Cyberspace Law Committee Presents Global Privacy Checklist

If you are a lawyer who does not specialize in privacy, you may be familiar with the feeling of dread that creeps into your heart when a client requests your counsel on how to comply with data privacy laws. The feeling is well-founded. There is no single statute you can consult to provide the needed advice. In the United States, the law of privacy is commonly referred to as “sectoral,” meaning that there is no overarching legal regime covering privacy generally, but rather a series of federal laws (and often accompanying regulations) that each govern a particular subject matter. Nor is privacy protection exclusively on the federal level; federal law does not generally preempt state privacy laws, and state legislatures have not been shy about enacting their own privacy regulations. If your client operates an internet-based business or otherwise serves customers beyond the borders of the United States, the client may also be subject to the privacy regulations prevailing in other countries and trading blocs, which are in many cases intentionally written to have extraterritorial effect.

For those of you who may be experiencing this sort of dread, the ABA’s Cyberspace Law Committee now offers a helping hand. The committee’s Consumer Privacy and Data Analytics Subcommittee has assembled an international group of privacy experts and tasked them with compiling a guide to privacy laws from multiple jurisdictions around the world—the Global Privacy Checklist. The Checklist is a valuable starting point for any lawyer who counsels clients on complying with privacy laws. It serves as a pointer to the most salient of those laws in multiple jurisdictions: U.S. federal, U.S. states, Australia, Canada, the European Union’s General Data Protection Regulation, and the member states of the European Union.

The Checklist is an Excel spreadsheet, with each of the covered jurisdictions occupying its own tab. It is organized around a user-friendly “if-then” framework. For example, the U.S. federal tab includes the “if” statement: If “You collect and use email addresses for commercial purposes.” The “then” statement points the user to the relevant legal rules: “Then consider the applicability of” the “Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM): 15 U.S.C. §§ 7701–7713.” What follows is a summary of the rules that must be followed to comply with the CAN-SPAM Act.

Defining the scope of laws to include within the privacy rubric is more difficult than it may seem. Laws addressing data privacy are related to, and sometimes overlap with, those addressing data security; therefore, the Checklist’s coverage sometimes includes security laws. Coverage of all U.S. state laws relating in some way to data privacy would exceed the scope of the project and the resources available to it. To make the project manageable, the Checklist’s U.S. states tab is limited to the five most commonly encountered areas of privacy regulation: general privacy, data of children, biometric data, health data, and financial data. Coverage of the EU member states is also limited to a few key subject areas.

As valuable as the Checklist is, it has a few important limitations. It does not cover case law or determinations by regulatory agencies. Nor does it include proposed legislation, which is voluminous in light of the number of jurisdictions included among the U.S. states and the EU member states. The authors of the Checklist have sought to represent the state of the legal landscape as of the date of its publication. Inevitably, however, there will have been recent legal developments in some of the many covered jurisdictions that will not have come to their attention in time to include them. Given the dynamic nature of regulation touching upon privacy and the limited resources available, it is not feasible to keep the list continuously updated. We hope to update the Checklist annually, however, as resources allow.

Readers are encouraged to communicate with the Checklist’s editors and let us know of any new or additional laws or regulations that should be considered when the Checklist is updated. Our contact information: John Isaza, [email protected], and John Rothchild, [email protected]. The editors extend a hearty thanks to the team of volunteers whose efforts made this Checklist possible. They are listed in the contributors tab.

State Legislation Precluding Compelled Arbitration in Sexual Harassment Claims and the FAA

Recently enacted state laws targeting arbitration provisions in employment agreements specifically related to sexual harassment have come into conflict with the Federal Arbitration Act (FAA), as illustrated by recent court decisions in New York and California.

In the shadow of the #MeToo movement, many states sought to strengthen their human rights laws to combat the prevalence of sexual harassment in the workplace. One of the tools put forth in state statutes was to prohibit the use of the arbitral forum for claims of sexual harassment. This has resulted in a predictable clash with the mandates of the FAA, which provide that arbitration provisions in contractual agreements shall be upheld and binding on the parties with limited exceptions.

For instance, in New York, the state passed legislation in 2018, N.Y. C.P.L.R. § 7515, prohibiting the use of arbitration agreements for claims of sexual harassment regardless of the FAA. As a result, in Latif v. Morgan Stanley & Co. LLC, 2019 WL 2610985 (S.D.N.Y., June 26, 2019), the opposing positions of the FAA and the state legislation resulted in District Court Judge Denise Cote holding that the state law ban on mandatory arbitration in sexual harassment cases was preempted by the FAA.

As a general proposition, Judge Cote noted that the FAA preempts any state law that discriminates on its face against the FAA. The New York statute specifically provided that any mandatory arbitration provision in an employment contract which provides that arbitration is the only and final remedy for such a claim is “null and void.” Latif went to the Second Circuit Court of Appeals, where an application for an en banc hearing was submitted. The Second Circuit dismissed the appeal on January 15, 2020, for lack of jurisdiction because the district court had stayed the federal action pending arbitration, citing Katz v. Cellco P’ship, 794 F.3d 341 (2d Cir. 2015), which provides for a stay of the federal action where an arbitration is compelled; as such, there is no final determination to appeal. It is this author’s sense that, but for this stay, deference still would have been given to the FAA.

California recently passed legislation, Assembly Bill No. 51 (AB 51), banning employers from requiring the execution of an arbitration agreement as a condition of employment and prohibiting any discrimination or retaliation against employees who refuse to sign such an agreement. The legislation was scheduled to take effect on January 1, 2020, and it covered under its rubric not just sexual harassment claims, even though it was inspired by the #MeToo movement, but any employment-related disputes. On December 30, 2019, the federal district court in the Eastern District of California in the case of Chamber of Commerce of the United States of America, et al. v. Becerra, et al., 2:19-cv-2456 (KJM) (DB), issued a TRO until a hearing could be held on a temporary injunction, and the court noted that this was due to the conflict between the state law and the FAA and the upheaval the law going into effect would have on employment agreements, even in the short term, where there is a serious question as to whether the law is preempted by the FAA. After hearing oral argument, the court temporarily enjoined the enforcement of the California statute on January 31, 2020.

Congressional action to amend the FAA would resolve this dispute. For instance, the Arbitration Fairness Act of 2017 was introduced in the 115th Congress to prohibit forced arbitration agreements for employment claims as well as civil rights and commercial claims. This legislation expired at the end of the 115th session without further action; however, similar legislation was introduced in the 116th Congress as the Forced Arbitration Injustice Repeal Act of 2019. It was approved by the House on September 20, 2019, by a vote of 225-186, but has not been acted upon by the Senate. In addition, there has been bi-partisan legislation specifically targeting sexual harassment arbitration. The legislation, Ending Forced Arbitration of Sexual Harassment Act of 2017, which expired with the 115th Congress before being acted upon, has been reintroduced as Ending Forced Arbitration of Sexual Harassment Act of 2019 in the 116th Congress and is still going through the legislative process. This bill would provide a carve-out in the FAA for sexual harassment claims and may be a compromise versus banning all employment-related arbitrations.

As of today, the inherent conflict between the FAA and the states’ attempts to take steps to combat sexual harassment by targeting arbitration clauses will continue to be fought in cases such as the ones discussed above until the question reaches the Supreme Court or Congress takes action.

Getting Full Insurance Coverage for Your Actual Cyber Exposures: A Users’ Guide to the Nit and the Grit

By now, most businesses accept ongoing cyber threats as a fact of life. How could they not with the onslaught of daily news reporting about malware, phishing, ransomware, viruses, and various other hacking attacks? Some firms, accepting the reality of the threats, are deciding whether to ignore their cyber risks, fix them, or transfer them by way of insurance. This article considers this last option, specifically how you can obtain full insurance coverage for your actual cyber exposures at a fair premium.

Although not impossible, the process is a good deal more complex than, say, purchasing adequate fire insurance. What follows is a step-by-step primer on how to get the job done. In a nutshell, you must first thoroughly assess your IT and non-IT risks and then retain a broker knowledgeable in cyber-risk insurance coverage so you can come to the bargaining table with an accurate understanding of the coverage you actually need.

Essential Steps

Step One. It is absolutely critical that you have a thorough, comprehensive assessment of your cyber exposures in hand to enable your critical decision-making. This assessment should cover your IT risks, including systems security, policies, procedures, and training, and your non-IT risks, including social media usage and policies, bring-your-own-device policies, Cloud-computing contracts, Internet of Things exposures, and compliance issues. Without such a thorough and comprehensive assessment, you simply cannot make informed, cyber risk-management decisions to protect your business.

Step Two. Retain a sophisticated broker who is savvy in the various cyber insurance coverages offered. There are a great number of underwriters offering cyber risk coverage, with the various coverages differing in the risks covered, the assessment of a policyholder’s risks, and the premiums charged. Only a truly qualified broker, experienced in the marketplace, can guide a business through the maze to the right coverage.

Step Three. This is the promised nit and grit. Any business needs two major classes of coverage: first-party liability coverage for risks it cannot remediate but are too pressing to ignore, and third-party liability coverage for damages it might cause, directly or indirectly, to third parties. An example of the former would be the intrusion of a virus that causes a disruption in a firm’s business, and of the latter a hacking attack that causes a breach or loss of a client’s data. The coverages set out below are those you should discuss with your broker and insist upon when you have the data to indicate the real risks.

Primary Liability Coverages

First-party liability coverage is for your firm to cover the costs incurred from a break-in to your systems. The essential elements of the coverage are:

  • Theft and fraud coverage for some of the costs of a theft or destruction of your data, or theft of your company’s funds. How much coverage you may be able to obtain may depend on how well-versed you are in the actual costs your business will incur.
  • Forensic investigation coverage for determining the cause of the intrusion.
  • Network and business interruption coverage can be the most important part of your cyber coverage. The carrier may impose limitations to this coverage, but one of them you should not permit is specifying that the intrusion must be caused by an intentional cyber attack. Not only may “intentional” be hard to prove, but for your business the result is the same: you are losing money because of the attack. Reasonable conditions on the coverage may include a time limit on when the coverage begins and the total length of outage the insurance will cover. You can negotiate these limitations if you are fully prepared to discuss the business exposures giving rise to the coverage you are seeking, including contingent business expenses which you probably will not be able to quantify in advance.
  • Extortion is coverage for the cost of the “ransom” you may be required to pay to get your systems back online. Although there is no way to quantify the demand in advance, ransomware tracking shows these demands are on the rise.
  • Data loss and retention is coverage for the cost of restoring any data that may have been lost and possibly the cost of diagnosing the cause of the loss. It may be expensive because it is typically subject to substantial retentions. You should ensure, to the extent possible, that this coverage is not limited in terms of the cause of the loss. In this regard, it will be important for you to be able to demonstrate that you have taken the necessary measures to remediate, within your firm’s capability, any potential IT or non-IT exposures revealed by your assessment so that the insurer is comfortable with not including a cause-of-loss limitation.

