Petitioners were 18 individuals and entities who owned working interests in some 70 oil and gas leases in three Texas counties (the Assets).[1] The petitioners (Sellers) wished to sell the Assets after development was complete. The Sellers designated Chalker Energy Partners III, LLC (Chalker) as their representative for the sale process, who then hired Raymond James to conduct the sale.
The bidding process involved the usual steps, beginning with providing bidders access to a data room after signing a confidentiality agreement (NDA). The bidders were to then submit bids, and after receiving the bids the Sellers had 24 hours to select the winning bid. After a bid was approved by the Sellers, Chalker was to negotiate a definitive purchase-and-sale agreement (PSA) with the winning bidder.
The NDA contained a “no obligation” clause providing that “the Parties hereto understand that unless and until a definitive agreement has been executed and delivered, no contract or agreement providing for a transaction between the Parties shall be deemed to exist.” The clause goes on to provide that “the term ‘definitive agreement’ does not include an executed letter of intent or any other preliminary written agreement or offer, unless specifically designated in writing and executed by both Parties.”
Le Norman Operating LLC (LNO) expressed interest in purchasing the Assets and signed the NDA. On the deadline for the bidding procedures, November 5, LNO submitted its bid for $332 million for all of the Assets, stating that the bid was subject to “a mutually acceptable (PSA).” These negotiations eventually fell through after multiple conversations back and forth regarding an increased sale price.
The Sellers subsequently decided to sell 67 percent of the Assets, and LNO responded on November 19 with an e-mail titled “RE: Counter Proposal.” LNO specified a list of items in the proposal and gave the Sellers until 5:00 p.m. the next day to accept.
The Sellers voted to move forward with the sale based on the November 19 e-mail from LNO. Before LNO’s deadline to respond on November 20, Chris Simon, the Raymond James employee guiding the sale process, e-mailed Chalker’s vice president of land and business development, Bill Dukes, to inform him that the Sellers were “on board to deliver 67% subject to a mutually agreeable PSA.” Mr. Dukes sent LNO a revised PSA.
On November 22, Jones Energy presented Chalker with a new offer, and the Sellers elected to pursue the transaction with Jones Energy instead of LNO. Chalker and Jones Energy executed a PSA on November 28. That same day, LNO, unaware of the deal between Chalker and Jones Energy, sent a redline PSA to Chalker.
Once LNO discovered the deal with Jones Energy, LNO demanded that the Sellers honor the alleged contract entered into through e-mail exchange. Subsequently, LNO sued the Sellers for breach of contract, alleging that the Sellers breached the “agreement” that Mr. Simon and Le Norman reached through their e-mails on November 19 and November 20 to sell 67 percent of the Assets.
Analysis and Conclusion
The issue before the court was whether the e-mails between the two parties constituted a “definitive agreement.” Both parties agreed that “unless and until a definitive agreement has been executed and delivered, no contract or agreement providing for a transaction between the Parties shall be deemed to exist.” The no-obligations clause in the NDA was evidence that the parties agreed that a definitive agreement was a condition precedent to contract formation. Chalker’s acceptance stating that the purchase was “subject to a mutually agreeable PSA” demonstrated that a definitive agreement between the parties was a condition precedent to contract formation.
The court compared the exchanged e-mails between Chalker and LNO to a “preliminary agreement,” which the signed NDA specifically stated was not a definitive agreement. As further evidence that no definitive agreement had been reached, the court found that the parties had multiple documents that had yet to be negotiated, including an escrow agreement, a noncompete agreement, and a joint operating agreement. Additionally, LNO continued to modify the PSA, demonstrating that there were ongoing negotiations between the parties after the e-mails were exchanged on November 19 and November 20.
LNO argued next that there was a fact issue as to whether the Sellers waived the condition precedent by the e-mails sent on November 19 and 20. The court held that those e-mails were not a waiver of the bidding procedures and that the parties did not waive their right to a definitive agreement. Further, the court found that the no-obligation clause was unambiguous and provided both parties with the “freedom to negotiate without fear of being bound to a contract.”
Notably, the court mentioned that Chalker (and the Sellers) were protected by stating in the NDA that the term of the Agreement was one year or on the date that the parties entered into a further written agreement covering confidentiality. This was clear evidence that both parties agreed that the NDA would govern negotiations for the sale of the Assets. Additionally, the NDA stated that Chalker had the right to “conduct the process relating to a possible transaction in any manner it deems appropriate or change the procedure for conducting that process.”
