Referrals Are Part-Art, Part-Strategy

This text is excerpted from the ABA’s Strategic Networking for Introverts, Extroverts, and Everyone in Between.


Referrals are sometimes called networking gold. In strategic networking, referrals are an end product of a plan focused on meeting specific people who are able to introduce you to potential clients and relevant sources. The purpose of referral-focused strategies is to identify and meet those people who can help you reach your goals.

The process of making referrals is partly art because it requires sensitive balancing to put people together and the best referrers seem to have a sixth sense about connections and timing. Of course, for referrers, making introductions is also a strategy in that the referrer needs to decide which requests to fill, whom to ask to take a referral, and so on.

Anyone can be a referrer. Good referrers hear the need for introductions in ordinary conversation. For example, a young mother talks about being worried about going back to work. A good listener will broaden the conversation to ask if the woman needs a nanny or a referral to a day care center. Or, an accountant says he is looking for more restaurant clients. The good listener may probe to find out what kind of restaurants and then be able to offer introductions.

Effective referrers usually have large heterogeneous networks, resource-rich due to a wide variety of weak and strong links. If your network is reasonably large and diverse, it increases the likelihood that someone you know may be helpful to someone else.

  • Often, people ask for introductions to personal service people who may have nothing to do with your day job but may be in your network because you know them.
  • Or, they are going to a conference in another city where you have contacts you can suggest they meet.
  • Or, professionals interested in a new subject may ask a weak link in their own network to introduce them to people they know who can help them.

The key to successful referral requests is specificity. If you ask to meet anyone who might need someone who does what you do, the possibilities seem infinite. Too vague a request is difficult for the referrer to remember. If you make the request very specific—I’d like to meet the in-house lawyer for the teamsters union—it is easier for referrers to help you reach the specific person.

In addition to helping a networker implement his/her plan, the process of referring makes people feel good. Emotionally, as a species, we are hardwired to collaborate. We want to help other people in our group, our tribe, our network. Helping others and being helped by them adds an emotional component to strategic requests. When someone accepts a referral request both people feel good.

Larry Hutcher, co-managing partner of a midsize firm and a master referrer, says, ‘Good networkers are givers. Give first because it always comes back to you. I always ask, “How can I help you?” Later I explain what my firm does and follow by saying, “I’d love to represent you.”’

Community Engagement and Investment: Supporting Your Client’s Sustainability Initiatives

This excerpt was adapted from an upcoming ABA Business Law Section book entitled Corporate Social Responsibility Deskbook.


I. Introduction

Sustainability is about the long-term well-being of society—an issue that encompasses a wide range of aspirational targets, including the sustainable development goals (SDGs) of the 2030 Agenda for Sustainable Development adopted by world leaders that went into effect on January 1, 2016. Among other things, the SDGs include ending poverty and hunger; ensuring healthy lives and promoting well-being for all; ensuring inclusive and equitable quality education and promoting lifelong learning opportunities for all; and promoting sustained, inclusive, and sustainable economic growth, full and productive employment, and decent work for all. The goals listed above are based on the recognition that society in general is vulnerable to a number of significant environmental and social risks, including failure of climate-change mitigation and adaptation, major biodiversity loss and ecosystem collapse, man-made environmental disasters (e.g., oil spills), failure of urban planning, food crises, rapid and massive spread of infectious diseases, and profound social instability.[1]

Clearly the challenges described above are daunting, and for most businesses it may be difficult to see how they can play a meaningful role in addressing them. Although it is common for “society” to be identified as an organizational stakeholder, the reality is that one company cannot, acting on its own, achieve all the goals associated with societal well-being. However, every company, regardless of its size, can make a difference in some small, yet meaningful way in the communities in which they operate, and companies are focusing more and more attention on the impact they have within their communities.[2] Focusing on the community level allows an organization to set meaningful targets and implement programs that fit the scale of its operations and that provide the most immediate value to the organization and its stakeholders. Societal well-being projects and initiatives must ensure that the organization does not compromise, and instead improves, the well-being of local communities through its value chain and in society at large.

II. Legal and Regulatory Requirements

The legal issues associated with the community engagement and investment activities of an organization will depend on its decisions regarding the types of contributions that will be made (i.e., cash, in-kind, human resources, etc.), the nature of the projects and activities that will be supported, and the specific topical areas of interest. All businesses must determine the appropriate legal and organizational structures for their community-focused activities, and this often means that a decision must eventually be made about whether to form a separate legal entity, owned and controlled by the parent company, through which community investments will be funneled (i.e., a corporate foundation). Other common legal issues include mitigating potential legal risks associated with employee volunteer programs, sponsoring and/or hosting community events, and entering into joint ventures and other types of alliance arrangements with local nonprofit organizations. Specialized legal guidance will be required when businesses get involved in complex and highly regulated areas, such as helping to provide financial services for low-wealth and underserved communities; supporting public and private financing of community cultural facilities; participating in community-based efforts to preserve open space while expanding the availability of affordable housing; and assisting local courts in positively and proactively addressing juvenile delinquency by providing vocational training and job opportunities.

III. Voluntary Standards, Norms, and Guidelines

Businesses have long been called upon to comply with a range of formal laws and regulations in various areas related to sustainability-related responsibilities, including those pertaining to the environmental impact of their operations, the employment relationship, working conditions, and health and safety standards. However, apart from satisfying the requirements of local governments with respect to permits and licenses necessary for engaging in certain activities in the community, businesses generally are not heavily constrained by legal guidelines with respect to their community involvement and development activities. This is an area in which voluntary standards have played an important role in providing business with ideas for objectives for their community involvement.

Since the late 1990s there has been a proliferation of transnational, voluntary standards for what constitutes CSR, including state-developed standards; public/private partnerships; multistakeholder negotiation processes; industries and companies; institutional investors; functional groups such as accountancy firms and social assurance consulting groups; NGOs; and nonfinancial ratings agencies.[3] Although voluntary standards focusing specifically on the relationship of businesses and the communities in which they operate are still evolving, lessons can be drawn from many widely recognized normative frameworks, principles, and guidelines such as the United Nations Sustainable Development Goals, the United Nations Global Compact, the OECD Guidelines for Multinational Enterprises (OECD Guidelines), the United Nations Guiding Principles on Business and Human Rights, and the Future-Fit Business Framework.[4] Specialized standards can be used as reference points for support of sustainability-related initiatives in local communities, such as requiring that recipients of grants and other investments for sustainable sourcing and agricultural activities adhere to the guidance developed by the Sustainable Agriculture Initiative Platform.

Although many of the standards and guidelines discussed herein can reasonably be characterized as aspirational, the International Organization for Standardization (ISO) seeks to provide organizations with easy access to international “state-of-the-art” models that they can follow in implementing their management systems. ISO has developed and distributed ISO 26000 Guidance on Social Responsibility which, although not a management system standard, is a useful guide for improvement of organizational practices with respect to social responsibility. ISO 26000 identifies and explains various core subjects, such as organizational governance, human rights, labor practices, the environment, fair operating practices and consumer issues, and, notably for purposes of this discussion, explicitly includes community involvement and development among its core subjects.[5] The issues for businesses relating to community involvement and development identified in ISO 26000 include community involvement and respecting the laws and practices of the community; social investment (i.e., building infrastructure and improving social aspects of community life); employment creation (i.e., making decisions to maximize local employment opportunities); technology development (i.e., engaging in partnerships with local organizations and facilitating diffusion of technology into the community to contribute to economic development); wealth and income (i.e., using natural resources in a sustainable way that helps to alleviate poverty, give preference to local suppliers, and fulfill tax responsibilities); education and culture (i.e., supporting education at all levels and promoting cultural activities); health (i.e., promoting good health, raising awareness about disease, and supporting access to essential health care services); and responsible investment (i.e., incorporating economic, social, environmental, and governance dimensions into investment decisions along with traditional financial dimensions).[6]

IV. Governance and Compliance

Community engagement and investment is a multifaceted activity that requires formal management and planning. Working with and in the community is part of the broader CSR activities of the company, which means that management should begin at the top of the hierarchy with the board of directors or, in most cases, the committee of the board that has been delegated responsibility for overseeing CSR activities on behalf of all of the directors. The CSR committee, working in collaboration with senior management of the company and specialists working specifically on community-related matters, should be tasked with developing strategies and policies relating to community engagement and investment; deciding on the optimal organizational structure for community-related activities, including perhaps the formation of an affiliated corporate foundation; ensuring that procedures are in place for conducting due diligence on prospective recipients of grants and other resources from the company and potential partners in community development projects; developing and approving projects; overseeing implementation of projects, including preparation of definitive agreements with community partners, monitoring progress, and measuring impact; and compiling and analyzing relevant information regarding community activities for presentation in the company’s sustainability reporting.

V. Community Engagement

Community engagement and dialogue—sharing information with and listening to community members to provide them with a voice on matters that impact them—is the cornerstone of everything a company does vis-à-vis the community in which it operates. Community engagement appears in many of the voluntary standards relating to sustainability and reporting on sustainability-related matters. For example, the OECD Guidelines call on enterprises to seek and consider the views of community members before making decisions regarding changes in operations that would have major effects on the livelihood of employees and their family members living in the community and the community as a whole (e.g., proposed closures of facilities), and take steps to mitigate adverse effects of such decisions on the community. The Sustainability Reporting Standards created by the Global Reporting Initiative, and discussed in more detail below, call for reporting organizations to discuss their management approach with local communities by describing the means by which stakeholders are identified and engaged; which vulnerable groups have been identified; any collective or individual rights that have been identified that are of particular concern for the community in question; how it engages with stakeholder groups that are particular to the community (for example, groups defined by age, indigenous background, ethnicity, or migration status); and the means by which its departments and other bodies address risks and impacts, or support independent third parties that engage with stakeholders and address risks and impacts.[7]

VI. Reporting

Although more and more companies produce reports that emphasize the importance of being a good “community citizen” and effectively managing their relationships with community members and the community environment, those same reports often reflect difficulties in identifying and describing specific goals for community involvement and the impact that company activities are having on the community. As with all aspects of sustainability reporting, practices of companies regarding their disclosures relating to community engagement and investment have been evolving as time has passed and stakeholder interest in such activities has increased. Although mandatory reporting requirements have been slow to emerge, the need to keep communities informed has found its way into global standards such as the OECD Guidelines, which provide that enterprises are expected to ensure that timely, regular, reliable, and relevant information is disclosed to the community regarding the activities, structure, financial situation, and performance of the enterprise and relationships between the enterprise and its stakeholders, as well as communicate information to the community regarding the social, ethical, and environmental policies of the enterprise and other codes of conduct to which the enterprise subscribes (including voluntary standards relating to community involvement and development).