Third-party liability coverage is to cover claims by third parties whose data within your possession has been hacked into or otherwise compromised. The essential elements follow:

  • Privacy coverage is to address claims by your firm’s customers, clients, and employees for breaches of their confidential information. This coverage should include any failure to protect the data, rather than specifying that the breach be intentional. You should also seek coverage for any failure to report the breach under applicable state reporting requirements, or failure to disclose a breach under applicable privacy laws.
  • Regulatory actions coverage should include defense costs for any governmental or civil investigations or requests for information, beginning with the onset of the investigation, whether or not the investigation is instigated by a formal complaint or “suit.” You also will need coverage for civil fines and penalties.
  • Notification costs include notifying third parties who may have been affected by your data breach. You should be prepared to inform the insurer of the number of people to be notified and the method and cost of notification. Ensure this data is included in the policy along with a provision allowing you to update this data on a regular basis. Given the constantly changing landscape of individual state notification laws, it behooves your counsel to keep track of the state requirements that may apply to your clients.
  • Crisis management is an important element of this coverage to defray the public relations costs of defending or repairing your reputation. These costs may be difficult to quantify in advance, but you would be advised to consider coverage to support a substantial budget. Reputational restoration can be one of the most important aspects of your post-breach efforts.
  • Call-center costs may be one of the most significant of your post-breach expenses. It is important to have coverage for these costs included, along with the number of people eligible to receive call-center services, the specific call-center services to be provided, and the call center’s hours.
  • Credit/identity monitoring coverage is included in most policies but may be limited by the individuals who can receive the services and the list of approved vendors.
  • Transmission of viruses and malicious code protects against liability claims for damages for the transmission of viruses or other malicious code or data from your system to another system. Although important if your system is capable of this kind of transmission, you do not want to pay for unneeded coverage.

Other Important Considerations

Types of policies. Policies are generally divided into two major categories: “claims made” and “occurrence.” A claims made policy is triggered when a claim is made against the insured during the current policy period, regardless of when the act that gave rise to the claim took place. Occurrence policies cover claims that arise out of damage or injury that took place during a policy period, regardless of when claims are made. Most commercial general liability insurance is written on an occurrence form.

By way of example, a claim made by a customer in the current policy year that it suffered damage 10 years ago would be covered by a current claims made policy. On the other hand, a claim made that the damage occurred in a 10-year-old policy period, but not made until five years later, would be covered by an occurrence policy.

Trigger. Cyber policies, whether claims made or occurrence, typically are triggered by an event that results in the loss of data during the policy period. The claims-made policies typically are more restrictive in terms of the events that can trigger coverage, and the timing of resulting claims in relation to the loss may limit or preclude available coverage. Thus, you may find the occurrence policies preferable, their higher premiums notwithstanding.

Defense obligations. In some cyber policies, the defense obligation can be triggered only by a “suit,” which requires a lawsuit or written demand against the insured. This definition may preclude defense of a claim that has yet to ripen into a lawsuit or written demand, where much of the defense costs on a particular matter may be spent. You should argue for less restrictive defense language so that there are no limitations as to coverage for governmental actions including investigations.

Choice of defense counsel. In some cyber policies, defense costs are covered only to the extent that the insured chooses from the insurer’s list of “panel” law firms. If the insured chooses a different firm, its defense costs probably will not be covered.

Given the substantial costs likely to be associated with a significant data breach—costs that could exceed the limits of the primary and applicable excess policies—you should have substantive input in the choice of counsel. Accordingly, you should argue for a policy with a balanced choice of counsel language, e.g., the insured and the insurer should mutually agree on defense counsel, and if they cannot agree, the insured will choose counsel for which the insurer shall pay up to a set hourly rate.

Retroactive coverage. Cyber policies often contain a “retroactive date” under which losses arising from events prior to that date will not be covered. Insurers often would like to fix the retroactive date at the initial date of coverage. Given that exposures unknown to you may have occurred some time ago, you should negotiate a retroactive date as far back as you can reasonably determine your exposures may have arisen.

Vendor liability. Acts and omissions of third parties may not be covered expressly, or may even be excluded, under some cyber policies. By way of example, if a company uses the services of a third-party vendor to maintain its confidential customer or employee information in the Cloud, and the vendor experiences a data breach, your firm could be sued by its customers or employees. Whether you have coverage will depend on the policy language. Some cyber policies provide coverage for breaches of data maintained by third parties so long as there is a written agreement between the insured and the vendor to provide such services.

If you rely on a third party to maintain any of your confidential information, you should consider seeking a policy that expressly covers breaches of data maintained by the third party.

In the alternative, your contract with your cloud provider should include indemnification language backed up by a provision that the provider will maintain verifiable cyber-risk insurance. Self-insured retention language applicable to your coverage should be clear that any payments made by the third party indemnifying the company for loss sustained by the breach count toward satisfaction of the retention.

Loss of unencrypted data. Coverage for data lost from unencrypted devices is often excluded in cyber policies. If you must live with this limitation, ensure you have an enforceable policy that all personal information or sensitive firm information, in any format, is encrypted on individual devices. The better firm policy would prohibit personal information and sensitive firm information from personal devices, period.

Identity of covered entity. Many cyber policies define covered persons, for liability purposes, to include only natural persons. Your policy should accurately define the entity or entities who may be affected. This would also be the place to include any other entities who should be listed as additional insureds.

Policy territory outside the United States. Even if your firm does not operate outside the United States, your employees may lose their laptops, PDAs, and other electronic devices containing confidential information, or have them stolen, while traveling abroad. Many cyber policies attempt to restrict the applicable coverage territory to the United States and its territories. You should ensure that your cyber policy provides coverage for losses or thefts of confidential information that occur outside the United States.

Breaches unrelated to electronic records. Some cyber liability policies restrict coverage to loss or theft of electronic data. Given that many breaches occur as a result of loss or theft of paper or other nonelectronic records, your policy should cover both electronic and other forms of records.

Location of security failure. Some cyber insurers attempt to limit coverage to physical theft of data from company premises. This limitation would deny coverage from claims arising from laptop, PDA, or thumb drive thefts. Other policies limit coverage for data breaches resulting from password theft to situations where the theft occurs by nonelectronic means. You would be well advised not to permit these kinds of limitations, which could be costly in the long run.

Exclusions for generalized acts or omissions. Some cyber insurers will attempt to exclude coverage for losses arising from: (1) shortcomings in security of which the insured was aware prior to the inception of coverage; (2) the insured’s failure to take reasonable steps to design, maintain, and upgrade its security; and (3) certain failures of security software. If your firm performs a thorough cyber-risk assessment and acts on the remediation recommendations in the assessment, you should be able to demonstrate that, in your case, these kinds of exclusions should not be included.

Exclusions for acts of terrorism or war. Many cyber policies include this common exclusion, which would seem to apply to an attack by a foreign nation. If you cannot get the insurer to leave this exclusion out, then consider purchasing alternative coverage that would address your concerns.

Conclusion

You absolutely can achieve your goal of obtaining cyber-risk coverage for your full range of cyber exposures, but only if you have a thorough assessment of your IT and non-IT risks in hand, retain a broker knowledgeable in cyber-risk insurance coverage, and come to the bargaining table fully prepared with the essential facts as outlined above.


Please feel free to contact the author:
Edward (“Ned”) M. Dunham, Jr.
Spector Gadon Rosen Vinci P.C.
1635 Market Street, 7th floor
Philadelphia, PA  19103
[email protected]
(215) 241-8802

Fintech Oversight—Collaboration Is Needed Now More Than Ever

For over a decade, financial firms have been collaborating with financial technology (fintech) companies on an array of products and services. The explosive growth of these collaborations has resulted in massive investments. As of Q3’19, these collaborations raised $24.6B. The growing use of fintech may be attributable to: (1) ongoing innovation, (2) more options and benefits for consumers, and (3) enhanced operational capabilities and efficiencies for financial institutions. Financial firms can use fintechs in place of outdated legacy models to deliver financial services to consumers. Tech-savvy consumers have access to services (often on their smartphones) that enable them to conduct trades, pay bills, and manage their funds. Start-up fintechs can leverage the name, resources, and access to well-established financial firms to deliver their technology products and services to a growing consumer pool.

Although these collaborations appear to be a win-win situation for all parties, growing risks have prompted greater regulatory focus, not to mention the need for better-defined compliance frameworks to manage risks.

Limited Oversight

For years, there was little to no oversight of fintech collaborations. The evolving and innovative nature of fintechs created the perfect environment for unknown or undetected compliance risks. Financial regulators were unfamiliar with these products and, as a result, unsure about how to regulate them. Requirements were murky at best, leaving the financial industry vulnerable to fraud, money laundering, terrorist financing, cybercrime, and other illegal activity.

More Focus, More Regulation

The “limited oversight” approach proved to be unsustainable as the growth and complexity of fintech partnerships triggered unique legal, regulatory, reputational, and other risks. In response, financial services regulators are stepping up their efforts to ensure better and more specific oversight of fintechs.

In the United States, regulators are incorporating fintechs into enforcement and rulemaking actions involving: (1) consumer protection laws; (2) licensing requirements; (3) anti-money laundering and know-your-customer rules and regulations; (4) privacy and data security regulations; (5) cybersecurity regulations; and (6) special considerations involving Blockchain and cryptocurrency.

As this is happening, regulators are trying to strike the right balance between promoting innovation and regulating these efforts properly. At the federal level, the Consumer Financial Protection Bureau (CFPB) has launched its Innovation Office that houses various resources, including a Compliance Assistance Sandbox, to help companies test innovative products and services for a limited period while sharing data with the CFPB. The CFPB has also launched the American Consumer Financial Innovation Network (ACFIN), a partnership with multiple state regulators to serve as a network that will help enhance coordination among federal and state regulators to facilitate financial innovation.

States are also getting into the act. Arizona’s fintech sandbox was the first state sandbox that allows participants to test-drive their products temporarily under regulatory supervision. Other states such as Wyoming, Utah, and Nevada are following Arizona’s lead with similar models.