Finally, the court addressed whether the Sellers and Chalker had waived their right to a definitive agreement. To waive this right through conduct of the parties, the party alleging waiver must point to evidence showing intentional relinquishment of that right or intentional conduct inconsistent with claiming that right. Although LNO points to inconsistencies in Sellers’ conduct, including a deviation in deadline and format from the specific bidding procedures the Sellers had in place, this was not sufficient evidence to show an intentional relinquishment of the right to a definitive agreement.
[1] No. 18-0352 (Supreme Court of Tex.) (argued Dec. 4, 2019, decision published Feb. 28, 2020).
A new framework for regulating virtual asset businesses in the Cayman Islands will add a welcome degree of certainty and help maintain the jurisdiction’s position as an attractive domicile for legitimate virtual asset businesses.
Introduced by the Cayman Islands Government on May 20, 2020, the new Virtual Assets (Service Providers) Law (“VASP Law”), which will come into force upon issue of a commencement order, derives from recommendations made by the Financial Action Task Force to provide for the regulation of virtual asset businesses and for the registration and licensing of persons who are providing “virtual asset services.”
As part of this framework, amendments have also been made to other pieces of legislation which will provide coherent regulation for businesses intending to issue virtual assets and businesses carrying on or intending to carry on virtual asset services.
According to definitions outlined in the VASP Law, it will likely capture all cryptocurrencies, security tokens, utility tokens, or other digital assets that are tradeable or transferable, with the exception of digital fiat currencies. It applies to any person, service provider or intermediary providing virtual asset services, such as virtual assets issuance, virtual asset trading platforms, and custody services.
Under the new law, those wishing to undertake virtual asset services from the Cayman Islands must register and/or receive an appropriate license from the Cayman Islands Monetary Authority (“CIMA”), and they will be subject to ongoing requirements, such as providing regular audited accounts and undertaking AML audits.
The VASP Law also introduces the concept of a sandbox license that provides CIMA with the flexibility to regulate relevant businesses that utilize innovative technologies and activities by imposing additional requirements to, or allowing certain exemptions from, the standard requirements within the VASP Law.
A sandbox license is meant to operate for a limited timeframe so that CIMA can assess how best to regulate a sandbox license applicant and whether legislative changes may be required to further promote the development of the innovative technologies or activities subject to the license.
Meanwhile, the Government has also amended a number of existing laws to extend to virtual assets. These include amendments to the Mutual Funds Law (“MF Law”) and the Securities Investment Business Law (“SIB Law”), which are expected to come into force at the same time as the VASP Law.
The definition of “equity interest” under the MF Law has been amended to include “any other representation of an interest.” This amendment is broad enough to capture digital tokens or other virtual assets. The result is that open-ended funds issuing redeemable tokens instead of shares or other equity interests are now covered by the MF Law and will need to be registered or licensed under that law.
The SIB Law has also been amended to extend to virtual assets. In particular, the definition of “securities” now includes virtual assets which can be sold, traded or exchanged immediately or at any time in the future that could potentially be covered by Schedule 1 of the SIB Law. The securities listed in Schedule 1 of the SIB Law are traditional securities including equity interests, debt instruments, options, and futures.
This will mean that registration or licensing under the SIB Law will be a requirement to deal in, arrange deals in, manage, or advise on virtual assets that are securities.
One significant exclusion applies for private issuers of virtual assets that are securities under the SIB Law. Where a private issuer issues, redeems, or repurchases its own virtual assets that represent shares, limited partnership interests, units in a unit trust, debt, or warrants of the private issuer, the activity is excluded. This means that private issuers issuing certain types of security tokens will not be required to register or be licensed under the SIB Law (although they may still need to be registered under the VASP Law).
Importantly, the Cayman Government’s intention has been to provide for appropriate regulation without stifling innovation. As such, it should help to maintain Cayman’s position as an attractive domicile for legitimate virtual asset businesses.
The U.S. Supreme Court held in GE Energy Power Conversion France SAS, Corp. v. Outokumpu Stainless USA, LLC, No. 18-1048, 2020 WL 2814297 (June 1, 2020), that in certain circumstances, even nonsignatories to an agreement may compel arbitration of international disputes. This ruling clarifies that the doctrine of equitable estoppel currently recognized under chapter 1 of the Federal Arbitration Act (FAA), which governs U.S. domestic arbitrations, can also be applied to international arbitration proceedings governed by chapter 2 of the FAA.
Facts and Procedural History
ThyssenKrupp Stainless USA, LLC (TS) entered into certain contracts in 2007 with F.L. Industries, Inc. (FLI) for construction at U.S.-based plants owned by TS. The contracts contained clauses requiring all disputes to be resolved through arbitration, seated in Germany, in accordance with the International Chamber of Commerce’s Rules of Arbitration (collectively, the Agreements). The Agreements also provided that FLI and all of its subcontractors would be treated as one entity for purposes of applying the terms of the Agreements. Thereafter, FLI entered into subcontract agreements with GE Energy Power Conversion France SAS, Corp. (GEP) with respect to designing and manufacturing equipment to be utilized at TS’s plants. Outokumpu Stainless USA, LLC (OS) acquired ownership of a TS plant and claimed that the equipment manufactured by GEP under the Agreements failed and caused substantial damages to OS.
