As marketplaces have become digital and more technology platforms are integrating payment solutions into the customer experience, there has been increased interest among technology companies in potentially becoming money transmitters or partnering with regulated financial institutions[1] (directly or indirectly) to embed payment solutions within their platforms or apps.
A company could embed payments into its software and user interface to combine transaction processing in a seamless, cohesive experience for its customers. For example, an online marketplace connecting lessors and renters could add new payments functionality. Embedding payment functionality in this way could serve as an additional revenue stream by offering payment services as an “add-on” or “value-add” service. This model stands in contrast to one where a company primarily engages in the business of payments, with payments services as a primary source of revenue, such as offering a peer-to-peer money transfer app.
Companies that wish to add payments functionality to their offerings should not add the payment rail first and think about regulatory compliance later. Platforms and marketplaces that rush to offer payment rails without first assessing the legal ramifications may find themselves subject to an enforcement action by a federal or state regulator, dropped by a strategic partner, or faced with the late realization that the resources needed to add payment functionality far exceeded their expectations or the potential returns. Considering regulatory compliance too late, or not at all, could deter future investors or derail a promising IPO, merger, or acquisition.
Drawing from our experience, below are key considerations for companies to strategically approach the threshold legal and business questions around offering embedded payments solutions, with a focus on the impact to the product’s design, necessary compliance resources, and potential revenue.
Regulatory-Compliant Strategies for Embedding Payments
There are different ways to offer payment services, and a company weighing embedded payments functionality should consider the legal and business implications of each approach in light of its regulatory compliance obligations.
Top of mind, at the federal and state level, are money transmitter laws. Generally, a “money transmitter” is a person that accepts value from one person and transmits that value to another person or to another location by any means. In other words, money transmitters are persons who facilitate the transfer of value (fiat or crypto assets) between two consumers, a consumer and a business (or vice versa), or between businesses. A company that is licensed as a money transmitter with all relevant states and registered as a money services business (MSB[2]) with the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) is able to sit directly in the “flow of funds” or receive value in an account that it owns or controls from one person, and transmit that value to another person or to another location on behalf of the sender.
There are different approaches to embedding payments in compliance with applicable laws and regulations, including the following:
the money transmission licensure model, in which the business obtains relevant state licenses and registers as an MSB;[3]
the partnership model, whereby a company contracts directly with a regulated financial institution to provide payment services (a variation, the banking-as-a-service API model, is where a company directly contracts with a technology company that already has a direct relationship with a regulated financial institution, such as a bank, to provide payment services); and
the risk-based model, whereby a company relies on an exemption from money transmission licensure and MSB registration to provide payment services on its own.
The optimal approach varies by company, depending on the company’s business goals, risk appetite, and resources for regulatory compliance, among other important considerations. The following chart is an example of how these different considerations may point in favor of one approach over another.
Consideration: Autonomy
Licensure? For the most autonomy and unilateral control of the customer relationship, including on-boarding and risk assessments, registration and licensure may be the better path.
Partnership? The regulated financial institution will oversee and ultimately control on-boarding and some parts of the customer relationship (e.g., required disclosures). But if losing some control is not a deal-breaker, then the partnership path may be the better solution.

Consideration: Revenue
Licensure? If maximizing revenue from payments services is the company’s primary business, then licensure may be the better path.
Partnership? If the company is maximizing revenue from sources other than payment services, then the partnership path may be the better solution.

Consideration: Available compliance resources
Licensure? The payments industry is highly regulated. The result is federal compliance obligations, and state compliance obligations in up to 50 jurisdictions (including Washington, D.C.). Regulatory compliance will require resources.
Partnership? If minimizing resources devoted to regulatory compliance is a priority, then the partnership path may be the better solution. Note that, as the authors recently discussed, regulated financial institutions may try to pass on some regulatory obligations by contract to the company.
The Licensure Path
Becoming a regulated money transmitter—registering as an MSB and obtaining state money transmitter licenses—is no small matter. While registering with FinCEN as an MSB is a fairly simple and straightforward process, state licensure is very time-consuming and cumbersome, and can be very expensive.
The general purpose of the state money transmission application process is to make sure the applicant has the financial capability, management, and business model in place to successfully operate a money transmission business. Among other requirements, state-level money transmitter applicants are required to submit a business plan, have a surety bond, undergo criminal background checks and fingerprinting, provide financial statements, and meet minimum net worth requirements.
If a company wants to offer money transmission services nationwide, the company must obtain a license in each state and coordinate the licensure process with state regulators. Every state has its own money transmission application, but many states have joined the Multistate MSB Licensing Agreement Program (MMLAP). With MMLAP, the multi-state money transmission application process is more streamlined and is coordinated by a single state. The MMLAP application process consists of two phases: (1) review of the general license application requirements applicable to MMLAP participating states by a single state regulator and (2) review of state-specific license application information by the other states in which the applicant is seeking money transmission licensure. Generally, the licensure process for a single state may take between six months and one year. If a company plans to go to market in the relatively short term, the application processing time may ultimately be the deciding factor against licensure.
Beyond obtaining initial state licenses and registering with FinCEN, licensed and registered money transmitters have important ongoing federal and state regulatory obligations. At the federal level, the purpose of money transmission laws is to combat money laundering and terrorist financing. Money transmitters registered with FinCEN are required to implement and maintain an anti-money laundering (AML) program, report suspicious and large transactions to FinCEN, and comply with recordkeeping and other AML requirements.
In contrast to the purpose of federal money transmission laws, in a large majority of states the purpose of money transmission laws is generally consumer protection. State-licensed money transmitters are subject to ongoing supervision, such as examination by the state regulator, and quarterly and annual reporting. Oftentimes this requires at least one individual or, in many cases, multiple individuals to be responsible for building and overseeing the company’s program for meeting its regulatory obligations.
As with other regulatory licensure regimes, there are exemptions from MSB registration and money transmission licensure. However, the exemptions are not uniform and vary from federal to state, and state to state. For example, a company may be exempt from federal MSB registration, but not state licensure. Or, a company may be exempt from licensure in one state, but not in another. If a company ultimately decides to rely on an exemption, the company should consult with outside counsel to understand the legal risk of relying on that exemption.
The Partnership Path
While the money transmission licensure process may be long and cumbersome, that does not necessarily mean that the partnership path is less resource intensive. First, the company must find a partner that is willing to offer its services based on the company’s business model. Each regulated financial institution has its own risk appetite, and a company’s business model may simply be too risky for the regulated financial institution. Further, the commercial partnership agreement negotiating process takes time, and, depending on the partner, there is no guarantee that it will be faster than obtaining state money transmission licensure.
In addition, generally speaking, a company that pursues the partnership path will lose some autonomy. While a company that partners with a regulated financial institution may avoid some direct regulatory scrutiny, the regulated financial institution is subject to federal and/or state oversight and may be liable for the activities of its partner. This means that the company will face constraints and scrutiny from its regulated financial institution partner over its platform and services offered, such as customer on-boarding. Similarly, if the regulated financial institution is not willing to provide a payment service to a certain customer or class of customers, then the company likely cannot offer the service to those customers through its partnership.
The partnership model may also impose additional onboarding or marketing restrictions on a company. Some of these restrictions may arise from the regulated financial institution partner’s own regulatory and risk-management obligations. For example, if the regulated financial institution partner requires certain information to be collected from all customers during on-boarding, it may contractually require the company to collect that information. Similarly, the regulated financial institution may contractually require the company to seek its approval for all marketing materials before they are disseminated, or that certain information or other terms are included in the company’s terms of service or user agreement.
For these and other reasons, partnering with a regulated financial institution does not necessarily guarantee a lighter regulatory burden. Oftentimes, in fact, the regulated financial institution will pass down some of its regulatory compliance obligations to the company. For example, the regulated financial institution may require the company to develop compliance policies that are subject to approval by the regulated financial institution, and implement those compliance policies. Alternatively, the regulated financial institution may provide the company with its compliance policies and require the company to adopt and implement them. Depending on the company’s business model, this may result in multiple compliance policies that must be created or adopted, and followed and managed. Similar to the licensure model, this may require an individual, or multiple individuals, to oversee the company’s contractually required compliance burden. As it relates to compliance risk, the primary difference between the licensure path and the partnership path is the shifting from regulatory risk to contractual risk.
There are also potential financial drawbacks to the partnership model. In the partnership model, the regulated financial institution will usually take a percentage of each transaction it processes. Further, there may be mandatory minimum usage requirements. While these are both business points subject to contractual negotiation, bargaining power is a huge limiting factor on a company’s ability to negotiate such terms. If a company is a small start-up, a larger regulated financial institution partner may not be willing to budge on the usage commitments or the percentage of each transaction that the regulated financial institution partner retains, i.e., its fees for providing the service.
Takeaway
Regulatory compliance should be a primary consideration in the development of embedded payments functionality. Whether regulatory compliance sits with the company as a regulated financial institution (the licensure model), or through its contractual relationship with a regulated financial institution (the partnership model), understanding payments regulatory compliance and the accompanying legal framework on the front-end may ultimately improve business performance, time to market, and strategic relationships.
This article discusses only a few threshold business and legal considerations and risks associated with embedded payments. Companies that plan to enter the payments space should consider, with experienced legal counsel, all of the legal and business considerations before applying for licensure or partnering with a payment service provider.
As used in this article, the term “regulated financial institution” means a financial institution that is registered, licensed, and/or authorized by the appropriate federal and/or state regulator to perform payments services.
In a recent decision of the Delaware Court of Chancery, the reader is fortunate to be taken on a “tour” by Vice Chancellor J. Travis Laster “through traditional fiduciary law, the DGCL, Delaware corporate law, and Delaware’s support for private ordering” as he examined the validity of a consequential stockholder-level agreement.[1] Ultimately, after carefully scrutinizing the facts and circumstances, Vice Chancellor Laster found that the Covenant (as defined below), although neither facially invalid nor unreasonable on the facts and circumstances of this particular case, is invalid to the extent it seeks to prevent the assertion of a claim for intentional breach of fiduciary duty, because of public policy limitations on contracting.
The facts of New Enterprise Associates 14, L.P., et al. v. Rich, et al., involve Fugue, Inc. (the “Company”), a Delaware corporation founded in 2012 whose business is providing its clients with tools to build, deploy, and maintain a cloud infrastructure security platform. Josh Stella (“Stella”) served as the Company’s Chief Executive Officer during the time in question. In 2013, the Company conducted an offering of its series seed preferred stock, with Core Capital Partners III, L.P. (“Core Capital”), a plaintiff, serving as the lead investor in that series seed offering. Core Capital is an investment fund sponsored by a venture capital firm based in Washington, D.C. In 2014, New Enterprise Associates 14, L.P. and two affiliates, all sophisticated VC funds (these VC funds, together with Core Capital, are referred to herein as the “Funds”), invested in the Company by purchasing preferred stock—ultimately investing approximately $39 million after multiple financing rounds. Each of the Funds was also entitled to appoint one member of the Board. By 2020, the Funds had been invested in the Company for six to seven years, so their investments in the Company were starting to get “long in the tooth” for VC funds. The Funds therefore urged Stella to seek a liquidity event. Toward the end of March 2021, Stella informed the Company’s Board of Directors (the “Board”) of the inability to locate a buyer of the Company, advised the Board that the Company needed capital, and recommended that the Company engage in a recapitalization transaction as a remedy. The Board authorized Stella to proceed.
As the Funds had no interest in investing additional capital in the Company, Company management ultimately advised the Board and existing stockholders that the only option available was for the Company to engage in a recapitalization to be led by George Rich (“Rich”). Rich and his investor group would only commit, however, on the following conditions (this arrangement is referred to herein as the “Recapitalization”): (i) the holders of all existing preferred stock had to agree to an exchange of those shares for shares of the Company’s common stock; (ii) Rich and his fellow investors had to receive a new class of preferred stock, with preferential rights; and (iii) the Funds and other significant investors had to execute a voting agreement (the “Voting Agreement”) containing, among other provisions, a drag-along right, giving majority investors (i.e., Rich and his group) the ability to sell the Company to a third party and force the minority investors (i.e., the stockholders before the Recapitalization) to sell their ownership interest as well, without the need for consent from the minority investors, in a qualifying transaction. More significantly, the Voting Agreement also included a covenant from each signatory thereto not to sue Rich or his affiliates over a drag-along sale, including the assertion of any claims for their breach of a fiduciary duty (the “Covenant”). The drag-along right would be triggered if the Board and holders of a majority of the shares of the new class of preferred stock (held by Rich and his investors) approved a transaction that satisfied eight specified criteria (typical of drag-along rights; see the model form of Right of First Refusal and Co-Sale Agreement sponsored by the National Venture Capital Association [the “NVCA”] on its website[2]). If those conditions were met, then the signatories to the Voting Agreement were forced to participate in that sale transaction (the “Drag-Along Sale”).
Although the Funds declined to participate in the Recapitalization, they did accept Rich’s terms by executing the Voting Agreement, together with the other investors in the Recapitalization and some existing stockholders. Rich and his investor group then invested roughly $8 million in the Company and acquired newly issued shares of Series A-1 Preferred Stock (the “Series A-1 Preferred Stock”) through two affiliated entities, one of which was designated as the “Lead Investor” for the Recapitalization. Rich controlled both vehicles indirectly through a holding company. Following the Recapitalization, the Board was composed of five members, who were Stella, two independent directors carried over from the Board in existence prior to the Recapitalization, and two representatives of the holders of Series A-1 Preferred Stock: Rich, as the designee of the Lead Investor, and David Rutchik (“Rutchik”).