Growing regulatory focus at both the federal and state level is creating the potential for a patchwork of state and federal requirements. This potential outcome is further complicated by global regulations in that fintech arrangements often facilitate access to a global consumer base. With access comes the application of complex and often restrictive laws, such as the European Union’s General Data Protection Regulation (GDPR). Additionally, various countries around the world are assessing current requirements to ensure they adequately manage the risks posed by fintechs. The Global Financial Innovation Network (GFIN) has emerged as an international effort for collaboration by regulators and numerous U.S. federal and state regulatory agencies, including the CFPB and the New York Department of Financial Services.

Embrace Compliance

So, what should fintech collaborations do? In response, these collaborations should have a practical and documented plan to establish and maintain a strong compliance program to manage risks and to prepare for expanded regulatory scrutiny. Begin with the following preliminary steps: (1) know the current regulatory environment and applicable requirements at the state, federal, and international levels; (2) document current controls (no one needs to begin with a blank slate); and (3) identify risks (by priority) for engaging in these collaborations.

The next step should be to launch efforts to establish and maintain effective compliance controls. A sample framework for a fintech compliance program can include: (1) a dedicated compliance program administrator; (2) risk assessments to identify and address risks; (3) policies and procedures; (4) oversight measures to periodically assess the effectiveness of program controls; (5) maintenance of program controls through ongoing monitoring of regulatory and internal developments; (6) third-party management; (7) delivery of training; (8) recordkeeping requirements; (9) an escalation process for reporting violations; and (10) periodic reporting on the program. Feel free to make adjustments based on your needs and requirements, but do not put off critical measures, and plan for what cannot be done immediately.

Make sure to factor in special considerations for a fintech compliance program, such as: (1) controls around how personal information is collected, managed, stored, and handled in any other way; (2) AML/CFT and KYC controls to help flag, address, and manage money laundering and suspicious activities as well as maintain customer due diligence protocols; and (3) information security controls to manage breaches of company information to ensure a timely and effective response.

Some final considerations revolve around who must be involved. It is critical to engage legal, compliance, and risk personnel early and throughout the planning and implementation of fintech collaborations and compliance programs. Separately, regular presentations should be made to educate and inform boards and management on the fintech compliance program, as well as existing and emerging fintech-related issues and challenges. Management and the governing authority of the company must be knowledgeable about risks to make well-informed decisions.

Conclusion

Fintechs are no longer market disrupters and are here to stay as integral players in the financial services sector. However, their success cannot be sustained without the responsible delivery of products and services, which is why fintech compliance must be an integral part of any collaboration. Effective compliance requires, at a minimum, knowledge of fintech regulatory requirements and issues. It also requires a documented and effective compliance program to help identify, manage, and possibly prevent regulatory, reputational, and unforeseen risks. Anything less could have an immediate or long-term impact on the fintech’s credibility, bottom line, and ultimately its business viability.

FTC and CFPB Host Workshop on Accuracy in Consumer Reporting

On December 10, 2019, the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) held a joint workshop on accuracy in consumer reporting. The workshop included remarks from FTC Commissioner Noah Joshua Phillips, CFPB Assistant Director for Supervision Policy Peggy Twohig, CFPB Deputy Director Brian Johnson, and FTC Deputy Director for the Bureau of Economics Andrew Stivers. The workshop included four panels:

  • Panel 1: Furnisher Practices and Compliance with Accuracy Requirements
  • Panel 2: Current Accuracy Topics for Traditional Credit Reporting
  • Panel 3: Accuracy Considerations for Background Screening
  • Panel 4: Navigating the Dispute Process

Panelists included a range of stakeholders in the consumer reporting ecosystem, including representatives from consumer reporting agencies (CRAs), trade associations, furnishers, and consumer advocacy organizations.

In her closing remarks, Maneesha Mithal, associate director in the FTC’s Division of Privacy & Identity Protection, discussed three key takeaways and themes from the workshop:

  • Alternative Data. Mithal noted that the issue of alternative data came up on almost every panel, and that there appeared to be a consensus that using some types of alternative data may benefit consumers and the industry. Mithal noted that a number of panelists expressed caution about using “fringe data,” including social media data. In a panel discussion, Michael Turner, founder and president of the Policy and Economic Research Council (PERC), drew a distinction between “proven payment data,” including payments for utilities, media, and rent, and unproven “fringe data” or “unstructured data,” including information from social media. Turner, along with a number of other panelists, believed that reporting proven payment data would be beneficial for consumers. Francis Creighton, president and CEO of the Consumer Data Industry Association (CDIA), noted that consumers are currently experiencing the “downside” impacts of the reporting of negative information about the nonpayment or late payment of obligations for utilities, media, and rental housing, but are not receiving the “upside” benefits of reporting on the positive payment histories on those recurring obligations. Consumer advocates, such as Ed Mierzwinski of the U.S. Public Interest Research Group (PIRG), expressed skepticism regarding the use of certain alternative data, such as utility payment data, and the ability of the industry to ensure the accuracy of such data.
  • Role of Technology. Mithal also noted that there was some consensus that technology, including artificial intelligence (AI) and pattern recognition, may improve the quality and accuracy of consumer report information. Mithal stated that there appeared to be less consensus regarding the use of technology in data matching, with some panelists expressing the view that manual review is still necessary to ensure maximum possible accuracy. Mithal also noted that some panelists expressed the view that the CFPB should exercise its supervisory authority to examine CRAs and furnishers’ use of technology in consumer reporting.

    In general, industry panelists spoke favorably about the prospects for AI and other technologies. For example, Eric Ellman, senior vice president of public policy and legal affairs at CDIA, discussed the use of technology in dispute intake, including filtering credit repair disputes from legitimate consumer disputes. Chi Chi Wu of the National Consumer Law Center expressed skepticism about relying on AI and other technologies for data matching and dispute investigations.

  • Accuracy. Mithal concluded by discussing the accuracy of consumer reporting more generally, and stated that some panelists believe that regulators should issue specific guidance in this area. Mithal also noted that panelists discussed the importance of data accuracy with respect to both consumer reports and furnished data, including ways in which CRAs may oversee furnishers.

    In general, industry panelists pointed to substantial improvements made in recent years with regard to the accuracy of consumer reports, with repeated emphasis on improvements brought about by the National Consumer Assistance Plan (NCAP), an outgrowth of a multistate attorney general settlement with the three nationwide CRAs in May 2015. Turner discussed improvements between the early and more recent studies of data accuracy. Consumer advocates stressed continuing problems with data accuracy, including the reappearance of derogatory information on consumer reports.

Additional themes from the panels include:

  • Market Interest in Ensuring Accuracy. Many industry panelists emphasized that CRAs and furnishers benefit from an accurate and reliable consumer reporting system. These panelists explained that it is not beneficial to the market for CRAs or furnishers to provide inaccurate information, which could lead to financial institutions making incorrect credit or employment decisions. Creighton pointed to the financial crisis as an example of the risks associated with providing credit to consumers who cannot afford it. Mierzwinski disputed these accounts, pointing to certain studies that found high rates of inaccuracies on consumer reports and claiming that CRAs should invest more in technology. Representatives from the nationwide credit bureaus disagreed and described significant investments in technology to improve data accuracy and monitor furnishers.
  • Encouraging Smaller Furnishers to Furnish. Elisabeth Johnson-Crawford, the chief technical officer at Credit Builders Alliance (CBA), explained that CBA’s members would like to furnish information about their clients, who are typically low-income individuals seeking to build good credit. Johnson-Crawford described the standard Metro-2 format used for reporting information to the three nationwide CRAs as complex and a potential barrier for smaller companies to furnish information. Johnson-Crawford also discussed her members’ reliance on software vendors for furnishing data, and stated that regulators should provide additional incentives for these software vendors to ensure the accuracy and integrity of credit reporting data. Johnson-Crawford emphasized that in light of the regulatory environment, smaller furnishers are hesitating to furnish data to CRAs unless they are sure they can do it correctly.
  • Credit Repair Companies. There was a general consensus among panelists that the rise of credit repair companies is a negative factor in the credit reporting ecosystem. According to panelists, some credit repair companies are charging consumers high fees in exchange for submitting a large volume of disputes to CRAs for the purpose of removing accurate but negative information from consumer reports. Some panelists called for regulatory intervention to address this issue.
  • Supervisory Highlights. Several panelists referenced the Supervisory Highlights Consumer Reporting Special Edition that the CFPB released on December 10, 2019, which includes key findings from the bureau’s supervisory work with CRAs and furnishers. Some panelists praised the publication as a way for furnishers and CRAs to benchmark their own policies and procedures with respect to credit reporting, and to learn lessons from the mistakes of others. Wu cited the report’s findings that some CRAs are still relying on furnishers for reinvestigations without conducting an independent review. However, the CFPB found that examiners “have also observed significant improvements in [FCRA and Regulation V protections], including continued investment in FCRA-related CMS.”

The FTC and CFPB accepted comments on a wide range of topics affecting the accuracy of consumer reports until January 10, 2020. The FTC and CFPB did not discuss how they might use the workshop discussion and comments received.

The Small Business Reorganization Act: Big Changes for Small Businesses

Legal commentators have long lamented that chapter 11’s high costs and complexities make it too difficult for small businesses to successfully reorganize.[i] In response to these concerns, Congress recently passed amendments to the Bankruptcy Code known as the Small Business Reorganization Act (SBRA). On August 23, 2019, SBRA was signed into law.[ii]

Before SBRA, struggling businesses considering bankruptcy had two options: chapter 7 or chapter 11. Upon the filing of a chapter 7 case, a bankruptcy estate is created that is comprised of the debtor’s nonexempt property. A trustee is appointed to liquidate the assets of the bankruptcy estate and distribute the proceeds to the debtor’s creditors. Chapter 7 is not an option for businesses hoping to survive bankruptcy and retain control of their operations.

In contrast, a chapter 11 debtor retains control over its operations and restructures its debts through a court-approved plan. Although the chapter 11 debtor retains control, the debtor is subject to increased oversight from the bankruptcy court and the U.S. trustee. The chapter 11 debtor’s plan to repay its debts must meet stringent requirements and be confirmed (i.e., approved) by the bankruptcy court before the debtor can exit bankruptcy. While in bankruptcy, the debtor is required to obtain the court’s approval of all nonordinary course-of-business transactions and must comply with the U.S. trustee’s monthly reporting requirements. As a result, a small business may not be able to afford the costs of a chapter 11.