OS commenced suit in state court against GEP, and GEP then removed the case to federal court and moved to compel arbitration under the Agreements. The district court granted GEP’s motion to compel arbitration and dismissed the case, holding that GEP qualified as a “party” under the arbitration clause even though it was not a signatory to the Agreements.
On appeal, however, the Eleventh Circuit concluded that the decision to compel arbitration was inconsistent with the U.N. Convention on the Recognition and Enforcement of Foreign Arbitral Awards (the New York Convention), which requires that an agreement to arbitrate be “signed by the parties.” The appellate court found that because GEP had not specifically signed the Agreements, and unlike TS and FLI was not a party to the Agreements, GEP had no right to compel arbitration. The court did not find persuasive the fact that the Agreements specifically provided that FLI and its subcontractors should be treated as one and the same, which would therefore include GEP. The Eleventh Circuit held that “[p]rivate parties cannot contract around the requirement that the parties actually sign an agreement to arbitrate their disputes in order to compel arbitration.”
In support of its argument that OS should be compelled to arbitrate, GEP had relied heavily upon the doctrine of equitable estoppel, which in this circumstance would mean that a nonsignatory to a written agreement containing an arbitration clause may compel arbitration when a signatory brings a claim arising out of the agreement against the nonsignatory. The Eleventh Circuit held that this doctrine was applicable in cases concerning domestic arbitration under chapter 1 of the FAA, which does not expressly restrict arbitration to the specific parties to an agreement, but it found that in cases concerning international arbitration, which are governed by chapter 2 of the FAA, the doctrine is not applicable because the New York Convention (as applied to international arbitration agreements) imposes such a restriction.
Decision
Upon review, the U.S. Supreme Court reversed the Eleventh Circuit and in a unanimous decision held that the New York Convention did not conflict with the doctrine of equitable estoppel and was actually silent on the question of whether nonsignatories could enforce an arbitration agreement. The court noted that the New York Convention was never intended to “set a ceiling that tacitly precludes the use of domestic law to enforce arbitration agreements.” The court found that the only provision of the New York Convention that addressed the enforceability of arbitration agreements was Article II(3). Although Article II(3) of the New York Convention mandates that the courts enforce written arbitration agreements, Article II(3) does not restrict the courts from enforcing arbitration agreements under other circumstances. The court held that because the New York Convention was “drafted against the back drop of domestic law, it would be unnatural to read Article II(3) to displace domestic doctrines in the absence of exclusionary language;” and was in fact drafted in a manner that was intended to allow domestic contract law to “fill [any] gaps in the Convention.” The court also recognized that courts of numerous contracting states to the New York Convention permit nonsignatories to compel arbitration under their domestic laws. As a result, the court reversed the Eleventh Circuit and remanded the case for further proceedings consistent with its ruling.
Conclusion
By expanding the application of arbitration to international commercial agreements comprised of multitiered arrangements whereby nonsignatories can seek to compel arbitration, the Supreme Court continues to encourage the use of arbitration as a viable and attractive means to resolve disputes.
As workforces shifted to remote work during the pandemic, trade secret information may have been subject to relaxed protective measures, inadvertent disclosures, or misappropriation. Employees, business partners, and vendors may have accessed information using unsecure personal devices, uploaded information to less secure cloud storage systems (intentionally or unintentionally), or printed sensitive documents on home printers, among other possibilities. As shuttered offices reopen, companies should develop a process to understand how employees, business partners, and vendors stored, transmitted, and otherwise used (or misused) trade secret information while working remotely and act to identify issues and resolve any problems identified.
Below is a five-step process companies can follow as employees, business partners, and vendors return to their workspaces. By taking these steps, a company can assess and address the impact of any relaxed protective measures, inadvertent disclosures, and misappropriation. This applies both to trade secrets owned by the company and those owned by a third party, entrusted to the company pursuant to an NDA or other protective measures. Moreover, should a misappropriation occur in the future, evidence that the company took these precautions will aid the company in proving it took “reasonable efforts” to maintain the information’s secrecy. For that reason, the company should document all efforts taken to preserve trade secret information as employees return to the office.
