Although the financing of consumer goods and services is not a new concept, there has been a recent, rapid evolution in the methods, means, and speed of providing point-of-sale financing to consumers. The history of consumer credit traces back to retailers permitting consumers to pay for goods and services over time. Financing of goods and services was later outsourced to banks and finance companies who took on the risk, and reward, of financing on the retailer’s behalf. As time went on, the correlation between the creditor and the retailer became closer, at times becoming difficult to differentiate between the retailer and the creditor through the sales and financing process. Despite this point-of-sale financing evolution, roughly the same disclosure regime remains in place from 40 years ago.
Existing model disclosures are built for a physical world, but exponentially more transactions are taking place electronically, with this number drastically increasing due to the recent pandemic. The devices consummating these transactions are getting smaller and more mobile. Many model forms are built for 8½ × 14 paper, yet the size of Apple’s latest iPhone is 5.78 inches by 2.82 inches. Few creditors are deviating from model forms given the regulatory safe harbors afforded. Unfortunately, this practice does not always provide for the best consumer experience. Although retailers continue to provide products and services to consumers through consumer-preferred mediums—now, primarily mobile devices—partnering creditors are unable to adopt their financing disclosure regime to meet the customer sales experience that consumers have come to expect on these retailers’ platforms.
Several options are available to creditors to reconsider their disclosures framework. First, although creditors take comfort in model forms, using model forms is not the sole method to comply with the letter and spirit of the law. Creditors may consider creating alternative disclosures that comply with the technical requirements of the disclosure mandates in a mobile-device-friendly manner. Second, creditors may engage with retailers to determine customer pain points and evaluate whether to update model forms. In addition, the Consumer Financial Protection Bureau (CFPB) has provided avenues to test new disclosures, including the trial disclosure sandbox, where creditors can improve existing disclosures and test new forms with the CFPB. Additionally, creditors may engage with the CFPB’s Office of Innovation to request a no-action letter for a CFPB-approved disclosure or process.
As financing continues to integrate further with point-of-sale transactions, it remains pivotal that consumers are aware of when they are interacting with a bank (with consumer credit disclosures being the epitome of a consumer recognizing bank interaction) and when consumers are interacting with the retailer. This distinction is critical for several reasons, including true lender and privacy purposes. Regulatory developments and cases evaluating this issue have been rapidly increasing, likely due to more point-of-sale financing agreements and the interconnectedness of retailers and financers. The Office of the Comptroller of the Currency is attempting to address bank-partnership uncertainty through proposed regulation, while states continue to evaluate true lender concerns impacting their respective residents. In addition, privacy concerns for both the retailer and the creditor include ownership of information collected and usage rights with respect to that information, including the sharing and usage of information by third parties. An understanding of these increasingly complex data flows is important to evaluate issues under federal law, including the Fair Credit Reporting Act, as well as under state law, including the newly revised California Online Privacy Protection Act.
Finally, drawing clear lines delineating the retailer’s and the creditor’s responsibility is important for regulator interactions. Defining responsibilities clearly assists regulator inquiries and examinations as well as ultimate responsibility (which many times rests with the regulated entity) if there is a problem with the program. Regulators will be evaluating both the form and the substance of point-of-sale financing programs, and parties are well served to have clearly delineated ownership lines.
Point-of-sale financing continues to evolve faster than the times and legislation itself. For long-term success in this renewed growth opportunity, retailers and finance partners must look to both ancient and novel regulations while remaining closely connected to shifting consumer needs and behaviors.
When the calendar turned to 2020, my first thought was about how futuristic the year sounded and what kind of interesting things it had in store. At that time, no one could possibly have imagined that some of those interesting things would be face masks, working from home, and wearing the same loungewear so often that you begin to lose any concept of time. Still, the COVID-19 pandemic has hammered home the point even further that technology touches nearly every facet of our everyday lives. Consider something as benign as a lamp: you can purchase it on Amazon, turn it on or off using Google, and pay for the electricity that powers it via app. Given this and the current state of the world we live in, it should come as no surprise that modern technology has even impacted financial services industries and the regulatory environments in which they operate. Through RegTech and SupTech, both industry and regulatory agencies are finding ways to modernize compliance and create a more efficient and increasingly digital regulatory landscape.
What Are RegTech and SupTech?
“RegTech” refers to technology that has been developed for industry to address regulatory challenges. Those challenges might include meeting compliance requirements, assessing risk management, and reporting data. “SupTech,” on the other hand, describes the use of technology by supervisory and regulatory agencies to improve efficiency in their duties overseeing industry. SupTech includes streamlining administrative and operational procedures, as well as utilizing automation in the supervision process. Ultimately, the combination of RegTech and SupTech ideally will lead to a more robust compliance environment through proactive monitoring by supervisory agencies, enhanced reporting from industry, and better overall oversight. An added benefit of this efficiency is lower costs for industry in complying with regulations and better allocation of resources by supervisory authorities. A true win-win.
Developments in RegTech
RegTech is a booming industry, expected to be worth over $55 billion by 2025. With such growth comes some inevitable questions. How do regulators view RegTech? Do RegTech programs have the blessing of the agencies with which they are trying to comply? Regulators at both the state and federal level recognize the impacts RegTech has on industry and are actively trying to keep up with the innovation they are seeing.
In July 2019, New York Department of Financial Services (NYDFS) Superintendent Linda Lacewell announced the establishment of the NYDFS Research and Innovation Division. The Division’s intent is to ensure that NYDFS keeps pace with innovation in all sectors of the financial services industry. NYDFS further showed its dedication to fostering and tracking innovation by joining the Global Financial Innovation Network (GFIN) in October. GFIN seeks to support financial innovation by providing more efficient ways for firms to interact with regulators to develop new products that will benefit consumers.
In an August 2019 speech, Federal Deposit Insurance Corporation (FDIC) Chairman Jelena McWilliams emphasized the growing role of RegTech, noting that the FDIC will need to step in if regulators do not agree on joint guidance regarding bank use of artificial intelligence. Banks could potentially use AI to comply with laws and regulations concerning anti-money-laundering controls and other vital compliance programs. Small banks, as McWilliams noted, are more likely to turn to technology for competitive advantages and must be sure that their attempts at innovation will not be stifled by regulatory uncertainty.
Developments in SupTech
Despite the heightened emphasis on tracking industry innovation, regulatory agencies aren’t merely sitting back and watching industry utilize technology. In fact, groups of agencies have banded together to explore SupTech initiatives that allow them to better leverage technology in supervising and communicating with industry.
Back in 2017, the Conference of State Bank Supervisors (CSBS) launched Vision 2020, an effort to modernize state regulation of nonbank financial companies. Vision 2020 focused on six major initiatives: (1) creating the Fintech Industry Advisory Panel, which allows industry to provide input on state regulation; (2) redesigning the Nationwide Multistate Licensing System & Registry (NMLS) with a more automated and data-driven approach; (3) harmonizing multistate supervision through uniformity in examinations and consistent best practices; (4) assisting state banking departments in recognizing weaknesses in order to perform at a higher standard; (5) enabling banks to service nonbanks by addressing the risks involved and demonstrating how to comply with state and federal laws; and (6) improving third-party supervision through support for federal legislation to amend the Bank Services Company Act to allow state and federal regulators to better coordinate supervision.
In January 2020, CSBS released its Vision 2020 Accountability Report. Prepared by the Fintech Industry Advisory Panel, the report outlines progress made on the group’s initiatives to streamline state licensing and supervision of fintech companies. The report focuses on the increased use of technology for licensing and exams. Notably, CSBS has: (1) expanded the use of NMLS across all license types for nonbank financial services, (2) developed state licensing guidelines that are consistent across multiple states, and (3) launched a new state examination system. The report also noted a more consistent and streamlined approach nationwide to the licensing and regulation of money service businesses.
As part of the Vision 2020 initiative, CSBS announced in February 2020 the nationwide roll out of the State Examination System (SES). SES is designed to allow state agencies to securely perform examinations, investigations, consumer complaint processing, and enforcement actions. The customer complaint management system—released just this past September—allows state financial regulators to input, manage, and address customer complaints electronically. Summaries of all complaints entered will be available to any state regulator using SES, allowing state regulators to identify trends and potential bad actors. Although SES is clearly a SupTech solution, it also has some RegTech elements. The goal of SES is to bring every interaction a company has with state regulators onto a single platform. Giving companies a one-stop-shop digital platform for all regulator interactions would create massive time and cost efficiencies.
Much has been written in recent years about lawyers’ duties to preserve the confidentiality of client information under the rules of professional conduct and to take reasonable precautions to strengthen cybersecurity in order to avoid data breaches. Executing those duties has become more difficult amid an increase in the frequency and sophistication of state-sponsored and criminal cyberattacks directed at law firms and their clients. Further complicating matters for lawyers is knowing when disclosure to clients of a law firm data breach is required by the rules of professional conduct even though the threat of exfiltration or loss of client confidential data is in doubt. Below we examine opinions of the American Bar Association that offer some guidance on when client notification of a data breach is appropriate to ensure protection of client confidentiality and minimize exposure to legal malpractice liability. In addition, we will discuss the requirements of bar associations in various states and analyze law firms’ exposure to potential professional liability.