By mid-July 2021, the two independent directors resigned from the Board after unsuccessful discussions with a potential buyer, leaving Stella, Rich, and Rutchik serving as the remaining members of the Board. The following week, the three-member Board: (i) authorized the Company to issue a second tranche of (almost four million) shares of Series A-1 Preferred Stock to nine buyers, which included the Rich group and Rutchik; and (ii) agreed to amend the transaction documents for the Recapitalization so that the issuance of the second tranche of additional shares was included as part of the original offer and sale of Series A-1 Preferred Stock conducted under the Recapitalization. The importance of this second action is the benefit conferred on the buyers, who would now “acquire the shares at the same price and on the same terms that Rich had extracted in April 2021 when the Company was low on cash and had no alternatives.” Further compounding things, on July 29, 2021, the three-member Board approved grants of stock options and, although the vast majority of them went to employees, each member of the Board also received a large stock option grant. Thus, the issuance of this second tranche of Series A-1 Preferred Stock under these circumstances, as well as the grants of options to the Board members (together, the “Interested Transactions”), the Funds argued, “were obvious instances of self-dealing on terms that appear facially unfair to the Company and highly beneficial to Rich and his confederates” and clear breaches of the duty of loyalty owed to the Company and its stockholders.
Further, during this same time the Company was holding discussions with a potential buyer. After several months of negotiations, the Board informed the stockholders that there was an “agreement in principle” to sell the Company for $120 million in cash. On February 12, 2022, the Company sent the Funds a draft merger agreement with a joinder agreement and voting form approving the merger, and told them that “they were obligated to sign the joinder agreement and voting form.” Section 1.2 of the joinder agreement contained a release from each signatory thereto of any and all claims against the Company, the directors, and their associates and affiliates. The Funds agreed to sign if Rich and Rutchik would attest that they had not had any communications with the buyer about a potential transaction before the Recapitalization. Rich and Rutchik would only agree to sign substantially narrower affirmations, culminating in the Funds’ refusal to vote in favor of the merger or sign the accompanying joinder. On February 17, 2022, the Company announced the execution of the merger agreement and the consummation of the closing of the transactions contemplated under it. On May 9, 2022, the Funds sued the directors for breach of fiduciary duties in connection with the drag-along sale. The Vice Chancellor noted that the “gist” of the Funds’ claims is that “the Drag-Along Sale (i) failed to provide any consideration for derivative claims relating to the Interested Transactions and (ii) conferred a unique benefit on Rich, Rutchik, Stella, and their affiliates by extinguishing the standing of sell-side stockholders to pursue those claims.” As a consequence, the Funds asserted that the Drag-Along Sale was an interested transaction subject to the entire fairness test, a test the defendants could not satisfy. The defendants moved to dismiss the complaint, arguing that the Covenant foreclosed the Funds’ claims.
Vice Chancellor Laster’s legal analysis in this case was thorough and extensive, first focusing on the facial validity of the Covenant. He examined arguments supporting a finding of the Covenant to be facially invalid (e.g., extent to which parties can waive breaches of fiduciary duties in Delaware corporations) and arguments supporting a finding of the Covenant not to be facially invalid (e.g., ability under law to tailor fiduciary obligations), and noted early in the decision that the “argument against facial invalidity takes longer to unspool.”
In unspooling that argument, the Vice Chancellor reviewed the differences between covenants not to sue versus releases, and whether any public policy limitations could be placed on them; specifically, reviewing Illinois law, New York law, and Delaware law on this issue. He also noted the clear language of the agreements and the terms to which the Funds had agreed, and the bargained-for exchange that induced Rich to be the lead investor and invest, along with his fellow investors, roughly $8 million in the Company in the Recapitalization. The Court of Chancery additionally noted that the Covenant is similar to a provision found (in its most expansive form) in the model form of Voting Agreement sponsored by the NVCA. He examined the ability to contractually tailor fiduciary duties as well as what tailoring was statutorily authorized—specifically, §§ 102(a)(3), 102(b)(7), 122(17), 141(a), 145, 327, and 367 of the DGCL—and concluded that §§ 327 and 367 demonstrate that some loyalty claims can be limited under Delaware law, which indicates that the Covenant is not facially invalid. Vice Chancellor Laster found that Delaware corporate law does permit more fiduciary tailoring “than is commonly understood” to be permitted.
The Vice Chancellor also examined the ability to tailor fiduciary duties under common law and considered Delaware’s contractarian approach (i.e., allowing parties to business entities an opportunity to craft the limits of their obligations). After noting and acknowledging Delaware’s respect for private ordering, the judge compared the leeway permissible in stockholder-level arrangements versus the stricter requirements found in charter documents of corporations. He also reviewed other types of rights that persons can waive (jury trial right, right to counsel, right against self-incrimination, certain property rights, restrictive covenants, and nondisclosure agreements are some examples). On this point, Vice Chancellor Laster noted that the fact a person can waive fundamental liberty and property-interest rights indicates that the Funds could waive their rights associated with ownership in a corporation (i.e., “suggests that the Covenant is not facially invalid”).
In a reflective moment, the Vice Chancellor pondered whether the DGCL should be amended to impose a requirement on stockholders of Delaware corporations to disclose to the corporation the existence of any consequential stockholder-level agreements in effect (i.e., agreements that would meet certain criteria) and to restrict the enforceability of any such agreement unless both: (i) a copy of such agreement is delivered to the corporation; and (ii) the corporation in turn either (a) files the agreement or a summary thereof with the Delaware Secretary of State, or (b) notes its existence on the stock ledger and makes it available for inspection by any stockholder upon request. In footnote 276 of the Decision, Vice Chancellor Laster noted that this type of disclosure requirement would be similar to the “informed consent” a lawyer needs to receive from her client with respect to a conflict of interest that would otherwise constitute a breach of duty to that client under the applicable Rules of Professional Conduct. He also highlighted that his suggested approach on how to deal with consequential stockholder-level agreements (i.e., he proposed that their disclosure be required) differed from the approach advanced by Justice Valihura in her dissent in Manti (i.e., she proposed to invalidate them).
The court then looked to see if declaring the Covenant facially invalid would undermine Delaware’s corporate brand, and Vice Chancellor Laster determined that a stockholder-level agreement for a Delaware corporation, in which the stockholders agree on how to allocate their rights with respect to that corporation, to be consistent with Delaware’s corporate brand. He concluded that, as this case involved a conflict between two elemental forces of Delaware corporate law—private ordering and fiduciary accountability—the argument about undermining Delaware’s corporate brand did not warrant holding the Covenant facially invalid.
Next, the judge considered whether the Covenant should be facially invalid based on the premise that allowing stockholders to waive claims for breach of fiduciary duty through a private agreement would blur the distinction between corporations, which are subject to corporate formalities, and LLCs and other alternative entities, which are creatures of contract and whose governing statutes (i.e., the Delaware Limited Liability Company Act, the Delaware Revised Uniform Partnership Act, and the Delaware Revised Uniform Limited Partnership Act) specifically allow the contracting away of fiduciary duties. Not finding this argument persuasive, he noted that the line between these two types of legal entities is already blurred. And he disagreed with the assertion that stockholder-level arrangements blurred the distinctions between the entities, particularly noting the importance of distinguishing between having provisions like the Covenant in the constitutive documents of the entity versus having them at the owner level. On this point, the judge concluded that the argument about blurring the line between the two types of entities was an insufficient basis to declare the Covenant facially invalid.
In the next leg of the tour, Vice Chancellor Laster reviewed relevant Delaware caselaw, first examining not only the majority decision but also Justice Valihura’s dissent in Manti Holdings, LLC v. Authentix Acquisition Co., 261 A.3d 1199 (Del. 2021) (the “Manti case”). In the Manti case, the Delaware Supreme Court reaffirmed the corporate principle that “sophisticated and informed stockholders” of Delaware corporations, who have bargaining power and are represented by legal counsel, can voluntarily waive in advance their appraisal rights under Section 262 of the DGCL. The Vice Chancellor also reviewed a Delaware decision neither side cited: In re Altor Bioscience Corp., C.A. No. 2017-0466-JRS (Del. Ch. May 15, 2019) (TRANSCRIPT) (the “Altor Bioscience case”). In the Altor Bioscience case, the court held that a bargained-for covenant not to sue, comparable to the Covenant, that barred claims for breach of fiduciary duty was valid. From the Manti case and the Altor Bioscience case, the judge formulated a two-step analysis to determine the validity of a provision like the Covenant. First, the provision must be narrowly tailored to address a specific transaction that otherwise would constitute a breach of a fiduciary duty. Second, the provision must survive close scrutiny for reasonableness. The Vice Chancellor then applied that two-step analysis to the facts present in this particular matter and determined, based on the facts available, that the Covenant passed both tests, noting “[t]he facts of this case provide an example of sophisticated parties using a provision like the Covenant to allocate risk and order their affairs. This is a case where a provision like the Covenant can be enforced.”
At this point, the Vice Chancellor also stressed that this decision should not be construed to stand for the proposition that provisions similar to the Covenant will generally be found enforceable under Delaware law. After noting how courts treat covenants not to compete (an economic right and a restraint on trade), the judge said Delaware courts would take a similarly hard look in reviewing covenants not to sue, which he characterized as implicating a foundational right (the right of access to the courts). He envisioned and listed certain scenarios (e.g., agreements with retail stockholders as opposed to the sophisticated stockholders suing in this case) in which the validity of such a restrictive covenant would be viewed especially critically by the court.
Although Vice Chancellor Laster did conclude that the Covenant satisfied the two-part test of the Manti case and the Altor Bioscience case—i.e., the Covenant was (i) not invalid as a form of impermissible fiduciary tailoring because it only applied to certain sale transactions meeting eight contractually defined criteria and (ii) reasonable based on the facts present—the judge ultimately applied a public policy limitation to the Covenant and found it to be in violation of Delaware’s public policy against the enforcement of contractual arrangements exempting a party from tort liability for harm caused by intentional or reckless conduct. Thus, the motion to dismiss was denied. In support of his conclusion, the Vice Chancellor cited (a) the Restatement (Second) of Contracts § 195, (b) 8 Williston on Contracts § 19:24, and (c) the decision in Abry P’rs V, L.P. v. F&W Acq. LLC, 891 A.2d 1032, 1057–59 (Del. Ch. 2006).
Special thanks to my law partner Michael J. Halloran for his input on this decision and article.
With the recent launch of ChatGPT, artificial intelligence (AI) has been a hot topic in the news. In addition to ChatGPT being a novel and unique tool that may be used in a variety of ways, it creates novel and unique intellectual property issues and concerns.
ChatGPT represents a major improvement in our collective ability to access, process, and convey information. In the past, to answer a question, we would need to perform either simple or extensive research. If the question is relatively basic, a simple search on a search engine might suffice to provide the desired answers. If the question is more complex, additional research might be required, including, e.g., visiting a library and referencing multiple texts. Now, with the introduction of ChatGPT, all that may be required is simply posing the question to ChatGPT. This AI engine is capable of parsing the question presented and providing a thorough answer, regardless of the complexity of the question—though with inconsistent accuracy.
ChatGPT’s capabilities include improving ease of access to information, forming an appropriate response to the question posed or information requested, and conveying information in a very natural manner. Indeed, if one wanted to research ChatGPT’s capabilities and then write an article about those capabilities, the process could be short-circuited by simply asking ChatGPT to write a short article about itself. ChatGPT can prepare an article that is practically indistinguishable from one written by a human author, without copying prior content. In fact, now you may be wondering if you are being tricked into reading an article written by ChatGPT.
The advancements represented by ChatGPT, however, raise novel issues and present certain concerns. From an intellectual property standpoint, copyright questions abound. For example, ChatGPT is a bit of a black box, and it generally does not include citations or attributions to original sources. Thus, it is unclear if particular content created by ChatGPT could infringe on another author’s copyrights.
ChatGPT may not raise any specific patent-related concerns from a content perspective. However, what if a ChatGPT-like AI was trained to create inventions? That is akin to what Stephen Thaler did, and what subsequently formed the basis for a writ of certiorari presented to the U.S. Supreme Court.
Thaler created DABUS, short for Device for the Autonomous Bootstrapping of Unified Sentience. DABUS is a combination of two AI systems, the first trained with data from a particular scientific area and used to generate novel alterations of that data, and the second developed to measure the novelty and utility of the alterations created by the first.
DABUS created two inventions that formed the basis of two patent applications at the United States Patent and Trademark Office (USPTO). These applications were subsequently rejected on the basis that they were not invented by a human. Thaler appealed to the USPTO’s review board, which upheld the USPTO’s refusal of the applications.
Thaler sought review of the USPTO’s decision in the Eastern District of Virginia. The district court sided with the USPTO, holding that an inventor must be a human. Undeterred, Thaler went to the Court of Appeals for the Federal Circuit (CAFC), which affirmed the district court’s decision—leading to Thaler’s petition for a writ of cert to the Supreme Court.
The crux of the case turned on interpretation of the relevant statutory language. In particular, 35 U.S.C. § 101 states that “[w]hoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor,” while 35 U.S.C. § 100(f) defines inventor as “the individual or, if a joint invention, the individuals collectively who invented or discovered the subject matter of the invention.”
Thaler contended that Congress did not include any restrictions on the words “inventor” or “individual” to pertain to only natural persons. Thus, according to Thaler, DABUS can be an inventor.
The district court held that “individual” ordinarily means a human being. The CAFC held that its prior decisions held that inventors must be natural persons, but acknowledged that the question in those cases pertained to corporations as the competing interest, not an AI program.
In late April, the Supreme Court refused to hear this case. In choosing to not weigh in on whether inventions created by AI may be provided the benefit of patent protection under the laws of the United States, the Court effectively answered that question with a “no,” at least for the time being.
Of course, generative AI is only in its infancy, and the future likely holds additional questions pertaining to the interrelationship between patents and generative AI. Those questions could have wide-ranging implications for both the patent system itself as well as every industry where patents operate.
Corporate legal departments are getting more savvy when it comes to spending their money on legal resources. We recently saw a slide that circulated from a Paul Hastings associate where, among other not-so-pleasant items, it showed that junior associates are billing at rates of $850 per hour. Paying these rates for a junior attorney to perform low-value work is no longer a viable option for corporate legal departments.