The Sustainability Reporting Standards developed by the Global Reporting Initiative (GRI) are the most widely used standards on sustainability reporting and disclosure around the world and include several types of disclosure categories that cover various aspects of community involvement, investment, and impact. The GRI reporting framework covers a wide range of performance indicators and disclosure standards in three categories: economic, environmental, and social. With respect to operations and other activities that might directly or indirectly have a material impact on their communities, organizations that have adopted the GRI framework are expected, among other things, to make disclosures regarding the impact that their investments and other support of infrastructure and local services has had on their stakeholders and the economy; the indirect economic impacts their operations and activities have had on their communities; community investment activities; engagement with local communities; the actual and potential negative impacts of their actions on local communities; and their managerial approach to community issues.

A framework for reporting promoted by the London Benchmarking Group (LBG), which is managed by Corporate Citizenship, a global corporate responsibility consultancy based in London with offices in Singapore and New York, is an effective tool for quantifying and organizing information about their corporate community investment activities and, most importantly, assessing and reporting on the impact of their relationships with communities and how to manage it.[8] LBG explained its framework as being “a simple input output model, enabling any [corporate community investment] activity to be assessed consistently in terms of the resources committed and the results achieved.”[9] Applying the framework begins with inputs (i.e., what resources did the company provide to support a community activity), continues with outputs (i.e., what happened within the community and the company as a result of the activity, and what additional resources were brought to bear on a particular issue as a result of the company’s contributions and participation in the activity), and finishes with identifying and measuring the impacts achieved on various groups (i.e., the changes that occurred for people, organizations, and the environment within the community and for the involved employees and overall business of the company).

VII. The Case for Community Engagement and Investment

Although the potential benefits of community engagement and investment for businesses are often framed as readily apparent, it is useful to consider ideas about the specific aims and objectives of corporate community involvement. One comprehensive list included making people inside and outside the community aware of various problems in the community; ensuring that investment and development efforts occur across all sectors of the community and in multiple areas, including education, health, recreation, and employment; motivating members of the community to participate in community welfare programs; providing equal opportunities within the community for access to education, health, and other facilities necessary for better well-being; building confidence among community members to help themselves and others; generating new ideas and changing patterns of life within the community in positive ways that do not negatively interfere with traditions and culture; bringing social reforms into the community; promoting social justice; developing effective methods to solve community programs, including better communications between community members and local governments; and creating interest in community welfare among community members and mobilizing those members to participate in the collective work for community development. 

Surveys have shown that commitment to CSR and related activities, including community involvement, is an important driver of employee engagement, and employees care a great deal about how their employer is perceived with respect to social responsibility in the communities in which they operate. Community engagement and investment activities provide organizations with important opportunities to leverage the impact of their contributions, given that businesses typically rely on their local communities as a source of talent for the employee base, for contractors for services that the organization seeks to outsource and, of course, as a market for the organization’s products and services. By contributing to educational and health programs in the community, an organization can increase the skills base of potential workers, thereby reducing training costs when new employees are hired and lowering the risk of adverse impacts to productivity due to illnesses among its employees or their immediate family members, either of which can cause employees to miss time at work. Organizations can provide financial support, as well as licensed technology, to launch a local network of engineers, scientists, and/or software developers to generate innovations that not only benefit the organization, but also provide new opportunities for other members of the community, thus improving overall community well-being. Finally, the proximity of local customers makes it easier for organizations to develop and communicate their marketing messages and seek and obtain feedback on the effectiveness of those messages and the quality and value of the product and services distributed by the organization. In fact, one of the compelling reasons for investing in community involvement at all levels is the relative ease of collecting and analyzing information relating to operational performance. Proximity to the human, technical, and other resources that can be developed and nurtured through community engagement and investment also allows organizations to move more quickly to seize opportunities and obtain a competitive advantage.


[1] The Global Risks Report 2017 (12th ed.) (Geneva: World Economic Forum, 2017), at 61–62.

[2] Communities have been described as individuals linked by issues (i.e., people concerned with the same issue); identity (i.e., people who share a set of beliefs, values, or experiences related to a specific issue, such as the environment or public health); interaction (i.e., people who are linked by a set of social relationships); and geography (i.e., people who are in the same location). See Engage Your Community Stakeholders: An Introductory Guide for Businesses 3 (Network for Business Sustainability, 2012).

[3] C. Williams, Corporate Social Responsibility and Corporate Governance in J. Gordon & G. Ringe, eds., Oxford Handbook of Corporate Law and Governance 7 (Oxford: Oxford University Press, 2016).

[4] Id. at 8–9.

[5] See International Organization for Standardization, ISO 26000 Guidance on Social Responsibility: Discovering ISO 26000 (2014); Handbook for Implementers of ISO 26000, Global Guidance Standard on Social Responsibility by Small and Medium Sized Businesses (Middlebury VT: ECOLOGIA, 2011) (hereinafter Handbook for Implementers).

[6] Handbook for Implementers, supra note 5, at 32–33.

[7] GRI 413: Local Communities 2016 (Amsterdam: Global Sustainability Standards Board, 2016).

[8] From Inputs to Impact: Measuring Corporate Community Contributions through the LBG Framework—A Guidance Manual 4 (London: Corporate Citizenship, 2014).

[9] Id. at 6.

Going, Going, Gone: Baseball Player Sets Precedent for Suing International Professional Sports Teams

A federal district court has opened the door for professional athletes to file lawsuits in the United States against foreign professional sports teams—and potentially the international conglomerates that own them—to resolve employment disputes.

In Lutz v. Rakuten, Inc. et al., Civ. Action No. 17-3895 (U.S.D.C. E.D. Pa.), Zach Lutz, a former Major League Baseball (MLB) player for the New York Mets, filed suit against Rakuten Baseball, Inc., a Japanese baseball company that owns and operates the Tohoku Rakuten Golden Eagles (the Golden Eagles), and Rakuten Inc., a Japanese e-commerce company and corporate parent of the Golden Eagles (Rakuten), for reneging on an agreed-upon contract for Lutz to play for the Golden Eagles for the 2015 season.

The Golden Eagles are a Japanese professional baseball team that plays in Nippon Professional Baseball’s Pacific League, one of two Japanese professional baseball leagues and the Japanese equivalent of MLB. The Golden Eagles are a wholly owned subsidiary of Rakuten, a Tokyo-based holding company that is often referred to as the “Amazon of Japan.” Through its subsidiaries and affiliates, Rakuten operates numerous e-commerce and internet services companies globally. In 2018, Rakuten’s consolidated businesses earned revenues of 1.1 trillion Japanese yen—close to 10 billion U.S. dollars. Although Rakuten may not be a household name in the United States, basketball and soccer fans may recognize Rakuten as the jersey sponsor of the NBA’s Golden State Warriors and La Liga’s FC Barcelona.

Lutz played for the Golden Eagles in 2014, but after injuring his thumb during the season, he returned to his home in Pottstown, Pennsylvania. During that time, the Golden Eagles monitored Lutz’s injury, subsequent surgery, and rehabilitation and began negotiating a new contract for the 2015 season (and beyond). For several months, Lutz and the Golden Eagles exchanged numerous communications via text message, e-mail, and telephone concerning his physical condition and the new contract. The Golden Eagles requested medical records from Lutz’s doctors in the United States, which he provided, and paid for Lutz’s medical insurance for physical therapy and rehabilitation during this period.

In December 2014, Lutz and the Golden Eagles agreed to a one-year deal for the 2015 season, which guaranteed Lutz $700,000 in base salary plus incentive bonuses and reimbursement for expenses. On December 4, 2014, a written contract was e-mailed to Lutz in Pennsylvania, and he signed and returned it to the Golden Eagles two days later.

However, the Golden Eagles never countersigned the contract. Lutz alleged that weeks after returning the signed contract, the Golden Eagles reneged on the deal and instead signed Gaby Sanchez, a better-known MLB player. Lutz remained on the team’s “reserve list,” which under the Nippon Professional Baseball Organization’s rules meant that he was barred from negotiating a new contract with any team in the world. Lutz remained on the reserve list for several weeks before he was released and eventually signed a contract with the Doosan Bears of the Korean Baseball Organization for $550,000—$150,000 less than his Golden Eagles contract, with no incentive bonuses or paid expenses, and a less attractive deal overall than the one he had accepted from the Golden Eagles.

In August 2017, Lutz filed suit in the U.S. District Court for the Eastern District of Pennsylvania against Rakuten and the Golden Eagles alleging fraud, negligent misrepresentation, and promissory estoppel. Rakuten and the Golden Eagles moved to dismiss Lutz’s complaint under Rule 12(b)(2) for lack of personal jurisdiction, and under Rule 12(b)(6) for failure to state a claim. Rakuten and the Golden Eagles primarily argued that the federal court lacked both general and specific personal jurisdiction over both entities such that litigation in a Pennsylvania court would violate the constitutional principles of due process. Specific jurisdiction requires that a defendant have sufficient “minimum contacts” with the forum and that the claims arise out of those contacts. General jurisdiction, on the other hand, subjects a foreign defendant to the court’s jurisdiction if its nonclaim-related contacts with the forum state are so continuous and systematic that the defendant can be considered “at home” there.

Rakuten and the Golden Eagles argued that the court lacked specific personal jurisdiction over them because neither entity conducts business or has a physical location in Pennsylvania, and because the Golden Eagles representatives did not set foot in Pennsylvania to negotiate or communicate with Lutz; in Rakuten’s case, its representatives were not involved in the contract negotiations with Lutz. The Golden Eagles argued that their contacts with Lutz were location-agnostic; they sent e-mails and text messages not knowing where Lutz was physically located at the time. Rakuten asserted that general personal jurisdiction over it was improper because, as an international conglomerate based in Japan, it does not engage in business that directly targets or solicits Pennsylvania residents.

In opposition, Lutz argued that specific personal jurisdiction was proper because representatives from the Golden Eagles communicated directly and frequently with him in Pennsylvania concerning his injury and a new contract for the 2015 season. Lutz argued that general personal jurisdiction over Rakuten was appropriate because Rakuten overtly promotes on its website that all of its business endeavors, including owning and operating the Golden Eagles, are part of an integrated global “ecosystem” that markets the Rakuten brand internationally, including in Pennsylvania.