Several large international law firms have recently been hacked by foreign nationals seeking information in furtherance of an insider trading ring. A prominent Chicago law firm was sued in a class action alleging that it failed to maintain adequate safeguards to protect client confidential information. A New York entertainment law firm was subject to a ransomware attack in which the attackers claimed to have stolen privileged data about many of the firm’s high-profile clients. Panamanian law firm Mossack Fonseca was infamously hacked; the leaked documents published on the internet included the names of a number of the firm’s high-profile government clients, their shell corporations, and financial transactions, raising the specter of an alleged illegal money laundering scheme. The massive data breach and attendant unwelcome publicity coined the phrase “the Panama Papers” and inspired the Netflix movie The Laundromat, in which Meryl Streep portrayed a widow who was bilked by a client of the firm.
Against this backdrop, the organized bar has implemented guidelines, including published ethics opinions on cybersecurity, and reasonable measures to prevent data breaches—and ensuing professional liability. However, what should lawyers do when the unthinkable occurs, and their firm is the victim of a data breach or ransomware attack? What obligations do lawyers have to notify their clients that their confidential data has been or may have been compromised or accessed by a hacker?
ABA Ethics Opinion 483
In 2018, the American Bar Association Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 483, which provides guidance on law firms’ duties to notify clients of data breaches under the ABA Model Rules of Professional Conduct. The committee wrote that, “an obligation exists for a lawyer to communicate with current clients about a data breach.” However, not all cyber episodes require client notification. Rather, Formal Opinion 483 defines a data breach as cyber episode in which “material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.”
Formal Opinion 483 further notes:
[N]o notification is required if the lawyer’s office file server was subject to a ransomware attack but no information relating to the representation of a client was inaccessible for any material amount of time, or was not accessed by or disclosed to unauthorized persons. Conversely, disclosure will be required if material client information was actually or reasonably suspected to have been accessed, disclosed or lost in a breach.
Thus, it would appear that Formal Opinion 483 is arguably inconsistent, leading to the question: Is mere access sufficient to trigger a duty to provide notification, or must there be a reasonable suspicion of tampering with or misappropriation of the data? Some guidance is given by state ethics opinions, which, like the ABA, suggest that lawyers have a duty to investigate and disclose the existence of a data breach to clients whose material confidential information is known to have been accessed or exfiltrated by an unauthorized intruder. As will be seen, the law firm’s duty to provide client notice may exist even in situations in which the data penetration did not result in exfiltration of or damage to the client’s data.
Other Ethics Opinions
Earlier ABA Ethics Opinion 95-398 (1995) addressed a law firm’s obligation to notify a client when a third-party document storage vendor sustains an intrusion that exposes client confidential information, concluding that a lawyer may be obligated to notify the underlying client of an unauthorized intrusion which “could reasonably be viewed as a significant factor in the representation, for example where it is likely to affect the position of the client or the outcome of the client’s legal matter. . . .”
The New York State Bar Association Committee on Professional Ethics has similarly concluded that a lawyer must notify affected clients of information lost through an online cloud data storage provider. N.Y. State Bar Ass’n Eth. Op. 842 (2010). According to the NYSBA, “If the lawyer learns of any breach of confidentiality by the online storage provider, then the lawyer must investigate whether there has been any breach of his or her own clients’ confidential information, notify any affected clients, and discontinue use of the service unless the lawyer receives assurances that any security issues have been sufficiently remediated.”
The Maine Bar Association Professional Ethics Committee addressed client notification in its Ethics Opinion 220, which determined that client disclosure was fact-specific in the event of a law firm data breach but could be triggered by mere exposure rather than actual pilfering or manipulation of client data. According to the Maine Bar:
Notification requirements under the Maine Rules of Professional Conduct arise when confidences or secrets are exposed or the breach significantly impairs or impacts the representation of a client. A cyberattack or data breach alone may give rise to a duty to notify clients, depending on the circumstances. . . . Once the scope of an attack or breach is understood, the lawyer must promptly and accurately make an appropriate disclosure to the client.
(Citations omitted.) Thus, under the Maine Rules of Professional Conduct, mere exposure of client confidential information may be sufficient to trigger a disclosure obligation.
The Michigan State Bar has recently concluded that a law firm material data breach triggers an obligation to give notice to its clients. According to the Michigan Bar Ethics Opinion RI 381:
A lawyer has a duty to inform a client of a material data breach in a timely manner. . . . A data breach is “material” if it involves the unauthorized access, destruction, corruption, or ransoming of client ESI protected by [Michigan Rule of Professional Conduct] 1.6 or other applicable law, or materially impairs the lawyer’s ability to perform the legal services for which the lawyer has been hired. The duty to inform includes the extent of the breach and the efforts made and to be made by the lawyer to limit the breach.”
Thus, at least under the guidance furnished by the Michigan Bar Association, if the lawyer can determine which clients’ data have been compromised, then assuming that the pilfered or exposed data are material, those clients should be notified. The law firm should also promptly investigate and remediate the breach.
Professional Liability Concerns
In addition to compliance with the rules of professional conduct, there are also professional liability issues inasmuch as a disgruntled client could bring a claim that its confidential information was insufficiently safeguarded, or that it was not timely notified of the breach. In such cases, adverse publicity could be generated by the mere filing of a public complaint.
For example, in March 2020, a lawsuit was filed by Hiscox Insurance against law firm Warden Grier for breach of contract, breach of fiduciary duty, and malpractice. Hiscox accuses the law firm of failing to notify it of a major data breach in 2016, in the course of which client confidential information was penetrated by an intruder, posted on the dark web, and held for ransom, which the firm paid. Hiscox Ins. Co. Inc. & Hiscox Syndicates Ltd. v. Warden Grier, LLP (2020). According to the complaint, the law firm learned of the data breach in December 2016, but did not notify clients for over 16 months that their personal identifying information (PII) had been accessed by the “Dark Overlord” intruder and posted to the dark web. Julia Weng, Hiscox Hack Suit Advances as Warden Grier Loses Dismissal Bid, Data Breaches.net, July 25, 2020. In July 2020, a federal district court denied Warden Grier’s motion to dismiss Hiscox’s complaint, ruling that the complaint provides a cause of action for breach of contract and breach of implied contract, reasoning that the carrier’s litigation management guidelines constituted a binding contract that required the law firm to take specified precautions to protect the security of clients’ PII. Hiscox Ins. Co. Inc. & Hiscox Syndicates Ltd. v. Warden Grier, LLP, Case No. 4:20-cv-00237-NKL (W.D. Mo. Jul. 23, 2020). The law firm did not move to dismiss the negligence cause of action, which remains intact.
In 2016, a former client of Chicago law firm Johnson & Bell filed a class action alleging that the firm engaged in malpractice by its failure to maintain adequate standards of cybersecurity. The class action alleged that the firm, which portrays itself as an expert in advising clients about cybersecurity, was itself negligent in protecting its own clients’ data security by failing to properly encrypt an online attorney time-tracking system and by the use of a virtual private network. The purported class representatives alleged that they were damaged by the risk that their confidential information might be compromised at some point in the future. After denial of the law firm’s motion to dismiss, the court directed the parties to participate in confidential arbitration.
Regulatory Issues
In addition to professional liability concerns, law firms should be mindful of statutory obligations imposed on all businesses. For example, Massachusetts enacted a pioneering data-protection law in 2010 known as Standards for the Protection of Personal Information of Residents of the Commonwealth, which requires companies doing business in Massachusetts to encrypt personal data and to retain and store digital and physical records and implement network security controls to protect sensitive consumer information. The Massachusetts law broadly applies to: “Every person that owns or licenses personal information about a resident of the Commonwealth,” and requires such persons to develop “a comprehensive information security program that is written in one or more readily accessible parts.” It also contains safeguards to protect and encrypt confidential consumer information.
Lawyers who represent insurance companies in particular should take note of cybersecurity regulations promulgated in 2017 by the New York Department of Financial Services (DFS), which regulates the insurance industry. These new cybersecurity rules, which apply to all entities under DFS jurisdiction, including insurance companies, insurance agents, and banks, require encryption of all nonpublic information held or transmitted by the covered entity, and require each regulated company to appoint a chief information security officer, who must report directly to the board of directors and issue an annual report setting forth an assessment of the company’s cybersecurity compliance and any identifiable risks for potential breaches.
Of particular interest to law firms that represent financial institutions or are retained by insurance companies is section 500.11 of the new DFS regulations, which requires each covered entity to “implement written policies and procedures designed to ensure the security of information systems and non-public information that are accessible to, or held by third-parties doing business with the covered entity.” See . Thus, insurance companies that provide access to PII to third-party vendors must certify not only that their own information systems are adequate, but also that the information security systems of vendors, presumably including law firms with whom they do business, are also secure and protected. In other words, law firms who do business with regulated financial service companies are expected to comply with the cybersecurity standards of their represented clients.
Conclusion
As explained above, the rules of professional conduct require a fact-based inquiry and disclosure to those clients whose material data is known or reasonably suspected to have been accessed by an intruder. A law firm’s duty to notify clients about a data breach depends on the severity of the breach, the level of knowledge the lawyer has about the breach, and the materiality of the improperly accessed data. The consensus of the organized bar, as exemplified in the ethics opinions discussed above, recommends client notification of a data breach affecting clients’ confidential data that are material and reasonably suspected to have been accessed, disclosed, or lost.
The materiality of the data and their importance to the client are fact-specific. For example, if the intruder accessed the first draft of a brief filed 18 months ago in a closed case, ABA Ethics Opinion 483 probably would not require notice. On the other hand, a nonpublic client’s private financial statement, current merger plans, misconduct by the client’s CFO, or a nonpublic sexual harassment complaint would probably be the sort of information that a corporate client would reasonably consider material and expect to be notified about in the event of a breach. However, lawyers should ensure that they comply with clients’ litigation management guidelines, which may require notifications in situations broader than those required in bar association ethics opinions.