One of the key practices for managing these concerns is to prioritize the most critical legal issues and focus on implementing technologies that can streamline addressing them most effectively. For example, eDiscovery and contract management are critical areas where technology and redistributed staffing can help to simplify workflows and reduce costs. In IPRO’s recent 2023 State of Law Firm Industry Report, 69% of survey respondents pointed out “increasing client demand for ‘more output with less costs’ as the trend they agreed with the most.”
Reducing costs is particularly challenging in the current environment, however: in Thomson Reuters’s 2022 Law Firm Business Leaders Report, 98% of managing partners and C-suite leaders said they would “probably” or “definitely” increase billing rates in 2023 to improve their financial performance. This means that $850 hourly rate will go up even higher. This is not a sustainable model for corporate legal departments that are tasked with cutting costs.
So how are legal departments meeting this goal? There are several baseline steps you can take to evaluate your legal spend.
Analyze your legal bills.
If you don’t use billing codes, it’s a good time to start.
What tasks are the attorneys at your law firms performing?
What tasks are paralegals performing?
What are the technology costs they are passing through?
Evaluate internal work distribution.
What are members of your internal team spending time working on?
Are there repetitive tasks you could automate?
Is there lower value/risk work that you could outsource to an Alternative Legal Solutions Provider (ALSP)?
Consider consolidating outside counsel work with just a few firms.
According to the IPRO report mentioned above, “over 65% of in-house corporate legal teams are likely to reduce the number of law firms they work with, as they see keeping more work in-house as a measure to mitigate the most pressing challenges of 2023.”
This can give you greater leverage to negotiate rates and allow the firms you retain to develop more specialization in your business.
Choose firms with the expertise for your matter types, not just by their AmLaw rating.
Ask questions about firms’ use of AI and analytics along with proof of concept/case studies.
Determine the actual volume of data involved in litigation and investigation matters each year.
By knowing this figure, you are in a much better position to take control of technology costs such as data collection, processing, and hosting, whether you use a third-party vendor or choose to manage the technology internally.
Determine the volume of first-level review being managed by your outside counsel.
What are you paying your outside counsel to do first-level review, and is it worth it, or are other options more cost-effective?
Ensure your counsel is willing to work with your review partner of choice.
Use AI and technology effectively on every matter.
If your outside counsel isn’t pushing this, consider it a red flag. In the IPRO report, 73% of law firm professionals said they “aim to increase the use of technology to become more competitive in 2023.”
Evaluate how to bring AI into your existing workstreams. A knowledgeable service provider or ALSP partner can help.
Track metrics on every case.
Your outside counsel and service provider partners should be providing metrics that are meaningful to your business. If they aren’t, figure out what those metrics are, and start building out your models.
In conclusion, in the context of the varied issues facing corporate legal departments today, it is important for companies to prioritize their most critical legal concerns and implement technology and staffing solutions that can address them effectively. Budget and staffing cuts often have a significant impact on corporate legal departments, and it is important for companies to consider the broader implications of these cuts when restructuring. By redistributing some functions, companies may be able to mitigate the impacts of budget and staffing cuts and maintain the effectiveness of their legal departments.
We continue to see an upward trend in private equity funds (“PE Funds”) utilizing co-investments. When properly structured, co-investment transactions can yield a number of benefits for co-investors and PE Fund sponsors alike.
Co-investments in private equity are joint investments made by two or more investors, typically including a PE Fund sponsor and one or more limited partners. Each co-investor will directly participate in the equity financing of a particular target portfolio company (the “Portco”) alongside the PE Fund, as opposed to investing via the PE Fund itself. In doing so, co-investors can potentially gain greater exposure to a specific investment and increase their potential returns, while the PE Fund sponsor benefits from reduced capital requirements and potential access to additional investment opportunities. Typically, the PE Fund and co-investors will invest in a holding company (a “Holding Company”) that acquires the Portco, but the Holding Company may also invest directly in the Portco.
While the primary goal of both the PE Fund and co-investors is to maximize investment returns, it is crucial to structure co-investments in a way that provides the PE Fund with sufficient operational flexibility while also safeguarding the interests of each co-investor.
This article will identify five key considerations for both PE Funds and co-investors when structuring and negotiating co-investment transactions.
Key Considerations and Deal Terms for Co-Investments
Active vs. Passive
When considering co-investment opportunities, one of the primary considerations for a co-investor is their desired level of decision-making with respect to the Portco. A co-investor might prefer to have ongoing involvement in the Portco following the closing of the transaction and therefore seek to make a direct co-investment in the Portco alongside the PE Fund sponsor. This structure is commonly referred to as an active co-investment. Alternatively, co-investors who are looking to have limited involvement in the majority of the decision-making may choose to invest through a special purpose vehicle (“SPV”), often a limited partnership, that is created and controlled by the PE Fund sponsor. The co-investors pool their capital in the SPV, which then participates alongside the PE Fund sponsor in the co-investment transaction. This structure is generally described as a passive co-investment. It is critical that the parties consider both tax and jurisdictional matters when structuring the co-investment transaction, though these points are beyond the scope of this article.
Alignment on Exit Strategy
PE Funds and co-investors must also consider the consequences of any liquidity events with respect to the Portco and/or Holding Company. Typically, co-investors will look to exit the investment at the same time and under the same economic terms and conditions as the PE Fund through negotiating certain tag-along or co-sale rights. A PE Fund should consider how these co-sale rights could impact any decision by the PE Fund to syndicate its investment in the future and look to pre-negotiate carve-outs to any co-sale right to allow for syndication if required.
To avoid the risk of a co-investor blocking a transaction by not agreeing to a sale, the PE Fund will want to have the right to force each co-investor to sell their interests when the PE Fund decides to sell, provided that certain requirements are met. The prerequisites for triggering the PE Fund’s drag rights may include a certain sale threshold being met (i.e., a full exit transaction as opposed to a partial sale) and/or achieving a predetermined rate of return. In addition to negotiating the triggers to the PE Fund’s drag rights, co-investors should look to prohibit or limit the scope and duration of their noncompete and nonsolicit covenants following a sale, as well as limiting the representations and warranties they provide upon a sale to fundamental ones relating to the ownership of their shares. Furthermore, while most co-investment agreements will place limitations on the transfer of shares, co-investors should look to negotiate the right to transfer their shares to affiliated entities and place restrictions on the PE Fund’s ability to enter into syndication arrangements absent the co-investors’ consent.
It is essential that the parties gain alignment on exit strategy, as a dispute at the time of sale could detrimentally impact the proposed transaction with the third party. Pre-negotiating the terms of exit can reduce the potential for such disputes.
Board Composition
PE Funds and co-investors should carefully consider the board composition of the investment vehicle. Depending on the size of each co-investor’s investment, co-investors may negotiate the right to nominate directors to the board of the Portco and/or Holding Company. PE Funds may also be agreeable to granting a specific co-investor a board seat if that co-investor has a skillset or industry knowledge that can be instrumental to the support of the Portco. As the board of directors oversees the management and direction of the Portco, it is critical that the PE Fund and co-investors consider the board composition and its impact on the management of the investment. In addition, the co-investor should be cognizant that its nominee will have a fiduciary obligation to the Portco that overrides any obligation to represent the nominating co-investor’s interests at the board level. This fiduciary duty does not apply to shareholders or unit holders. Thus, co-investors should ensure that they have negotiated the right to veto certain board decisions (as outlined below) in their capacity as shareholder to avoid the risk that their nominee is found to be in a conflict of interest based on advocating on behalf of the co-investor.
However, in cases where granting a board seat to the co-investor is not appropriate due to the size of the co-investor’s investment, conflict of interest, or other reasons, the co-investor may instead seek an observer right. This right allows the co-investor to nominate an individual who may attend, but not vote at, meetings of the board of directors. While board observers do not have voting rights and thus do not have a fiduciary duty to the Portco, they can be an effective tool for co-investors to monitor the decision-making activities of the board and ensure that their interests are being adequately considered and represented.
Minority Approval Rights
The right of a co-investor to approve certain actions or veto board decisions of the SPV or Portco is heavily negotiated in co-investment transactions. As the PE Fund often takes operational control of the Portco, co-investors will look to have the right to approve a pre-negotiated list of matters that they deem critical to protecting their investment.
When determining which matters should be subject to minority approval rights, the parties should consider the effect that such approval rights might have on the Portco’s ability to make decisions quickly and efficiently. Some of the more common minority approval rights that are sought by co-investors include the right to approve:
any amendments to the Portco’s organizational documents;
the entering into of any material transactions outside the ordinary course of business (e.g., taking on any debt over a predetermined threshold, entering into a related-party transaction, amending the compensation of management of the Portco outside of ordinary course, or entering into a strategic relationship in which the contribution is greater than a predetermined threshold);
the entering into of any fundamental transactions outside the ordinary course of business (e.g., amalgamation, merger, reorganization, or sale of all or substantially all of the Portco’s assets);
the authorization, creation, or issuance of any class of securities of the Portco that impacts or has preference over any class of securities held by co-investors; and
the declaration or payment of any distribution, whether in the form of a dividend or return of capital.
Whether a particular co-investor receives some or all of these approval rights depends on the nature of the co-investment, the role of the co-investor, and the bargaining power of the co-investor.
Information Rights
In order to monitor their investment, meet their reporting and disclosure requirements, and hold management accountable, co-investors should look to negotiate rights to access and receive ongoing detailed information regarding the Portco. While certain corporate statutes mandate that shareholders receive audited annual financial statements (unless the corporation is not a reporting issuer and the shareholders unanimously waive the audit requirement on an annual basis), shareholders’ agreements will often provide shareholders the right to receive management-prepared monthly and quarterly interim financial statements, as well as management-prepared budgets and financial forecasts. In addition, co-investors should look to receive notice of certain events, such as notice of the commencement of litigation against the Portco. Co-investors must also consider their own internal reporting obligations and ensure that they can meet these obligations with respect to the Portco based on the rights they negotiate. As is the case with other minority protections, the scope of a co-investor’s contractual information rights will depend on the size of the co-investor’s investment and the type of co-investment transaction.
Preemptive Rights
Co-investors should look to ensure that they have the right to maintain their ownership percentage in the Portco and/or Holding Company by negotiating robust preemptive rights on any future issuance of shares by the investment vehicle. Notably, there are certain equity issuances that are regularly carved out of the preemptive rights regime, including issuances that are part of the Portco’s equity incentive plan and issuances in connection with a transaction that has received shareholder approval.
Fees and Related-Party Transactions
Investors who invest through a PE Fund will typically be charged management fees that are calculated as a percentage of the total committed capital. PE Funds will also charge incentive fees that equate to a percentage of the profits earned on investments by the PE Fund, with such incentive fees becoming payable by investors only after a certain return threshold has been achieved. When an investor makes a co-investment outside of the PE Fund, the manner in which fees are charged differs from that when investing through the PE Fund. Where management and incentive fees are directly charged on co-investments, they are usually capped and lower than when investing directly into the PE Fund. Whether such fees are charged will depend on the needs of the PE Fund sponsor, as well as the form of the co-investment structure, including whether the co-investor is an active or passive co-investor. Co-investors should also consider what fees and expenses they will be required to cover relating to the investment, operation, and sale of the investment vehicle. These fees are heavily negotiated and will impact the potential return on investment of each party.
Although the use of co-investment structures can lead to reduced or no management and incentive fees, co-investors may still bear indirect fees, as the PE Fund and/or its affiliate or another third party will typically charge management fees or other fees and expenses to the Portco and/or Holding Company. These fees and expenses are in consideration of the PE Fund managing the investment vehicle or providing other services, such as deal support. Consequently, co-investors should consider seeking contractual protections to prevent the PE Fund sponsor from increasing or introducing additional fee-bearing arrangements beyond what is disclosed and agreed to by the parties as of the closing of the initial investment. Such contractual protections may take the form of an approval right by the majority of co-investors or a covenant by the PE Fund sponsor to disclose to co-investors all fee-bearing arrangements between the Portco and/or Holding Company and the PE Fund sponsor (or any of its affiliates). An alternative approach would be to require that all such arrangements be entered into on arm’s-length terms, though it may prove difficult to demonstrate that a particular fee-bearing arrangement between the Portco and/or Holding Company and the PE Fund sponsor does not reflect arm’s-length terms. Any restrictions on fees should be reasonable to reflect the services to be provided by the PE Fund sponsor.
Conclusion
Co-investments will continue to play a significant role in private equity due to the advantages outlined in this article. It is critical that both co-investors and PE Funds carefully consider the various ways in which co-investments can be structured in order to ensure that all parties are aligned and working towards a common goal of creating value for investors. The parties should look to strike a balance between the need for co-investors to protect their investment and the need to provide the PE Fund sponsor with the latitude to make operational decisions based on its expertise so that it may maximize returns.
When asked to identify the area that presents the greatest risk to their organizations, 62 percent of respondents in a recent Baker McKenzie survey of 600 senior litigation attorneys at large companies on four continents indicated that their top concern is the area of cybersecurity and data-related disputes (theft of trade secrets, ransomware, and privacy violations).[1] To those of us working in the information security and privacy area, this finding is not surprising because much the same result was returned by a variety of other recent surveys.[2]
What is noteworthy is that this risk area continues to be at the top of attorneys’ list of concerns. Evidently, the risk-reduction measures taken by the large organizations that comprised the survey’s respondents (and that have the most money to spend on these problems) are not lowering risk exposures to reassuring levels. Something is seriously wrong here, and it has been getting worse for decades.[3] In order to turn this dangerous trend around, we urgently need greater personal involvement of the leadership, including expanded budgets for this crucial area.[4]
That’s why this article proposes that we now deploy independent third-party legal compliance audits, examining the actions taken (or not taken) by the directors and officers, to make sure that the information security and privacy area is being properly addressed. The compliance auditing approach proposed here asks only whether the directors and officers are doing all that is now required by law—something that they should already be aware of and attending to, but, unfortunately, in many instances are not. This type of independent compliance audit has many uses, including vetting a prospective vendor on which a firm will soon critically depend, vetting a firm that is about to be acquired or merged with another, vetting a firm in which a large investment will soon be made, and vetting a firm that has requested access to a trade secret at another firm.