On April 22, 2019, U.S. District Judge Chad F. Kenney issued a detailed opinion, holding that the federal court had personal jurisdiction over the Golden Eagles but lacked personal jurisdiction over Rakuten. Judge Kenney found that the Golden Eagles “knowingly reached into Pennsylvania to recruit and employ [Lutz] to play baseball for the Golden Eagles.” The court found specific personal jurisdiction over the Golden Eagles because it “purposefully directed its activities at Pennsylvania” by: (1) knowing that Lutz was a Pennsylvania resident, evidenced by the fact that they wired money to his Pennsylvania bank account for his 2014 salary; (2) communicating via e-mail, text message, and telephone with him while he was in Pennsylvania regarding his recovery and the 2015 contract; and (3) paying for his medical insurance for his physical therapy and rehabilitation, most of which occurred in Pennsylvania.

The court determined that it lacked personal jurisdiction over Rakuten, however. There was no specific personal jurisdiction because Lutz’s allegations implicated only the Golden Eagles and not Rakuten. The court also found that general personal jurisdiction was lacking because Rakuten, as a holding company, does not (1) sell any goods or services in Pennsylvania, (2) have any locations in Pennsylvania, or (3) directly target or solicit Pennsylvania citizens. Instead, the court applied the test set forth in Zippo in finding that Rakuten passively marketed its global “ecosystem” and “is more akin to an advertisement of the overall Rakuten brand.” The court refused to attribute the activity of websites managed by third parties, who were affiliates but not wholly owned subsidiaries of Rakuten, to Rakuten itself even though such websites bear the Rakuten name and logo and promote the overarching Rakuten brand.

Although Judge Kenney’s opinion dismissed Rakuten, the court denied the defendants’ Rule 12(b)(6) motion, allowing Lutz’s claims against the Golden Eagles to proceed. Even though he dismissed Rakuten, Judge Kenney implicitly endorsed the notion that an international conglomerate such as Rakuten could be subject to personal jurisdiction in a federal district court if its marketing strategy targets citizens of a particular state and is central to its business.

This decision should send shockwaves to foreign professional sports teams because it opens the door for U.S.-based professional athletes to litigate employment disputes in American courts. By actively reaching into the forum state to recruit and employ an athlete, such actions may be considered to be “purposefully directed” at the forum and may subject the foreign teams to jurisdiction there. This is a crucial development for the legal rights of U.S.-based professional athletes for two primary reasons.

First, litigating in foreign jurisdictions is cost prohibitive and logistically challenging for individual plaintiffs. Judge Kenney acknowledged that it would pose a significant burden on Lutz to bring his claims in Japan, whereas the Golden Eagles would face a “substantially smaller burden” to defend itself in Pennsylvania. In addition, international courts and foreign alternative dispute resolution options (e.g., arbitration) often do not protect the same rights and provide the same relief as American courts. As a result, foreign professional teams have avoided making contractual payments to players without much (or any) redress.

Second, foreign professional sports teams are frequently owned by international conglomerates, such as Rakuten, that use the team to promote the overall brand through the team’s exposure to consumers and active content marketing and distribution networks. To the extent that these foreign entities target American consumers through their global branding strategies, they may be subject to personal jurisdiction in American courts. In September 2017, Rakuten entered into a sponsorship deal reportedly worth $60 million with the Golden State Warriors to promote its global “ecosystem” by displaying its logo on the front of the team’s jerseys, arguably targeting consumers in each of the 27 American cities where the Warriors play (including Philadelphia, Pennsylvania) and in millions of households worldwide through television and other media. By sponsoring the Warriors—the most prominent, superstar-packed team in the NBA with more nationally televised games than any NBA team and a massive media and social media following—Rakuten undoubtedly knew that it would gain immense exposure in the United States. A November 2017 Forbes article covering the deal suggested that the Warriors used complex analytics to value such exposure and justify the exorbitant cost of the deal (twice the cost of the next highest NBA team jersey patch deal).

On the other hand, as the defendants raised in their moving papers, had Lutz alleged contract claims against the Golden Eagles, he would have had to contend with a forum selection clause, choice-of-law provisions, and a requirement to arbitrate, all of which would have forced Lutz to resolve this dispute in Japan according to Japanese procedures. Creative pleading allowed Lutz to sidestep any potential contract law issues, but other putative plaintiffs whose claims arise under contract law may not reap the benefits of the Lutz decision. In addition, as Lutz demonstrated, imputing personal jurisdiction on a parent holding company that had no direct involvement in the claim is an uphill battle for a plaintiff. Parent companies often run their businesses through operating subsidiaries specifically to avoid the situation Rakuten confronted (and prevailed on) in this litigation, i.e., opening its deep pockets to resolve a dispute it had no direct role in creating. Moreover, if a plaintiff successfully surpasses the personal jurisdictional threshold, it must still prove that the corporate parent is somehow liable to the plaintiff under a joint-employment or some other legal theory—another uphill battle.

While the Golden Eagles may have had grounds to seek an interlocutory appeal of the court’s denial of their Rule 12(b)(2) motion, seeking to dismiss the entire case, they opted to file an Answer to Lutz’s complaint and move the case forward. This may have been a prudent move as Lutz likely would have cross-appealed, challenging the court’s dismissal of Rakuten – a risk that Rakuten might prefer to avoid as it would allow the appellate court to take a closer look at the record evidence of Rakuten’s deep business entwinement with its subsidiaries, including the Golden Eagles. However, depending on the outcome of the case, an appeal could remain an option, albeit still a risky one. On a broader scale, although it was persuasive, Judge Kenney’s decision is not binding on other courts. Thus, any appeal by the Golden Eagles runs the risk that the Court of Appeals for the Third Circuit will affirm Judge Kenney’s opinion, thereby setting a precedent for all federal courts in Pennsylvania, New Jersey, Delaware and the U.S. Virgin Islands, in addition to creating a persuasive decision for all other federal courts. For now, however, Lutz’s case will proceed and Judge Kenney’s decision will inevitably serve as a guidepost for professional athletes to pursue lawsuits in the U.S. against foreign professional sports teams, a major turning point for player rights.

 

Collecting in the Wild West: Impacts and Updates for Collection Operations in the Face of Emerging Privacy Regulation in California and Washington State

After the enactment of the General Data Protection Regulation (GDPR) in Europe, privacy experts foresaw that it would be only a matter of time until similar privacy laws—ones that gave consumers more control over their personal data and the way it was used—were enacted in the United States. Several states have already either implemented new laws or are amending existing laws that surround consumer protection and the privacy of consumers’ information. Of note is the California Consumer Privacy Act (CCPA), which will go into effect on January 1, 2020.[1] Washington State, home of Amazon and Microsoft, recently introduced Senate Bill 5376, the Washington Protection Act (WPA), which will offer consumers a way to oversee and manage their personal data.

The Laws

Like the GDPR, there are business-use exceptions that make it possible for most financial institutions, debt collectors included, to continue using personal data in their businesses without disruption. Both the CCPA and WPA provide exceptions for financial institutions that collect consumer information while complying with the Gramm Leach Bliley Act (GLBA); however, within the framework of these new privacy regulations, ensuring compliance may not be as straightforward as it seems at first glance.

The GLBA governs the privacy of consumer and customer information for financial institutions of all types. It is based on the customer’s/consumer’s relationship with a financial institution or service provider and requires the financial institution to protect information a customer or consumer has given to the financial institution. The institution also must disclose its privacy policy and practices as well as the types of information it may share with others.[2] Put simply, when it comes to information about consumers and customers, financial institutions must disclose how they will use the information, and the GLBA gives consumers the right to opt out of certain types of that use if it means information will be shared with a third party. These conditions apply to certain information given by the consumer in the pursuit of its relationship with the financial services provider or financial institution. In the GLBA, the protected information is called “nonpublic personal information,” which is defined as any information provided by a consumer in order to obtain a financial service or product.[3] This is important when discussing the WPA and CCPA because, as noted above, both acts have an exception for personal information obtained pursuant to the GLBA, although the designation and type of information protected under these acts are very different.

The CCPA and WPA

The CCPA and the WPA protect a broad range of personal information. Although the GLBA is focused on protecting information that is given to an institution in the conduct of business for personal, household, or family purposes,[4] the state acts create rights for consumers to access, delete, and better control the use of nearly any information that can identify them. The CCPA, for example, defines the information that it protects as “any information that identifies, relates to, describes or is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household,”[5] and the WPA defines its protected information as “any information that is linked or reasonably linkable to an identified or identifiable natural person.”[6] Both the California act and the pending Washington act offer consumers the right to access and to delete their personal information with some exceptions. There are several types of information that are excepted from both acts, such as the information that is already regulated and protected by certain privacy or information statutes like the Fair Credit Reporting Act, the Federal Driver’s Privacy Protection Act, and, of course, the GLBA; however, unlike the other acts, the exception for information gathered pursuant to the GLBA is not comprehensive.

When the CCPA was originally passed, it excluded “personal information collected, processed, sold or disclosed pursuant” to the GLBA if it was in conflict with that law.[7] The language was changed, removing the caveat that required the CCPA to be in conflict, which effectively excluded all information collected under the GLBA; however, with this change, new language made it clear that consumers would have a private right of action around any GLBA-collected information in case of a breach.[8] Additional language was recently presented with the backing of California’s attorney general that, if passed, would subject information that financial institutions collect pursuant to the GLBA to a private right of action for any consumer whose rights under [the] title are violated.[9] Again, the CCPA creates rights to access, delete, and be notified about personal information for all California residents. As it stands currently, this opens the door for private rights of action against any information about a financial consumer that is not gathered pursuant to GLBA, and will allow consumers to assert their rights for personal information that is collected and processed pursuant to the GLBA. Similarly, the Washington Protection Act excepts information collected under the GLBA, but only if it complies with that law.[10]

Thinking about Compliance, Debt Collection, and Privacy

When collecting a debt, in addition to customer information collected pursuant to the GLBA, an entity may have additional personal data that is part of a loan or collection file. For example, a customer may provide a reference for a loan, or a co-signor’s personal information may be included in the loan file, but not subject to the obligations that financial institutions owe to consumers and customers. The GLBA does not require disclosures for parties affiliated with the customer that may be a part of the financial information that they provide. This information is still personal data as defined in the WPA and CCPA, and because it is not governed by the financial institution’s ongoing GLBA obligations to consumers, it may fall squarely into the states’ acts. Even if such information were considered as “complying with the GLBA” under the WPA, it still may be subject to the private right of action pursuant to the CCPA. Additionally, compliance with the GLBA is not so clear cut. Information that can be considered “publicly available” is not subject to the privacy and protection rules of the GLBA and is often subject to an institution’s reasonable belief about the information.[11]

Ultimately, despite the exemptions provided by the WPA and CCPA for institutions that follow the GLBA, there are likely to be gaps that require thinking about ways to adjust practices to comply with the state laws and to allow Washington and California consumers to exercise their full rights. Debt collectors, both creditors and others who engage in debt collection, must evaluate the nature of the data that they hold and prepare to respond to the exercise of consumer rights implemented by these acts. To prepare, any entity that is involved in debt collection should consider taking additional steps with the information that they receive. Overall, a more holistic approach to consumer data will ease compliance as the privacy landscape continues to change:

  • Consider data holistically. Consider implementing practices that look at the best way to protect all of the data your entity receives, not just customer or consumer data. Information that comes through marketing, employment, and even that which is offered incidentally to a credit transaction or financial service can change your compliance obligations.
  • Identify noncustomer personal information. During an application process or the acquisition of a new file for collection, consider noting when a person other than the customer has personal information in the file and denote that it exists.
  • Segregate noncustomer personal information. Segregating personal information will help avoid risk and assist you or your client in responding to valid consumer requests under the WPA and the CCPA.
  • Prepare to respond. The rights instituted under the WPA and the CCPA are likely to impact your organization even if it is complying with the GLBA. Mitigate risk by preparing to respond to customer requests for information. Consider the form of the requests that your organization will accept, what your responses will look like, how to minimize the time spent responding, and how to ensure that California and Washington consumers get the best customer service possible. Keep in mind that other states are likely to follow.
  • Train staff. Training staff to focus on what constitutes personal data will improve their ability to track and preserve it across the organization, reducing the costs of compliance and lowering the likelihood of a lawsuit.