Law firms should proactively prepare for a future cyber intrusion and mitigate their risk by preparing a breach notification plan. In the event of a breach, law firms can avoid or mitigate professional malpractice claims by notifying their cyber insurance carriers, undertaking a prompt and thorough investigation, and employing third-party breach mitigation experts. Prompt and diligent disclosure to clients of the breach may also help mitigate the risk and severity of litigation.
Jennifer Goldsmith is vice president, professional liability claims, at Ironshore Insurance, an attorney at law, and a graduate of The George Washington University Law School. David Standish is a graduate of New York Law School, at attorney admitted in New York, and an assistant vice president and cyber/tech claims manager at Ironshore Insurance. Barry Temkin is a partner at Mound Cotton Wollan & Greengrass in New York, an adjunct professor at Fordham University School of Law, and immediate past chair of the New York County Lawyers’ Association Committee on Professional Ethics. The views expressed in this article are the authors’ alone and do not reflect the views of Ironshore Insurance, Fordham University, or the New York County Lawyers’ Association.
The foregoing information is for informational purposes only. It is not a substitute for legal advice from a licensed attorney, nor does it create an attorney-client relationship. The authors disclaim all liability arising out of this resource.
October 2020 was the 75th observance of National Disability Employment Awareness Month (NDEAM), annually administered by the U.S. Department of Labor as part of its efforts to ensure that employers include and accommodate workers with disabilities in the workplace. This year’s NDEAM is especially noteworthy given its coincidence with the 30th anniversary of the signing of the Americans with Disabilities Act. It also carries deeper significance in light of the COVID-19 pandemic and the ongoing national reflection on issues of diversity, opportunity, and social justice.
According to the Centers for Disease Control and Prevention, more than one in five Americans lives with a disability, and although Title I of the ADA legally prohibits employers from discriminating against people with disabilities, disabled workers remain severely underrepresented in the workforce. Although employment statistics for people with disabilities have gradually improved in recent decades, the pandemic has reversed many of these gains, in recent months driving the unemployment rate for disabled workers to nearly double the national average, according to Bureau of Labor Statistics data.
Despite the pandemic’s hardship for so many American workers and for workers with disabilities in particular, its upheavals have also presented opportunities for change and greater inclusion in the labor market as the nation recovers. Out of necessity in recent months, vast numbers of people have transitioned to working from home. As a result, many have discovered something of the access barriers and logistical challenges that have long confronted workers with disabilities. In turn, ensuring workplace accessibility has quickly become a priority for a much broader segment of the American workforce in an effort to reduce the disruptions posed by the virus and physical separation.
This newfound commitment to accessibility among nondisabled workers can ultimately benefit workers with disabilities as well. The proliferation of people working from home and connecting remotely has helped more individuals from diverse backgrounds to access work environments that might previously have been off limits. For example, working from home may present opportunities for people with mobility or visual disabilities who might otherwise have difficulty traveling to a distant office. Likewise, an employee with a speech or hearing disability may thrive in meetings held via online platforms, using chatboxes to more easily ask questions and communicate with colleagues.
With workplace routines changing, savvy employers will realize that anyone with the right setup and environment is able to do the work required, and that in many cases physical presence in an office may no longer be an essential job function. Companies may reconsider outdated practices and routines and recognize that jobs are not necessarily made harder by people performing them a bit differently. Particularly in these challenging times, employers may better appreciate the determination and creativity that people with disabilities bring to their work. Indeed, disabled workers are innovative by nature, routinely improvising solutions and workarounds in order to meet the demands of the workplace and of life in general. Workers with disabilities can bring the sort of creative thinking and unique perspectives that can help businesses be more productive and competitive in an uncertain environment.
This underscores a broader point understood by many companies: workplace diversity is not simply a matter of social responsibility or obligation, but an asset that makes businesses stronger. Companies looking to attract and advance more workers with disabilities can leverage practices from their diversity and inclusion programs in order to do so. This can include expanding recruiting efforts, a cultural commitment to inclusion, promoting disability awareness to enhance trust and communication for workers with disabilities, and consistently prioritizing accessibility to ensure that employees with disabilities can make full use of their talents. Any inconvenience or expense that a company may incur in maintaining barrier-free spaces or accessible technology is typically minimal and vastly outweighed by the blessings of a diversely talented workforce. Companies that thoughtfully and consistently furnish their workers with the tools and accommodations they need create a win-win situation , as individual employees can rise to their full potential and can collectively help their companies to achieve a marketplace edge.
As companies continue settling into new work environments and business patterns, their law firms and legal departments are being asked to step in on a variety of fronts. In many cases, these legal advisers are reinforcing their own teams with contract attorneys to help them address not only immediate issues triggered by the coronavirus pandemic, e.g., shoring up expertise gaps in areas such as employment and cybersecurity, but also longer-term matters related to contract breaches and corporate restructurings.
Some of the areas of expertise in particularly high demand are discussed below.
Employment experience. When employees were sent home to work due to the COVID-19 pandemic, businesses scrambled to get everyone set up with the technology and security they needed. If they remained open, they needed to look at their workplace through the lens of protecting their employees from potential physical harm. In each of these cases, employment policies and protections have come under intense scrutiny. Sound legal counsel is essential to getting it right.
Among other tasks, employers have amended or replaced their employee handbooks to reflect new protocols for work schedules, and approved equipment and security procedures as well as flexible solutions for employees who now hold caregiving responsibilities at home. Companies with a continuing on-site presence must also incorporate appropriate health screening measures and set out standards for workplace safety and hygiene.
These companies are calling in lawyers with employment expertise to help them rewrite their policies and handbooks; review, draft, and negotiate staffing agreements; and manage claims filed by employees. What kind of claims? Workers’ comp, OSHA, CARES Act—you name it. In fact, here is a partial list of the types of claims we are seeing in the employment space:
COVID-19 exposure, such as workplace safety and health, and OSHA whistleblower claims
WARN Act and EEOC claims related to terminations or furloughs
Labor law claims with the NLRB
Coronavirus Aid, Relief and Economic Security (CARES) Act and Families First Coronavirus Response Act (FFCRA) claims for paid sick/emergency family leave
Retaliation claims
Disability accommodation claims
Wage and hour claims related to working from home
Claims from nonessential workers who have been required to come to work
Wrongful death and injury claims
The speed with which employers have had to adapt their businesses and policies has left many open to labor and employment litigation. Lawyers who can help them sort it all out are in tremendous demand.
Cybersecurity, SaaS, privacy and GDPR expertise. Working remotely has created a sea of security challenges for businesses, which are tasked with putting systems and processes into place to protect their data, networks, and employees.
For starters, as employees are now required to conduct business virtually, they are using communication technologies that may be new to them. They need guidelines for using these technologies securely and understanding any potential for data breaches or other cybercriminal activity. Without the stringent security protocols of their corporate offices, these employees may become far more vulnerable to scams such as phishing, which aims to trick them into exposing sensitive company data. Attorneys with knowledge and experience in cybersecurity, privacy, and GDPR law are in high demand as new policies and agreements are put into place.
Software as a service (SaaS) agreements have become a hot-button issue as well. Companies are increasingly turning to SaaS solutions to satisfy their software needs, and drafting these complex agreements to protect client interests requires specialized knowledge.
Niche experience. Fallout of the pandemic looks different depending on the industry, and so lawyers with niche experience are in high demand. In the financial industry, for example, companies are seeking additional help from lawyers versed in drawing up market data, credit and securitization, and consignment agreements. Law firms are looking for experience in investment management, private funds, asset management, and bankruptcy law.
Beyond these industry-specific needs, demand for complex commercial litigators is ramping up as breach of contract and other disputes are arising based on companies’ inability to fulfill certain obligations. We might also expect to see a growing need for real estate litigators as companies strive to renegotiate their lease agreements, and for M&A attorneys as strategic transaction opportunities arise in the wake of the pandemic.
Of course, in addition to offering support in these specialized areas, contract attorneys must also be technologically proficient. Automation plays an increasingly pivotal role within the law firms and corporate legal departments who engage such attorneys. Digitization helps organizations streamline processes and rein in costs; attorneys must be able to navigate databases and systems as part of their daily work. Tech-savvy contract lawyers will continue to be in demand for the foreseeable future.
Regardless of the legal challenges brought about by the COVID-19 pandemic, contract attorneys can provide businesses with a viable, cost-conscious approach to bolstering their knowledge, expertise, and experience.
In late September, California enacted the California Consumer Financial Protection Law (“CCFPL”), which renamed the California Department of Business Oversight (now the California Department of Financial Protection and Innovation) and granted the department broad authority “to regulate the offering and provision of various consumer financial products or services under California consumer financial laws” and to “exercise nonexclusive oversight and enforcement authority under California consumer financial laws and, to the extent permissible, under federal consumer financial laws.”[1] Modeled off of the federal Consumer Financial Protection Bureau (“CFPB”), some have dubbed the newly named Department of Financial Protection and Innovation (“Department”) a “mini-CFPB.”