The Legal Compliance Audit Process
Parallels to the Financial Audit Process
The best frame of reference to illuminate the proposed legal compliance audit process is the historically proven independent financial audit process, which is already widely performed for publicly listed companies in the United States. The intention of expressing a one-page professional opinion on a certain topic is the same, except in the legal compliance audit the opinion states whether the directors and officers are in full compliance with all their legal duties, in all material respects, in the domain of information security and privacy. In both types of audit projects, a confidential management letter is also issued to the top management of the auditee organization if there are control deficiencies that need to be rectified.
In both types of independent audits, the auditor must be truly independent from the auditee organization, although the legal compliance auditor has a higher standard than an independent financial auditor does. The legal compliance auditor must meet all of the independence requirements of an independent financial auditor as well as all of the requirements of independent attorneys preparing professional opinions. In this way, the process fits with the existing expectations of the business world surrounding independent audits, and also fits with the professional obligations of all licensed attorneys doing this type of work.[5]
As with the financial auditing process, in the legal compliance auditing process there are published journal articles,[6] professional association ethics statements,[7] professional association guides,[8] and published treatises[9] that can help ensure that the process of generating a professional opinion covers certain essential topics and is performed in a high-quality, repeatable manner. In the case of the legal compliance audit process discussed in this article, those topics include setting up the engagement so that both attorney-client privilege and attorney work-product doctrine can be used to protect the information gathered and generated.
Like the financial auditing process, the proposed legal compliance audit process is intended to balance out excesses and imbalances that can no longer be sustained.[10] As will be explained in detail below, the current excessive focus on profits and other financial metrics, which primarily benefit shareholders, board members, and top management, must be rebalanced with metrics that incorporate the needs of other constituencies, such as business partners and customers.
The ESG Framework
To achieve this rebalancing, we must have seriously motivated leaders at the top of our corporations. Rather than increasing legal accountability, the legal compliance audit process only checks to see whether the leadership is currently performing the minimum that is now required by law. There is already ample precedent to demonstrate that directors and officers are currently being held accountable for information security and privacy problems.[11] When directors and officers become better acquainted with their existing personal legal accountability, that will help motivate them to pay greater attention to, and hopefully provide additional funding for, the critically important information security and privacy area.
By incentivizing the adoption of this type of new leadership attitude, the proposed solution described here fits within the environmental, social, and governance (“ESG”) area—specifically, the governance area.[12] Interestingly, in the Baker McKenzie survey mentioned above, the second category of concern in terms of greatest risk to their organizations, cited by 58 percent of respondents, was ESG issues. Thus, the proposed compliance audit approach addresses both the No. 1 concern and the No. 2 concern of litigation attorneys surveyed.
Ease of Use
Further improving the attractiveness of the legal compliance audit approach is the fact that the audit methodology is ready to go, can be deployed immediately by any firm in any industry, and is applicable to firms legally domiciled in any state/territory/district in the United States. This ease of use extends beyond adoption, and includes ease of comparison of the results with other firms that have also gone through such a compliance audit.
Levels of Sophistication
There are three distinct levels of sophistication associated with the legal compliance audit process, and they all pertain to the information that is generated as a result of performing the audit: (1) internal use only, (2) shared only with selected third parties, and (3) publicly released.
If the compliance audit process is being used for the first time, then the results may be for internal use only. The results can be used to raise the awareness level of the directors and officers, generate a list of control-related remedial actions, align the actions of management at multiple levels in the organization, and create a new incentive system for the directors and officers. These internal-use-only results can also be used as critical inputs to an internal legal compliance process, such as those supported by governance, risk, and compliance (“GRC”) tools.
The next level of sophistication involves generating a professional opinion that is shared with one or more specific parties, such as a business partner who is considering the disclosure of a trade secret to the auditee firm. The professional opinion can give the third party additional assurance that the auditee firm is set up, managed, and governed in such a way that it can be trusted. Other third parties that would be interested in confidentially receiving such a professional opinion include insurance companies, major investors, lenders of a significant amount of money, and firms participating in a merger or acquisition deal. One particularly useful example of this confidential-release-to-a-third-party approach involves a release to a regulator, such as the Federal Trade Commission (“FTC”), as a part of a consent decree or nonprosecution agreement.[13]
The most sophisticated use of this compliance audit process involves making the professional opinion public information and then revealing a new “fully compliant” opinion every year thereafter. This would generally be undertaken only after the auditee firm has received several years of “fully compliant” professional opinions—and after it has gained confidence that it can predictably continue to generate these same “fully compliant” professional opinions every year going forward. This public disclosure can be leveraged for public relations purposes, for marketing purposes, and to achieve competitive advantage (where excellent security and privacy are, for example, made part of the product or service offering). This last approach to using the results of a compliance audit can also be used to rehabilitate the damaged reputation of a firm that has recently suffered a highly publicized major breach.
Specific Reasons for Use of Legal Compliance Audits
Revelations of Misrepresentations
There is ample evidence that many firms these days are failing to perform adequate due diligence before they enter into major investments, mergers and acquisitions, and other high-risk transactions (signing outsourcing services contracts, disclosing trade secrets to third parties, and entering into other critical business partnerships). In a surprisingly large number of recent situations, companies are publicly shown to be lying, twisting the truth, and otherwise misrepresenting what is actually going on.[14] Performing the proposed legal audit process will, in many cases, readily reveal these misrepresentations, because the state of information security and privacy legal compliance is a litmus test of good internal management and governance.[15] This audit process is accordingly very useful when evaluating third parties prior to entering into a variety of high-risk transactions, such as when an insurance company considers issuing directors and officers (“D&O”) liability insurance.
A very large and well-known venture capital firm, for example, invested $210 million in FTX, an amount that now has been written down to $0.[16] This and a number of other venture capital firms evidently failed to sufficiently investigate what was happening internally at FTX before making their investments. Later, after FTX declared bankruptcy, it came to light that there was a very serious lack of corporate governance mechanisms. For example, FTX was revealed to have no complete list of its own bank accounts, no separation of customer funds and company funds, no complete list of its employees, and no board of directors. It also lacked adequate teams to handle cash management, accounting, auditing, risk management, and information security. If the independent legal compliance audit approach had been performed before this investment in FTX was made, the venture capital firm undoubtedly would have decided not to proceed with the investment.
Heightened Awareness of Legal Duties
Another reason to perform an annual compliance audit is that it increases the level of awareness[17] of the directors and officers when it comes to their legal duties, specifically in those areas where they may not be performing all that the law currently requires. While certainly this group wants to know how to avoid personal liability, these leaders also want to know what their job as a director or officer entails, as the law sees it. Many people in this group have not received a clear and succinct job description when it comes to the relatively new domain of information security and privacy. A legal compliance audit helps to ensure that the directors and officers understand, and are in fact performing according to, those same requirements.
The annual performance of such an audit also creates a metric that measures performance according to that same job description. An internal audit preparation process, such as that conducted by many publicly listed firms for the financial audit process, can ensure that the firm receives a “fully compliant” opinion every year. An annual legal compliance audit also can be a significant motivator to ensure that the minimum required by law has been met: D&O bonuses, promotions, perks, and related incentives can be tied to receiving a “fully compliant” professional opinion from the audit process.
This annual reconsideration, which can be institutionalized into a part of the governance and management reporting system (aka the GRC reporting system), also creates new opportunities, such as going well beyond the minimum to achieve competitive advantage, to create a favorable public relations image, and to better market existing products and services. Third-party trust in the firm receiving this type of legal compliance audit will be built up over time if the organization can show a string of “fully compliant” opinions using an independent audit process such as this.[18]
Recognition of Funding Needs
A big part of why the information security and privacy area continues to be increasingly litigious and disputed is that the existing incentive systems at many organizations have been designed such that the organizations allocate insufficient resources to this increasingly critical area.[19] Typically, the information security and privacy area is seen as a line item in the budget that does not bring in revenue and does not generate profit. In addition, decision makers see the information security and privacy domain as an undesirable expenditure because it requires long-term, sustained expenditures in order to be successful.[20] In contrast, great emphasis is placed on existing financial performance metrics, such as stock price and whether stock options are exercisable (“in the money”)—metrics grounded in short-term results. Use of these metrics for decision-making often leaves information security and privacy underfunded not only because information security and privacy are long-term endeavors but also because there is no inspiring dramatic prize for a firm that remains quietly reliable due to its excellent information security and privacy. Furthermore, these financial metrics are historically firm-oriented, when the new reality of a tightly interconnected technological world requires that we expand our horizons to include the needs of other entities.
The excessive focus on short-term financial results is well-known and has led to major breaches of system defenses—and was, in fact, one of the allegations of the plaintiffs in two recent, high-visibility shareholder lawsuits, respectively involving LastPass[21] and SolarWinds.[22] In defense of those in the D&O group, particularly those who genuinely want to do the right things, under the traditional short-term financial-results-oriented system, they have often found themselves pushed into making decisions that favor short-term financial results at the expense of long-term organizational sustainability.[23]
By using ESG metrics, such as the legal audit process described here, we can move away from an overwhelming focus on short-term financial results and instead obtain a more balanced scorecard emphasizing more sustainable and justifiable decisions in the long term. This, in turn, will increase budgets for information security and privacy, and it will help to align the objectives of stakeholders such as business partners, customers, employees, investors, regulators, and insurance companies. Excellent information security and privacy, as reflected by a “fully compliant” professional opinion resulting from a legal compliance audit, is a win-win for all of these stakeholders. The world has become far too interconnected not to make decisions based on a multiparty framework.
Focus on Directors and Officers as a Practicality and a Deterrent
The legal compliance audit process places an incentivizing focus on directors and officers. An audit focus on the actions of the directors and officers is warranted because they set the direction of the entire firm they govern and manage, and they are also the ones who are named as defendants in lawsuits after a major problem.
This audit focus is also warranted because they are the subject of a good deal of recent legislation and regulation.[24] The number and scope of externally dictated requirements for information security and privacy are being markedly increased, for example by the U.S. Securities and Exchange Commission (“SEC”), which has proposed new rules for disclosures in this area about the level of board expertise, the type of board risk management oversight, and recent material incidents.[25]
Public statements made by both federal and state regulators have also recently included the intention to hold corporate directors and officers personally liable for serious lapses in this same area. For example, former SEC Commissioner Luis A. Aguilar indicated that personal liability was one potential result of “failing to implement adequate steps to protect a company from cyber-threats.”[26] Echoing the same perspective, recently retired SEC Chairman Jay Clayton, at his confirmation hearing, stated that “individual liability is the greatest deterrent.”[27] Similarly, former U.S. Department of Justice Deputy Attorney General Sally Yates issued an influential memo indicating that (a) individual executives were to be henceforth individually targeted at the onset of prosecution of corporate wrongdoing, (b) involved corporate entities would be deemed cooperative only if they designated the individuals involved, (c) there would be no entity fine settlements creating a “clear plan” preventing executive prosecution, and (d) Department of Justice staff should pursue civil charges against individuals regardless of their ability to pay.[28]
Financial Incentives
Of course, there are also increasingly significant financial reasons to do a better job in the information security and privacy area. One reason why information security and privacy risks are of such great concern is the very large dollar amounts associated with shareholder suit settlements, regulatory fines, and court judgments. Furthermore, violations of the General Data Protection Regulation (“GDPR”), if they involve the rights and freedoms of data subjects, can involve fines of up to four percent of worldwide annual turnover (sales).[29]
Given that 55 percent of large companies worldwide are not effectively stopping cyberattacks, finding and fixing breaches quickly, or reducing the impact of these breaches,[30] it makes very good sense to have an annual independent audit process that identifies those businesses that are particularly risky, as evidenced by their failure to meet the minimum required by law. This can help other businesses avoid investing in, or becoming business partners with, firms such as FTX. Prevention and avoidance are far less expensive than recovery, repair, reputation rehabilitation, and dealing with the legal aftermath of these incidents. For example, the cost of remediation for a ransomware attack can be thirty times the cost of prevention, according to a survey by Accenture.[31]
Below are notable examples of recent legal activity, which highlight the potentially enormous financial benefits of the legal compliance audit process.
Facebook. Facebook agreed to the largest FTC civil penalty ever imposed on a company for violating consumers’ privacy, in response to the Cambridge Analytica scandal. That 2019 case was resolved with a fine of $5 billion (not a typo).[32] This penalty was not the end of the matter for Facebook: the company recently settled a user class action civil suit related to the same incident for $725 million.[33]
Part of the FTC settlement involved use of a third-party privacy program assessor, similar to—but involving even more intense scrutiny than—the legal compliance audit process described here. Per the settlement agreement, Mark Zuckerberg, the chief executive officer (“CEO”) of Facebook (now Meta), must certify every quarter that Facebook is compliant with the new privacy program. If he falsely certifies this status, Zuckerberg will be subject to both civil and criminal penalties. This FTC strategy makes the CEO markedly more personally accountable for information security and privacy than in the past.[34]
Yahoo! In 2016, Yahoo! announced several data breaches that had taken place in 2013 and 2014, which had impacted three billion users. As a result of these disclosures, the purchase price in the then-underway acquisition of Yahoo! by Verizon was reduced by $350 million.[35] Following these events, the Yahoo! shareholders filed a securities class action suit against the company and certain directors and officers. This lawsuit was settled for $80 million.[36]
There was also a derivative complaint brought against Yahoo!’s board for breach of fiduciary duty, insider trading, unjust enrichment, and waste. Also alleged in the complaint was that Yahoo! officials knew about the data breaches before they were publicly disclosed and that these defendants sold their stock holdings before the breaches were made public. This suit was settled for $29 million.[37] Later, Altaba, Yahoo!’s successor in interest, agreed to pay a further penalty of $35 million in resolution of the SEC’s first data breach enforcement action, again relating to the same data breach incidents.[38] A separate consumer class action lawsuit, which was focused on the same breaches, was settled for $85 million.[39] This last action is particularly noteworthy because it resulted in the plaintiffs’ lawyers receiving approximately $11 million in fees and expenses, and in that respect presented a potential multimillion-dollar payday. While derivative lawsuits filed against directors and officers, alleging that they breached their fiduciary duties, may be difficult to mount and win, they are not impossible in the information security and privacy domain—and a bunch of plaintiff attorneys are likely to now try their hand at this game.[40]
Target. The cost to a business from a single information security and/or privacy problem[41] can be horrendous, even in those cases where the involved legal actions are dismissed or abandoned by the plaintiffs. Consider what happened at Target. In 2013, the payment card data and personal details of approximately 70 million Target retail store customers were stolen by hackers. On the day the breach was announced, the stock price dropped almost 2.2 percent, representing a reduction of $890 million in the market value of the firm.[42] Target’s EBIT (reported earnings before interest and taxes) decreased by 28.6 percent in the four quarters after the breach, compared to the four quarters before the breach.