The SBRA endeavors to strike a balance between chapter 7 and chapter 11. Under the SBRA, certain debtors can retain control over their business operations while reorganizing.[iii] However, they will no longer be subject to the more costly requirements in chapter 11.[iv] Unlike chapter 11, a trustee will be appointed to each small-business debtor case. The SBRA’s sponsors explain that the trustee will “perform duties similar to those performed by a . . . Chapter 13 trustee and help ensure the reorganization stays on track.”[v]

In addition, the SBRA provides that a committee of creditors will not be appointed unless ordered by the bankruptcy court for cause.[vi] This should decrease the costs of a chapter 11. When a creditor committee is formed in a chapter 11 case, the committee can hire its own professionals. However, the debtor is required to pay for the fees and costs of the committee’s professionals. Generally, the SBRA will now allow the small business debtor to avoid this additional expenditure.

Many of the SBRA’s amendments will streamline the plan confirmation process and potentially reduce plan confirmation costs. In a chapter 11 case, the debtor must file a disclosure statement with the bankruptcy court. The disclosure statement is a detailed document intended to inform creditors of key provisions in the debtor’s plan. It must be approved by the bankruptcy court before creditors can vote to accept the debtor’s plan. Under the SBRA, a debtor will generally not be required to prepare a disclosure statement.[vii] In a chapter 11 case, the debtor’s exclusive right to file a plan is limited. Once this exclusivity period expires, creditors are free to file their own competing plans. The SBRA permits only the debtor to file a plan of reorganization.[viii] The SBRA’s elimination of a disclosure statement and potential competing plans will prevent contested hearings that prolong the reorganization process and increase costs for debtors.

The SBRA also relaxes the requirements to confirm a plan. First, the owners of small-business debtors can retain their ownership interest provided the plan does not “discriminate unfairly” and is “fair and equitable.”[ix] It is also easier for the small-business debtor to confirm a plan over creditors’ objections. Essentially, a plan will be confirmed so long as it provides that all projected disposable income for three to five years will be used to make plan payments.[x] In addition, the required plan contents under the SBRA are less stringent than those for chapter 11 plans.[xi]

Ultimately, by lowering costs and simplifying the plan confirmation process, the SBRA aims to provide another option for small businesses wishing to reorganize.


[i] See H.R. Rep. No. 116-171, at 3 (2019); American Bar Association Business Law Section, 2019 Spring Meeting Materials and Audio, Too Broke to Go Bankrupt? The Impact of New US Trustee Fees on Midcap Bankruptcy Debtors (Mar. 29, 2019).

[ii] The SBRA will go into effect 180 days after the date of enactment. See H.R. 3311, § 5.

[iii] 11 U.S.C. § 1182 defines a “debtor” as a small-business debtor. Under 11 U.S.C. § 101(51D)(A), “small-business debtor” is defined as a “person engaged in commercial or business activities (including any affiliate of such person that is also a debtor under this title and excluding a person whose primary activity is the business of owning or operating real properties or activities incidental thereto) that has aggregate noncontingent liquidated secured and unsecured debts as of the date of the filing of the petition or the date of the order for relief in an amount not more than $2,725,625. . . .”

[iv] 11 U.S.C. § 1184.

[v] See Senator Chuck Grassley et al., The Small Business Reorganization Act (Apr. 9, 2019).

[vi] 11 U.S.C. § 1181(b).

[vii] A small-business debtor will not be required to file a disclosure statement unless ordered to do so by a bankruptcy court for cause. See 11 U.S.C. § 1181(b).

[viii] 11 U.S.C. § 1189. The SBRA’s deadline for a small-business debtor to file a plan is 90 days from the order for relief with such deadline to be extendable by the court if the extension is “attributable to circumstances for which the debtor should not justly be held accountable.” 11 U.S.C. § 1189(d).

[ix] 11 U.S.C. § 1191(b).

[x] See 11 U.S.C. § 1191(c). Disposable income is defined to mean income that is received by the debtor and that is not reasonably necessary to be expended—

                (1) for—(A) the maintenance or support of the debtor or a dependent of the debtor; or (B) a domestic support obligation that first becomes payable after the date of the filing of the petition; or

                (2) for the payment of expenditures necessary for the continuation, preservation, or operation of the business of the debtor. 11 U.S.C. § 1191(d).

[xi] Compare 11 U.S.C. § 1190 with 11 U.S.C. § 1123.

Mitigating Your Business Risk: Board Responsibilities in Cybersecurity

High-profile cyber breaches have affected millions of customers and employees, resulting in unprecedented losses to businesses through direct costs in responding to the breaches, regulatory penalties, lawsuits brought by customers and business partners, business disruption, reputational damage, and loss of shareholder value. Officers and directors are increasingly facing the possibility of personal liability for these losses.

1. A Director’s Fiduciary Duties

In the past, directors were generally free from personal liability for cybersecurity breaches because directors’ cybersecurity duties were unclear. Personal fiduciary liability claims against Wyndham, Target, and Home Depot directors were all dismissed because the directors’ cybersecurity monitoring duties were not clear enough to be “known duties” that would give rise to personal liability. Courts also concluded that claims that directors should have known of threats or had access to information about threats did not create liability for fiduciaries.

However, current trends suggest that directors might be more likely to face personal liability for cybersecurity breaches in the future as directors’ cybersecurity responsibilities become clearer. Just this year, a judge in Georgia declined to dismiss a claim against a director of Equifax, Inc. who had personal knowledge of cybersecurity vulnerabilities, yet misrepresented the strength of the organization’s technology. Also this year, a judge in California approved the first settlement against directors and officers of Yahoo! Inc. relating to a data breach. The complexity and frequency of cybersecurity breaches, the severe consequences of a breach to corporations, and the growth of the cybersecurity industry all appear to clarify directors’ cybersecurity duties.

When directors fail to institute or monitor cybersecurity measures, or when they consciously disregard red flags that they have a known duty to address, shareholders may bring claims to hold directors personally liable. A recent decision by the Delaware Supreme Court in June of 2019, Marchand v. Barnhill, 212 A.3d 805 (Del. 2019), illustrates the importance of boards exercising reasonable oversight.

Marchand involved an ice cream manufacturer, Blue Bell Creameries, which operated numerous manufacturing plants in the United States. In 2015, Blue Bell suffered a listeria outbreak in several of its manufacturing plants that spread and caused the deaths of three people. The company was forced to recall its products, shut down production at several of its plants, and lay off a large part of its workforce. Blue Bell had a history of food safety violations, but there was little evidence that the board was addressing those concerns. Shareholders sued the officers and directors, alleging that they breached their fiduciary duties of loyalty by failing to make good-faith efforts to ensure that the company’s regulatory compliance programs were adequate. According to the complaint, the board had no committee overseeing food safety, no board-level process to address food-safety issues, and no process to be advised of food-safety reports or developments. Although the Delaware Court of Chancery dismissed the case against the directors, the Delaware Supreme Court reinstated the case, ruling that the complaint adequately alleged that the directors violated their duty of loyalty by consciously failing to attempt to assure that reasonable information and reporting systems existed and by failing to conduct reasonable investigations.

On October 1, the Delaware Court of Chancery denied a motion to dismiss a Caremark claim in In re Clovis Oncology, Inc. Derivative Litigation, C.A. No. 2017-0222 (Oct. 1, 2019). Clovis is the first decision to allow a Caremark claim to proceed beyond the pleadings since the Delaware Supreme Court’s decision in Marchand. The Clovis decision highlights (1) the importance of board-level efforts to oversee compliance with governing law and regulatory mandates, particularly in situations where compliance issues are critical to a “monoline” company, and (2) how stockholders are using books and records demands under 8 Del. C. § 220 to pursue fiduciary claims focused on those same compliance issues.

The principles of Marchand apply directly to cybersecurity risk. If a company suffers significant losses due to a data breach, and it is revealed that the directors failed to design board-level systems to oversee and monitor organization risk, or consistently failed to monitor those systems for red flags or cyber threats or conduct reasonable investigations, they could face personal liability. In June of 2014, then-SEC Commissioner Luis Aguilar counseled boards of directors that they are “already responsible for overseeing the management of all types of risks . . . and there can be little doubt that cyber risk also must be considered as part of the board’s overall risk oversight.”

2. Practical Guidance for Directors and Officers

The following are practical steps that directors and officers should take to minimize cybersecurity risks to their organizations as well as their own risk of personal liability.

  • Understand the laws, regulations, and guidance relating to data security and privacy that are applicable to your organization by consulting with the appropriate experts. Be aware of which regulatory bodies have authority over the organization.
  • Ensure that your organization has conducted a cyber-risk assessment and understand your vulnerabilities. Be aware of what type of data your organization collects or maintains and how the data flows through the organization.
  • For public companies, ensure that there are effective controls and procedures to address cybersecurity risks and incidents in required public filings and disclosures.
  • Ensure that your organization has a written information security program and data privacy and security policies that are tailored to your risk profile. Ensure that employees receive regular and frequent security and privacy training, that policies are regularly updated, and that policies are properly implemented and enforced.
  • Implement cybersecurity reporting systems and controls and monitor these systems to remain abreast of potential risks, red flags, and cybersecurity threats.
  • Ask cybersecurity personnel about the security practices and policies of the organization and about any changes or red flags related to cybersecurity. Consider deficiencies revealed in audits and adopt a security plan that is tailored to the organization’s specific risk profile.
  • Be aware of which members or committees of the board have cybersecurity responsibilities. Ensure that at least one director is sufficiently technically educated to lead board discussions and questions on information security.
  • Include cybersecurity as a regular topic at board meetings and ensure that, in both appearance and substance, the board is focused on the organization’s security.
  • Establish a culture of security by consistently updating and enforcing physical and technological security policies. A “tone at the top” is critical to achieving a culture of security.
  • Oversee the prudent selection and monitoring of vendors and service providers to ensure that the organization’s information remains free of unnecessary risk and that contracts with vendors contain appropriate security and privacy obligations, remedy for breach, and audit rights.
  • Be familiar with insurance policies that cover cyber risk and data breach response. Ask about their policy limits and exclusions, and whether they cover both first- and third-party data losses.

3. Conclusion

Directors and officers have a duty to oversee an organization’s management of its cybersecurity risks. Instituting, updating, and monitoring system controls is key to avoiding personal fiduciary liability, and directors should give special attention to any red or yellow flags. As cybersecurity threats continue to proliferate, directors’ good-faith efforts to fulfill their oversight duties will not only protect them from potential personal liability but will also protect the organization, its customers, employees, and shareholders.