In addition to granting the Department broad oversight and enforcement authority, the CCFPL makes it unlawful for a “covered person” or “service provider” to engage, have engaged, or propose to engage in any unlawful, unfair, deceptive, or abusive act or practice (“UDAAP”) with respect to “consumer financial products or services.”[2] The CCFPL gives the Department extensive rulemaking authority to implement the new law. For example, the Department may by rule identify acts or practices that the Department deems unlawful, unfair, deceptive, or abusive in connection with any transaction with a consumer for a consumer financial product or service.[3] In the provision giving the Department UDAAP rulemaking authority for consumer financial products or services, the CCFPL requires the Department to interpret the terms “unfair” and deceptive” in a manner that is consistent with Section 17200 of the California Unfair Practices Act[4] and case law thereunder.[5] The CCFPL adopts the broad definition of “abusive” acts or practices that appears in Title X of the Dodd–Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd–Frank Act”) and instructs the Department to interpret the term “abusive” in a manner that is consistent with the Dodd–Frank Act.[6]
The aforementioned UDAAP rulemaking provision and most of the other rulemaking provisions in the CCFPL permit the Department to promulgate rules applicable to persons involved with “consumer financial products or services,” defined, in relevant part, as “a financial product or service that is delivered, offered, or provided for use by consumers primarily for personal, family, or household purposes.[7] Despite the law’s name and the scope of its focal provisions, the CCFPL gives the Department the authority to identify by rule UDAAPs in connection with small business financing products and to require data collection and reporting on small business financing products. Specifically, the CCFPL permits the Department to:
Define unfair, deceptive, and abusive acts and practices in connection with the offering or provision of commercial financing, as defined in Section 22800(d), or other offering or provision of financial products and services to small business recipients, nonprofits, and family farms. The rulemaking may also include data collection and reporting on the provision of commercial financing or other financial products and services.[8]
The CCFPL incorporates the definition of “commercial financing” from the relatively new California Commercial Financing Disclosure statute, which term covers a host of small business financing products such as merchant cash advances, asset-based lending, commercial loans, commercial revolving credit, and lease financing. [9] These products typically do not meet the definition of “consumer financial products or services” in the CCFPL and persons involved with these products should not be “covered persons” or “service providers” subject to other provisions of the CCFPL.
The Department’s “surprise” UDAAP and data collection rulemaking authority for small business financing products does not directly affect all small business financing providers. The CCFPL exempts a number of regulated entities including, but not limited to, banks, California-licensed finance lenders and California-licensed finance brokers.[10] However, a future rule could apply to merchant cash advance providers, unlicensed (but legal) loan brokers, and other non-exempt vendors that provide services in connection with the offering or provision of small business financing products. Because vendors supporting small business financing products could be subject to a future UDAAP or data collection rule by the Department, exempt entities may be indirectly affected by a future rule.
On the federal level, the Federal Trade Commission (“FTC”) has asserted its broad jurisdiction under the Federal Trade Commission Act and other laws “to stop deceptive, unfair and other unlawful practices by small business financing providers and their marketers, services or collectors.”[11] In mid-September, the CFPB released and sought comments on an outline of proposals to implement Section 1071 of the Dodd–Frank Act, which requires financial institutions to collect select data in connection with credit applications by women-owned, minority-owned, and small businesses and to report the data to the CFPB annually.[12] Whether and to what extent the FTC’s use of its unfair or deceptive acts or practices authority and the CFPB’s promulgation of a small business data collection rule will impact the Department’s use of its rulemaking authority for small business financing remains to be seen. Of course, as a populous, individual protections-oriented state, California’s use of its UDAAP and data collection rulemaking authority could influence the actions of federal agencies with similar authority and other states. The Department’s use of its new rulemaking authority for small business financing is a development to watch. The CCFPL becomes effective on January 1, 2021.
A few weeks ago, we launched a series of articles on the commitments and contributions of business to racial justice and equality.[1] As this is written, almost five months have passed since the death of George Floyd, and the world is awash in public statements by businesses and their leaders, many of which were issued just days or weeks after Floyd’s death. If someone wanted to say something, he or she should have said it by now. Nonetheless, it is important to consider the process of “taking a stand” since words will be closely scrutinized and serve as foundational guidance for all the actions that follow.
Whether or not to take a public stance on political or social issues and on events such as those that have played out following Floyd’s death is often a difficult decision for companies, many of which are concerned about alienating certain groups of customers by associating their brands with “controversial” positions on sensitive issues that are dividing society. However, pressure from employees, consumers, and investors has been building in recent years for business leaders to explain where they stand and how their values are being incorporated into the decisions they are making about products, messaging, their treatment of their workers, and community relationships.
While there is a risk of losing those who may not agree with their positions, companies argue that taking a stand is a moral imperative and that the overall health of the business will improve over the long term as a result of building a stronger personal connection with employees and customers. Floyd’s death and the protests that followed marked a tipping point for many companies, pushing them to go on the record regarding racial injustice. As Netflix explained on Twitter: “To be silent is to be complicit. Black lives matter. We have a platform, and we have a duty to our Black members, employees, creators and talent to speak up.”
Unfortunately, we can be reasonably certain that the events surrounding George Floyd’s death will not be the last time that business leaders need to consider whether to “take a stand” and how it should be done. In those situations, businesses are understandably under pressure to respond quickly. However, it is important to avoid being too reflexive and making public statements that are not supported by solid research and thoughtful dialogue with the company’s own stakeholders. A good deal of the debate and dialogue on what governments, police departments, communities, and businesses should be doing in the wake of George Floyd’s death was focused on systemic racism and racial injustice. A review of the news makes it clear that these are, and will remain, much debated and highly contentious concepts in America. It is also apparent that there are political leaders who concede that Floyd’s killing was wrong while denying that systemic racism exists or is a problem.
While business leaders can, like any other citizen, weigh into that debate, their first obligation is to do the research on their own that is required for them to understand the potential flash points. The landscape is quite broad. Consider one well-known definition of systemic racism offered by Joe Feagin and used in sociology:[2]
Systemic racism includes the complex array of anti-black practices, the unjustly gained political-economic power of whites, the continuing economic and other resource inequalities along racial lines, and the white racist ideologies and attitudes created to maintain and rationalize white privilege and power. Systemic here means that the core racist realities are manifested in each of society’s major parts . . . each major part of U.S. society—the economy, politics, education, religion, the family—reflects the fundamental reality of systemic racism.
Additional arguments and empirical support for the existence of systemic racism and its adverse impact on people of color can be found in a wide range of sources, including surveys compiled by Balko and Cole.[3] Moreover, according to a poll published in June 2020 by Edelman, a public relations firm, nearly two-thirds of Americans, including 57 percent of whites, were “very” or “extremely” concerned about systematic racism. In addition, big majorities of both blacks and whites expressed hostility toward “performative activism,” or posturing in which companies made floury statements but failed to take meaningful actions. The respondents also made it clear that silence was not a good option: Over half of the whites surveyed expected brands to take a stand on racial justice, and over two-thirds of the Republicans who answered said a company’s response to the protests following the George Floyd killing would determine whether its brand kept or gained trust.[4] A June 2020 Harris Poll found that 82 percent of Americans thought that it was either “very” or “somewhat important” for companies to work on making a positive difference on racial equality, and sizable numbers of the respondents called on companies to incorporate their views into advertising, speak out on racial equality, do business with others that share similar standards when it comes to combating racial inequality, and contribute to organizations that combat racism. However, only 21 percent of the respondents to the Harris Poll felt that companies had actually made a “very positive” impact, and many in the survey called out companies for failing to do enough to increase diversity in their leadership or for making meaningful efforts internally to address racial equality.[5]
However, contrary views should also be sought out and considered in order to anticipate objections to actions that may be proposed by political, community, and business leaders. For example, in an essay on lessons for talking about race, racism, and racial justice, The Opportunity Agenda listed several “counternarratives” that commonly appear in discussions regarding racism: “racism is ‘largely’ over or dying out over time,” “people of color are obsessed with race,” and “civil rights are a crutch for those who lack merit or drive.”[6] An op-ed piece published in the Wall Street Journal on June 2, 2020, which was widely circulated on social media, agreed that police officers should be held accountable for using excessive force, but argued that there was no evidence of widespread racial bias.[7] Business leaders should not get too bogged down in arguing each of these points, but they do need to be mindful of what some others might be thinking as they set out to engage in meaningful conversations to develop responses that can be implemented with broad societal support. No statement will be universally accepted, since independent and scientifically based polling continuously identifies different perspectives and experiences between the members of different racial groups and disagreements among them regarding preferred policy solutions.[8]
In its guidance on talking about race, racism, and racial justice, The Opportunity Agenda counseled leading with shared values, including justice, opportunity, community, and equity, all of which are aspirations that should be universally acknowledged regardless of race. The purpose of this approach is not to avoid difficult discussions regarding race, but rather to focus on potential solutions. The Opportunity Agenda also recommended describing how racial bias and discrimination is a problem for everyone in society and prevents society from realizing its full potential. According to surveys cited by The Opportunity Agenda, eight in ten Americans believe that society functions better when all groups have an equal chance in life. Another way to increase engagement with the issues surrounding racial injustice is to remind others of instances in which they may have felt excluded. This is a powerful approach given that there is evidence that six in ten Americans have reportedly felt discriminated against at one time or another on the basis of race, ethnicity, economic status, gender, sexual orientation, religious beliefs, or accent.[9]
In his advice to CEOs and directors on how they can lead on racial injustice, Scott pointed out that, while words alone were not a sufficient response to the situation, a company’s stakeholders, from employees to customers to community members, expect that its leaders will speak out and clarify the company’s position. The tone and content of the messaging will vary, but it should be made clear that the company supports racial justice and is committed to taking tangible and measurable actions to embed equity and diversity into its organizational culture and the actions to be taken with respect to operations and relationships with stakeholders. Like others, Scott argued that statements from company leaders are important cues to everyone in the organization as to what will be expected of them and how they should act.[10]
Although business leaders certainly need to look inward to their own experiences and values while working on the company’s public position on racial injustice, and must settle on a statement that is aligned with their personal values, they need not work in a vacuum. The actions that the company ultimately takes in furtherance of its position will necessarily be a collective effort involving everyone in the organization. The CEO should create a special working group to develop the company’s initial action plans relating to racial justice, ensuring that there is diverse representation in the group who can understand the concerns raised by stakeholders and identify and implement solutions that will truly be seen as responsive by those who have been most pained by past experiences. In addition, leaders should reach out to others who can help them understand the underlying issues and provide feedback on the steps that might be taken in formulating and executing the company’s commitments. Scott recommended that business leaders (i.e., directors and CEOs) seek advice on handling racial inequalities from their peers at other companies, perhaps borrowing from initiatives that those companies have already launched to address the issues the company is facing. Companies should also be prepared to turn to qualified and experienced outside consultants and advisors to assist in the process, recognizing that existing internal expertise may not be sufficient.