[1] There are multiple proposed amendments that have been presented to change the CCPA, and the amendments cover a variety of subjects. No one is exactly sure what will happen come January 1, 2020.

[2] The FCRA, like the GLBA, provides certain exceptions and restrictions related to affiliate disclosures. These can be found at 15 U.S.C. § 1681s; however, this article is not intended to address those restrictions.

[3] 16 C.F.R. § 313.3.

[4] 15 U.S.C. § 6807.

[5] CCPA § 1798.140(o).

[6] WPA § 3(16).

[7] CCPA § 1798.145(e) (2018 version).

[8] CCPA § 1798.145(e) (second version).

[9] CCPA § 1798.150 (as proposed by SB 561, Feb. 22, 2019).

[10] WPA § 4(f).

[11] 16 C.F.R. § 1016.3(r).

SEC Proposes Amendments to Financial Disclosures in M&A

This morning, once again without an open meeting—whatever happened to government in the sunshine?—the SEC  voted to propose amendments intended to improve the disclosure requirements for financial statements relating to acquisitions and dispositions of businesses.  According to the press release, the proposed changes are designed to “improve for investors the financial information about acquired and disposed businesses; facilitate more timely access to capital; and reduce the complexity and cost to prepare the disclosure.”  The proposal will be open for public comment for 60 days.

The proposed amendments affect Rule 3-05 and Article 11 of Reg S-X, as well as related rules and forms. Under Rule 3-05, acquiring companies must provide separate audited annual and unaudited interim pre-acquisition financial statements of the acquired business, with the number of years required determined on the basis of the relative significance of the acquisition. Article 11 applies to pro forma financial statements, and requires the company to file unaudited pro forma financial information with regard to the acquisition or disposition, including adjustments that show how the acquisition or disposition might have affected the historic financial statements. (The proposal also applies to rules and forms related to real estate businesses and investment companies, not discussed in this post.)

Among other things, the proposal would make the following changes:

Significance test. Currently, to determine the significance of an acquisition (and therefore the extent of the financial disclosure), under Rule 3-05, companies apply prescribed investment, asset and income tests set forth in the “significant subsidiary” definition in Rule 1-02(w). The proposal would revise the significance tests by modifying the investment test and the income test. The new investment test would “compare the registrant’s investment in and advances to the acquired business to the aggregate worldwide market value of the registrant’s voting and non-voting common equity (‘aggregate worldwide market value’), when available.” The new income test would reduce the frequency of anomalous results that occur from relying solely on the net income component by requiring that “the tested subsidiary  meet both a new revenue component and the net income component.” It would also require use of after-tax income. The changes would also expand the use of pro forma financial information in measuring significance, and conform the significance threshold and tests for a disposed business.

Number of years.  Currently, if none of the significance tests exceeds 20%, no Rule 3-05 financial statements are required.  Between 20% and 40%, financial statements are required for the most recent fiscal year and any required interim periods; between 40% and 50%, a second fiscal year is required, and over 50%, a third fiscal year is required (unless net revenues of the acquired business were less than $100 million in its most recent fiscal year).  The proposal would reduce the number of years of required financial statements for the acquired business from three years to two years for an acquisition that exceeds 50% significance. In addition, the proposal would revise Rule 3-05 “where a significance test measures 20%, but none exceeds 40%, to require financial statements for the ‘most recent’ interim period specified in Rule 3-01 and 3-02 rather than ‘any’ interim period.”

Acquisition of component of entity. Where the acquisition is of a component, such as a product line or a line of business spread across more than one sub or division, but constitutes a “business” as defined in Rule 11-01(d),  the proposal would eliminate the need to make some allocations of corporate overhead, interest and income tax expenses by permitting the omission of certain expenses for these types of acquisitions if required conditions are satisfied.

Clarifications. The proposal would also revise “Rule 3-05 and Article 11 to clarify when financial statements and pro forma financial information are required, and to update the language to take into account concepts that have developed since adoption of the rules over 30 years ago.”

Individually insignificant acquisitions.   Currently, if the aggregate impact of “individually insignificant businesses” acquired since the date of the most recent audited balance sheet exceeds 50%, the company must include in a registration statement or proxy statement audited historical pre-acquisition financial statements covering at least the substantial majority of the businesses acquired, as well as related pro forma financial information as required by Article 11. The proposal would modify and enhance the required disclosure for the aggregate effect of acquisitions for which financial statements are not required or are not yet required, by, among other things, requiring “pro forma financial information depicting the aggregate effects of all such businesses in all material respects and pre-acquisition historical financial statements only for those businesses whose individual significance exceeds 20% but are not yet required to file financial statements.”

International acquisitions. The proposal would modify Rule 3-05 to permit financial statements “to be prepared in accordance with IFRS-IASB without reconciliation to U.S. GAAP if the acquired business would qualify to use IFRS-IASB if it were a registrant, and to permit foreign private issuers that prepare their financial statements using IFRS-IASB to provide Rule 3-05 Financial Statements prepared using home country GAAP to be reconciled to IFRS-IASB rather than U.S. GAAP.”

Omission of financial statements. Currently, Rule 3-05 financial statements are not required once the operating results of the acquired business have been reflected in the audited consolidated financial statements of the acquiring company for a complete fiscal year, unless the financial statements have not been previously filed or, when previously filed, the acquired business is of major significance. Under the proposal, financial statements would no longer be required in registration statements and proxy statements once the acquired business is reflected in filed post-acquisition company financial statements for a complete fiscal year, thus eliminating the requirement to provide financial statements when they have not been previously filed or when they have been previously filed but the acquired business is of major significance.

Use of pro forma for significance test.  Currently, a company may use pro forma, rather than historical, financial information if the company “made a significant acquisition subsequent to the latest fiscal year-end and filed its Rule 3-05 Financial Statements and pro forma financial information on Form 8-K.” The proposal would “expand the circumstances in which a registrant can use pro forma financial information for significance testing,” allowing companies, for all filings, to “measure significance using filed pro forma financial information that only depicts significant business acquisitions and dispositions consummated after the latest fiscal year-end for which the registrant’s financial statements are required to be filed,” subject to satisfaction of specified conditions.

Pro forma financial information. Currently, pro forma financial information typically includes a pro forma balance sheet and pro forma income based on the historical financial statements of the acquiring company and the acquired or disposed business. Pro formas generally include “adjustments intended to show how the acquisition or disposition might have affected those financial statements had the transaction occurred at an earlier time.” In addition, the existing pro forma adjustment criteria “preclude the inclusion of adjustments for the potential effects of post-acquisition actions expected to be taken by management, which can be important to investors.” The proposal would “revise Article 11 by replacing the existing pro forma adjustment criteria with simplified requirements to depict the accounting for the transaction and present the reasonably estimable synergies and other transaction effects that have occurred or are reasonably expected to occur.”  More specifically, the proposal would allow inclusion of “disclosure of ‘Transaction Accounting Adjustments,’ reflecting the accounting for the transaction; and ‘Management’s Adjustments,’ reflecting reasonably estimable synergies and transaction effects.” In particular, “Management’s Adjustments would be required for and limited to synergies and other effects of the transaction, such as closing facilities, discontinuing product lines, terminating employees, and executing new or modifying existing agreements, that are both reasonably estimable and have occurred or are reasonably expected to occur.” The proposal would also revise Rule 11-01(b) to raise the significance threshold for the disposition of a business from 10% to 20%.

Smaller reporting companies. The proposal would make corresponding changes to the smaller reporting company requirements in Article 8 of Reg S-X.

Even the Best Consultants Require Careful Oversight: Boeing and McKinsey Encounter the FCPA

Before the recent controversy involving The Boeing Company and its 737 MAX 8, a New York Times article suggested that actions on the part of McKinsey & Company may have exposed itself and possibly Boeing to liability under the Foreign Corrupt Practices Act (“FCPA”).[1] However, no definitive conclusion should be drawn from the Times article.  A violation of the FCPA is not necessarily involved, certainly by McKinsey and Boeing. Yet the article raises a number of important issues that merit consideration.

Background

What the article suggests is that because of Boeing’s need for titanium in 2006, “it did what many companies do when faced with vexing problems: it turned to McKinsey & Company, the consulting firm with the golden pedigree, purveyor of ‘best practices’ advice to businesses and governments around the world.”

Boeing asked McKinsey to evaluate a proposal, potentially worth $500 million annually, to mine titanium in India through a foreign partnership financed by an influential Ukrainian oligarch.

McKinsey says it advised Boeing of the risks of working with the oligarch and recommended “character due diligence.” Attached to its evaluation was a single PowerPoint slide in which McKinsey described what it said was the potential partner’s strategy for winning mining permits. It included bribing Indian officials.

The partner’s plan, McKinsey noted, was to “respect traditional bureaucratic process including use of bribes.” McKinsey also wrote that the partner had identified eight “key Indian officials”—named in the PowerPoint slide—whose influence was needed for the deal to go through. Nowhere in the slide did McKinsey advise that such a scheme would be illegal or unwise.