Cannabis Banking: Proceed with Caution

I. Introduction

It is a familiar trope from bank heist movies that the robbers gleefully open the bag stuffed with stolen cash in the get-away car, only to have a hidden canister explode and mark all of the proceeds of their crime with indelible ink. For many marijuana-related businesses (MRBs) in the United States, it must seem that the revenues generated by their businesses bear a similar, if invisible, mark of condemnation, as many MRBs have struggled to find a bank willing to provide basic depositary and other financial services to them. This is due to the curious legal status of marijuana as a federally prohibited controlled substance but a legal and highly sought-after commodity under the laws of most U.S. states (currently 33 states and the District of Columbia have legalized marijuana for medical uses, and 11 states plus D.C. have legalized so-called adult-use marijuana, which can be for purely recreational purposes).

This state of legal limbo, which effectively prevents many MRBs from obtaining banking services, greatly increases the risks to which these businesses are exposed in that they must deal with vast amounts of cash, thereby increasing the risk of robbery and making it difficult to render payment to others (including taxing bodies, many of which do not accept cash payments). Moreover, cash businesses are more readily exploited for money laundering and other nefarious purposes, which undermines the public-policy goal of creating legal and regulated markets. Still, a burgeoning reform effort is slowly chipping away at the blanket prohibition of marijuana at the federal level, with multiple legislative initiatives ongoing in the U.S. Congress. Moreover, hemp, marijuana’s first cousin, and hemp-derived consumer products containing cannabidiol (CBD) are now legal under federal law (although some important legal restrictions on CBD products remain). This article will provide an overview of current U.S. federal law as it relates to the provision of banking services to the marijuana and hemp industries, as well as some of the major legislative reform efforts and their potential impact on cannabis banking.

II. Current Federal Law Relating to Marijuana Banking

A. Federal Criminal Law Enforcement Policy

Federal criminal law enforcement policy relating to marijuana offenses has evolved over time. Under the administration of President Barack Obama, the Department of Justice (DoJ) issued guidance commonly referred to as the Cole Memorandum (for its primary author, Deputy Attorney General James Cole) that instructed federal prosecutors to focus their enforcement efforts relating to marijuana on specific enforcement priorities, such as preventing the distribution of marijuana to minors, ensuring that revenues from the sale of marijuana did not flow to criminal enterprises, and ensuring that state-legal marijuana activity was not used as a cover for trafficking of other illegal drugs.[1] Cases that did not implicate these priorities were to be de-emphasized. Although the Cole Memorandum did not change federal law, it was seen as creating a de facto safe harbor from federal prosecution for state-legal marijuana-related activities that avoided the enumerated criteria. Given that the Cole Memorandum was merely an expression of the enforcement priorities of the DoJ at the time of its publication, it was at all times susceptible to revocation if a new administration took a different view. This is precisely what happened in January 2018, when then-Attorney General Jeff Sessions rescinded the Cole Memorandum and instructed federal prosecutors to enforce the federal prohibition on marijuana based on the principles that govern all federal prosecutions.[2] In spite of this new policy, there is little indication that federal prosecutions of MRBs increased noticeably following January 2018, and current Attorney General William Barr has indicated that he does not intend to “go after” companies that operate in compliance with the Cole Memorandum criteria.[3] However, as before, the enforcement policy of the DoJ is subject to change at any time and does not provide MRBs with legal certainty as to the range of permissible activities.

B. Federal Law Relating to Marijuana Banking

MRBs currently have extremely limited access to banking services, as many banks are wary of potentially violating federal anti-money laundering and other laws by engaging in transactions with the proceeds of federally illegal marijuana operations. There have been numerous anecdotal reports of MRBs that are unable to obtain banking services or have had their banking relationships terminated due to their (direct or indirect) involvement in the marijuana industry. Indeed, to our knowledge, none of the major banks in the United States accepts MRBs as customers, despite the fact that state-legal marijuana is rapidly becoming a large and lucrative industry. In terms of hard data, the federal Financial Crimes Enforcement Network (FinCEN)[4] reports that, as of September 30, 2019, 563 banks and 160 credit unions were providing banking services to MRBs.[5] While this number represents a substantial increase from 375 banks and 111 credit unions as of September 30, 2018,[6] these banks and credit unions represent a small minority of the overall U.S. banking industry, and the data confirm that most banks and credit unions are not currently providing banking services to MRBs. Moreover, the data do not indicate the scope or nature of banking services provided by these institutions, and in some cases the reporting could relate simply to a prudential notice of a transaction involving an MRB by a bank that is not actively serving such customers.

In order to address the lack of banking services available to MRBs, some states have studied possible ways to encourage the provision of such services to MRBs within the respective states, but no workable solution has yet been found, and it is difficult to imagine a state-level banking system created to serve the marijuana industry that could both achieve the scale needed to meet the rapidly growing industry’s needs and avoid implicating federal law (as even state-chartered banks are subject to a variety of federal laws and the jurisdiction of one or more federal banking regulators). In light of these challenges, any lasting solution to the dearth of banking services available to MRBs will require federal legislative action.

The primary federal law that affects the provision of banking services to MRBs is the Bank Secrecy Act of 1970 (BSA).[7] Among other things, the BSA requires U.S. financial institutions to help federal government agencies detect and prevent money laundering. To this end, it requires banks to report suspicious activity that might signify money laundering, tax evasion, or other criminal activity. These reports are referred to as “suspicious activity reports” (SARs). The federal anti-money laundering statutes make it a crime to knowingly engage in monetary transactions involving proceeds of certain unlawful activity, including the sale of marijuana.[8] Under these laws, all proceeds generated by MRBs (even if operating in compliance with state law) are unlawful, and financial transactions with such proceeds (including accepting deposits, making loans, and other banking services) may constitute illegal money laundering.

Notwithstanding the federal prohibition on transactions involving the proceeds of marijuana-related operations, FinCEN issued guidance in February 2014 on how banks could do business with MRBs.[9] This guidance was expressly based on the principles set forth in the Cole Memorandum and was accompanied by additional guidance issued by the DoJ on the same day that effectively applied the same enforcement priorities set forth in the DoJ’s prior guidance to the enforcement of the BSA.[10] Despite former Attorney General Sessions’ revocation of the Cole Memorandum, FinCEN has confirmed that its 2014 guidance remains in effect.[11]

Although the FinCEN guidance describes how banks may do business with MRBs without triggering BSA enforcement by FinCEN, it does not legalize such activities, and it does not rule out enforcement actions by federal banking regulators or criminal law enforcement agencies. The guidance primarily requires banks to conduct extensive and ongoing due diligence on any MRBs to which they wish to provide banking services in order to ensure their compliance with the Cole Memorandum principles and applicable state laws, and to file SARs for transactions related to MRBs.[12] The due diligence and ongoing monitoring required under the FinCEN guidance are considerably more far-reaching than the normal due diligence that banks must conduct on their customers. Moreover, the guidance does not contemplate a one-time filing for a bank doing business with an MRB; rather, FinCEN expects banks to file continuing activity reports to update a previously filed SAR if their ongoing monitoring indicates that marijuana-related activity is continuing.

The FinCEN guidance mandates three types of SARs for MRB transactions: (1) marijuana limited SARs for transactions involving an MRB that the bank reasonably believes, based on its review, do not implicate the Cole Memorandum priorities or violate state law, (2) marijuana priority SARs for transactions involving an MRB that the bank reasonably believes, based on its review, implicate the Cole Memorandum priorities or violate state law, and (3) marijuana termination SARs to be used if the bank deems it necessary to terminate its relationship with an MRB in order to maintain an effective anti-money laundering compliance program.[13] FinCEN notes some red flags to distinguish priority SARs, including such things as excessive deposits relative to the scope of the MRB’s permitted activities or to local competitors, rapid movements of funds, a lack of satisfactory documentation to demonstrate compliance with state law, and receipt of cash from outside the state.[14] Although the red flags cited by FinCEN are understandable from a regulator’s perspective as indicators of potential illicit activities, one can imagine that they would be extremely difficult for banks to assess and monitor in practice because they would require a high degree of visibility into customers’ operations as well as reliable information on the markets in which the customers operated (including data on competitors). This may be one reason why very few banks appear to have begun providing banking services to MRBs.

The 2014 guidance issued by the DoJ accompanying the FinCEN guidance emphasized that prosecution of a financial institution under the federal anti-money laundering statutes might be appropriate if the financial institution were to discover that a person to whom it was providing banking services was violating one of the Cole Memorandum priorities, such as by diverting marijuana from a state in which marijuana sales are regulated to ones in which such sales are illegal under state law.[15] Notably, the guidance also provided that prosecution might be appropriate if the financial institution were willfully blind to such illegal activity as a result of a failure to conduct appropriate due diligence of the customer’s activities.[16] Consequently, the guidance places a heavy (and potentially impracticable) burden on banks to effectively ascertain the scope and nature of their customers’ MRB activities and to continually monitor those activities to ensure that they do not implicate any of the Cole Memorandum enforcement priorities.

III. Federal Legalization Efforts

Various bills have been introduced in Congress to legalize marijuana or to provide MRBs with access to essential services. These include, most prominently, the Secure and Fair Enforcement Banking Act of 2019 (SAFE Banking Act), which passed the House of Representatives by a bipartisan vote of 321-103 in September 2019.[17] The SAFE Banking Act remains under consideration by the Senate Banking Committee, where its prospects (once seemingly fairly bright following a public hearing in July 2019) recently dimmed based on a public statement issued by committee chairman Sen. Mike Crapo (R-Idaho). Sen. Crapo had initially indicated that he would hold a committee vote by the end of 2019, but on December 18, 2019, he issued a statement sharply criticizing the bill in its current form and demanding that it be amended to address “the high level potency of marijuana, marketing tactics to children, lack of research on marijuana’s effects, and the need to prevent bad actors and cartels from using the banks to disguise ill-gotten cash to launder money into the financial system.”[18] One particularly controversial element of Sen. Crapo’s comments on the bill is his proposal to introduce a potency limitation of two-percent THC content on all marijuana products, a standard that many products currently on the market in legal states may not meet.[19] Sen. Crapo’s statement did not propose specific textual amendments to the bill and instead requested public comment on the enumerated points, which suggests that his statement may have been a way to avoid, or at least delay, consideration of the bill. In any event, the Senate Banking Committee has yet to take up the bill, and its fate in that committee currently appears to be uncertain at best.

Even if the Senate Banking Committee were to advance the bill, its chances of passage in the full Senate are uncertain, as the bill lacks a champion among Senate Republicans who is willing to drum up support for the bill or press leadership for a floor vote. The financial services industry (including through the American Bankers Association and other industry groups) strongly backs passage of the act,[20] but it appears that action on marijuana banking will have to wait until the SAFE Banking Act is revised to the satisfaction of Sen. Crapo or the balance of power shifts in the Senate following the 2020 elections.