As a result of the breach, the firm became embroiled in investigations and lawsuits with forty-seven states and the District of Columbia. The resulting settlement, announced in 2023, involved $18.5 million paid to the states and the District of Columbia.[43] Interestingly, part of the settlement involves the retention of an independent third party to do a comprehensive security assessment, again not too far away from what this article is proposing. Of further concern to the directors and officers is a multidistrict consumer class action suit, which was pending at the time that this article was prepared.[44]
In its 2016 10-K report, Target reported a total of $292 million of breach-related expenses. Target also suffered a severe blow to its brand, it paid a great deal for legal defense costs, and its president was forced to resign.
In addition, Target’s board was distracted by a shareholder derivative lawsuit that dragged on for years, involving exchanges of thousands of documents, interviews with sixty-eight witnesses, and consultations with a variety of potential expert witnesses. Although that Target case was eventually dismissed, shareholder cybersecurity-related derivative lawsuits are an increasing threat.[45] Beyond paying fines and damages, directors and officers also need to worry about losing their seats on the board of directors, their executive employment positions, significant value in the shares they own, and stock options and performance bonuses. They additionally need to worry about the erosion of their personal reputations, paying legal fees that D&O liability insurance does not cover, plus paying regulatory fines as well as civil suit damages. Although rare, they may also go to prison if a criminal law has been violated, but in all cases they suffer health-taxing stress as a defendant in a high-profile lawsuit or criminal prosecution.[46]
Legal Defenses Created When Legal Compliance Audits Are Used
As a side benefit of the proposed compliance audit approach, an admissible evidentiary paper trail is created by a third-party lawyer auditor. This evidence can later be used not only to defend the auditee corporation, showing that the directors and officers were in fact diligent in their efforts to be compliant with all relevant legal obligations, but also to personally defend the involved directors and officers. Hopefully, disclosure of the fact that these compliance audits were annually performed, and then used to make internal decisions related to information security and privacy, would be enough to cause those who are considering legal actions to seriously reconsider the advisability of proceeding. The circumstances supporting the use of the following three notable legal defenses—which are suitable for a defense against both civil claims and criminal charges—are created when this compliance audit process is performed.
Business Judgment Rule
The first of these three possible affirmative legal defenses involves the business judgment rule. In its general formulation, the factors for this defense require that the directors and officers acted in good faith, with the care that an ordinary prudent person in a like position would exercise under similar circumstances, and also acted in a manner that they reasonably believed to be in the best interests of the corporation.[47]
A legal compliance audit provides support for the business judgment rule because it involves the provision of an independent expert’s advice—in a form designed to be admissible in court—about the reasonable and appropriate course of action that is in the best interests of the corporation. The performance of a legal compliance audit also supports the use of the business judgment rule because it shows good faith in that it creates evidence that the directors and officers acted reasonably and intended to faithfully perform their legal duties.
Acting on the Advice of Counsel
The second possible legal defense involves acting on the advice of counsel. In its general formulation, the factors for this defense require that, “before taking action,” the directors and officers “in good faith sought the advice of an attorney whom [they] considered to be competent, . . . for the purpose of determining the lawfulness of [their] possible future conduct”; and to enable that attorney to do a proper job, they “made a full and accurate report” to this attorney about all material facts relevant to the matter and then acted in strict accordance “with the advice of [their] attorney who had been given a full report.”[48]
This type of legal audit process involves the retention of a competent attorney who follows a scripted process[49] in accordance with professional ethics, much the way that independent financial auditors follow a scripted process in accordance with professional ethics. While the burden is on the directors and officers to show that they followed the recommendations found in the management letter detailing needed changes, they are likely to be highly motivated to do so: by following the lawyer auditor’s recommendations, they avoid significant legal problems, not to mention attendant business problems such as adverse publicity, damage to the company’s brand, and time lost to handling problems that need not have taken place.
Insufficient Time to Discover the Incident and Take Action
The third of these legal defenses involves a defendant’s claim that the incident could not have reasonably been discovered in sufficient time for the directors and officers to have taken action. In its general formulation, the factors for this affirmative defense require that evidence of the need for the directors and officers to take remedial action could not have been discovered within the time frame involved even though the directors and officers had exercised reasonable due diligence.[50]
The legal compliance audit establishes proof that the directors and officers exercised reasonable due diligence. As mentioned, the legal compliance audit process results in a one-page professional opinion indicating whether the directors and officers are fully compliant with all their material duties in the domain of information security and privacy. If they are deemed presently not compliant, the lawyer auditor provides the directors and officers with a management letter detailing needed remedial actions. These recommendations are responsive to the unique legal requirements that the directors and officers at that auditee firm face (which, in turn, are based on a review of industry-specific laws and regulations, in-force consent decrees, contractual agreements, and related firm-specific legal obligations). So, the performance of this legal audit involves the retention of an independent attorney not just to identify whether the directors and officers are compliant with all of their material legal obligations but also to double-check internal efforts to identify all relevant legal requirements. This management letter and the annual preparation of a list of all relevant legal requirements (which is accomplished as part one of the compliance audit), as well as an internal risk-management system that regularly reviews progress on identified and needed improvements, help to establish that the directors and officers did all that they could reasonably do, from a legal standpoint.
Beyond taking all reasonable actions to protect the organization and its constituencies (customers, employees, business partners, shareholders, etc.), and performing the legal compliance audit described here (and responding to the deficiencies noted, if any), there is not much that the directors and officers can do to prevent or avoid the breach itself, given that information system attacks are now often automated and happen extremely fast. Thus, a very good defensive claim can be made that such incidents, if and when they do occur, could not reasonably have been discovered or responded to in sufficient time to have reduced the losses that were sustained. Instead, the efforts of the directors and officers should be focused on doing everything they can to exclude the attackers from their systems, restore the integrity of their systems after a breach, restore reliable versions of files from backups, switch over to alternative facilities, control the damage done by adverse publicity, notify third parties, and the like.
Legal Compliance Audits and the Sarbanes-Oxley Act: Parallel Strategies
The scandals occurring during the dot-com bubble, and the subsequent crash of the stock market (for example Enron, WorldCom, and Tyco International), prompted Congress to focus on the actions taken by company leaders when it passed the Sarbanes-Oxley Act of 2002 (“SOX”). Section 404 of that law requires that publicly listed companies establish internal controls over financial reporting processes and document those controls, test them, and maintain them in an effective state.
Based on the hearings surrounding the dot-com bubble scandals, it is clear that the “tone from the top” (messaging provided to employees from the top management and the board) is absolutely critical. If the tone from the top is to cut corners, bend the rules, and do whatever you need to do in order to make lots of money—as it was at Enron—then multiple employees engaged in fraud and misrepresentation will be the predictable result.[51] However, if the tone from the top is honesty, ethics, integrity-mindedness, legal compliance, and a focus on community, then the result will be a successful and sustainable company. In the words of the former chair of the SEC: “If you’re a new leader in an organization, my advice is to let people get to know you—and your values. Let them know how serious you are about doing the right thing [about being fully compliant with the law].”[52]
SOX provides a barometer indicating the tone from the top. That law is noteworthy because it puts two members of the top management team (the chief executive officer and the chief financial officer) at these companies on the spot, increasing their personal accountability and personal liability. They must sign quarterly forms stating that they have reviewed the internal disclosure controls over financial reporting (in a 10-Q or 10-K statement). Because their names appear on these forms, and they are therefore legally on the line, the process surrounding the generation of financial statements, and the internal controls that go along with that process, have improved notably since SOX went into effect.[53]
Like SOX, the legal compliance audit process that this article proposes can have a markedly reorienting effect on both the board and top management, such that information security and privacy are both markedly improved.[54] The process of annually reviewing whether the directors and officers are in compliance with all of their legally required duties in the domain of information security and privacy creates a new incentive system and a new point of reference that guides decisions throughout the year. Thus, this annual compliance audit process not only reduces the long-term costs of information security and privacy but also improves the tone-at-the-top messaging from the leaders—thereby, and most importantly, improving the trustworthiness of the firms using this approach. Trust in today’s high-tech world critically depends on security, privacy, transparency, and compliance,[55] and the legal compliance audit process can help markedly improve the level of trust that a firm receives.
The prior year’s Baker McKenzie survey, for example, came up with the same conclusion about the area of greatest concern for corporate legal counsel. Another source with the same conclusion is a 2021 Honeywell survey of facility managers in the United States, Germany, and China. In that survey, 71 percent said that cybersecurity was their top business priority. Why Cybersecurity Remains a Top Priority for Businesses, IEEE Comput. Soc’y (Oct. 12, 2021). According to still another survey, entitled The State of Cybersecurity Resilience 2021, published by Accenture, 68 percent of business leaders feel as though their cybersecurity risks are increasing. That same survey indicated that 87 percent of the firms that have the lowest level of cybersecurity losses (dubbed “cybersecurity champions”) were measuring the maturity of their cybersecurity programs more frequently than other firms, and at least annually. This is in accord with the recommendations in this paper—that is, that the compliance audit discussed herein should be performed annually or as transactional needs require (such as for the issuance of directors and officers (“D&O”) liability insurance). In general, frequent measurement of the situation enables better management and governance. ↑
IBM Security, in its 2022 annual Cost of a Data Breach report, noted that the average cost of a data breach in the United States is now $9.44 million. These costs of a data breach have surged 13 percent in the two years from 2020 to 2022. Those firms with the greatest number of compliance failures had a substantially larger average loss—specifically, $258,293 more than the average. At the same time, those firms with a high level of board oversight had a substantially smaller average loss—specifically, a $216,707 smaller-than-average loss. See Figure 13 in that report for details. As explained later, the proposed compliance audit process increases compliance levels and increases the engagement level of directors and officers, both of which should have substantial attractive cost-related impacts on breaches. ↑
See Charles Cresson Wood & Harvey Nusz, Directors & Officers: Just Because They Don’t Perform Technical or Operational Work, Doesn’t Mean They Aren’t Personally Involved, 65 EDPACS, no. 6, 2022, at 12. ↑
See, e.g., Tribar Opinion Committee, American Bar Association, Statement on the Role of Customary Practice in the Preparation and Understanding of Third-Party Legal Opinions, 63 Bus. Law. 1277 (2008) ↑
See, e.g., Jim Fold, Lawyer’s Standards and Responsibilities in Rendering Opinions, 33 Bus. Law. 1295 (1978). ↑
See, e.g., ABA Legal Opinion Principles (1998); ABA Third-Party Legal Opinion Report (1991); Tri-Bar II and Restatement of the Law Governing Lawyers (1998). ↑
See, e.g., Charles Cresson Wood, Corporate Directors’ & Officers’ Legal Duties for Information Security and Privacy: A Turn-Key Compliance Audit Process (InfoSecurity Infrastructure 2020). ↑
In the wake of the 1929 stock market crash, Congress sought to restore confidence in the financial system with the Securities Act of 1933 (15 U.S.C. § 77a et seq.) and the Securities and Exchange Act of 1934 (15 U.S.C. § 78a et seq.). This new legislation required third-party auditors to express an opinion on the financial statements of all publicly listed companies. The process of performing third-party audits brought transparency and trustworthiness to the financial statements that had previously been questionable, and in some instances outright fraudulent. Likewise, it is through the independent compliance auditing process that a new transparency and trustworthiness can be brought to the domain of information security and privacy. ↑
Charles Cresson Wood, The Rules Have Now Been Clarified—The Minimum Legal Duties for Directors & Officers Are Both Established and Readily Determined, 20 ISSA J. 20 (May 2022). ↑
ESG is an organizational framework that considers the needs of stakeholders such as employees, customers, suppliers, and financiers. The framework was first popularized in 2004 in a United Nations report entitled Who Cares Wins. Application of this framework involves measurement of a variety of metrics reflecting progress in meeting the needs of stakeholders, in addition to meeting the financial needs of shareholders. Both information security and privacy, as well as management structure, are part of the governance areas that these alternative metrics examine. The proposed legal compliance audit approach, by examining whether the directors and officers in a corporation are in compliance with the minimum that the law requires (including fiduciary duties), involves both the information security and privacy area and the management structure area. ↑
Third-party audits of this nature can be used to confirm continued compliance with the terms of the consent decree, deferred prosecution agreement, or nonprosecution agreement. Whereas the third-party audits in those cases involve compliance with a situation-specific set of corporate reforms, in the compliance audits described in this article, the scope is restricted to compliance with all material legal duties of the directors and officers in the domain of information security and privacy. The first of the two types of third-party audits mentioned in this footnote was used, for example, by the FTC in its settlement with Facebook surrounding the Cambridge Analytica affair. See Nicole Lindsey, What Did the Consent Decree from the FTC Settlement with Facebook Really Change?, CPO Mag., May 3, 2018. ↑
An interesting contemporary case involves a firm called Frank, which was an internet gateway to financial aid for students. JPMorgan paid $175 million for the firm but later alleged that the mailing list was largely a forgery. This is an example where inadequate due diligence prior to a major transaction cost a firm big money. The legal compliance audit process can be used to detect the absence of the corporate governance mechanisms that should be in place for a firm the size of Frank. If such an audit had been performed, red flags most likely would have been detected. The same can be said for FTX, Bernard L. Madoff Investment Securities, and a variety of other Ponzi schemes. For further discussion about the Frank case, see Katherine Long, Frank, the College Loan Start-Up JPMorgan Is Suing for Fraud, Was Warned by the FTC for Misleading Students About Covid Relief Money, Insider, Jan. 13, 2023. ↑
See Charles Cresson Wood, What the FTX Scandal Reveals About Third Party Risk Evaluation, 21 ISSA J. 15 (Jan. 2023). ↑
Chase Peterson-Withorn, These FTX Investors Stand to Lose the Most from the Crypto Exchange Implosion, Forbes, November 10, 2022. ↑
The widespread lack of clarity about information-security-and-privacy-related roles and responsibilities among those in the D&O group is in evidence in the recent conviction of Joe Sullivan, a chief information security officer at Uber. See Charles Cresson Wood, The Serious Management Problem Illustrated by CISO Joe Sullivan’s Conviction, 20 ISSA J. 16 (Nov. 2022). ↑
Charles Cresson Wood, A Parachute for the Restoration of Trust After Your Firm Has Been Breached, 21 ISSA J., (forthcoming June 2023). ↑
Charles Cresson Wood, Solving the Information Security & Privacy Crisis by Expanding the Scope of Top Management Personal Liability, 43 J. Legis. 65 (Dec. 2016). ↑
For a discussion of the incentive systems that cause bad decisions to be made in the information security and privacy area, see Wood, supra note 19. ↑
See Doe v. LastPass US LP, No. 1:23-cv-10004 (D. Mass. Jan. 17, 2023). ↑
See SolarWinds Corp., SEC Form 8-K, at item 8.01 (Oct. 28, 2022) (discussing proposed settlement). ↑
The case of the worldwide accounting firm Arthur Andersen is a good example. A single decision to destroy working-paper-related evidence related to the Enron scandal, in spite of the fact that a legal hold had been placed on all data destruction activities related to this potential evidence, ultimately caused Arthur Andersen to go out of business. Misunderstanding the current information security and privacy legal situation can have very serious consequences. See Jonathan Weil, Arthur Andersen Admits It Destroyed Documents Related to Enron Account, Wall St. J., Jan. 11, 2002; see also Arthur Andersen LLP v. United States, 544 U.S. 696 (2005).