According to the article, “neither McKinsey nor Boeing was charged in the case, and Boeing has not been accused of paying bribes. But several employees of the two companies are believed to have testified before a grand jury. Boeing continued to pursue the venture even after being advised that its partner’s plans included paying bribes, records show.” Importantly, the article notes that “ultimately the deal fell apart.” 

Consideration of All Relevant Factors

By itself, the disclosure on the PowerPoint slide does not constitute a violation of the FCPA. A multitude of factors come into play before any determination can be made as to whether an FCPA violation may be involved. In particular, evidence of corrupt intent is required. This is the lynchpin to any violation of the FCPA’s anti-bribery provisions.[2] A host of other factors may also be involved. 

For example, what precisely happened next? What were the roles of McKinsey and Boeing? As is, the disclosure reveals a suggested course of conduct that, if pursued, would constitute a violation of the FCPA’s anti-bribery provisions. Disclosures of this sort can and do surface as part of due diligence. Indeed, they pose a significant red flag. In most situations, such a disclosure may effectively preclude proceeding. But they do not automatically pose an absolute bar to proceeding. 

In the context of the article, what the disclosure represents is corroboration of what may have been intended, assuming the parties proceeded in the manner suggested. In a vacuum, it does not constitute conclusive evidence of improper inducements. Nor does the disclosure, by itself, demonstrate that improper inducements were actually made or even attempted. But the disclosure does reflect intent in terms of what was contemplated. From a prosecutor’s perspective, it would be invaluable corroborating evidence along with whatever other evidence may exist.

Consultants Should Err on the Side of Making Disclosures

Consultants should certainly err on the side of making candid disclosures. In this situation, it is not known what disclaimers may have been formally or informally made in conjunction with the PowerPoint slide. But regardless, proposals should not leave the realities of a relationship or transaction vague or ill-defined.  The more the realities are spelled out, the more likely potential problems can be avoided. Either the prospective endeavor does not proceed or special measures are undertaken to ensure that improper inducements are not made. 

Mere language in an agreement or other forms of admonitions do not constitute special measures. Much more is required. The special measures may impact the structure of a transaction. They may mean that a range of carefully designed controls are instituted. In essence, it means that special efforts must be undertaken to put in place effective mechanisms to preclude the prospect of improper inducements. In many situations, taking such steps may not be realistic or even possible. In others, creative and effective mechanisms may be possible.

Of course, prudence dictates that disclosures of the nature suggested by the article include disclaimers and appropriate cautionary language. But the disclosure itself is a positive development as it allows for a company to make an informed decision. It also allows for a company to take a range of measures to ensure that what is suggested does not take place. From a compliance perspective, the critical factor is what is done with the information. 

From the content of the Times article, it is not really known what took place. It is suggested that Boeing went forward before finding another source of the titanium. But we really do not know the specifics of what that entailed. Could going “forward” mean conduct of a very preliminary nature? Were special measures undertaken? Did Boeing, for example, exercise control over each step in the process? Are there other critical facts of which we are not aware? In any event, it would appear that McKinsey put Boeing on notice regarding what might be involved. And Boeing is certainly well equipped to understand the implications.

Vicarious Liability

In a larger context, the allegations contained in the Times article signal the degree to which issues of vicarious liability may arise where there are incorrect assumptions as to what may expose a company to liability under the FCPA. Simply retaining the services of a well-respected firm does not, by itself, foreclose a company’s prospect of vicarious liability. 

Mere size should never be determinative. But the experience and reputation of a well-respected consulting firm may prove critical as to the likelihood of exposure to vicarious liability. This is because a firm of such stature is more likely to have in place a compliance program and related controls that tend to minimize the prospect of questionable conduct. An additional and compelling factor is the greater likelihood that the firm has the relevant experience. In short, an experienced and reputable firm is less likely to stumble due to sheer ignorance.

However, it is a mistake to believe that retaining the services of a well-respected consulting firm relieves a company of any oversight. The law applies equally to big and small firms as it does to highly-reputable and less-reputable firms. A consulting firm acts on a company’s behalf. What it does on behalf of a company may expose that company to liability. Quite simply, a company cannot take a head-in-the-sand approach to what a consulting firm does on its behalf. It must carefully monitor the efforts of its consulting firm.

Consulting Firm Liability

The Times article also raises the larger issue as to how a consulting firm may expose itself to liability as an accessory. Here, without more information, no assessment can be made as to whether there was a misstep on the part of McKinsey. Proper disclaimers may well have been made in conjunction with the PowerPoint presentation or in other ways. Yet, without appropriate and timely disclaimers or cautionary admonitions, a consulting firm may later be deemed to be an accessory if a proposed relationship or transaction proceeds in a particular manner. 

This is fundamentally similar to advising employees about what is said in emails. One must always operate on the basis that whatever information is communicated may be misconstrued. As a result, the utmost care needs to be exercised when conveying sensitive information. This is particularly so when a consulting firm is reporting on situations or on a course of conduct that could be perceived as questionable. A footnote or reliance on boilerplate language may not suffice.  The recipient should be on clear notice as to the issues of concern.

In sum, the Times article very much merits consideration. In the absence of more facts, no conclusions should be drawn as to the conduct of either McKinsey or Boeing. But from a legal perspective, it prompts careful thought and reexamination of relationships with consulting firms. It serves as a reminder of the care required in overseeing the work of consultants. In its own way, the article also serves as a vital reminder to consultants as to the care required in conveying information assembled on a client’s behalf.  


[1] W. Bogdanich and M. Forsythe, “‘Exhibit A’: How McKinsey Got Entangled in a Bribery Case,” The New York Times (Dec. 30, 2018).

[2] 15 U.S.C. §§ 78dd-1, 78dd-2, 78dd-3 (2019).

Oracle v. Google—An Epic Software Battle

Oracle’s decade-long copyright infringement suit against Google may be heading to the Supreme Court. The case involves the copyrightability of application programming interfaces (APIs) and the application of the fair use doctrine to copying APIs for the purpose of creating interoperable programs. The case pits software copyright owners against software developers creating interoperable programs.

As Google was developing its Android mobile operating system, it wanted to use Java so that the vast network of Java developers would develop applications for the Android mobile operating system and could use the Java programming shortcuts with which they were familiar from Java app development. Google wanted rapid application development for its Android mobile operating system. Google initially sought a license from Oracle, which now owns Java, but the negotiations broke down, in part because Google refused to make the implementation of its programs compatible with the Java virtual machine or interoperable with other Java programs, which violates Java’s “write once, run anywhere” philosophy.

Ultimately, Google copied the declaring code of 37 APIs in their entirety and the structure, sequence, and organization of the 37 APIs—over 11,000 lines of code in total—as part of its competing commercial platform. Google only had to copy 170 lines of code to ensure interoperability. It was undisputed that the copied APIs could have been written in multiple ways, and Google could have written its own APIs. It would have required more time and effort, and it would have required more effort by developers of mobile applications for Android mobile, but it could have been done. After copying Java’s code, Google purposely made its Android platform incompatible with Java, which meant that Android Apps run only on Android devices, and Java Apps do not run on Android devices.

In Oracle v. Google I, the Federal Circuit held that in light of the evidence and controlling precedent, the Java APIs were copyrightable, reversing the district court’s judgment that they were not, after a jury verdict finding copyright infringement. After Oracle v. Google I, the U.S. Supreme Court denied certiorari, probably in part due to the interlocutory nature of the case. However, the United States took the position that the Java code at issue was copyrightable, and there was no circuit split on the merger doctrine or section 102(b). On remand, the jury returned a verdict that Google’s copying of 37 APIs and the structure, sequence and organization of the corresponding implementing code was a fair use.

In Oracle v. Google II, the Federal Circuit held that no reasonable jury could conclude that Google’s copying of over 11,000 lines of code, where it only had to copy 170 lines of code for interoperability, was a fair use. On the fair use factors, the Federal Circuit concluded that Google’s use of the Java code was overwhelmingly commercial (Factor 1), the nature of the work—software—favored Google (Factor 2), the amount of the work taken was neutral or favored Oracle because the code was a highly valuable part of the Java platform (Factor 3), and the effect on Oracle’s existing and potential markets heavily favored Oracle because the Android platform caused Oracle to lose customers and impaired Oracle’s ability to license its work for mobile devices (Factor 4).

These decisions reflect the Federal Circuit’s strong view of the copyrightability of software. That view informed its decision on fair use, particularly regarding the first and fourth fair use factors—namely, the overwhelming commercial nature of Google’s use of the Java APIs and the substantial evidence of market harm to Oracle from Google’s unauthorized copying of the Java APIs.

Google again has petitioned for certiorari, arguing that the APIs are not copyrightable, and the Federal Circuit should not have reversed the jury’s fair use verdict. Now that the Federal Circuit has ruled for Oracle on the issue of fair use, only the damages phase of the case remains. At this juncture, there are two issues that potentially could be dispositive of the case if the Supreme Court granted certiorari and ruled for Google. If Google were to prevail on either copyrightability or fair use, the case would be over, and there would be no need for a trial on Oracle’s damages. If the Supreme Court believes either Federal Circuit decision is erroneous, however, it may be more likely to grant certiorari at this point.

Google’s appeal is important for several reasons. First, it involves the scope of copyright as applied to software and the application of the fair use defense in copying software code for purposes of interoperability. Second, the decision involves the somewhat complicated application of longstanding copyright doctrines—merger, scènes à faire, and the idea/expression dichotomy embodied in section 102(b)—to software. A Supreme Court decision on copyrightability and fair use in the context of software would impact the use of existing software code to build new programs, thereby significantly impacting the software industry. Oracle’s potential damages in the case have been estimated variously at between $8 billion and $9 billion, a number staggeringly large for a copyright software case (or any other case for that matter). Last, if copyrights in the Java code were timely registered and Oracle ultimately prevails, it could be awarded attorney’s fees in the court’s discretion, which at this point are substantial. See 17 U.S.C. §§ 504–505.

Any Supreme Court decision in Google could have substantial impact on the issue of copyrightability and the application of longstanding copyright doctrines such as the merger doctrine, scènes à faire doctrine, and section 102(b), which prohibits copyright protection for a command structure, system, or method of operation, among other things. A decision on these subsidiary issues in assessing copyrightability could have substantial impact on how these doctrines are applied in the software context. Similarly, a Supreme Court decision on fair use of computer code would significantly impact the industry and the balance between software copyright owners and others seeking to use their code in creating competing programs. This is a case to watch.

The Tangled Web of SEC Rule 10b-5: Lorenzo v. Securities and Exchange Commission

On March 27, 2019, the Supreme Court held (in a 6-2 decision) in Francis V. Lorenzo v. Securities and Exchange Commission[2] that a person who (1) knowingly disseminates false and misleading statements to prospective investors and (2) acts with the intent to defraud can be held liable under subsections (a) and (c) of Securities and Exchange Commission Rule 10b-5 (Rule 10b-5), and other relevant statutory provisions, even if such person was not the “maker” of such statements.

