So “this wolf comes as a wolf.”

Id. at *4 (quoting Morrison v. Olson, 487 U.S. 654, 699 (1988) (Scalia, J. dissenting)). The D.C. Circuit chose to remedy the CFPB’s structural flaw not by shutting down the CFPB, but by electing the narrower remedy of severing the “for-cause” director removal provision, making the CFPB director removable at the will of the president. The ramifications of this decision certainly affect the CFPB’s unwieldy power, but the extent of that weakening remains to be seen.

The D.C. Circuit granted the CFPB’s petition for rehearing en banc and vacated the panel’s opinion on February 16, 2017. The en banc court hearing will be held on May 24, 2017. This opinion will likely have a large effect on the scope of the CFPB, and current Director Cordray’s authority under this new administration. Even if the CFPB goes forward with the final rule, it is likely that it will face a slew of litigation from industry advocates who support consumer arbitration, which may deteriorate the effectiveness of the rule.

In the interim, to the extent the CFPB is reconsidering the effectiveness of this watershed anti-arbitration rule, it could revise the rule to still permit consumer arbitration to develop, but under a regulatory regime that is more pro-consumer. The CFPB arbitration study shows some defects in consumer arbitration in its current form, but it also highlights some major deficits in consumer class actions.

The CFPB Arbitration Study: What is Working In Consumer Arbitration, What is Not

In 2015, the CFPB finished its multiyear study of consumer financial arbitration before the American Arbitration Association (AAA) and of class actions based on consumer financial services. Although the CFPB states that the study shows “that class actions provide a more effective means for consumers to challenge problematic practices” by financial services companies, the results are not quite so conclusive. The Arbitration Report showed:

• Over the three-year period of 2010–2012, consumers filed an average of 411 claims for arbitration in consumer financial services products. This is abysmally low.
• Of the 1,060 arbitration filings studied, about 60 percent settled or ended in a manner consistent with settlement. Only 32 percent were resolved on the merits. This settlement figure suggests that some sort of resolution is being achieved prior to a merits decision in consumer arbitration.
• Consumers had access to attorneys. Counsel represented consumers in nearly 60 percent of the cases. Companies, of course, nearly always had counsel.
• It appears that attorneys with arbitration experience are representing these consumers. Repeat player attorneys represented consumers in 50 percent of filings across all consumer financial services product markets. Forty-five percent of those filings were by “heavy” consumer repeat players, meaning the attorney appeared in four of more arbitration disputes in the three-year study period. For student loan disputes, heavy repeat player law firms represented 93 percent of consumers.
• Dispute resolution is not a primary concern for consumer choice. When asked about factors that are important in selecting a credit card, no consumer raised dispute resolution. When asked, in a telephone survey, what one would do if a credit card company charged an improper fee, most respondents commonsensically answered he or she would cancel the credit card. Less than 2 percent mentioned seeking legal advice or suing, but 10 percent said they would refer the issue to a governmental agency.

What does this information tell us about consumer arbitration? Well, first it tells us that consumers are not pursuing consumer arbitration at all, which is troubling. Are consumers scared of arbitration? Unwary of the procedure? Cynical of recovery? Or are the arbitration fees still too high to make it worth pursuing? The AAA currently caps a consumer’s fees in consumer arbitration at $200. The business portion of a consumer arbitration, regardless of who initiates it, is $1,700, plus an additional $750 arbitrator compensation fee. Some businesses agree to fully pay the costs of consumer arbitration in the arbitration agreement, and some “consumer-friendly” agreements even offer to pay a premium and/or attorneys’ fees if the consumer receives an arbitral award that is greater than the business’s last settlement offer. The Arbitration Study did not report on how often an arbitrator awards such “incentivizing premiums,” but one would think their very presence encourages settlements.

The Arbitration Study also tells us that for the few consumer cases being pursued, consumers have access to attorney representation. The attorneys who tend to represent consumers in this dispute have developed a cottage niche, no doubt because they are familiar with the AAA Consumer Arbitration Rules and procedure. Finally, the settlement figures tell us that something useful is occurring in consumer arbitration. In some way, perhaps due to the business-side costs of consumer arbitration or incentivizing premiums, parties are likely reaching a settlement resolution prior to a merits decision.

The study also reported “win” rates for affirmative consumer claims and for business claims. Remember that only 32 percent of the cases filed resulted in an arbitrator decision on the merits, thus the sample size is very low. For claims brought by consumers that resulted in a decision on the merits, consumers “won” some kind of relief in about 20 percent of the cases (32/158). Businesses “won” relief in over 90 percent of the business-brought cases (227/244) that went to a merits decision, although some of the decisions were similar to a default judgment.