Notwithstanding its currently unclear chances of being enacted into law, the SAFE Banking Act represents an important model of limited legislative action that seeks to facilitate specific commercial activities ancillary to the marijuana industry without addressing the fundamental (and politically more difficult) question of legalization of marijuana itself. The act would prohibit federal banking regulators from taking various punitive measures against a bank (including terminating or limiting deposit insurance) solely because it provides or has provided financial services to a “cannabis-related legitimate business” or service provider.[21] The range of financial services that would be protected under the act is broadly defined, and the term “cannabis-related legitimate business” means any person that participates in any business that is legal under state law that involves cultivating, producing, manufacturing, selling, transporting, displaying, dispensing, distributing, or purchasing cannabis or cannabis products.[22] It is crucial that the act includes protection of service providers, as many businesses that are not directly involved in the marijuana business, such as commercial landlords, construction companies, providers of hydroponic equipment, lighting systems, and the like, are currently at risk of losing access to banking services if it becomes known that MRBs are among their customers.

Additionally, the act would clarify that, for purposes of the federal anti-money laundering statutes, the proceeds of a transaction involving activities of a cannabis-related legitimate business or service provider would not be considered proceeds of an unlawful activity and would provide that a bank or insurer that provides a financial service to a cannabis-related legitimate business or service provider may not be held liable solely for providing such a financial service or for further investing any income derived from such a service.[23]

The act would also provide that a bank that has a legal interest in the collateral for a loan or other financial service to a cannabis-related legitimate business or service provider, or to an owner or operator of real estate or equipment leased or sold to such a business, would not be subject to criminal, civil, or administrative forfeiture of that legal interest pursuant to any federal law for providing such loan or service.[24] Finally, the act would call for FinCEN to issue new guidance for the submission of SARs for transactions with cannabis-related legitimate businesses or service providers that is designed to not significantly inhibit the provision of financial services to such businesses.[25]

The SAFE Banking Act would represent an important milestone in the slow march toward the creation of a legal and regulated nation-wide marijuana market in the United States, but it would not be a panacea for banks or for their customers. Among other issues, since the bill would not decriminalize marijuana under the Controlled Substances Act, MRBs and their officers, directors, and employees could still face federal criminal prosecution for violating federal law. If this were to happen to an MRB served by a bank, it could adversely affect the viability and creditworthiness of the affected MRB; this, in turn, would result in heightened commercial risks for banks that elect to provide financial services to MRBs compared to customers in other industries. Moreover, banks would effectively be responsible for ensuring that their marijuana-industry customers are operating in compliance with all applicable state laws, as state-law compliance is a precondition for the legal protection afforded by the act. As a result, banks’ compliance costs would likely be significantly higher when serving such customers, and this, combined with the heightened commercial risks, may deter many banks from taking advantage of the opportunity that Congress is seeking to create.

In addition to the SAFE Banking Act, several bills have been proposed in Congress that would not merely protect banks and others from criminal enforcement actions for the provision of services to the marijuana industry but would instead address the federal prohibition itself, either by legalizing marijuana at the federal level or by requiring the federal government to abide by any state-level legalization. These bills include, most prominently, the Marijuana Opportunity Reinvestment and Expungement Act of 2019 (MORE Act) and the Strengthening the Tenth Amendment Through Entrusting States Act (STATES Act).

The MORE Act was introduced by Sen. Kamala Harris (D-California) and Rep. Jerrold Nadler (D-New York) and would remove marijuana from Schedule I under the Controlled Substances Act,[26] which would effectively legalize it under federal law.[27] It would also include extensive provisions intended to provide redress for the historically inequitable enforcement of the federal marijuana laws, including by retroactively legalizing marijuana for criminal liability purposes and by providing for various social justice measures to address effects of the so-called War on Drugs, including expungement of many marijuana-related criminal convictions.[28] This bill was voted out of the House Judiciary Committee (with two Republican votes) on November 20, 2019,[29] but it remains subject to the jurisdiction of various other committees, and no floor vote is yet in sight.

The STATES Act was introduced in the Senate by Sens. Elizabeth Warren (D-Massachusetts) and Cory Gardner (R-Colorado) and in the House by Rep. Earl Blumenauer (D-Oregon) and would amend the Controlled Substances Act so that its provisions would no longer apply to any person acting in compliance with state or tribal laws relating to the manufacture, production, possession, distribution, dispensation, administration, or delivery of marijuana.[30] The result of this bill would be that marijuana would remain illegal under federal law in states that have not legalized it (or to the extent that state-level legalization is limited to certain uses or under specific criteria), but it would become legal under federal law in states that have legalized it.

To address financial issues caused by the federal prohibition on marijuana, the STATES Act would provide that state-legal marijuana transactions do not constitute trafficking of illegal substances or result in the proceeds of an unlawful transaction, which should (in theory) remove transactions with the proceeds of marijuana businesses from the scope of the federal anti-money laundering laws and make the provision of banking services to MRBs legal.[31] However, it is unclear how this would work in practice and whether the federal banking regulators would take the view that transactions with the proceeds of state-legal marijuana transactions are, in fact, no longer illicit transactions subject to SAR reporting and other requirements of federal law.

Moreover, the STATES Act would place the entire burden on banks to determine whether their customers (or other entities transacting with their customers) are conducting their marijuana-related operations in compliance with state law. This may prove to be an unreasonable burden that prevents many banks from taking on such customers in that any financial transactions with companies that purport to operate within state law but in fact are not in compliance (even inadvertently) would likely constitute violations of the federal anti-money laundering statutes that would require the submission of SARs under the BSA (subject to any further guidance that FinCEN may issue following passage of such a law) and potentially the termination of the bank’s relationship with such customers. From a banking perspective, the STATES Act is an imperfect approach, but it seems to be an attempt to garner bipartisan support for something that is akin to federal marijuana legalization without requiring members of Congress to vote for full legalization, and it seems designed to have bipartisan appeal by advancing a federalism argument in favor of respecting the decisions of the individual states. It remains unclear whether this approach will gain sufficient support to advance to a floor vote in either house of Congress.

Other efforts to legalize marijuana at the federal level, or to facilitate the provision of banking and other services to MRBs, include the Responsibly Addressing the Marijuana Policy Gap Act of 2019,[32] which would remove state-legal marijuana-related activities from the scope of the Controlled Substances Act and seek to ensure that MRBs have access to banking services, bankruptcy proceedings, and certain tax deductions; the State Cannabis Commerce Act,[33] which would not change marijuana’s status as an illegal controlled substance under federal law, but would prohibit any federal agency from using appropriated funds to prevent any state from implementing any law legalizing the use, distribution, possession, or cultivation of marijuana within that state; and the Marijuana Justice Act of 2019,[34] which would remove marijuana from the purview of the Controlled Substances Act and effect a variety of social justice provisions intended to address the effects of disparate enforcement of the federal drugs laws.

The likelihood of passage of any of these attempts to legalize marijuana federally or to facilitate the provision of services to the marijuana industry under any of the models described above, or of another approach that may emerge, is unclear and may depend to some extent on the results of the 2020 presidential and congressional elections. Although a Democratic takeover of the White House and the Senate (while retaining a majority in the House) would not ensure passage of full federal marijuana legalization, the recent linking of social justice measures with legalization may go a long way to garner broad support among otherwise reluctant Democratic lawmakers.

In the meantime, we might expect that any substantive federal action on marijuana will come piecemeal in the form of amendments to federal appropriations bills. Under one amendment that has been part of appropriations bills since 2014 and that was included in the federal funding bill that was signed into law by President Donald Trump on December 20, 2019, the DoJ is prohibited from using funds appropriated under the law to enforce the federal marijuana prohibition against state-legal medical marijuana businesses and users.[35] President Trump attached a so-called signing statement to the bill that suggested that his DoJ may disregard this rider to the extent that he believes it interferes with his “constitutional responsibility to faithfully execute the laws of the United States,”[36] but the import of this statement is as yet unclear. It is notable that several other marijuana-related riders were included in the House version of the spending bill (including one that would have extended the prohibition on the DoJ’s use of funds to enforce the federal marijuana prohibition beyond medical marijuana to also include state-legal, adult-use marijuana activities), but they were eliminated in the reconciliation of the House and Senate versions and therefore did not make their way into the final legislation.

IV. Hemp Banking

Hemp is a close relative of marijuana in that both plants are varietals of the cannabis sativa L plant, and there is no definitive scientific point of demarcation between hemp and marijuana. Instead, the distinction between hemp and marijuana is primarily a matter of laws that distinguish the two substances based on the percentage content of THC (the primary intoxicating substance in marijuana). The legal distinction between hemp and marijuana is of great significance, as hemp was legalized at the federal level by the Agriculture Improvement Act of 2018 (2018 Farm Bill),[37] whereas marijuana remains illegal under federal law. Under the 2018 Farm Bill, hemp may not have a THC concentration of greater than 0.3 percent on a dry-weight basis,[38] and cannabis or derivative products with THC in excess of this threshold are legally classified as marijuana.