Rule 10b-5 makes it unlawful for any person, directly or indirectly, to:

  • employ any device, scheme, or artifice to defraud,
  • make any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading, or
  • engage in any act, practice, or course of business which operates or would operate as a fraud or deceit upon any person in connection with the purchase or sale of any security.

In June 2009, Waste2Energy Holdings, Inc. stated in a public filing that its assets were worth approximately $14,000,000 (including intellectual property valued at more than $10,000,000). In the summer of 2009, Waste2Energy Holdings, Inc. hired Charles Vista, LLC to sell $15,000,000 of debentures to investors. In early October of 2009, Waste2Energy Holdings, Inc. publicly disclosed and informed Francis Lorenzo (Petitioner), Vice President of Investment Banking at Charles Vista, LLC, that Waste2Energy Holdings, Inc.’s total assets were worth $400,000, significantly less than previously disclosed to the public. After becoming aware of Waste2Energy Holdings, Inc.’s overvaluation of its assets, Petitioner, at the direction of his direct superior, sent e-mails, the contents of which were supplied by his direct superior, to prospective investors that included false and misleading information regarding the valuation of Waste2Energy Holdings, Inc.’s assets.

In 2013, the Securities and Exchange Commission (SEC) charged Petitioner with, and found Petitioner liable for, violating subsection (b) of Rule 10b-5. Petitioner appealed the SEC’s ruling to the U.S. Court of Appeals for the District of Columbia (Court of Appeals). Relying on Janus Capital Group, Inc. v. First Derivative Traders,[3] a Supreme Court decision holding that only the “maker” of false or misleading statements can be held liable under subsection (b) of Rule 10b-5, Petitioner argued that because his direct superior (1) directed Petitioner to send the e-mails and (2) supplied the content for the e-mails, he was not the “maker” of any false or misleading statements and therefore could not be liable under subsection (b) of Rule 10b-5. The Court of Appeals agreed that Petitioner could not be held liable under subsection (b) of Rule 10b-5; however, the Court of Appeals found Petitioner liable under subsections (a) and (c) of Rule 10b-5.  

Petitioner appealed the Court of Appeals decision to the Supreme Court. In Petitioner’s argument to the Supreme Court, Petitioner claimed that each subsection of Rule 10b-5 governs “different, mutually exclusive, spheres of conduct,” with subsection (b) governing the making of false or misleading statements. Petitioner went on to argue that because he did not have ultimate authority over the false or misleading statements, he could not be held liable under subsection (b) of Rule 10b-5 and that because he was not liable under subsection (b), the remaining subsections could not be applied to the acts in question.

The Supreme Court rejected Petitioner’s interpretation of Rule 10b-5, explaining that the Supreme Court and SEC have a history of recognizing significant overlap among the subsections of Rule 10b-5 and other securities statutes. As a result of this overlap, the Supreme Court reasoned that the making of false or misleading statements is not governed solely by subsection (b) of Rule 10b-5, but also falls within the scope of subsections (a) and (c). The Supreme Court, agreeing with the Court of Appeals, found that by sending the e-mails that Petitioner knew contained untrue and misleading statements, Petitioner violated subsections (a) and (c) of Rule 10b-5. The Supreme Court ultimately held that Petitioner “employ[ed] a ‘device,’ ‘scheme,’ or ‘artifice to defraud,’” violating Rule 10b-5(a), and “engage[d] in [an] act, practice, or course of business” that “operate[d] . . . as a fraud or deceit” in violation of Rule 10b-5(c).

In dissent, Justice Thomas, joined by Justice Gorsuch, argued that the majority’s interpretation of Rule 10b-5 renders the Supreme Court’s decision in Janus a “dead letter.” Justice Thomas asserts that the subsections of Rule 10b-5 are straightforward and clearly specify the conduct each governs—with subsection (b) governing the making of false or misleading statements. Concluding that the majority opinion broadens the scope of subsections (a) and (c) to cover conduct within the plain meaning of subsection (b), Justice Thomas argues that subsection (b) of Rule 10b-5 is now subsumed into subsections (a) and (c), rendering meaningless the Supreme Court’s decision in Janus (detailing conduct governed by subsection (b)). The majority disagreed with this contention, noting that Janus will still apply (and preclude liability) in instances where an individual neither made nor disseminated false information, as opposed to the case at hand where Petitioner knew of and disseminated false information.

Given the Supreme Court’s broad interpretation of Rule 10b-5, it is likely that future litigants will seek to expand the scope of activities subject to Rule 10b-5. However, as the Supreme Court noted, in cases where a person is only tangentially involved with disseminating false or misleading statements, applying subsections (a) and (c) of Rule 10b-5 may prove more difficult and could cause the Supreme Court to more clearly define the reach of these subsections in the future. For example, as the Supreme Court noted, liability would be inappropriate for a mailroom clerk who disseminated misleading or false statements without the intent to defraud. It is clear that future cases may present factual scenarios that would fall outside the reach of subsections (a) and (c); however, in the case at hand, it was clear Petitioner was directly involved with disseminating false and misleading statements because he sent such statements directly to investors and invited them to follow up with him directly.


[1] Chauncey Lane is a partner in the Dallas office of Husch Blackwell LLP. Cooper Overcash and Michael Caine are associates in the Dallas office of Husch Blackwell LLP. Chauncey, Cooper, and Michael are members of the firm’s Corporate and Securities practice group where they advise domestic and international clients on capital market transactions, Securities and Exchange Commission compliance, and complex commercial transactions.

[2] 587 U.S.___ (2019).

[3] 564 U.S. 135 (2011).

Artificial Intelligence in Healthcare: Can It Work? Perspectives from the United States and European Union

In 2019, we are surrounded by AI—from our personal assistants Siri, Alexa, and Google Home Hub; our retailers predicting what we want before we do (think Amazon/Netflix recommended sections); and our cars that sense when braking is required in an emergency—and AI just keeps getting smarter and more accurate over time as it incorporates more data sets, meaning that AI has become more integrated and trusted within our society.

Throughout the world, healthcare systems are some of the most used and relied upon sectors, but they are stretched in terms of resourcing, technology, and funding. For many years, researchers and technology giants have wondered how we can harness the large amount of data that exists in the world for good—to help our healthcare system cope, grow, and thrive in modern times where we are all living longer and expecting more from our healthcare systems.

In this article, we explore some of the issues with AI and health care—the positive aspects and the barriers to integration and use that exist now or will in the future, as well as some of the trials already conducted in both the United States and the European Union.

What Is AI and How Does It Work?

In its broadest sense, AI is a tool where technology and/or a system can perform tasks and analyze facts/situations independently of a human. There are many different applications of AI, including machine learning, deep learning, and robotics.

  • Machine learning is when a system uses algorithms to review data in an iterative process until it “learns” how to make a determination or prediction on its own.
  • Deep learning is when a complex system similar to human neural networks is fed large amounts of data until it “learns” by example, discovering patterns in the data.
  • Robotics is where a machine performs a task instead of a human; for example, where a machine is programmed to perform a simple (or complex) operation with precision and accuracy based on experience.

AI in the healthcare sector works by analyzing and learning from hundreds of thousands (even millions) of records, images, and/or scenarios to spot patterns, common traits, etc. of certain medical conditions, and to analyze findings and/or cut down the options for consideration by the medical professional.

AI and the Healthcare Sector

The prospect of further integration of AI in the healthcare sector is an exciting and promising development with the potential to transform healthcare systems to be more proactive, use fewer resources, lessen time spent on administrative matters, and, most importantly, focus on patient care.

Many are wary of AI in the healthcare sector, however—a sector based on human decisions, skill, and compassion that many feel uncomfortable relinquishing to a machine. Doctors, nurses, and other medical professionals are all highly trained and trusted to deliver high-quality and personalized health care to those in need. Naturally, there is some hesitation about ceding control of some of these tasks to a machine.

AI advocates are quick to point out that AI in health care is designed to complement and not replace human decision-making, experience, and care. AI is said to present the opportunity to free up more of health professionals’ time to care for patients instead of being burdened with administrative tasks and/or spending hours developing a tailored diagnosis and treatment plan.

Some recent examples of AI within the healthcare sector include the following:

  • Machine learning was used to identify chronic heart failure and diabetic patients who required closer observation, then analyzed the results of monitoring kits provided to these patients. The patient’s healthcare providers were then automatically alerted when the patient required medical intervention.
  • The National Institutes of Health and Global Good developed an algorithm that analyzes digital images of a woman’s cervix and can more accurately identify precancerous changes that will require medical intervention. This easy-to-use technology (which can be used with a camera phone) is an exciting development for those low-resource areas and countries where such screening is not prevalent.
  • The United Kingdom’s National Health Service (NHS) provided patients with complex respiratory needs a tablet and probe that measured heart rate and blood oxygen levels on a daily basis. These results were logged and analyzed by the AI technology, reporting back to the clinical team at a local hospital when there were drops in heart rate and/or blood oxygen levels requiring medical intervention. During the period of this study, admissions at the local hospital for this group dropped 17 percent.
  • The NHS Eye Hospital Moorfields worked with Google’s DeepMind for nine months and conducted a trial based on an algorithm developed to spot and diagnose eye conditions from scans. This was aimed at cutting down unnecessary referrals to NHS hospitals, allowing clinicians to focus on more serious and urgent cases.
  • For pathologists, instead of individually assessing each image/slide, AI technology can be used to review all images/slides and flag the problematic ones for closer review.

In each of the examples above, the healthcare system saved time and resources by ensuring that only those patients requiring more immediate medical intervention were seen to, and that those who were stable were seen at nonemergency appointments for follow-up. Healthcare professionals were able to prioritize those cases with the most urgency while continuing to monitor the other, less urgent cases.

Another AI advantage is that patients are given more control over their own healthcare. They can monitor their own statistics and outcomes and are comforted that medical professionals can intervene when they have spotted concerning results. This also helps patients understand their own health and how their own body reacts to certain conditions/factors.

The Challenges

There are some concerns that have been raised around the integration of AI technologies into the healthcare system, including data protection, patient trust, biased data, and contractual, regulatory, and ownership issues.