The leaders’ initial public statements regarding the company’s position on racial injustice should be amplified in a series of internal events that allow leaders to meet face to face with people from all parts of the organization to discuss the stated position and solicit input on specific initiatives the company should take to fulfill its commitments. These events create an opportunity to reinforce the company’s position, providing employees with ideas about how they should act and the factors they should consider when making decisions during their day-to-day activities. This will also give employees a sense of participation in the process. Employees should be encouraged to share their own experiences of racial injustice, both inside the workplace and outside in the world they live in. However, because many employees may be uncomfortable holding these conversations in a group setting, it is important that the company develop processes that employees can use to share their experiences anonymously. Including people of color as spokespersons for the company’s racial justice initiatives lends credibility to the efforts. Yet, they should not be asked to defend or justify past missteps, nor should they be prevented from explaining their own pain and discomfort.
At the same time as leaders are meeting with employees, engagement should be continued with external stakeholders who can provide insights into how the company has been handling situations in which racial justice issues might arise. For example, consideration should be given to how the company has treated customers (e.g., have there been complaints of racial discrimination against customers, either in how products and services are provided or in the ability of people of color to readily access the company’s products and services?). Dialogue should be undertaken with legitimate representatives of community groups to understand how the company is perceived by those who live and work in the neighborhoods where the company operates. Investors should be consulted and are increasingly likely to insist that their portfolio companies establish and report on specific targets relating to diversity and inclusion. Business leaders should also reach out to partners up and down their value chains to understand their responses to the situation. There might be opportunities to collaborate with these partners on racial justice initiatives. Moreover, companies also need to be certain that they are not exposed to reputational damage from affiliation with businesses that engage in practices that undercut diversity and inclusion.
[1] Alan S. Gutterman is the Founding Director of the Sustainable Entrepreneurship Project (www.seproject.org), a California nonprofit public benefit corporation with tax-exempt status under IRC section 501(c)(3) formed to teach and support individuals and companies, both startups and mature firms, seeing to create and build sustainable businesses based on purpose, innovation, shared value, and respect for people and the planet. Alan is also currently a partner of GCA Law Partners LLP in Mountain View, California (www.gcalaw.com) and a prolific author of practical guidance and tools for legal and financial professionals, managers, entrepreneurs, and investors on topics including sustainable entrepreneurship, leadership and management, business law and transactions, international law, and business and technology management. He is the co-editor and contributing author of several books published by the ABA Business Law Section, including The Lawyer’s Corporate Social Responsibility Deskbook, Emerging Companies Guide (3rd Edition) and Business and Human Rights: A Practitioner’s Guide for Legal Professionals (Forthcoming Fall 2020). More information about Alan and his work is available at the Project’s website and his personal website at www.alangutterman.com. This article is adapted from the chapter on Racial Equality and Non-Discrimination recently released on the Project’s website: https://seproject.org/wp-content/uploads/2020/07/EDI-_C1-Racial-Equality-and-Non-Discrimination.pdf.
[2] J. Feagin, Racist America: Roots, Current Realities, and Future Reparations (New York: Routledge, 2010).
[7] H. McDonald, The Myth of Systemic Police Racism, WALL STREET JOURNAL (June 2, 2020), https://www.wsj.com/articles/the-myth-of-systemic-police-racism-11591119883. See also R. Merry, What Is “Systemic Racism,” Really?, THE AMERICAN CONSERVATIVE (June 8, 2020), https://www.theamericanconservative.com/articles/what-is-systemic-racism-really.
[8] Poll: Americans’ Views of Systemic Racism Divided by Race (University of Massachusetts Lowell, September 23, 2020), https://phys.org/news/2020-09-poll-americans-views-racism.html.
After a long and arduous path, the Supreme Court of the United States finally heard Google v. Oracle.[1] In this case, Google faces potential liability for over $8 billion in damages because it copied the computer code as well as the structure and organization of that code from the original developer, Sun Systems, now owned by Oracle. The questions before the Court included whether the code and organization are copyrightable despite the merger doctrine and, even if so, whether Google’s use of the declaring code in the Android operating system constitutes fair use.
Some background is necessary to understand the scope of the dispute. Google copied the declaring code of 37 APIs. Java is a programming language and platform designed for programmers to “write once, run anywhere,” first popularly used for web applications. API stands for application programming interface, a set of code that enables two different software products to communicate—in this case, the APIs allowed Android written with the Java language to interface with the Android device. While the implementing code performs the actual program, the declaring code tells the programmer what the program does, which information is needed to perform the program, and where the program fits in the Java hierarchy. Programmers use calls that mirror the declaring code in order to invoke the API.
If you are feeling a bit lost, you are not alone. During oral argument on Wednesday, October 7, 2020, lawyers for Google, Oracle, and the weaved through a flurry of comparisons as the justices—like the lower courts previously—sought to gain a better understanding of the role of the declaring code and APIs more generally. In a line of questioning for Google, Chief Justice Roberts began by comparing Google’s copying to theft:
But, you know, cracking the safe may be the only way to get the money that you want, but that doesn’t mean you can do it. I mean, if it’s the only way, the way for you to get it is to get a license.
The justices then jumped from one analogy to another, comparing the declaring code itself to football playbooks and mathematical proofs, and then to the organization of the code to the QWERTY keyboard, the periodic table, and grocery store aisles. The first set of comparisons are instructions similar to the uncopyrightable methods of operation discussed in Baker v. Selden, where the Supreme Court held that copyright over an accounting book does not extend to the underlying accounting method. The second set are selections and arrangements which may be copyrightable. However, like the QWERTY keyboard, there were many ways for Sun Systems to organize the Java declaring code originally, but, by the time Google developed the Android system, app developers were used to Java’s hierarchy, according to Google’s argument. As emphasized by Justice Breyer and perhaps colored by with granting a monopoly over any of these ideas or standard organizations.
As the justices tried to tether the situation to something more familiar, the attorneys emphasized the importance of their ruling. For Google, a ruling in favor of Oracle represents a complete disruption of the programming world. As underscored in an amicus brief by eighty-three computer scientists—referred to repeatedly during oral argument—“the computer industry has long relied on freely reimplementing software interfaces to foster innovation and competition.” They suggest that finding the declaring code or organization of the declaring code copyrightable would force programmers to needlessly reinvent the wheel before progressing to something new.
Naturally, Oracle disagreed, arguing that the “the software industry rose to world dominance since the 1980s because of copyright protection,” and, rather than respect that protection and spend millions developing new code like Apple and Microsoft did, Google took 11,000 lines of code in an effort to catapult the nascent Android phone market off the hard work and original expression of Sun System’s programmers. Oracle and the government warned that a ruling for Google will “decimate the incentive to create high-quality, user-facing declaring code” that many companies actually license. Some legal scholars have criticized Oracle’s argument as arguing sweat-of-the-brow, a copyright doctrine repeatedly rejected by the Supreme Court, while others point out that companies license potentially uncopyrightable works all the time in order to avoid a future dispute.
Even if the Court agrees that the declaring code is copyrightable, then the Court must wrestle with whether to uphold the jury’s verdict that using Java’s declaring code for mobile phones was transformative fair use. While Google highlighted the “enormous creativity that is unleashed by the ability to reuse the [declaring code],” Oracle importantly underscored that fair use is notoriously tricky, poorly defined, and will lead to uncertainty for programmers.
No matter how the Court rules, the opinion, which is expected by June 2021, is sure to shake up the software industry. If the Court holds that the declaring code is not copyrightable, then programmers will breathe a sigh of relief, unburdened by the need to verify licensing in an industry built on the shoulders of giants. If the Court holds that the declaring code is copyrightable and the use is not transformative, then code licenses and lawsuits alleging infringement will flood Silicon Valley. Finally, if the Court holds that the use is transformative, even if the code is copyrightable, then attorneys must grapple with counseling companies on specific uses, navigating through the murky waters of fair use.
[1] Michael Arin is a recent graduate of the University of Minnesota Law School. His research focuses on the intersection of intellectual property, consumer protection, and antitrust, with a specialization in the esports industry. The views expressed herein are the author’s own.