For an example of the new regulations, see N.Y. Dep’t of Fin. Servs. (“NYDFS”), Cybersecurity Regulation § 500.4(a) (2023) (requiring that the chief information security officer (“CISO”) have “adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program”). In addition, laws that have been around for a while have additional provisions that are just now coming into effect, such as is the case with the California Consumer Privacy Act of 2018 (“CCPA”), which has provisions that came into effect as of January 1, 2023.
Press Release, U.S. Sec. & Exch. Comm’n, SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (Mar. 9, 2022).
The trend of increasingly holding directors and officers personally liable appears intended to force directors and officers to pay additional attention to the information security and privacy area. See Luis A. Aguilar, Comm’r, U.S. Sec. & Exch. Comm’n, Board of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus (June 10, 2014) (indicating that personal liability was one potential result of “failing to implement adequate steps” to protect the company from information security and privacy threats).
Steven R. Peikin, Codir., Enf’t Div., U.S. Sec. & Exch. Comm’n, Speech at the New York University School of Law: Reflections on the Past, Present, and Future of SEC’s Enforcement of the Foreign Corrupt Practices Act (Nov. 9, 2017). For a practical application of this idea in law, see Wood, supra note 19.
Sally Quillian Yates, Off. of the Deputy Att’y Gen., U.S. Dep’t of Just., Individual Accountability for Corporate Wrongdoing (Sept. 9, 2015) (colloquially called the “Yates Memo”).
European Parliament, General Data Protection Regulation, art. 83, Regulation (EU) 2016/679.
Accenture, State of Cybersecurity Resilience 2022, at 31 (2022).
Accenture, State of Cybersecurity Resilience 2021, at 24 (2021).
See Press Release, Fed. Trade Comm’n, FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook (July 24, 2019).
This settlement was the largest settlement ever reached in a class action related to privacy. See Plaintiff’s Notice of Motion and Motion to Certify a Settlement Class and Grant Preliminary Settlement Approval, In re Facebook, Inc. Consumer Privacy User Profile Litig., No. 18-md-02843-VC (N.D. Cal. Dec. 22, 2022). In 2019, Facebook also paid a $100 million fine to the U.S. Securities and Exchange Commission (“SEC”) to settle claims that it misled investors. See Press Release, U.S. Sec. & Exch. Comm’n, Facebook to Pay $100 Million for Misleading Investors About the Risks It Faced from the Misuse of User Data (July 24, 2019). Now the Federal Trade Commission seeks to restrict the ways that Facebook can monetize the information under its control. See Press Release, Fed. Trade Comm’n, FTC Proposes Blanket Prohibition Preventing Facebook from Monetizing Youth Data (May 3, 2023).
Lesley Fair, What the FTC Facebook Settlement Means for Consumers, Fed. Trade Comm’n Consumer Advice (July 24, 2019).
See Anjali Athavaley, Verizon Sought $925 Million Discount for Yahoo Merger, Got $350 Million, Reuters, Mar. 13, 2017.
See Press Release, U.S. Sec. & Exch. Comm’n, Altaba, Formerly Known as Yahoo!, Charged with Failing to Disclose Massive Cybersecurity Breach; Agrees to Pay $35 Million (Apr. 24, 2018).
See LaCroix, supra note 37; see also Greg Otto, Yahoo to Pay up to $85M to Settle Data Breach Lawsuit, CyberScoop (Oct. 24, 2018); Settlement Agreement and Release, In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 5:16-MD-02752-lhk (N.D. Cal. Oct. 22, 2018).
An interesting discussion, including a warning to companies and boards about the risk from shareholder derivative suits, can be found in Craig Newman, Judge Approves Settlement in Yahoo! D&O Shareholder Suits, NACD BoardTalk (Jan. 14, 2019).
The IBM/Ponemon Institute Cost of Data Breach Study (2017) indicated that the average cost of a breach in the United States is $7.35 million, some 5 percent higher than the prior year, and the odds of experiencing a breach are about 25 percent per year. An Accenture/Ponemon Institute Cost of Cybercrime (2018) study pegged the average annual cost of cybercrime at $13 million per breach (worldwide), up 12 percent from the prior year. Whatever the exact numbers are, the potential losses are very large, and the probabilities of being the next victim are also very high.
Such a drop in the price of the stock of attacked firms is by no means extreme. For example, two months after the announcement of the 2017 cyberattack on Equifax, the large consumer credit reporting firm, its stock price dropped by almost 25 percent. See Shinichi Kamiya et al., What Is the Impact of Successful Cyberattacks on Target Firms? (Ohio State Univ. Fisher Coll. of Bus., Working Paper No. 2018-03-04, July 2018).
Cynthia J. Larose, Target Reaches $18.5 Million Dollar Settlement in Data Breach with States, 13 Nat’l L. Rev. (Jan. 19, 2023).
Kevin M. McGinty, Consumer Claims Survive Motion to Dismiss in Target Data Breach Class Action, 13 Nat’l L. Rev. (Jan. 19, 2023).
According to Steven Gladstone, shareholder derivative actions alleging breach of fiduciary duties by directors and officers have increased markedly in recent years. The Future of D&O Insurance, 51 Risk Mgmt. 26 (Sept. 2004). Many of these suits have settled for well over $100 million. Some recent examples include the BofA/Merrill Lynch merger securities shareholder suit settlement ($2.83 billion in 2012) and the Waste Management federal securities law violation shareholder suit settlement ($457 million in 2001). Clearly, there is big money in shareholder derivative suits naming top management as defendants, and lapses in the information security or privacy area might trigger such a suit.
United States v. Al-Shahin, 474 F.3d 941, 947 (7th Cir. 2007) (citations omitted).
This scripted process is summarized in Wood, supra note 9.
Bedolla v. Logan & Frazer, 52 Cal. App. 3d 118 (1975).
The best methods to quickly spot a company with a bad tone at the top are explored in Wood, supra note 15.
Mary Jo White, What I’ve Learned About White-Collar Crime, Harv. Bus. Rev., July–Aug. 2019, at 59 (White was the former chair of the SEC).
Whether these new measures are cost-effective is another discussion entirely. See, e.g., Stephen M. Bainbridge, Sarbanes-Oxley § 404 at Twenty, Harv. L. Sch. F. on Corp. Governance, Sept. 22, 2022. The scripted and very focused compliance audit discussed in this article, however, has a much less expensive, much less time-consuming, and much more cost-effective profile. See Wood, supra note 11.
Unlike SOX, the legal compliance audit approach requires no legislation, no regulation, and no endorsement whatsoever from politicians—or from anyone else for that matter. It is based on existing auditing methodologies, existing legal requirements (unique to each auditee firm, but the process for identifying these and categorizing them is the same for all firms), existing ethics statements, and existing scripted processes. This makes the compliance auditing process not just immediately deployable but also flexible and adaptable so that it can be added to and used in virtually any business situation. Rather than being something imposed by the government (as SOX was), the legal compliance audit process can be optionally added to contracts, negotiations, and deals, as the circumstances require, and can be negotiated by the parties involved.
A good brief article about trust in the realm of high-tech products is Roger A. Grimes, Why Security Is Really All About Trust: Once You Lose Faith in a Company and Its Products No Amount of Security Will Restore Your Trust, CSO, Mar. 8, 2016.
David Letterman’s “Is This Anything?” sketch provided viewers with not only a good laugh, but also a memorable maxim when contemplating meaning and relevance. At Dave’s prompt, the curtain would rise to reveal such things as a scantily clad model running a circular saw against an armored breastplate, shooting sparks across the stage. The question posed to the viewers was then, “Is this anything?” . . . does this elaborate and eye-catching show amount to anything?
Users of valuation reports sometimes find themselves asking a similar question. For all of their elaborate and eye-catching presentations, do these analyses actually conclude values (or ranges of values) that reasonably approximate those at which market participants would agree to transact?
There are, of course, many variables and considerations that go into estimating the value of a privately held company, let alone a particular security within that company’s capital stack. However, there is one area of a valuation report on which readers might initially focus, and a corresponding question that they might ask themselves, in order to quickly assess the likelihood that a valuation analysis is on a path to a conclusion that reasonably reflects the perspective of market participants. An affirmative response to this key question tends, in my experience, to suggest an increase in that likelihood.
Key Question: Does the report convey reasonable basis for how market multiples were evaluated and selected?
Establishing reasonable basis is an important part of employing market multiples, but valuation reports that include a market approach periodically fall short of exhibiting such reasonable basis. While the opinions in valuation reports can be as varied as the personalities and backgrounds of the professionals who prepare them, a careful review of stated rationale regarding market multiples can be illuminating as to whether, or to what extent, reasonable basis was sought in the analysis. Absent such reasonable basis, deployment of market multiples can become problematic. Perhaps Dr. Aswath Damodaran of NYU’s Stern School of Business described this best when he said, “The problem with multiples is not in their use but in their abuse.”[1]
Below, I summarize three observations from practical experience that provide some insight into what “abuse,” or lack of reasonable basis, may look like in this context.
A restatement of facts without a clear connection between those facts and the chosen multiple(s).
This sort of “red flag,” if you will, is often followed closely by other “red flags.” For example, I came across this comment in a third-party valuation report, which illustrates this cascading red flag effect:
. . . the selected multiples considered i.) the strong revenue growth observed in the last fiscal year (LFY), ii.) the modest revenue declines experienced in the last twelve months (LTM), and iii.) the accelerating revenue declines and corresponding operating losses reasonably anticipated in the next twelve months (NTM) . . .
While at first blush the statement appears to contain basis, it immediately begs a question of how these factors influenced the selection of multiples. The report provided no answer to this question and, thus, the reader was left unable to discern any connection between these statements and the ultimate selections (red flag #1). Instead, the report provided only a schedule indicating that three BEV/R[2] multiples had been selected (BEV/R(LFY), BEV/R(LTM) and BEV/R(NTM)) at exactly the upper quartile of the data set, with no rationale given for either the magnitude or the statistical similarity of the selections (red flag #2). The analysis then went on to not only calculate and present business enterprise value indications that were significantly different from one another, but also weight these indications equally without a stated rationale for doing so in that circumstance (red flag #3). The tale of these sorts of “red flags” is thus a simple and sobering one: Once freed from an onus to establish and convey reasonable basis, analysts can effectively select any combination of multiples they wish (a theme that will appear again in the next observation).
Inclusion and direct incorporation/weighting of multiples of companies having significantly different business models and risks than the subject company.
A quick scan of the guideline firms used in a valuation report can sometimes reveal striking differences within the sample set. While some functional differences are always to be expected in such sample sets, significant differences in business model and risks can lead to inaccurate results if not properly acknowledged and addressed.