Data Protection

In the United States, personally identifiable health information (PHI) is protected from unauthorized use and disclosure by a variety of laws and regulations, most notably the Health Insurance Portability and Affordability Act and the Health Information Technology for Economic and Clinical Health Act (together, HIPAA). Any use of PHI for AI would likely require new or different consent from the patient. Where the AI is used for the benefit of a particular patient, presumably that consent would not be difficult to obtain, but robust AI technologies require a significant amount of data to be effective, and because the use of that data is not necessarily for the benefit of any particular patient contributing data, consent for use of PHI in AI may not be so readily provided. A revision of HIPAA or applicable state laws to permit the disclosure of PHI for the purpose of AI technologies may be required, as well as additional protections to ensure that once the PHI goes into the “soup pot” of AI datasets, it cannot be individually identified again.

In the European Union, the General Data Protection Regulation (GDPR) came into force in 2018 and brought about significant changes in data protection regulation across the EU and beyond due to its enhanced territorial scope. One of the themes of the GDPR is that data subjects are given more control over their personal data. There are a few separate issues relating to data protection and AI technology when considering AI and healthcare applications:

  • Legal basis. There will be different legal bases applicable to different organizations; for example, healthcare providers generally rely on vital interests (as the processing condition) and therefore may rely on the research and statistics exemption to repurpose such data collected for use in AI technology. Other organizations, such as those who utilize wearable technologies like fitness trackers or heart-rate monitors used by individuals (as opposed to patients), will generally rely on consent to process such data and therefore may not as easily repurpose such data collected, such as for the development of AI technology.
  • Data subject rights. Under the GDPR, data subjects have enhanced rights; therefore, organizations must carefully consider the legal basis on which they are relying for processing. For example, when relying on consent, a data subject can withdraw that consent at any time, and the organization must stop processing and notify any third party with which the data was shared to stop its processing. Although data subjects have the right to request deletion of their personal data, from a practical perspective, how can data be deleted if it has become part of the algorithm?
  • Data Transfers. A scenario likely to occur with AI technology development is the transfer of data between the United States and European Union and indeed across the globe. In a data transfer scenario, both parties (i.e., the transferor and the transferee) have an obligation to ensure that such transfers are protected and that the data is transferred using adequate measures as stipulated in the GDPR.
  • It has been noted that medical data is now three times more valuable than credit-card details in illegal markets; therefore, organizations handling and sharing health data for any purpose must ensure that this data is protected from unlawful loss, access, or disclosure to avoid causing substantial distress to data subjects. When such personal data has been anonymized, then security is less of a concern from a data protection/privacy perspective because the data protection legislation does not apply to data where an individual can no longer be identified; however, anonymized data may still pose a commercial risk due to its value.

Patient Trust

Many individuals may not initially feel comfortable knowing that technology has made a potentially life-or-death decision about their healthcare and/or treatment plan. The healthcare sector is grounded in trust and personal care and compassion for those in need, and some see AI as removing that personal element in favor of a machine-led, batch-process type system where the individual and his or her needs may not be at the core of the decisions and care provided.

It could be argued, however, that AI and increased technology use within healthcare systems could actually improve personalized health care and give individuals more control over their own health by involving them in the process and allowing them to monitor their health remotely.

Many patients may also be uncomfortable with the lack of formal qualification and/or testing of AI technologies and machines, in contrast with healthcare professionals such as doctors and surgeons who often study and train for many years acquiring knowledge and skills in a particular area, which instils trust in patients.

Additionally, some patients may be unwilling to accept such AI technology as part of the healthcare system, given that in recent years the rapid growth of AI technologies in our daily lives has brought about some general mistrust.

How can the healthcare sector alleviate such concerns? All new technology experiences some bumps on the path to acceptance; distrust or suspicion of new technologies and fear of error takes time and education to overcome. Focusing on the patient and individual care, along with reassuring patients that AI technology will not replace doctors, may alleviate the fears of concerned patients. In addition, education about how AI technology will allow doctors to create more personalized healthcare treatment plans for patients and focus more on patient interaction and care will go a long way toward acceptance of AI technology in the healthcare sector. Medical care at its core is about empathy and care for patients, which cannot be replaced by AI technology, but AI technology can free up time and resources from those that provide that empathy and care by doing some of the “heavy lifting” so that the healthcare system can focus on the patients.

In terms of trust of the AI technology itself, there may need to be more legislative governance and/or accepted standards of testing for such technologies to reassure patients that the AI technology produces accurate results and has been thoroughly vetted as suitable to make decisions about health, diagnosis, and treatment.

There may also be a generational gap in that older patients are generally more wary of AI technologies and their infiltration into our daily lives. However, younger individuals—those who have been brought up in the age of social media, wearable devices, and other technologies—are generally more willing to accept and embrace AI than their parents and grandparents.

Overall, in time the benefits of AI to the healthcare experience (i.e., personalized care, diagnosis, and treatment; saved time and resources; and a more effective and cost-efficient healthcare system) will overcome patient mistrust in the technology.

Bias/Accuracy of Data

One concern that has been voiced by medical professionals is that the data available (from healthcare providers) to train AI technology and machines is not always accurate and often contains biases that may feed through into the technology, which may result in AI technology that is not representative of the population and therefore may not always make the correct decisions for every individual.

For example, in the United Kingdom especially, clinical trials (where most medical data is generated for research purposes) are dominated by white, middle-aged males; therefore, much of the data associated with medical trials is dominated in such a way. Ethnic minority populations, older people, and females are traditionally under-represented in medical trials; therefore, there may be implicit (or sometimes even explicit) bias in the data provided to an AI technology machine from which to learn. In other words, will the results provided by an AI technology based primarily on middle-aged, white males apply to individuals who are not middle-aged, white males? How will patients and providers know? However, there is also an argument that deliberately skewing the data the opposite way (e.g., by ensuring trials are reflective of all ethnic groups) could impact the effectiveness of a study where a condition may predominantly affect one group (e.g., sickle cell anaemia, which is most commonly found in those of African, Caribbean, Middle Eastern, and Asian origin).

Put another way, the output from an AI technology skewed in favor of one or more characteristics (i.e., the middle-aged male) may lead to inaccurate outputs and/or inappropriate treatment plans. In addition, some medical conditions are associated with certain groups more than others; therefore, AI technology may not be reflective of the conditions and medical needs of one group where the data used to train it were reflective of another group.

If AI technology is to reach its full potential in the healthcare system, care must be taken with the data used to train AI technologies to ensure that it is reflective of and includes a cross-section of the population, and is therefore fair and unbiased, so that its output is as accurate as possible.

Another issue, particularly with the NHS, is that hospitals are still very much reliant on paper-based records, although there has been for many years a push toward greater digitalization of healthcare records (which not only aids healthcare data-sharing for medical care purposes, but also assists in “feeding” such data to AI technology from which to learn). Nevertheless, legacy systems and the general lack of investment in technology have meant that moving toward any substantive ability to facilitate data sharing has been a slow process. The format of such records will also differ per area, data may not always be correctly labelled, and records are sometimes not kept as up-to-date as they should be. This lack of standardization creates gaps in information and could mean that the data from which the AI technology is learning is not the full picture of any one individual’s health/symptoms.

This brings questions about bigger issues in health care, especially in the United Kingdom, concerning whether it is possible to move forward with AI technology when the healthcare system is still not modernized enough to have easily accessible digital records. Although the United States is farther along in its adoption of electronic health care records and the digital data they contain, the implicit bias concern is equally strong in both countries. In addition, the lack of standardization of electronic data—both in the United States and between the United States and the European Union—makes ensuring a robust data input especially difficult. Although appropriate governmental regulations may address this, the market itself must figure out how to make it technically and financially viable.

Contractual and Regulatory Issues

There are a variety of potential complex contractual issues that must be addressed among developers and various stakeholders in the healthcare system before AI technology is rolled out, particularly regarding the allocation of liability. Where a doctor fails to diagnose correctly, prescribes the wrong dose of medication, or otherwise acts negligently, the patient has a claim against the doctor/healthcare provider, and the hospital or healthcare system in which the doctor/provider worked, for malpractice, negligence, and/or personal injury. However, who is liable where an AI technology failed to spot a cancerous tumour on a scan it analyzed?

There may be a lot of finger-pointing in this case. The doctors would argue that they were not liable because they (presumably) utilized the AI technology correctly, and that the fault lies with the hospital/healthcare system that required its use and/or the vendor/developer of the technology itself. The hospital/healthcare system might argue that it is not liable because the third-party technology vendor developed the technology and trained the doctors in its use. The developer might argue that they are not responsible because AI technology is constantly “learning,” and only from the data it is given. It is important that the contracts between the developer and healthcare system, and between the healthcare system and its physicians, are clear on the allocation of liability in the event that a patient is harmed in relation to the use of AI technology.

Another issue that must be addressed by contract is the warranties (if any) that are provided by the developer to the healthcare provider. How likely is a developer to warrant that the AI technology is accurate? If unlikely, how could the healthcare provider understand its limitations? Is the training provided on the AI technology warranted to provide that information?

Regulatory issues also abound. In the United States, AI-enabled technologies may or may not be regulated as medical devices. Current regulations are unclear on this issue, but generally in both the European Union and United States, devices/technology used in the context of medical advice/health care require approval. The problem with current regulatory approval processes is that approval is granted only to one specific version of a product and/or device, but AI technology and/or devices are constantly learning; if each iteration is a new “version,” then any approved version would be out-of-date almost immediately (and that’s without getting into “custom-made devices” within the medical device sector). Requiring regulatory approval for each version/iteration of the AI technology would be nonsensical. A new regulatory scheme tailored to the reality of AI technology (and other new and emerging technologies) in both the United States and European Union is needed.

Intellectual Property Ownership

Intellectual property and ownership issues regarding AI technologies include the following questions:

Who owns the data? For purposes of developing robust AI technologies, provided the bias issues discussed above are positively addressed, the more data, the better. Therefore, although AI developers/manufacturers could solicit the data from each data subject (i.e., the patient) directly, the more practical route is to acquire vast amounts of data from the healthcare provider. But who owns the data, and can the healthcare provider disclose/use the data this way?

In the United States, the patient generally does not own his or her medical information. The health record is generally owned by the provider that keeps the record (as a normal business record); HIPAA protects the privacy of the information for the benefit of the individual, but ownership of that information is not addressed in any federal law or the laws of 49 states (New Hampshire is the only state where the individual owns his or her information as a matter of statute). This structure applies only to the data fed into the AI technology. Who owns the output? Most likely, the developer or manufacturer will assert ownership to the results because it owns the algorithms that create the AI. What about results that are personal to an individual, such as a diagnosis or treatment plan? Isn’t that part of the health record owned by the provider?