As digital transformation progresses, large and established corporations, but also medium-sized companies, are increasingly coming under competitive and innovative pressures. Start-ups are developing disruptive business models, which are competing with traditional models or even threatening to replace them. The former needs access to innovation and the latter needs investment, providing a mutually beneficial opportunity for corporate venture capital (CVC) to provide a solution, giving traditional companies access to the newest innovation on the market (a so-called “window on technology”).
According to the 2018 Global CVC Report, there were 2,740 deals with a combined value of USD 53 billion throughout 2018 worldwide. These investments were often limited to seed and Series A financing due to the smaller financial resources of most CVC units compared to traditional VC investors.[1] Nevertheless, CVC investments accounted for around 23% of all investments in start-ups worldwide in 2018.[2] Compared to the global market, Germany still plays a limited role with only 5.3% of all deals in the years 2000 to 2018.[3] However, Germany’s largest publicly traded companies, the DAX30, now offer start-up and innovation programmes and have established their own CVC units.[4] As a result, the number of CVC investments in Europe in the first half of 2019 rose to 426 deals with a volume of EUR 6.1 billion, while the volume of CVC investments in Europe was at EUR 8.8 billion for the whole year of 2018.[5]
The term CVC covers three types of participation and cooperation between large and medium-sized companies and start-ups. In addition to the CVC unit participating in a classic venture capital fund and setting up of incubator or accelerator programs, the most common model found on the market is direct or indirect equity participation or, often, debt financing of start-ups by the respective CVC company. According to a survey by Tilburg University, 58.5% of all start-ups already work with corporations and medium-sized companies.[6]
In this article, we discuss the various possible legal structures for CVC units to participate in start-ups from a corporate and tax law perspective. We also look at the legal challenges in implementing corporate governance at the target company.
2. Possible business structures as a starting point for participations in companies
There are various legal structures for participating in suitable target companies. Participation can occur either directly by the traditional business or indirectly through an investment vehicle, with CVC companies usually acquiring minority stakes in their portfolio companies.[7]
2.1 Direct participation
Direct participation in the target company is the simplest legal structure. The investing company acquires shares directly in the portfolio company and so becomes one of its shareholders. In Germany the portfolio company is usually a limited liability company (or GmbH: Gesellschaft mit beschränkter Haftung).[8] As a direct shareholder, the CVC investor is entitled to all the property, administrative and control rights provided by law—which is set out in the appropriate code since Germany is governed by civil law. How much influence the CVC investor actually has in the target company depends largely on the size of its investment/shareholding. As with classic venture capital investments, subscription rights, anti-dilution protection, and liquidation preferences can be negotiated and documented.
From a tax law perspective, direct participation has advantages. Profit distributions from one corporation to another corporation are generally tax-free, provided the participation in the target company is above 10% (Section 8b paragraph 4 sentence 1 of the German Corporation Tax Act (KStG)).[9] The tax exemption also applies in principle to capital gains, although 5% of the capital gains are considered non-deductible business expenses subject to corporate tax and trade tax.[10]
Direct participation is rare in practice, as it carries disadvantages. On the one hand, there is no separate limitation of liability (the trading entity is a direct shareholder in the start-up), and direct participation is inflexible from a company’s legal perspective. On the other hand, direct participation of the CVC unit in the parent company often requires formal approvals and leads to lengthy decision processes, which is difficult to reconcile with the investment decisions to be taken and the flat hierarchical culture of a start-up. Successful CVC investment therefore usually requires a strategic reorientation of the parent company’s usual approach to corporate decisions for its core business. To achieve an agile company culture, it is usually better to consider a different separate business structure.
2.2 Indirect participation
CVC activities of traditional companies regularly occur through the formation of separate and legally independent CVC units.[11] These CVC units are not only composed of employees of the parent company, but often also of external venture capital experts. By legally separating the CVC units from the parent company, the CVC investor can act more flexibly and faster. The CVC units differ from traditional VC companies primarily because the parent company is the sole investor in the CVC company. More than 70 CVC units already exist in Germany.[12]
(1) Indirect participation through a German limited liability company (GmbH)
The participation through a GmbH is the standard model. The parent company holds 100% of the shares in the CVC-GmbH. The CVC-GmbH in turn holds the shares in the target company. The same applies to the contractual arrangement of the investment between the CVC-GmbH and the target company, as in the case of a direct participation by the parent company. The legal advantage of indirect participation is that the liability for the investment in the target company is limited to the CVC-GmbH and the separate entity provides greater flexibility under company law. The disadvantage is that the standard model creates additional taxation. However, the same comments above apply to the tax burden on the CVC-GmbH, which means that in principle, capital gains are tax-free, although 5% of the capital gains are considered non-deductible business expenses, which are taxable.[13]
The additional taxation can be compensated by forming a tax group between the parent company and the CVC-GmbH. A tax group is a taxation unit consisting of two independent companies: the controlling company and the controlled company. Both companies form a single taxpayer, so that taxes only have to be paid at the level of the parent company. The prerequisite for the formation of a tax group (pursuant to Section 14 paragraph 1 sentence 1 KStG) is the documentation of a profit and loss transfer agreement between the controlling company and the controlled company, according to which the latter undertakes to transfer its profits to the controlling company.[14] Pursuant to Section 14 paragraph 1 no. 3 sentence 1 KStG, the profit and loss transfer agreement must be in place for at least five years and be actually implemented during this period.[15]
(2) Indirect participation through an investment company (German: Unternehmensbeteiligungsgesellschaft (UBG)).
Indirect participation is also possible through an investment company. A UBG must be recognized as such by the competent authority according to Section 1a paragraph 1 of the Investment Companies’ Act (UBGG). It can also be operated in the legal form of an AG, GmbH or KGaA (Kapitalgesellschaft, orlimited liability company). The UBGG does not create a new legal structure of its own but refers to certain already existing business structures. The UBGG offers tax advantages: If recognised, the UBG is exempt from trade tax under Section 3 No. 23 of the German Trade Tax Act (GewStG). Apart from that, however, the normal corporate tax regulations apply, as long as the UBG is organised in the legal structure of a GmbH or AG (Aktiengesellschaft, or stock company).[16]
The UBGG regulates certain investment and participation limits. A distinction is made between open and integrated investment companies. Unlike the integrated UBG, the open UBG can only be organized as a subsidiary of the parent company for five years (Section 7 paragraph 1 sentence 1 UBGG). In contrast, the integrated UBG may in turn only participate in companies in which there is at least one natural person entitled to manage the company and who holds at least 10% of the voting rights of the company (Section 4 paragraph 4 sentence 1 UBGG).
In practice, it is problematic that the investment company can only grant loans to companies in which it already has a stake (cf. Section 3 paragraph 2 UBGG). If the investment company does not have participation in the start-up, it will not be possible to grant the respective start-up a convertible loan, often used for early-stage financing. As a result, investment companies are rarely used in practice and mainly invest in banks, where the granting of loans to the portfolio company is often not market standard and so avoids the application of equity substitution rules.[17]
(3) Indirect participation through a GmbH & Co. KG (German: Gesellschaft mit beschränkter Haftung & Compagnie Kommanditgesellschaft)
Another possible option for CVC participation is the indirect participation through a partnership in the form of a GmbH & Co. KG. General and limited partners do not have to be natural persons.[18] For this option, both a limited partnership (Kommanditgesellschaft) and a general partner in form of a GmbH have to be established. In this case the CVC-GmbH & Co. KG holds the shares in the target company. The parent company holds all shares in the GmbH & Co. KG and in the general partner GmbH.
The participation through a GmbH & Co. KG has several advantages over the simpler GmbH structure mentioned above:
1. flexibility under company law,
2. limitation of liability for the parent company,
3. tax transparency as a partnership and
4. the relatively simple incorporation procedure of the GmbH & Co. KG without any further requirement of notarisation.[19]
The disadvantage of this arrangement is that with the formation of the general partner GmbH and the GmbH & Co. KG, the investment structure becomes more complex and administratively complicated.
(4) Indirect participation with capital participation of the management
The most complex form of indirect participation by the CVC unit is through capital participation of the management.[20] First, the previous model, which involved an indirect participation through a CVC GmbH & Co. KG, is constructed. Only the CVC-GmbH & Co. KG alone holds the shares in the target company. However, a further company is added as a carry vehicle, in which the management team participates. This enables the profit (“carry”) to be shared individually between them. Due to the advantages described above under (3), the legal structure usually chosen for the carry vehicle is the limited partnership, as it is fiscally transparent and provides limited liability to the management.[21] The carry vehicle participates in addition to the parent company as a limited partner with a capital participation in the CVC-GmbH & Co. KG (giving it “skin in the game”).[22] The general partner GmbH does not have a share in the assets of the CVC-GmbH & Co. KG and is held 100% by the capital management company in the form of a Management GmbH, which is also the managing limited partner of the CVC-GmbH & Co. KG and the carry vehicle. The latter also makes sense from a tax perspective, as the tax authorities consider the non-trading characteristics of the CVC-GmbH & Co. KG and the carry vehicle so that no trade tax is payable.[23]
The profit participation of the management is usually disproportionate to the capital. Typically, the carry is around 20% of total earnings.[24] The fund agreement must specify the further details of profit distribution, in particular the extent to which profits from the CVC company’s investments may be retained for reinvestment and whether the parent company is entitled to any preferential return (the “hurdle rate”).[25] There are two standard models for calculating the carry: either all investments during the entire term of the fund are taken into account in the profit participation or only the individual exit is taken into account. From the point of view of the parent company, the overall view is preferable, as otherwise the management receives carry payments early on, even though later investments may be less successful, which in turn has to be compensated later after deduction of taxes (“carry clawback”). However, a payment of the carry late in the life of the investment can in turn have a negative impact on the management team’s motivation.