In connection with the legalization of hemp (by removing it from Schedule I under the Controlled Substances Act), the 2018 Farm Bill requires the U.S. Department of Agriculture (USDA) to issue rules governing the industrial cultivation of hemp.[39] Any hemp that is produced in accordance with the 2018 Farm Bill and USDA rules, and products derived therefrom (such as consumer products containing CBD), will not be deemed to be controlled substances under the Controlled Substances Act. Moreover, although the 2018 Farm Bill does not require states to remove any existing legal prohibitions or legal limitations on hemp or its derivative products, the law does prohibit state or tribal constraints on the inter-state movement of hemp, which is essential to facilitating the formation of a nation-wide hemp industry.[40] The 2018 Farm Bill also aims to promote industrial-scale cultivation of hemp by making hemp producers eligible for federal crop insurance programs and USDA grants and development programs.[41]

The USDA issued its interim final rule on October 31, 2019, establishing the initial parameters for commercial hemp production.[42] Although the public comment period was initially scheduled to end on December 30, 2019, the USDA extended that period until Jan. 29, 2020, in order to provide stakeholders with more time to submit comments.[43] To date, over 1,800 comments have been posted.[44] The USDA intends to issue its final rule by late 2021.[45]

Under the interim final rule, states and Indian tribes may submit plans for approval by the USDA for the production of hemp in their respective territories.[46] If a state or tribe declines to submit a plan, or if its plan is not approved by the USDA, then the USDA’s rules will govern hemp production in those states and tribal territories.[47] Any commercial hemp production operations must be approved under a USDA-approved state or tribal licensing regime or directly by the USDA. Licenses for hemp production will be nontransferable and must be renewed every three years, and criminal background checks will be required for all “key participants” in hemp businesses (including owners of direct or indirect financial interests and senior executives).[48]

The USDA rules contain two provisions that have been the subject of many critical public comments. First, the USDA requires that THC content be measured on the basis of “total potential THC,” which would take into account not only the level of psychoactive Delta-9 THC but also what the USDA refers to as the potential conversion of delta-9-tetrahydrocannabinolic acid (THCA), which in its unconverted form is not intoxicating to humans, into THC.[49] This approach diverges from the widely understood basis for the legal distinction between hemp (containing no more than 0.3 percent THC without counting THCA) and marijuana, and this aspect of the USDA interim final rule appears to have caught many in the industry off-guard. Many of the public comments submitted to the USDA have suggested that requiring hemp to remain within the cap of 0.3 percent THC content based on “total potential THC” will decimate the nascent industry because much of the hemp that is currently produced would not meet this standard (and the risk of inadvertently exceeding the prescribed level of THC content would be unreasonably high).[50] Moreover, many commentators have argued that it is unnecessary to include THCA in the THC content test because THCA is not itself psychoactive (rather it may be converted under specific circumstances into psychoactive THC).[51]

The second part of the USDA interim final rule that has garnered a flood of critical public comments relates to the testing requirements—namely, that the THC-content testing be done in a laboratory that is approved by the Drug Enforcement Agency (DEA) and that the THC content of each lot of hemp be tested not more than 15 days prior to harvesting.[52] Numerous commentators have pointed out that there is a limited number of DEA-approved labs in many parts of the country, and that the 15-day window for testing is impractical, particularly for large producers or ones in remote areas with limited access to approved labs.[53] To date, the USDA has not responded to any of the public comments, and it remains to be seen whether the final rule (which in any event may not be issued until late 2021) will remedy any of these issues. It remains to be seen how hemp producers will work with (or around) these controversial aspects of the USDA rules, but it seems clear that, although federal legalization of hemp is a major and necessary step, the hemp cultivation industry will experience some growing pains along the way to the development of a vibrant, nationwide market.

The consumer-facing side of the hemp industry has grown rapidly since legalization, in particular with a wide range of consumer products containing CBD hitting the market over the past 18 months. However, the legalization of hemp and its derivative products in the 2018 Farm Bill does not mean that the industry is free of federal regulation (beyond the USDA rules for cultivation). Among other regulators, the Federal Trade Commission (FTC) retains the authority under the Federal Trade Commission Act[54] to regulate the manner in which CBD products are marketed and sold, and the Food and Drug Administration (FDA) has the power to regulate the compliance of CBD products with the Federal Food, Drug, and Cosmetic Act,[55] including any potential sales of such products as unapproved drugs or dietary supplements and the use of misleading or impermissible health claims in the marketing of CBD. Both the FTC and FDA have issued warning letters to various companies citing apparent violations of federal law and requiring the recipients to remedy such violations.[56]

Many participants in the nascent hemp industry appear to have taken an aggressive approach to putting products on the market that may not comply with federal law and in making at times expansive claims about the health benefits of their products. On the other hand, federal regulators have been slow to issue guidance on the precise extent of permissible uses and claims relating to CBD products, which has made it difficult for producers to know where the line between permissible marketing and illegal claims lies. Additionally, consumer advocates have reported that quality control in the CBD product space appears to be uneven, with both the CBD content and the THC content in these products in some cases diverging substantially from the levels stated on their labels (which may mean, in the case of a higher-than-stated THC level, that the products may constitute illegal marijuana products instead of legal hemp products). One hopes that regulators will take a constructive approach and work with the industry to formulate clear and practicable rules to facilitate its growth in a manner that promotes public health and safety.

Following hemp legalization in the 2018 Farm Bill, various U.S. senators requested guidance on hemp banking from the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), the National Credit Union Administration (NCUA), and the Farm Credit Administration (FCA).[57] The senators noted that despite hemp legalization, hemp businesses were having difficulty accessing capital and obtaining banking services and urged the federal banking regulators to issue public guidance that would provide banks and credit unions with greater clarity on the scope of permissible banking activities and any specific requirements applicable to such services.[58]

The first federal banking regulator to provide public guidance on hemp banking was the NCUA, which issued a statement in August 2019.[59] The NCUA indicated that credit unions that wish to provide banking services to hemp businesses should implement an anti-money-laundering compliance program that mirrors that contemplated by the 2014 FinCEN guidance, including with respect to filing SARs, but it noted that no SARs will be required for legal hemp-related transactions.[60] Among other things, the NCUA noted that an adequate risk assessment requires credit unions to understand the specific state laws governing each customer’s hemp business.

The Federal Reserve, FDIC, OCC, and FinCEN, in consultation with the Conference of State Bank Supervisors, responded to the senators’ entreaties by issuing a joint statement on December 3, 2019, that took note of hemp legalization and provided guidance for banks to engage in banking relationships with hemp-related businesses.[61] The guidance provided that because hemp is no longer a Schedule I substance under the Controlled Substances Act, banks are not required to file SARs solely because a customer engages in the growth or cultivation of hemp in accordance with applicable laws and regulations.[62] It also stated that banks are expected to follow standard SAR procedures, including by filing a SAR if indicia of suspicious activity warrant, when serving hemp-related customers.[63] The guidance emphasized the importance of banks’ compliance with applicable regulatory requirements for customer identification, suspicious activity reporting, currency transaction reporting, and risk-based customer due diligence, including the collection of beneficial ownership information for customers that are legal entities, when electing to serve hemp-related businesses.[64] Finally, the joint statement indicated that FinCEN will release additional guidance on hemp banking after further review of the USDA hemp regulations and noted that, as before hemp legalization, FinCEN’s 2014 guidance continues to apply to the provision of banking services to MRBs.[65]

Although further legislative action may not be technically required for banks to begin servicing hemp businesses, there have not yet been notable federal legislative efforts to specifically address the difficulty that hemp businesses continue to have in obtaining banking products and services. However, the SAFE Banking Act does make note of this fact and would require federal banking regulators to issue guidance within 90 days of enactment to confirm the legality of providing financial services to hemp businesses and to create best practices for financial institutions to follow. Until the SAFE Banking Act or similar legislation is passed, banks that wish to provide services to hemp businesses must rely on the guidance issued by the federal regulators and the fact that hemp is legal under federal law without further legislative action.

The provision of banking services to hemp businesses requires a carefully calibrated know-your-customer process and ongoing compliance monitoring system that allows banks to identify and limit potential risks and to navigate the many challenges that the industry faces, not least the constraints found in the USDA interim final rule, as well as the risk of FTC and/or FDA enforcement actions. For banks that are willing to invest in creating the necessary policies and structures, however, hemp is a rapidly growing industry with a vast need of capital and financial services that, given its limited access to banking services, offers attractive margins. Moreover, early entrants into the hemp space will be well positioned to quickly and with limited risk enter the much larger and more lucrative, fully legal marijuana market, when and if one comes to pass.


DISCLAIMER: Morrison & Foerster LLP makes available the information in this article for informational purposes only, and it does not constitute legal advice and should not be relied on as such. Morrison & Foerster LLP renders legal advice only after compliance with certain procedures for accepting clients and when it is legally permissible to do so. Readers seeking to act upon any of the information contained in this article are urged to seek their own legal advice.


[1] Memorandum from James M. Cole, Deputy Attorney Gen. to All United States Attorneys Regarding Guidance Regarding Marijuana Enforcement (Aug. 29, 2013).

[2] Memorandum from Jefferson B. Sessions, Attorney Gen. to All United States Attorneys Regarding Marijuana Enforcement (Jan. 4, 2018).

[3] See, e.g., U.S. attorney general nominee will not target law-abiding marijuana businesses, Reuters, Jan. 15, 2019.

[4] FinCEN is a part of the U.S. Treasury Department that is charged with implementing, administering, and enforcing the Bank Secrecy Act of 1970, the main federal anti-money-laundering statute.

[5] Financial Crimes Enforcement Network, Marijuana Banking Update: Depositary Institutions (by type) Providing Banking Services to Marijuana Related Businesses (SARs filed through Sept. 30, 2019).

[6] Financial Crimes Enforcement Network, Marijuana Banking Update: Depositary Institutions (by type) Providing Banking Services to Marijuana Related Businesses (SARs filed through Sept. 30, 2018).

[7] The term “Bank Secrecy Act” is used herein to refer to the Financial Recordkeeping and Reporting of Currency and Foreign Transactions Act of 1970, Pub. L. No. 91-508 (12 U.S.C. §§ 1829b, 1951–59; 31 U.S.C. §§ 5311–32), as well as several subsequent laws that have amended and expanded its scope, including (among others) the Money Laundering Control Act, Pub. L. No. 99-570 (18 U.S.C. §§ 1956 and 1957), and the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act), Pub. L. 107-56, 115 Stat. 272. These laws are also referred to herein generally as the federal anti-money-laundering statutes.

[8] Id.

[9] Financial Crimes Enforcement Network, BSA Expectations Regarding Marijuana-Related Businesses, (Feb. 14, 2014).

[10] Memorandum from James M. Cole, Deputy Attorney Gen. to All United States Attorneys Regarding Guidance Regarding Marijuana Related Financial Crimes (Feb. 14, 2014).

[11] Letter from Drew Maloney, Asst. Secretary of the Treasury for Legislative Affairs to Rep. Denny Heck (Jan. 31, 2018).

[12] Financial Crimes Enforcement Network, supra note 9, at 2-3.

[13] Id. at 3-5.

[14] Id. at 5-7.

[15] Memorandum from James M. Cole, Deputy Attorney Gen. to All United States Attorneys Regarding Guidance Regarding Marijuana Related Financial Crimes (Feb. 14, 2014), at 2.

[16] Id.

[17] H.R. 1595, 116th Cong. (2019); S. 1200, 116th Cong. (2019) (passage through the House).

[18] Press Release, U.S. Senate Committee on Banking, Housing, and Urban Affairs, Chairman Crapo Outlines Concerns with Cannabis Banking Legislation (Dec. 18, 2019).

[19] Id.

[20] See, e.g., American Bankers Assoc, Cannabis Banking: Bridging the Gap between State and Federal Law.

[21] H.R. 1595, 116th Cong. (2019); S. 1200, 116th Cong. (2019) § 2.