For example, and in similar fashion to the cascading red flags noted in the prior example, I reviewed a third-party valuation report of a sporting goods retailer where the preparers had included two bargain apparel retailers in the sample set (in addition to the seven sporting goods retailers already gathered, which initially seemed both curious and superfluous) (red flag #1). In fact, the analyst’s own industry analysis of sporting goods retailing had specifically noted that “. . . retailers that exclusively sell apparel are not included in this industry” (red flag #2). The bargain apparel retailers traded at multiples that were significantly above the other sporting goods retailers, and the analyst relied on that fact to ultimately quantify multiples that were materially (and seemingly, at first glance, randomly) above the range of the sporting goods firms (red flag #3). No rationale was provided (or was readily apparent) for the chosen magnitude of each specific multiple utilized, nor was any rationale provided for weighting all four value indications equally (red flag #4). Ultimately, the only pattern and purpose for the chosen multiples that could be discerned was that the average value indication derived from them exactly matched the valuation indication prepared under the discounted cash flow method (DCF). Stated differently, it appeared as though the preparers had chosen a slate of multiples with the intent to conveniently “corroborate” this purported market approach indication with that of their DCF and, thus, the credibility of both the market approach and the entire valuation analysis was called into question.
Unsupported use of median(s).
Even in less egregious and more simple cases, where rationale is clearly stated, such basis may fall short of being reasonable. For example, I observed a median BEV/R multiple being selected in another third-party valuation report, and this was the sole rationale provided for the median selection:
. . . We generally believe that the median is the best representative statistic for the guideline company data because it minimizes the distortion from outliers . . .
While minimizing distortion from outliers may be a valid reason for preferring the median over the average, it does not in isolation constitute reasonable basis for the selection in the first place. In other words, there is likely good reason that a sample set of guideline firms do not all trade at the median multiple, and investigating both the contributing factors and the relevance of those factors to the subject company is an important part of evaluating and applying market multiples.
Summary
It is understandably difficult for readers of valuation reports on privately held companies to gauge the likelihood that the conclusions contained therein reflect the perspective of market participants. There are many variables and factors to be taken into consideration, and so many different opinions circulating in markets that it should come as no surprise that valuation reports often become the subject of debate or dispute. However, a quick check of whether a valuation report has established and conveyed reasonable basis with regard to evaluating and selecting market multiples may be a useful early indicator for whether that report is on the path to rendering a conclusion that is consistent with the perspective of market participants.
The Federal Trade Commission’s (FTC) new proposed rule that would prohibit many employers nationwide—including trade and professional associations but not including charities and other nonprofits—from entering into any non-compete agreements with all workers (including independent contractors and not excluding senior executives) has gotten the attention of the association community. What the final rule will look like and whether it will be challenged in court and survive such challenges is unclear. Meanwhile, at the state level, approximately fifteen states and Washington, DC, have enacted laws that impose some form of limitation on the use of employee non-compete agreements. In DC, a new law took effect last October that significantly restricts employers’ use of non-compete agreements, but in a much-scaled-back version compared to the original law. On the other side of the country, California has for many years had the nation’s most sweeping statutory ban against employee non-compete agreements. Overlaid on top of all of this is every state’s and DC’s “common law,” which has always permitted but imposed limitations and conditions on employers’ use of non-compete agreements, with the limitations and conditions varying from state to state.
Common Law on Non-Compete Agreements
Common law in the United States treats non-compete agreements as generally enforceable, but subject to certain limitations and requirements. Non-compete agreements are generally defined as contractual agreements between employers and employees that restrict employees from competing with their former employers for a certain period of time and within a certain geographic area after the termination of employment.
As noted above, the enforceability of non-compete agreements varies by state, as they are governed by state law. Some states, such as California, have common law restrictions that limit the enforceability of non-compete agreements, while other states’ common law, such as Texas’, generally enforce them more liberally. And some states have statutory restrictions on non-compete agreements, which further limit their enforceability. The DC and California statutes are discussed below.
Under most states’ common law, for a non-compete agreement to be enforceable, it must generally meet the following requirements:
Consideration: Non-compete agreements must be supported by valid consideration, which means that the employee must receive something of value in exchange for agreeing to the restrictions. For example, the offer of initial employment, a promotion, or additional compensation may serve as valid consideration.
Reasonableness: Non-compete agreements must be reasonable in terms of their scope and duration. This means that the restrictions must be no broader than necessary to protect the legitimate business interests of the employer, such as protecting trade secrets, confidential information, and/or customer relationships. The duration (length of time) and scope (geographic, functional, and otherwise) of the non-compete agreement also must be reasonable, and overly broad or overly long restrictions may be deemed unenforceable.
Public Policy: Non-compete agreements must not violate public policy. For example, non-compete agreements that unreasonably restrict an employee’s ability to seek new employment or that are against the public interest may be deemed unenforceable.
Notice: Non-compete agreements must be clear and conspicuous, and employees must be given reasonable notice of the restrictions before or at the time of entering into the agreement.
Overview of the FTC Proposed Rule
The FTC—which has jurisdiction over trade and professional associations (but not over non-association nonprofit organizations)—has proposed a Non-Compete Clause Rule that would prohibit employers nationwide from entering into non-compete agreements with all workers (including independent contractors and not excluding senior executives), on the basis that non-compete agreements constitute an unfair method of competition under Section 5 of the FTC Act. The FTC believes that non-compete agreements stifle competition, resulting in reduced wages and suppressed labor mobility.
The proposed rule would ban non-compete clauses categorically and is more restrictive than virtually all state non-compete laws, including Washington, DC’s (which exempts employees earning over $150,000 annually and which does not apply to independent contractors). Most states do not currently have a categorical ban on non-competes, and they typically differentiate amongst workers (such as by job function, earnings, etc.). The proposed rule would expressly preempt state law that is inconsistent with it.
The proposed rule defines “employer” as a person or entity that hires or contracts with a “worker” to work for the employer. “Worker” is defined as a natural person who works, whether paid or unpaid, for an employer. The term “worker” includes “an employee, [ ] independent contractor, extern, intern, volunteer, apprentice, or sole proprietor who provides a service to a client or customer.”
The proposed rule would apply to post-employment non-competition restrictions and would require employers to rescind existing non-compete agreements and provide notice to workers that they are no longer in effect.
The FTC defines a non-compete agreement as “a contractual term between an employer and a worker that prevents the worker from seeking or accepting employment with a person, or operating a business, after the conclusion of the worker’s employment with the employer.” As such, in most cases, if a non-compete provision exists merely in an association employee handbook, it likely would not rise to the level of a contract, but any (enforceable, i.e., with consideration) non-compete agreements entered into between employers and their workers prior to, during, and following employment would be covered by the proposed rule, including both employment agreements and severance/separation agreements.
The FTC clarified that whether a contractual provision will be considered a “non-compete” clause will depend not on what it is called, but how it functions. The FTC’s definition of a non-compete clause would generally not include other types of restrictive employment covenants—such as nondisclosure agreements and non-solicitation agreements—because these covenants generally (if they are appropriately tailored) do not prevent a worker from seeking or accepting employment after leaving the prior job. However, such covenants would be considered non-compete clauses where they are so unusually broad in scope that they function as such. The proposed rule makes clear that “a contractual term [ ] is a de facto non-compete clause [when] it has the effect of prohibiting the worker from seeking or accepting employment with a person or operating a business after the conclusion of the worker’s employment with the employer.” For example, a nondisclosure agreement between an employer and a worker that is written so broadly that it effectively precludes the worker from working in the same field after the conclusion of the worker’s employment with the employer could be considered a de facto non-compete clause.
The proposed rule exempts non-compete agreements that are entered into by a person who is selling a business or an ownership interest in a business, when the person restricted is a substantial owner or member of the business being sold.
The proposed rule was published in the Federal Register, and the FTC received scores of public comments on it before the comment period closed on March 20, 2023. Notably, FTC Commissioner Christine Wilson published a dissenting opinion that provides a roadmap for employers seeking to oppose the proposed rule.
Compliance with the final rule will be required as of 180 days after publication in the Federal Register. In addition, as of the compliance date, employers must rescind any existing non-compete clauses and provide notice to their workers that their non-compete clauses are no longer in effect.
Legal challenges to the final rule are to be expected, with the U.S. Chamber of Commerce and some Republicans in Congress already contending that the FTC does not have the authority to issue the rule.
While not related to the FTC’s proposed rule, at least two bills have been introduced in Congress to impose federal statutory limitations on employers’ use of non-compete agreements.
Overview of the District of Columbia Non-Compete Law
DC’s new and modified Non-Compete Law took effect on October 1, 2022; it prohibits non-competition provisions for covered employees but allows non-compete agreements with “highly compensated” employees that meet certain drafting and procedural requirements. The law does not apply to independent contractors and does not limit or regulate non-solicitation agreements. The new law allows employers to use nondisclosure agreements and anti-moonlighting policies in certain circumstances and includes employer notice requirements in connection with them. The law applies to all employers operating in DC and covers employees who spend a substantial amount of their work time in DC (and not more than 50 percent of their work time in another state). While narrower than the originally enacted version, the law is much broader than similar laws in other states.
Non-compete provisions in new agreements entered into on or after October 1, 2022, are void and unenforceable if the provisions violate the law. After October 1, 2022, employers are prohibited from requiring or requesting that a covered employee sign an agreement or comply with a workplace policy (e.g., an employee handbook) that includes a non-compete provision. It is illegal to retaliate against an employee for refusing to comply with a provision void by the new law.
The DC law covers employees and prospective employees only if (i) they spend or are reasonably anticipated to spend more than 50 percent of their work time in DC, or (ii) their employment is or will be based in DC, and the employer reasonably anticipates that the employee will regularly spend a substantial amount of the employee’s work time in DC and not more than 50 percent of the employee’s work time in another jurisdiction. This means that employers based outside of DC but that have employees who work remotely more than 50 percent of their time from DC will be subject to the law with respect to those employees. The law does not supersede the terms of any valid collective bargaining agreement.
The law permits DC employers to enter into non-competes with “highly compensated” employees, subject to certain restrictions and notice requirements. Highly compensated employees are defined as those who earn or are expected to earn total (cash) compensation of at least $150,000 per year ($250,000 for licensed physicians), with this amount to be indexed to the federal Consumer Price Index annually.
For employees who earn below the “highly compensated” threshold, employers are prohibited from entering into any agreement that contains a “non-compete agreement,” which is defined as any contract between an employer and employee containing a “non-compete provision,” which, in turn, is defined as a provision in a written agreement or workplace policy that prohibits an employee from “performing work for another for pay or from operating the employee’s own business.”
However, the law provides for four categories of provisions that are excluded from the definition of a “non-compete provision” and not affected by the new law (provided that they are otherwise lawful):
Non-competition provisions entered into in connection with the sale of a business.
Nondisclosure or confidentiality provisions that prohibit or restrict an employee from disclosing, using, selling, or accessing the employer’s confidential or proprietary information.
A provision that provides a “long-term incentive” to the employee (e.g., bonuses or other performance-driven incentives for individual or organizational achievements).
The law permits anti-moonlighting provisions restricting outside compensation for employment or the operation of a business by a current employee to the extent that the employer reasonably believes that such work could (i) result in the disclosure or use of the employer’s confidential or proprietary information, (ii) violate the employer’s, industry’s, or profession’s established rules regarding conflicts of interest, (iii) constitute a “conflict of commitment” (for accredited higher education institutions), or (iv) impair the employer’s ability to comply with federal or DC laws or with a contract or grant. If an employer adopts policies under any of these exceptions, there are certain notice requirements regarding the covered employees.
An employer with a workplace policy that includes one or more of these four exceptions must provide a written copy of the provisions to its DC employees within thirty days after an employee’s acceptance of employment and any time such policy changes. This notice and disclosure requirement applies to all affected DC employees, not only highly compensated employees.
Employers are strictly prohibited from retaliating against employees who refuse to agree to, or fail to comply with, an impermissible non-compete provision or workplace policy. Employers also are prohibited from retaliating against employees who either question or raise complaints about a non-compete agreement or policy.
The law outlines specific requirements for permitted non-compete agreements with “highly compensated” employees. To be valid and enforceable, any such agreement executed after October 1, 2022, must specify:
the functional scope of the competitive restriction, including what services, roles, industry, and/or competing entities the employee is restricted from performing work for or on behalf of;
the geographical limitations of the work restriction; and
the duration of the restrictions, not to exceed 365 days from the date of separation (730 days for medical specialists).
Employers also must provide the non-compete agreement to the highly compensated employee in writing at least fourteen days before the start of employment or before a current employee is required to execute the agreement, and employers proposing such a non-compete agreement must provide a specifically worded notice (spelled out in the law) to the employee at the same time.
Employers may face both civil and administrative penalties for violations of the law. The law empowers the DC mayor or DC attorney general to fine employers, and aggrieved employees are able to file administrative complaints with the DC mayor’s office or file suit in civil court in DC.
Overview of the California Non-Compete and Non-Solicitation Law
As has been the case for many years, California law generally prohibits all non-compete agreements and restricts and regulates non-solicitation agreements for employees. California Business and Professions Code Section 16600 states that contracts that restrain individuals from engaging in lawful professions, trades, or businesses are void, except for a few specific exceptions. Note that these California laws apply to all association employees based in California, even if the association is based in another state. Following are some key points about these laws.
Non-Compete Agreements: Non-compete agreements, which typically restrict employees from working for a competitor or starting a competing business after leaving their current employer, are generally unenforceable in California. California’s strong public policy favors employee mobility and competition, and such agreements are generally considered void and unenforceable, regardless of the employee’s job level or type of employment. Additionally, California Labor Code Section 925 clarified in 2017 that forum-selection and choice-of-law clauses that select non-California forums and/or laws cannot be enforced if the employee performs work in California (with an exception if the employee is represented by legal counsel when negotiating the terms of the agreement). Thus, non-California-based employers with California employees effectively have no choice but to avoid employee non-compete agreements entirely and to ensure that employment agreements comply with the California law with respect to their choice-of-law and choice-of-venue clauses.