Ultimately, this fund structure offers the advantage that the management of the CVC unit participates in the success of the CVC company and thus creates a further incentive for the management to achieve the highest possible profits for the CVC company. At the same time, capital participation ensures that the management also participates in the economic risk of the CVC company. The “fund structure” allows a balance between the interests of the managers and the CVC investor, which cannot be achieved by a mere contractual agreement of the management team’s compensation (possibly with additional bonuses if defined targets are reached).
3. Implementation of corporate governance at the level of the portfolio company
The term “corporate governance” covers general principles of proper management. Although these principles are primarily aimed at listed companies pursuant to Section 161 of the German Stock Corporation Act (AktG), compliance with them is also recommended for non-listed companies.[26] Having said this, a CVC investor has an interest in implementing its corporate governance principles in its portfolio companies as well. After all, management within the portfolio company that is inconsistent with the parent company’s corporate governance also has a negative effect on the parent company. The following focuses on the cornerstones of implementing some of the aspects of corporate governance in the start-up portfolio company, without addressing all aspects and topics of the investment agreement.[27]
(1) Compliance, due diligence, and warranties
Any company, regardless of its size, may be subject to claims for damages and/or fines in the event of compliance violations. However, while a consistent compliance management system is usually already implemented in the parent company, the pursuit of agility in the start-up often stands initially in diametric opposition to such adoption. Fixed structures should be avoided in start-ups to speed up processes and make them more flexible.[28]
In later phases of European start-ups, however, there is a focus on issues surrounding data protection, regulation, and, increasingly, cyber security and consumer protection[29] due to the risk of potentially substantial fines. The same applies to start-up exits, where the purchase agreement of the company focuses on due diligence checks and warranty catalogues, so that the selling shareholders focus on data protection, consumer protection, and IT compliance at an early stage in order to avoid having to accept valuation adjustments or extensive exemptions later in the exit process.
(2) Advisory board and approval requirements
The formation of an advisory board has established itself as an important component of corporate governance. Most start-ups in Germany are organized as a GmbH, whose statutory bodies are limited to the management and the shareholders’ meeting. However, it is possible to set up an advisory board based on the articles of association, if included, or based on a contract (organschaftlichen oder zumindest schuldrechtlichen Beirat).[30] Both types of advisory boards can take on advisory, monitoring, or management functions. Like the management body, the advisory board can also be staffed by third parties from outside the company.[31] CVC investors secure their influence on the portfolio company by, among other things, being granted the right in the shareholders’ agreement or partnership agreement to appoint (at least) one advisory board member and/or a so-called “observer” to the advisory board. A further characteristic of good corporate governance is transparency.[32] This can be reached through the agreement of extensive information rights and obligations.
The Corporate Governance Code becomes particularly relevant when interpreting general company law clauses such as Section 43 of the German Limited Liability Companies Act (GmbHG) or Section 93 AktG. According to the Business Judgement Rule, the decisive factor is whether the respective management body has made decisions in the best interests of the company and—based on appropriate information—in a reasonable manner. This legal standard leaves a great deal of leeway for management boards and managing directors, which can be contractually limited by rights of approval. Thus, special majority requirements, veto rights of individual shareholders, and reservations of approval of the shareholders’ meeting or the advisory board are regularly found in shareholder agreements and articles of association of (C)VC-financed start-ups.
(3) Vesting
For CVC investors, it is also particularly important to commit the management of the start-up to comply with corporate governance for as long as possible.
One way to implement these requirements is to include vesting provisions in the investment agreement. Vesting is primarily implemented through the transfer of founder’s shares, subject to the condition precedent of the occurrence of a pre-defined event before the end of the vesting period, which generally lasts three or four years.
Particularly relevant in practice is the event of termination of the managing director’s service contract or the employment contract of the founder for good cause. Such reasons can be extensively negotiated and often include a (significant) violation of a code of conduct or other compliance guidelines by the founder. With no “employment at will” in Europe, such provisions need careful thought at the time of investment.
4. Summary
The indirect participation of the parent company through a participation vehicle works best for both the CVC investor and the target company. The specific form of company that should be chosen for the investment vehicle depends on the interests of the parent company. Particularly crucial is the question of whether the management should participate in the profits (and losses) of the CVC unit. Ultimately, the challenge for CVC investors is to find a form of participation that offers the greatest possible agility and enables rapid decision-making processes.
The internal corporate governance requirements of the parent company should not be too overwhelming for the start-up but should nevertheless be respected. For start-ups, it is crucial that the contribution of the CVC investor supports rapid progress and that the contractual documentation provides access to the CVC investor’s technological know-how, production and development resources, distribution channels and cooperation partners (“smart money”).
Finally, the investment agreement should ensure that the interests of all stakeholders involved (especially founders, business angels, VCs, and CVCs) are aligned as far as possible and focuses on increasing the value of the start-up.
*Robin Eyben and Maximilian Vocke are lawyers at Osborne Clarke in Berlin. Special thanks to Dana Alpar, legal trainee at Osborne Clarke, Berlin.
[6] Tilburg University, 2018 Global Startup Fundraising Survey, 2019 Corporate Venturing Report. Available under: www.corporateventuringresearch.org/.
[7] Grub/Krispenz: Auswirkungen der Digitalisierung auf M&A-Transaktionen. In: Betriebs-Berater, 2018, p. 235-239 (236).
[8] In later phases, start-ups are also organised in the legal form of an Aktiengesellschaft (AG) or Societas Europaea (SE).
[9] Schulz: § 11 Die Ertragsbesteuerung der GmbH und ihrer Anteilseigner. In: Beck’sches Handbuch der GmbH, 5. ed., Munich, 2014, no. 270.
[10] Schulz: § 11 Die Ertragsbesteuerung der GmbH und ihrer Anteilseigner. In: Beck’sches Handbuch der GmbH, 5. ed., Munich, 2014, no. 271. This taxation privilege does not apply to credit institutions and financial services institutions (§ 8 b VII S. 1
KStG).
[11] Klamar/Prawetz: Corporate Venture Capital Markt in Deutschland, Frankfurt am Main, 2018.
[12] BVK-Statistik: Zahl der Woche: Mehr als 70 CVC-Gesellschaften in Deutschland, 25.03.2019. Available under: https://www.bvkap.de/events-medien/videos/2019-03-25/zahl-der-woche-mehr-als-70-cvc-gesellschaften-deutschland.
[13] This taxation privilege may also not apply to credit institutions and financial services institutions at the CVC-GmbH level (§ 8 b Abs. 7 S. 2 KStG).
[14] Ebber: KStG § 14 Aktiengesellschaft oder Kommanditgesellschaft auf Aktien als Organgesellschaft. In: BeckOK KStG, Micker/Pohl, 3. ed., München, stand: 15.09.2019, no. 349.
[15] Premature termination, meaning before the end of the five-year period without good cause, results in invalidity from the outset, so that any profits are taxable retroactively at the level of CVC-GmbH.
[16] Veith: § 17 UBGG (Gesetz über Unternehmensbeteiligungsgesellschaften). In: Private Equity und Venture Capital Fonds, Pöllath/Rodin/Wewel, Munich, 1. ed., 2018, no. 13.
[17] Veith: § 17 UBGG (Gesetz über Unternehmensbeteiligungsgesellschaften). In: Private Equity und Venture Capital Fonds, Pöllath/Rodin/Wewel, Munich, 1. ed., 2018, no. 21.
[19] See Schwarz van Berk/Euhus: § 2 Wahl der geeigneten Fondsstruktur. In: Private Equity und Venture Capital Fonds, Pöllath/Rodin/Wewel, Munich, 1. ed., 2018, no. 3.
[20] In the case of private equity funds, the fund management originally used to hold a participation of 1%, but now it is more likely to be 2-3%, see Mardini: § 11 Vergütung und Erfolgsbeteiligung (Management Fee, Carried Interest). In: Private Equity und Venture Capital Fonds, Pöllath/Rodin/Wewel, Munich, 1. ed., 2018, no. 64.
[21] Mardini: § 11 Vergütung und Erfolgsbeteiligung (Management Fee, Carried Interest). In: Private Equity und Venture Capital Fonds, Pöllath/Rodin/Wewel, Munich, 1. ed., 2018, no. 55.
[22] For the possible classification of Carry GmbH & Co. KG as an AIF or investor in an AIF see El-Qalqili/Volhard: § 4 Verwalter eines AIF (Anwednungsbereich des KAGB). In: Private Equity und Venture Capital Fonds, Pöllath/Rodin/Wewel, Munich, 1. ed., 2018, no. 39 et seq.
[23] Buge: § 25 Steuerliche Struktur des AIF. In: Private Equity und Venture Capital Fonds, Pöllath/Rodin/Wewel, München, 1. ed., 2018, no. 92.
[24] „Two and Twenty“ (2% Management Fee, 20% Carry), see Mardini: § 11 Vergütung und Erfolgsbeteiligung (Management Fee, Carried Interest). In: Private Equity und Venture Capital Fonds, Pöllath/Rodin/Wewel, Munich, 1. ed., 2018, no. 56.