[22] Id. § 14(4).

[23] Id. § 4(a).

[24] Id. § 4(d)(2).

[25] Id. §§ 6, 7.

[26] Comprehensive Drug Abuse Prevention and Control Act of 1970, Pub. L. No. 91-513 (21 U.S.C. §§ 801–904).

[27] H.R. 3884, 116th Cong. (2019); S. 2227, 116th Cong. (2019) § 2.

[28] Id. §§ 5, 9.

[29] Press Release, U.S. House of Representatives Judiciary Committee, House Judiciary Passes MORE Act to Decriminalize Marijuana at Federal Level (Nov. 20, 2019).

[30] H.R. 2093, 116th Cong. (2019); S. 1028, 116th Cong. (2019) § 2.

[31] Id. § 5(b).

[32] H.R. 1119, 116th Cong. (2019); S. 421, 116th Cong. (2019).

[33] H.R. 3546, 116th Cong. (2019); S. 2030, 116th Cong. (2019).

[34] H.R. 1456, 116th Cong. (2019); S. 597, 116th Cong. (2019).

[35] Consolidated Appropriations Act, 2020, H.R. 1158, 116th Cong. (2019), Div. B, § 531.

[36] Statement by President Donald J. Trump (Dec. 20, 2019).

[37] Agriculture Improvement Act of 2018, Pub. L. No. 115-334, § 10113.

[38] Id.

[39] Id.

[40] Id. § 10114.

[41] Id. § 10113.

[42] U.S. Department of Agriculture Agricultural Marketing Service, Interim Final Rule on Establishment of a Domestic Hemp Production Program (Oct. 31, 2019).

[43] Press Release, U.S. Department of Agriculture Agricultural Marketing Service, USDA Extends U.S. Domestic Hemp Production Program Interim Final Rule Comment Period to January 29 (Dec. 17, 2019).

[44] See comments on the Hemp Farm Bill.

[45] U.S. Department of Agriculture Agricultural Marketing Service, Interim Final Rule on Establishment of a Domestic Hemp Production Program (Oct. 31, 2019).

[46] Id.

[47] Id.

[48] Id.

[49] Id.

[50] See comments on the Hemp Farm Bill.

[51] Id.

[52] U.S. Department of Agriculture Agricultural Marketing Service, Interim Final Rule on Establishment of a Domestic Hemp Production Program (Oct. 31, 2019).

[53] See comments on the Hemp Farm Bill.

[54] 15 U.S.C. §§ 41–58.

[55] 21 U.S.C. §§ 301–392 supp.

[56] See, e.g., Press Release, Federal Trade Commission, FTC Sends Warning Letters to Companies Advertising Their CBD-Infused Products as Treatments for Serious Diseases, Including Cancer, Alzheimer’s, and Multiple Sclerosis (Sept. 10, 2019); Press Release, U.S. Food and Drug Administration, FDA warns 15 companies for illegally selling various products containing cannabidiol as agency details safety concerns (Nov. 25, 2019).

[57] See, e.g., Press Release, Michael Bennet, U.S. Senator for Colorado, Bennet Urges Financial Regulators to Provide Guidance, Certainty for Hemp Farmers and Processors (June 14, 2019); Press Release, Ron Wyden, U.S. Senator for Oregon, Wyden, McConnell Urge Federal Financial Regulators to Prevent Discrimination of Legal Hemp Industry (April 2, 2019).

[58] Id.

[59] National Credit Union Admin., Regulatory Alert to Federally Insured Credit Unions Regarding Serving Hemp Businesses (Aug. 2019).

[60] Id.

[61] Press Release, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Financial Crimes Enforcement Network, Office of the Comptroller of the Currency, Conference of State Bank Supervisors, Agencies Clarify Requirements for Providing Financial Services to Hemp-Related Businesses (Dec. 3, 2019).

[62] Id.

[63] Id.

[64] Id.

[65] Id.

The Boundary of “Proper Purpose” for Corporate Books and Records Review in Delaware

High River Limited Partnership, et al. v. Occidental Petroleum Corporation arises from Occidental Petroleum’s bidding war and high-profile acquisition of Anadarko Petroleum. Plaintiffs bought 26 million shares of Occidental stock worth $1.16 billion after the acquisition was announced. Plaintiffs disagreed with Occidental’s sale of some assets to be acquired in the deal and the price it paid to secure financing through preferred stock to avoid a shareholder vote, among other business decisions. Ten days after sending their demand, plaintiffs filed suit to enforce it and launched a proxy fight with the intent to obtain consent to elect four members of Occidental’s board of directors, change Occidental’s bylaws, and modify the consent solicitation process. Occidental strongly contested their efforts.

Under case law interpreting title 8, section 220 of the Delaware Code (Section 220), stockholders can demand access to a company’s books and records only if they present a “proper purpose.” Although a court may deem as proper one of several purposes, a well-established proper purpose exists when a stockholder demonstrates a credible basis to suspect that the company has engaged in wrongdoing, such as by breaching its fiduciary duty. The issue lies in the boundaries of proper purposes.

Plaintiffs argued for expanding a proper stockholders’ purpose of communicating with others “in furtherance of a potential” or ongoing “bona fide proxy contest.” The rule would allow stockholders to employ Section 220 to obtain business documents upon showing “a credible basis that the information sought would be material in the prosecution of a proxy contest.” It would open the door for stockholders to inspect books and records regarding directors’ questionable but not actionable business judgment in furtherance of a proxy contest.

Plaintiffs cited Tactron, Inc. v. KDI Corporation and High River Ltd. Partnership v. Forest Labs, Inc., but the court distinguished each case. In Tactron, the court granted a demand for records to aid in a proxy contest, but limited plaintiffs to reviewing only logistical information and not information on business decisions.

The Occidental plaintiffs had already succeeded in similar claims in Forest Labs. The court granted their demand to inspect books and records related to business decisions when the purpose was to prepare a proxy contest, but limited the grant to documents that were “essential and sufficient” for the proxy contest purpose. In Occidental, by contrast, significant information about the underlying acquisition was highly publicized and freely available. Plaintiffs asserted that an information gulf impaired their proxy contest efforts, but the court found that they already had all of the essential information they needed without access to Occidental’s internal documents. Therefore, unlike in Forest Labs, the information plaintiffs sought was not “essential and sufficient.”

Plaintiffs also argued, more traditionally, that their purpose was to investigate corporate mismanagement; however, plaintiffs’ pretrial brief argued that they did not allege intentional breach of fiduciary duty by the board, so the court dismissed this argument summarily. The court declared that disagreement with business judgment is insufficient to establish a credible basis for mismanagement; some allegation of fiduciary breach is required.

The court clarified the proper purpose requirement for a Section 220 demand: (1) various proper purposes include an investigation of wrongdoing or mismanagement beyond a disagreement with business judgment if the stockholders demonstrate a credible basis for their suspicion; and (2) if the proposed purpose is to engage in a proxy contest, then any documents requested must be “essential and sufficient” to the proxy contest.

The court left open the possibility that a proxy contest may be a proper purpose in a case with different facts. The court determined that with the right facts, it “might endorse a rule that would allow a stockholder to receive books and records relating to questionable, but not actionable, board-level decisions . . . in aid of a potential proxy contest.” According to the court, information sought through a Section 220 demand would need to be “essential and sufficient” to pursuing a proxy contest to allow stockholders access to the records.

 

People: The Overlooked Ingredient in Successful Technology Changes

TECHSHOW will take place in Chicago on February 26–29, 2020. As they do each year, attendees from all over North America and overseas will come to see and demonstrate some of the newest advances in law practice technology. TECHSHOW is more than a marketplace for the latest and greatest. It is also an opportunity to learn, network, and discover how to get the best out of legal technology—both what you may want to acquire and what you may already have. In some cases, you might be surprised to learn that your firm’s tech problem is actually more of a people problem. An experience from last year’s show is illustrative.

Top of mind for Glen, an attendee at last year’s show, was to find better time-tracking and billing software for his firm. Two years prior, his partners had purchased a new system that promised easier and more accurate time entry with complete integration with their billing system, but the purchase was a dud according to Glen, and he was looking to replace it with something that worked better.

After spending most of the morning talking to vendors on the show’s expansive EXPO floor, he took a break and attended a talk I was co-presenting entitled The Human Side of Technology Implementation. Glen approached me after the talk and asked if I knew which time-tracking and billing systems were easier to implement than others. I was curious. What were the problems his firm had encountered with their last purchase? What had been difficult?

As Glen answered my questions, it quickly became clear that the problem his firm was having with its new system wasn’t a matter of picking poor, broken, or outdated technology. The features and functionality of the new system were more than adequate for his firm’s needs. Contrary to what he initially thought, their old vendor had not over-promised and under-delivered. The difficulties his firm was experiencing instead came from how the software had been selected and adopted, and how his firm members had been trained to use it.

Two of his firm’s partners had been tasked with interviewing vendors, sampling the software, and making recommendations for acquisition to the firm’s partners. They had done a thorough job of surveying the market and negotiating a competitive deal, but they never asked the firm members who would be the most active users of the software what they thought was important. As we talked, Glen began to see how the announcement of the change to a new time-entry and tracking system came across as a top-down edict from management. He recalled hearing second-hand that some attorneys and staff felt that management didn’t value their opinions and insights.

Significant changes in law firms can cause ripples and turbulence, and changes in technology are no exception. I explained to Glen that firm members felt no ownership of this change and consequently little investment in its successful implementation. Glen had hoped their resistance to this change would be overcome once firm members were trained and saw how useful the new system could be. Unfortunately, adoption of the new system was slow and uneven. A few attorneys simply refused to use it for the first few months, time entry was more error-prone than before, and it was taking longer to get bills out to clients.

Glen asked if more training would help. I said it might if he approached things differently. His first inclination was to go to the original vendor’s booth and renegotiate the deal to include more training. I suggested that, rather than doing that, he first go back to his firm and ask what kind of training his staff and attorneys thought would be most useful. I told him to pay particular attention to those firm members who were most hands-on in the time-entry process.

I received an e-mail from Glen five months later describing the new training program his firm members had designed with a third-party vendor. Rather than a long, one-day program, they spread multiple training sessions over three months with practice assignments due in between. Training was broken into modules so individual firm members could focus on only those that were most relevant to their jobs. Staff members also volunteered to become go-to persons for helping others with their problems. Glen concluded by saying that “late is better than never” and that his firm’s new system was finally beginning to pay off now that they were paying attention to the people side of introducing new technology.