But one cannot make an assessment of arbitration by simply comparing consumer win rates to business win rates. As stated above, the sample size of merits decision was very small. More importantly, the study shows that most arbitration disputes resolved in a manner consistent with settlement. Additionally, differing incentives to assert claims can explain some of the difference in outcomes. If a business funds all or most of the dispute resolution process, consumers are incentivized to bring claims of questionable merit. Yet for the business which must pay all or most of the upfront costs ($1,700 per consumer claim under AAA rules), the incentive is to not bring (1) low value claims or (2) claims of questionable merit. Any comparative “win” rate of consumers to businesses would need to be compared to how consumers fare in litigation, not just how consumers fare compared to businesses, a point the Arbitration Study made.

The CFPB Arbitration Study: What It Tells Us About Individual Consumer Recovery in Class Actions

The CFPB Consumer Arbitration Study also examined class action recovery in consumer financial class actions. Although the CFPB concluded, in proposing its arbitration class-waiver ban, that consumers are better off preserving the class action than waiving it, the study results do not support this conclusion. For example, the CFPB Arbitration Study found that approximately 60 percent of the consumer financial products class actions filed ended in a non-class settlement or potential non-class settlement (i.e., withdrawal or dismissal by the plaintiff). Only 12 percent (69 cases) reached an approved class-action settlement. This means that only a very small portion of class actions filed resulted in any damages to the class-member consumer. Yet those class actions filed do result in a societal drain on judicial resources and corporate class action defense costs (which we would assume are passed on in one form or other to the consumer). Attorneys’ fees awarded to counsel in class action settlements during the relevant time frame were $424 million, which is estimated at about 24 percent of total class payments and 16 percent of gross relief (proposed cash relief and in kind relief).

Second, the average claims rate (claims made as a percentage of eligible class members) was low, 21 percent, with an 8 percent median. Thus, even when consumers obtain a settlement through the class device, they usually do not take the administrative steps to obtain the payout. Finally, the CFPB study did not attempt to provide data on the average class member recovery for those 69 cases that reached class settlement or the difficulty of obtaining settlement proceeds. But even taking Directory Cordray’s slogan of an average of “about $220 million in payments to 6.8 million consumers per year in consumer financial services cases,” one could estimate this results in about $32.35 in recovery to the individual per year, that is, if he or she takes the time to read and fill out the cumbersome forms required for claims-made recovery. These statistics cause one to at least question the effectiveness of the class action for providing individual relief to the class members.

The CFPB Could Take a More Moderate Approach to Facilitate Transparent and Free Consumer Arbitration

What should we make of the data provided above? First, it is premature to conclude that the class action is a more effective dispute resolution platform than individual arbitration. When only 12 percent of cases filed results in any class settlement, it suggests that there is a significant waste in the system. Second, we know arbitration is chilling consumer activity. The CFPB could confront this by providing more consumer education on arbitration and requiring more transparency. The CFPB could implement data-reporting requirements (similar, but more extensive than, those in the proposed rule for essentially post-dispute arbitration) that require reporting of the types of claims made, demand amounts, counterclaims and amounts, case resolutions, product types, and information about consumer representation.

The CFPB should require any consumer arbitration to be fully business-funded at no cost to the consumer. When a business faces transaction costs of nearly $2,000 per arbitration filed, repeat consumer filings will attract its attention. In addition, the CFPB could consider requiring that any consumer arbitration which results in a favorable consumer award on the merits should be awarded treble damages and attorneys’ fees. This provision would include a sort of “built in” incentivizing provision. The goal of this provision is to encourage organically what we already see occurring, increased settlement of consumer disputes. Still further, the CFPB should require that any consumer arbitration award must result in a written statement of decision, which permits other consumers to know how the arbitrator applied the law to the facts of that case. This will facilitate consumer knowledge of potential corporate overreach (and encourage more recovery), and will also help aid the consumer in arbitrator selection. The CFPB has a number of measures it could take to regulate consumer arbitration to the benefit of the consumer, short of removing a potentially viable dispute resolution platform that could benefit the individual consumer.

Conclusion

The CFPB’s proposed anti-arbitration rule will have a wide effect on consumer financial services, and even potentially on other consumer arbitration agreements. But the CFPB’s arbitration class-waiver ban is essentially an election of the class action to the expense of individual arbitration. This policy choice is premature and is not yet supported by the data. The abysmally low number of consumer arbitration filings is too low to make generic assessments regarding the efficacy of consumer arbitration. But it tells us consumers need to know more and have confidence to pursue their own low-value claims, or be aware that attorney assistance may be available. Even still, the image the Arbitration Study paints of class actions show that this vehicle is not providing satisfactory recovery to the individual class members. But requiring businesses to fully fund and incentivize consumer arbitration in a fair and transparent way could provide a vehicle for individualized low-cost consumer relief. Will there still be some de minimis claims that are not pursued on the individual level? Yes. But this tradeoff may be rational in the eyes of the consumer to preserve an essentially free dispute resolution platform for economically rational claims. The CFPB should take the time pending issuance of its final rule, under a new Executive Branch, to issue regulations that will make consumer arbitration more susceptible to empirical study, more transparent, and cost free for the consumer.