[25] Due to the longer holding period, Venture capital funds often do not agree on a hurdle rate.
[26] Weitnauer: Teil E. Die Gründung. In: Handbuch Venture Capital, Munich, 6. ed., 2019, no. 338.
[27] The investment agreement of (corporate) venture capital financed companies usually contains extensive provisions on the control of the company and the economic distribution of proceeds. In many of these regulations there is an asymmetry of interests between financial investors, founders and CVCs, especially if the latter are strategically motivated. For reasons of scope and focus, the presentation of these regulations and conflicting interests as well as the practically very relevant approaches to solving this problem is not subject of this article.
[28] Federmann/Hensel/Krause: CB-Beitrag: Compliance bei Corporate-Venture-Capital-Transaktionen. In: Compliance-Berater, 2019, p. 248-253 (250).
[29] So-called Omnisrichtlinie, see www.consilium.europa.eu/de/press/press-releases/2019/03/29/eu-to-modernise-law-on-consumer-protection/, accessed on 13.1.2020.
[30] Heermann: GmbHG § 52 Aufsichtsrat. In: GmbH-Gesetz, Ulmer/Habersack/Löbbe, Heidelberg, 2. ed., 2014, no. 316. Uffmann: Überwachung der Geschäftsführung durch einen schuldrechtlichen GmbH-Beirat? In: NZG, 2015, p. 169-176.
[32] See no. 6 of the German Corporate Governance Code (In the version of February 7, 2017 with decisions taken at the plenary session of February 7, 2017). Available under: www.dcgk.de/de/kodex.html.
The virus that causes COVID-19 has ushered in unprecedented times for our country and our global community. Certainly, the pandemic is impacting the way M&A transactions are looked at, papered, implemented, and even priced. This article identifies some of the higher-level, pandemic-related considerations evolving in the private company M&A world.
Legal Due Diligence
The typical buyer-side legal diligence checklist casts a broad net to bring to the surface legal risks and other potential concerns with the target business. Even with its breadth, the standard legal diligence checklist may need pandemic-specific questions, including those focusing on: force majeure clauses; supply-chain disruptions; employee accommodations; safe working environments; whistleblower claims relating to COVID-19; on-site contagion risk management; business continuity and disaster recovery plans; classification of business services as “essential”; CARES Act loans, credits, and the like; and analysis of relevant insurance coverage.
Target Representations and Warranties (Reps)
Many target reps customarily seen in an M&A agreement may need expansion to cover pandemic-related matters, and at the same time, those matters may warrant broader inclusion in the target’s disclosure schedules. The reps most likely to warrant specific pandemic consideration would be those covering the topics as noted above, likely including reps as to operation in the ordinary course and absence of a material adverse effect or change; compliance with laws; labor and employment matters; financial statements; and no undisclosed liabilities.
Earnouts
Earnouts are often helpful in bridging a “valuation gap” as between buyer and seller. A valuation gap is more likely to occur when the target is facing economic uncertainty, such as the impact of the COVID-19 pandemic. At the same time, earnouts bring their own uncertainty and may “kick the can down the road” and simply defer a “miss” in agreement as to pricing. Careful, precise language is critical so that the earnout—itself a tool for hedging against uncertainties—functions properly and as the parties intended, without bringing undue risks of disputes into the post-closing business venture.
Disclosure Schedules and Their Updating
Disclosure schedules provide fact-specific disclosures (or exceptions to specific statements) relating to a target’s reps. As such, they impact the scope of responsibility for those reps. The COVID-19 pandemic has underscored this aspect of M&A practice. Targets are seeking to disclose to buyers more pandemic-related matters and consequences—past, present, and future—on their disclosure schedules.
For transactions in which an M&A purchase agreement has been signed but has not yet closed, sellers are looking to their purchase agreements to see how the topic of disclosure schedule updating is addressed. The parties have a wide range of alternatives they can use to address disclosure schedule updating within a purchase agreement. These in turn raise deal points as to what can or must be disclosed and the effect of those updated disclosures on the buyer’s termination and pre- or post-closing indemnification rights.
Renegotiating LOI Terms
There may well be a “gap period” between when a normal, “nonbinding” letter of intent (LOI) is signed and a binding purchase agreement is entered into (either prior to or simultaneously with the deal closing). Even if nonbinding, typical M&A LOIs will set forth expectations on key deal points such as price, closing conditions, and the like. During that post-LOI period, sellers may experience pandemic-related impacts on operations that may decrease cash flow, revenues, and other metrics involved in the sale. Buyers may find that their expectations for cash flow, revenues, and the other metrics may be significantly depressed as they approach a binding commitment on terms. As a result, the parties may need to adjust the LOI terms.
It is important to spell out in an LOI what metrics may be subject to adjustment and when. This is important even if the LOI is nonbinding; even in that context, parties normally expect that key terms in the LOI will be honored absent unexpected circumstances or facts, and if nothing else, clarity as to whether the parties can revisit key terms will only help the deal dynamic should those discussions become necessary.
Net Working Capital Adjustments
Most purchase price adjustments (apart from those relating to indebtedness, cash, and transaction expenses) are based on net working capital of the target—specifically, the difference between net working capital at closing and a previously agreed-upon target level. This target working capital is usually intended to reflect a “representative” or “normalized” level of working capital for the business. However, this may be difficult to ascertain as a target level in light of the rate and extent to which the pandemic has impacted business conditions. Parties might consider a mechanism for adjusting the target working capital level between signing and closing if the original level becomes, with the benefit of knowledge learned through additional time, painfully optimistic.
Standalone Indemnities
The effect of the pandemic on a target’s preclosing business is potentially the “type” of topic or matter that a buyer might conclude should not be “its problem.” Buyers may reason that their deal pricing and modeling did not take into account pandemic-related economic risk, at least through closing. They may view pandemic issues, and their impact on the target business, as one of those “toxic” categories of risks that they consider to be “on the seller’s watch.” The scope of target reps on these matters is an important mechanism for risk allocation.
If the parties agree that all or some pandemic-related impact on the target business should be borne by the seller, a standalone indemnity—a mechanism already commonly used in M&A agreements for unusual or toxic risks—may, alongside target reps, be an important part of the overall structural solution.
MAC Provisions
“Material adverse impact” or “material adverse change” provisions (referred to together as MAC provisions or clauses) are commonly seen within M&A agreements and serve three purposes: (1) as the subject of an affirmative target rep (i.e., that since a certain date there has been no MAC); (2) as a qualifier and limitation to one or more other target reps (e.g., that the target business has qualified to do business in all applicable states except where the failure to qualify would not have a MAC); and (3) to provide a termination right to the buyer after signing but prior to closing, giving the buyer a right to walk away if a MAC occurs in the intervening period.
Under a plain reading of typical contemporary MAC provisions, the COVID-19 pandemic is likely to fall within one of the more common “causal exceptions” to a MAC, such as those for general economic conditions, acts of God, or natural disasters. It is possible that a particular set of pandemic-related circumstances may nonetheless fall within a customary “disproportionate effects” exception to the exclusion (thereby making it a MAC), though this will likely be an uphill battle as well because disproportionality is usually measured by reference to comparable businesses within the same industry.
Notwithstanding the likelihood that existing, best-practices MAC provisions will normally exclude pandemic-related consequences from coverage, parties are beginning to include MAC language that does so more expressly and affirmatively, either through a specific exclusion from a MAC definition for the COVID-19 pandemic and its effects, or within disclosures to MAC-related representations and warranties. At the same time, given present economic volatility, buyers may seek to include the pandemic as a MAC event for purposes of providing a termination right if pandemic-related consequences become materially worse (or to include a pandemic-specific termination right). Target companies and sellers will, of course, resist these efforts.
Other Purchase Agreement Provisions
Invariably, other provisions of a typical M&A purchase agreement must be re-examined in light of the COVID-19 pandemic. These could include provisions relating to outside closing dates (should outside closing dates be extended in the event of pandemic-related delays beyond the parties’ control, e.g., if third-party consents, confirmatory diligence visits, or government approvals are not forthcoming as quickly as would normally be the case); interim operating covenants (which may need refinement to reflect pandemic-related realities on the ground); and choice-of-law provisions (given that some states will have more established case law than others as to certain M&A topics of heightened post-pandemic relevance).
PPP Loans
Loans to a target company under the CARES Act through its paycheck protection program (PPP) also warrant specific attention as part of an M&A transaction. The parties will need to consider whether the transaction will alter the target’s eligibility as a PPP borrower (or applicant), whether prior to or after the closing or even the execution of a definitive purchase agreement, and whether approval of the U.S. Small Business Administration (SBA) is needed in connection with the acquisition of the target with outstanding PPP loans.
RWI Insurance
The use of representation and warranty insurance (RWI) in M&A transactions has exploded over the past 10+ years. As a general matter, RWI will cover unknown risks that trigger a breach of a target rep. Specified, known risks are routinely excluded, such as those disclosed within the target’s disclosure schedules, known industry risks, and the like. The COVID-19 pandemic now is, of course, a well-known matter. Accordingly, RWI underwriters are expressly including pandemic-related exposures and losses as known risks outside of the scope of a normal RWI policy. Insurers might also consider “reading in” an express pandemic exclusion to a MAC definition and/or carving out from coverage any target reps that are specifically related to COVID-19. Of course, all of this is happening in real-time in response to fast-changing circumstances on the ground.
Connect with a global network of over 30,000 business law professionals