In the United Kingdom, the person who developed the diagnosis and/or treatment plan owns the copyright in that plan (as the author of such plan); however, the personal information would still be owned by the patient (data subject) because it is personal to him or her. If the AI developer “owns” an individual’s diagnosis or treatment plan, can the developer sell or disclose it, or incorporate that information into other products, or use it for some other purpose? Currently, developers and users of AI technology are contracting around these issues, but that means that ownership, use, and disclosure are different across contracts as a result of individual leverage and market forces and, of course, such contracts leave out the patients entirely (unless the patient is providing the data to the AI developer directly).

In the European Union, there is a distinction between “ownership” and “control” over personal data. Data subjects (i.e., an individual) always retain ownership of their personal data (i.e., a company cannot own such information), but do not always have control over their personal data (e.g., a healthcare provider does not need permission to use one’s personal data because it was collected for the provider’s own purposes and control). Under the GDPR, data subjects are given enhanced rights over their own personal data; however, there are circumstances where a party who controls such personal data does not need to comply with the data subject’s requests and can continue to process the personal information (e.g., for medical treatment).

Where data is shared for the purposes of developing and/or testing AI technology, the key consideration should be transparency: Is the patient fully informed? Is there an appropriate legal basis? Without transparency, processing may be unlawful, and the patient could prevent it.

Who owns the algorithm? The algorithm is likely owned by the company who developed it for use in the device and/or AI technology; however, there are questions around whether someone can own something that is essentially a “self-learning” machine. Is the algorithm something tangible that can be explained? Or is the initial algorithm something tangible, but then the AI learns to improve this, and then the company no longer has control over the decision-making process?

Who owns the device/product/finished AI machine? This will depend on what the device or product is. Where the product is the technology, i.e., the algorithm, the healthcare provider may wish to own this to control more of the output. However, it is likely that the developer/manufacturer would want to claim ownership, especially where such use is novel in the sector.

UK/EU Thoughts

The United Kingdom has been investigating the role of AI in healthcare over the last few years, and in September 2018, the government published a code of conduct for data-driven healthcare technology. The code sets out 10 key principles (some relate to data protection and existing NHS codes of practice):

  1. Define the user—who is the product for, and what problem are you solving?
  2. Define the value proposition—why has it been developed?
  3. Be fair, transparent, and accountable about what data are used—use privacy-by-design principles and data protection impact assessments.
  4. Use data that are proportionate to the identified user need—use the minimum personal data required to achieve the purposes.
  5. Make use of open standards—build in current standards.
  6. Be transparent to the limitations of the data and understand the quality of the data.
  7. Make security integral to the design—have appropriate levels of security to safeguard data.
  8. Define the commercial strategy—commercial terms that benefit partnership between the commercial organization and healthcare provider.
  9. Show evidence of effectiveness for the intended use.
  10. Show the type of algorithm being developed or deployed, the evidence base for using that algorithm, how performance will be monitored on an ongoing basis, and how performance will be validated—show the learning method you are building.

It is clear from the United Kingdom’s willingness and prioritization of such a code of conduct that AI technology is seen as a method of advancing its healthcare system. It remains to be seen whether the code will be successful and ensure best practices among organizations working together to develop such technologies in the future. As of the date of this article, the government has more pressing priorities, and cooperation with the European Union in this area may be delayed.

The matter has also been discussed at an EU level, and in April 2018, the European Commission published its Communication on enabling the digital transformation of health and care in the Digital Single Market; empowering citizens and building a healthier society (the Communication). The Communication outlines the need for major reforms in the healthcare sector and how developing new and innovative ways of working (through the use of technology and digital platforms) could assist in transforming health care into a modern, innovative, and sustainable sector.

In December 2018, the European Economic and Social Committee (EESC) released its opinion on the Communication (the Opinion), which largely supports the Communication and the Commission’s roadmap for transformation of the healthcare sector, and outlined some observations of which to take note when implementing such a vision of transformation.

The Communication focuses on three key areas:

  1. Citizens’ secure access to and sharing of health data. The Commission highlighted that many data subjects would like to have better access to their health data and have more control/choice over with whom it is shared; however, there is limited electronic access to health records. Often, records are in paper form and scattered among different healthcare providers, i.e., not available electronically in one central location.
  2. Better data to promote research, disease prevention, and personalized health care. Personalized health care is an emerging approach to health care that focuses on using data to better understand individual characteristics to enable care to be provided when necessary. The use of data has increased the healthcare sector’s ability to monitor, identify, and predict healthcare conditions, which also means it is better equipped to diagnose and treat such conditions.
  3. Digital tools for citizen empowerment and for person-centered care. The Commission recognizes that to cope with the ever-increasing demand on healthcare services, health care must move away from treatments and toward health promotion and prevention, which will involve a move away from disease and toward well-being, as well as a move away from fragmented service provisions toward a community-based care model.

Conclusion

There has been significant recognition at national and supranational government levels that AI technology has a role to play in the development of health care; however, many obstacles remain before AI technologies are fully accepted into those healthcare systems. Such issues will require thoughtful and careful consideration by technology developers, healthcare providers, and healthcare professionals to develop a consistent approach to the issues identified as barriers to the full integration of AI technologies into the healthcare systems.

As noted, in the United Kingdom, the government has seen these potential issues arising in discussions about health care and AI and recognizes the potential benefits to the NHS of adopting such technologies. The government has therefore published a code of conduct to ensure that healthcare organizations and those developing AI technologies are working together and upholding best practices when dealing with patient data.

In the European Union, the Commission has been considering more effective ways to encourage AI technology in the healthcare sector and has identified some barriers to adoption of AI technology in the healthcare sector and set out some proposals to remedy this.

In the United States, AI technology is becoming more accepted by patients and providers, but regulations are lagging behind innovation and acceptance, which may be dangerous to patients. In addition, the uncertainty around liability, ownership, etc. may be dampening progress in the United States, not to mention the uncertainty around whether AI technologies (and automation in general) will create jobs or eliminate them.

We hope that, moving forward, AI technology companies and the healthcare sector find a way to partner successfully, utilizing patient data in a safe and secure manner while training AI technology/machines to provide healthcare assistance in the future, and ensuring that our healthcare systems move with the times and cope with mounting pressure on staff, time, and resources to the benefit of all.


The authors thank the Health IT Task Force of the Cyberspace Committee for support and assistance with the article.

Freeze in Time that Saved Priority: Lapsed Financing Statement in Bankruptcy

Introduction

 The Bankruptcy Court for the District of Maryland recently ruled that a secured creditor retains its priority over other junior creditors even though its UCC financing statement lapsed during the bankruptcy case.  The case resolves a conflict between federal bankruptcy law and UCC state law. The freeze rule maintains the petition-date priority of the secured creditors throughout a bankruptcy case.

The Case: Firstrust Bank v. Indus. Bank (In re Essex Constr., LLC), 591 B.R. 630 (Bankr. D. Md. 2018)

Essex Construction, LLC filed for bankruptcy under chapter 11. On the petition date, two banks held perfected security interests in the debtor’s assets: Firstrust Bank and Industrial Bank. On the petition date, Industrial held the senior interest. Industrial recorded its UCC-1 financing statement in 2012; Firstrust in 2014. The debtor filed for bankruptcy in 2016. One year later, in 2017, and while the case was still in chapter 11, Industrial’s financing statement lapsed.

The issue centers on the post-petition lapse of Industrial’s financing statement. Neither bank disputed that Industrial held the senior interest on the petition date. They disagreed on the effect of the post-petition lapse. Firstrust argued that state law—Article 9 of the UCC—mandates that it should jump Industrial in priority and that a chapter 11 proceeding should not change this result under state law. Industrial asserted that the freeze rule in bankruptcy rendered the post-petition lapse inapplicable for determining priority.

Priority Lost: Article 9 of the UCC

Under section 9-515 of Maryland’s UCC, a filed financing statement remains effective for five years. Industrial filed its statement in 2012, and it remained effective until 2017. Absent the filing of a continuation statement, the financing statement lapses on the expiration date and the security interest is rendered unperfected pursuant to section 9-322(a)(2), which states that a perfected security interest has priority over a conflicting unperfected security interest. In short, a secured creditor will lose its place in line if it fails to file the continuation statement. Under this rationale, Firstrust argued that its security interest had priority over Industrial’s conflicting unperfected security interest because of the lapse in 2017.

Firstrust relied on legislative history. It noted that the UCC used to state the following: “[i]f a security interest perfected by filing exists at the time insolvency proceedings are commenced by or against the debtor, the security interest remains perfected until termination of the insolvency proceedings.” That language was removed in the current version of the UCC. Firstrust argued that the removal of this language evidenced the legislature’s intent to eliminate the freeze rule. That rationale, however, was not supported by the comments to section 9-515, which explain that the legislature did not intend to eliminate that rule. Rather, the comments confirm that the effect of the lapse on priority is left to courts to decide based on federal bankruptcy law.

Priority Regained: Freeze Rule in Bankruptcy

In bankruptcy, the freeze rule freezes the priority of a security interest as of the petition date, which will remain the priority throughout the bankruptcy case. This principle has been recognized by the U.S. Supreme Court since at least 1931: “valid liens existing at the time of the commencement of a bankruptcy proceeding are preserved.” Isaacs v. Hobbs Tie & Timber Co., 282 U.S. 734, 738 (1931).

Two leading cases explain how the freeze rule works. In Halmar Distributors, a debtor moved its inventory to Massachusetts. The senior secured creditor filed proper financing statements in New York, but the junior filed in both New York and Massachusetts. Under the UCC, the senior had to file in Massachusetts within four months to maintain its position. It failed to do so. Yet the court found that the senior maintained its position because the lapse occurred after the debtor filed for bankruptcy. The senior secured creditor’s position was frozen in time on the day of the petition.

The second case is Chaseley’s Foods. It also involved the effect of a lapsed financing statement on a secured creditor’s priority. Again, the court found that the secured creditor maintained its status despite failing to file a continuation statement during a bankruptcy case. The court also addressed the effect of the UCC. It concluded that a bankruptcy case maintains the priority of a secured creditor regardless of whether a provision in the UCC reaffirms this principle. The lapse makes no change.

That is what happened here. Before bankruptcy, Industrial had priority over Firstrust. On the day of the bankruptcy filing, Industrial had priority over Firstrust. Throughout the bankruptcy case, Industrial had priority over Firstrust. Nothing changed when Industrial’s financing statement lapsed shortly after the bankruptcy filing. Under the UCC, Industrial would have lost priority. But the freeze rule maintained Industrial’s priority—a result that the drafters of the UCC affirmed in their comments to Article 9. A senior secured creditor in bankruptcy need not file a continuation statement to maintain its priority.