Non-Solicitation Agreements: Non-solicitation agreements, which restrict employees from soliciting their former employer’s customers/clients or employees after leaving their job, receive more limited enforcement in California, and whether a particular agreement is enforceable depends on what it restricts. California Business and Professions Code Section 16600 renders an agreement between an employer and an employee prohibiting the solicitation of customers unenforceable (unless directly tied to the protection of employer trade secrets), as it is considered a restraint on competition. However, an agreement prohibiting the solicitation of other employees may be enforceable so long as it includes reasonable time and geographic limitations. Non-solicitation agreements with California employees must be narrowly tailored to protect the employer’s legitimate business interests, and they cannot be overly broad or prevent employees from engaging in their chosen profession or trade.
Trade Secret and Confidential Information Protections: California law protects employers’ trade secrets and confidential information independently of any restrictive covenant. Employees can be restricted from using or disclosing their employer’s trade secrets or confidential information after leaving their job, regardless of whether they have signed a non-compete and/or non-solicitation agreement.
Exceptions: There are some limited exceptions to California’s general prohibition on non-compete and non-solicitation agreements. For example, non-compete agreements may be allowed in connection with the sale of a business, and certain employees who are owners, officers, or directors of a corporation may be subject to non-solicitation agreements.
Has the administrative state gotten “too big for its britches”? Certainly, the pendulum of virtually uncritical deference to federal agencies has swung sharply in the opposite direction in various decisions of the Roberts Court.
Five years ago, in Lucia v. Securities & Exchange Commission,[1] the U.S. Supreme Court held that U.S. Securities and Exchange Commission (“SEC”) administrative law judges (“ALJs”) are inferior executive officers and are therefore subject to the Appointments Clause of the U.S. Constitution.[2] As a result, respondents in SEC administrative proceedings were entitled to de novo hearings before new, constitutionally appointed ALJs.
The most recent example is Axon Enterprise, Inc. v. Federal Trade Commission,[3] which held—without dissent—that the statutory review schemes for both the Federal Trade Commission (“FTC”) and the SEC do not displace classic federal question jurisdiction over claims that those agencies’ structures or activities are unconstitutional. The holding presages a tsunami of constitutional challenges against not only these two regulators but also other federal agencies operating under similar statutory structures.
The Federal Agency Enforcement Paradigm
Both the SEC and the FTC partake of an enforcement model that is common to many federal agencies. Each commission has the option to bring an action in federal court, but they also have (and typically prefer) the option of proceeding via an administrative complaint. When the cards are dealt that way, the deck is stacked in favor of the agency. If the respondent does not fold and agree to some form of consent order but decides to litigate, the matter will go before an ALJ. ALJs are removable “only for good cause,” e.g., “neglect of duty” or “malfeasance,” as determined by a separate federal entity, the Merit Systems Protection Board (whose members likewise are removable only for good cause).
Hearings before ALJs typically allow only such discovery as the rules of the federal agency may permit. Like any other judge, the ALJ hears witnesses, makes credibility determinations, decides what evidence will be admitted, weighs the evidence, and reaches a decision. That decision, however, is only a recommendation.
Appeals by either the agency enforcement staff or the respondent (or both) go to the full commission—the same commission that authorized the investigation and the enforcement proceeding to begin with—and that commission then makes a decision based solely on the administrative record. Even if the ALJ found the evidence overwhelmingly favored one party, the commission is free (even though it had no opportunity to hear the evidence firsthand or assess the credibility of witnesses) to disregard the ALJ’s recommendation. It is only when the commission issues a decision that there is “final agency action” within the meaning of the Administrative Procedure Act (“APA”).[4]
Then, and only then, may the respondent obtain judicial review, but it is not de novo review in a district court. Rather, the review is before a federal appeals court, is based on the administrative record, and is circumscribed by the deferential APA standards of judicial review (i.e., “substantial evidence” / “arbitrary” and “capricious”).[5]
This enforcement paradigm is followed by many other federal agencies. For example, each of the three bank regulatory agencies—the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation—uses the same model.
Constitutional Backdrop
While the amount of relevant precedent is considerable, some decisions vital to an understanding of the Axon decision delineate the shift in the judiciary’s assessment of the administrative state:
Humphrey’s Executor v. United States.[6] This now oft-questioned 1935 SCOTUS precedent upheld for-cause limitations on the President’s ability to remove an FTC commissioner. At that time, the Court believed the FTC (then barely twenty years old) was not only nonpartisan but “neither political nor executive,” and exercised “predominantly quasi-judicial and quasi-legislative” powers.[7] The Court thought it “essential that the commission should not be open to the suspicion of partisan direction.”[8]
Thunder Basin Coal Co. v. Reich.[9] This 1994 SCOTUS decision established a tripartite analysis to determine whether Congress intended to preclude a federal district court from exercising jurisdiction over challenges to federal agency action. The three factors are (1) whether preclusion of district court jurisdiction could foreclose all meaningful judicial review, (2) whether the challenge is wholly collateral to the statute’s review provisions, and (3) whether the claim is “outside the agency’s expertise.”[10]
Free Enterprise Fund v. Public Company Accounting Oversight Board.[11] This 2010 SCOTUS decision invalidated certain limitations on the president’s removal power over executive branch officials. Significantly, in order to reach that question, the Court concluded that it had jurisdiction to review a challenge to the legitimacy of an ongoing SEC investigation, even though that investigation had not yet resulted in a final order.
Seila Law, LLC v. Consumer Financial Protection Bureau.[12] This 2020 SCOTUS decision gave Humphrey’s Executor a narrow construction and held that the Consumer Financial Protection Bureau (“CFPB”) was unconstitutionally structured, because the combination of a single agency director and termination only for “inefficiency, neglect of duty, or malfeasance” [13] (the same standard at issue in Humphrey’s Executor) violated Article II of the U.S. Constitution. Thus, the President can remove the head of the CFPB without cause.
Jarkesy v. Securities & Exchange Commission.[14] This 2022 Fifth Circuit decision held that an enforcement proceeding by the SEC seeking civil money penalties was unconstitutional because (1) seeking such penalties is sufficiently similar to common law fraud actions and sufficiently involves private rights (as opposed to public rights) that the targets of such actions are entitled to trial by jury, (2) Congress unconstitutionally delegated legislative power to the SEC by failing to provide an “intelligible principle” to guide the SEC’s determinations whether to file cases as federal court actions or internal administrative proceedings, and (3) the statutory restrictions on removing SEC ALJs from office violate Article II.[15]
The Road to Axon
Two cases were consolidated in the recent Axon opinion: Cochran v. Securities & Exchange Commission[16] and Axon Enterprise, Inc. v. FTC.[17]
Cochran v. Securities & Exchange Commission
Michelle Cochran, a CPA, was suspended from practicing before the SEC for five years based on an alleged failure to comply with auditing standards established by the Public Company Accounting Oversight Board. After losing at an administrative hearing, Cochran decided to fight on, but then the Lucia decision intervened, and so the SEC went back to square one with newly (and, this time, constitutionally) appointed ALJs. Cochran, however, filed an action in federal district court contending that even if a substitute ALJ were constitutionally appointed, the ALJ would still be unconstitutionally insulated from the president’s removal power because of multiple layers of for-cause protections against removal from office.
The district court dismissed her case for lack of subject-matter jurisdiction on the ground that the relevant statute implicitly stripped district courts of jurisdiction to hear challenges to ongoing SEC enforcement proceedings by providing for review of final SEC orders in a circuit court of appeals.[18] On appeal, a divided Fifth Circuit panel affirmed the dismissal,[19] but then the Fifth Circuit, sitting en banc, reversed, holding that Cochran’s constitutional challenge was cognizable by, and within the jurisdiction of, the district court because the claim was “wholly collateral” to the SEC’s administrative proceeding.[20]
Axon Enterprise, Inc. v. Federal Trade Commission
When Axon, a manufacturer of body cameras and other equipment for law enforcement, sought to purchase a failing competitor, the FTC commenced an antitrust investigation. The agency subsequently filed an administrative complaint against Axon’s consummated acquisition of the competitor[21] and asserted that the acquisition violated section 7 of the Clayton Act.[22] The FTC demanded that Axon spin off the acquired company and share its own intellectual property.
Seeking to enjoin the FTC’s administrative proceeding, Axon sued in federal court alleging, inter alia, that the combination of investigative, prosecutorial, adjudicative, and appellate functions within a single agency violates due process, and, similar to what Cochran argued against the SEC, that the dual layer of for-cause protection given to the FTC’s ALJs insulated them from the President’s removal power in violation of Article II. The FTC argued that the district court lacked jurisdiction because Axon had to bring its claims in the administrative proceeding and, if it did not prevail, only then seek judicial review in the court of appeals. The district court agreed and dismissed the complaint.[23]
On appeal, a divided panel of the Ninth Circuit affirmed. The majority concluded that Axon would have meaningful judicial review of its constitutional claims because the Supreme Court held in Thunder Basin that such claims “‘can be meaningfully addressed in the Court of Appeals,’ even though the petitioner there similarly had argued that the agency process itself would violate its constitutional rights.”[24]
The Axon Enterprise Decision
Authored by Justice Kagan, the Court’s opinion concluded that neither the statutory provision governing FTC enforcement proceedings nor the statutory provision governing SEC enforcement proceedings divests federal district courts of jurisdiction to hear collateral constitutional challenges to administrative proceedings. Reviewing the three Thunder Basin questions, the Court answered each in the affirmative. On the first factor of “meaningful judicial review,” the Court reasoned that precluding district court jurisdiction of these constitutional challenges would effectively foreclose meaningful judicial review of these sorts of claims. The analysis was straightforward: “A proceeding that has already happened cannot be undone. Judicial review of Axon’s (and Cochran’s) structural constitutional claims would come too late to be meaningful.”[25] The Court emphasized the “here-and-now injury” that Cochran and Axon suffered by being subject to proceedings they believed to be unconstitutional.[26] A similar result was reached on the second factor, as the constitutional challenges are collateral to the proceedings “because they are challenging the Commissions’ power to proceed at all, rather than actions taken in the agency proceedings.”[27] Finally, observing that issues of constitutionality fall outside the expertise of both the FTC and the SEC, the Court concluded that those sorts of claims are not “of the type” that the FTC’s and SEC’s statutory schemes address and, accordingly, are properly reviewable by the district court.[28]
Justice Thomas authored a concurring opinion in which he expressed doubt that Congress may vest administrative agencies with primary authority to adjudicate “core private rights” to life, liberty, and property.[29] Congress might be violating separation of powers by compelling the judicial branch to defer to the executive branch on matters that the Constitution vests in the judiciary. Similarly, because agencies are not courts of competent jurisdiction, Congress might be violating due process by empowering federal agencies to deprive citizens of core private rights. Finally, Thomas noted that “the appellate review model” might violate the Seventh Amendment because agencies adjudicate “what may be core private rights without a jury.”[30]
Justice Gorsuch concurred only in the judgment. He wrote separately to express dissatisfaction with the Thunder Basin balancing test, which he regards as an incoherent “judge-made” device.[31] In his view, the Court need only review the relevant statutory text to assess whether (A) Congress “has actually carved out some exception” to jurisdiction, and (B) the general federal question jurisdiction statute, 28 U.S.C. § 1331, grants district courts the ability to hear the claims at issue.[32]
Conclusion
Axon goes hand in glove with increasing disillusionment at the results of uncritical Chevron deference and with last year’s invocation, in West Virginia v. Environmental Protection Agency,[33] of the “major questions” doctrine to curb the authority of federal agencies to act on “decisions of vast economic and political significance” absent clear congressional authorization.[34] At a minimum, the Axon Enterprise decision will create hurdles for agency enforcement actions. Beyond that, the case can be seen as part of a larger trend toward increased skepticism by the Court of overbroad powers—and potential abuses of those powers—by federal administrative agencies.
[34] The “major questions” doctrine is a label applied to jurisprudence over the years where the Court has curtailed exercises of power by administrative agencies “beyond what Congress could reasonably be understood to have granted.” Id. at 2609 (citing King v. Burwell, 576 U.S. 473, 486 (2015); Utility Air Reg. Group v. EPA, 573 U.S. 302, 324 (2014); Gonzales v. Oregon, 546 U.S. 243 (2006); FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120, 159 (2000)).
We all know that reading is power. At the ABA Business Law Section’s Hybrid Spring Meeting in April, the Section’s Rule of Law Working Group, led by Judge Alvin Thompson and John Stout, and its Pro Bono Committee spearheaded a fun and dynamic opportunity for members of the ABA BLS to read with elementary school students. Daniela Cimo (Chair of the Pro Bono Committee) and Tsui Ng (Co-chair of the Programs Committee) organized volunteers to work with Reading Partners, which partners with schools that identify students who are six months or more behind grade level in reading. (You can read more about the inspiration behind the initiative in Cimo’s article “How Civic Education, Pro Bono, and Professional Integrity Strengthen the Rule of Law.”) Students are paired with trained volunteers who provide one-on-one tutoring twice a week for forty-five minutes during the school year, following a structured curriculum. Students receive their own book every session to build their own home library.
As part of the curriculum, students practice reading out loud. BLS volunteers first received training and selected the book for their student to read to them. These books were donated by BLS members and ranged from stories exercising political and voting rights and stories about historical figures to simply funny stories.
The hour or so we spent working with Reading Partners was extremely meaningful, and admittedly, very fun. I had the honor to read with a powerhouse second grader who just turned eight, and who bounced into the room with her hoop earring, blue necklace, tie-dye purse, and a huge smile. We laughed together as she read me a book on how kids can help people to vote and why that is important. Without question, we all left our way too fast sessions with the students with more energy and hope than when we walked through the school doors. And because we all didn’t know each other before our volunteer session, we ended with a shared experience and new BLS friends.
Given the success of the program, the Rule of Law Working Group and the Pro Bono Committee are planning for another volunteer opportunity at the Annual Meeting in Chicago. I will be the first person to sign up.
This article is part of a series on intersections between business law and the rule of law, and their importance for business lawyers, created by the American Bar Association Business Law Section’s Rule of Law Working Group.