Step 1: Understand How Employees Used Information While Working Remotely
Companies should first take stock of how employees protected, used, or accessed trade secret information while working remotely. In secured office environments, employers enjoy a wealth of tools to safeguard proprietary information: access to rooms or entire floors can be restricted with keycards or biometrics; employees can be monitored to enforce personal device policies and ensure only secure devices are used; company devices can include multiple layers of protection and virus defense; and paper documents can be easily collected for secure destruction. That is not necessarily or consistently true of remote work, where employees may be tempted, or required by necessity, to access or store data on unsecure personal devices, transmit data through less secure systems (when unable to use secure systems), and create and/or keep sensitive paper documents. Simply put, risks abound when employees work from home. The first step in protecting trade secrets is to identify those risks.
Survey employees to identify all company property used offsite. In addition to big-ticket items like computers, confirm whether employees took home tablets, printers, peripheral devices, USB flash drives, hard drives, or any other digital storage device, as well as paper documents.
Confirm whether employees accessed or stored business information on personal devices. Employees may have accessed company databases or downloaded and stored company information onto a personal computer, tablet, cell phone, external hard drive, or cloud-based system. Employees also may have printed information using a home printer. The risk with printers is threefold: in addition to creating a paper record of sensitive information, modern printers often feature memory storage (where the information may remain in digital form) as well as network or internet connectivity (potentially exposing that information to hackers or other third parties).
Determine whether information was exposed to unapproved software or systems. If an employee sent or received information using a personal e-mail account or unapproved chat or collaboration tools, that information could remain stored on the software provider’s servers unless and until it is deleted. Even if the company has a confidentiality agreement in place with the service provider, that agreement may not apply if the employee uploaded information to a personal or consumer account not associated with the company. Pay special attention to employees’ use of cloud storage services and SaaS systems. Many such solutions automatically sync with personal devices. For example, a file downloaded to an employee’s smartphone may automatically upload to the employee’s personal cloud account, perhaps without the employee’s knowledge. Employers should ask whether employees have made use of cloud storage accounts or SaaS systems and, if so, confirm whether those accounts sync automatically with employees’ devices.
Step 2: Ensure Information Is Returned, Deleted, or Destroyed
After determining how employees used or accessed sensitive information, companies should take steps to ensure that information is returned to the company’s custody, deleted, or destroyed. The goal is to ensure that no proprietary information exists beyond the company’s control. In pursuing that goal, employers should take a nonaccusatory and collaborative approach with employees, keeping in mind that (1) the shelter-in-place/stay-at-home regimes were largely imposed with little notice or preparation time; (2) employee access to hardware, software, and related support may vary greatly within an organization; and (3) employee technical sophistication should be expected to vary.
Confirm company property was returned. Consider preparing a checklist for each employee listing all company property used offsite, including paper documents. Employers may obtain written confirmation from each employee that the list is complete, and all listed items have been returned to the company’s custody.
Inspect company devices—and potentially personal devices—to identify security risks. While working from home, employees may have downloaded unapproved programs or software applications onto company devices (e.g., software to connect to home printers, music streaming software, and the like). Unapproved programs can be potential security risks in that they may expose the device or company systems to intrusion, such as spyware, or may send sensitive data to third-party servers for any number of reasons or purposes. Companies should accordingly consider inspecting each company device used in a home setting to ensure that no such software is present, or if it is, address it. Under some circumstances, employers may also consider performing a more comprehensive forensic analysis to verify whether an employee downloaded business information onto personal devices, such as a USB drive. A forensic analysis may be appropriate if the employee is known to have worked with trade secret information from home (such as a software engineer on a development team), gave evasive answers in response to the company’s property use survey, could not remember whether he or she transferred information to a personal device, or allowed others to use company devices for noncompany purposes, including children engaging in remote learning on a company device.
Collect paper documents for proper destruction. If an employee took home paper documents or printed business information at home, require the employee to return the documents to the company (or the company’s vendor) for proper destruction unless the employee can confirm proper shredding at home. Make it easy for the employee to comply because some employees possessing voluminous paper records may be tempted to simply toss them in the trash. Consider sending a courier to pick up the documents, using a remote shredding company that will perform house calls, or supplying prepaid boxes to return paper documents by mail to the company.
Consider inspecting personal devices to ensure no information remains. If the company has a device inspection policy granting it the right to examine personal devices, consider exercising that right and verifying that no business information remains on such devices. Consult legal counsel before inspecting personal devices to ensure the company does not violate privacy rights.
Confirm information has been deleted from personal devices and software. Obtain each employee’s written confirmation that no company information remains stored on any personal device or in any personal software account, including personal e-mail or cloud storage accounts. Provide detailed information as to where data may reside and offer technical assistance to employees who may be unfamiliar with how to properly locate and/or delete data. Remind employees of any confidentiality obligations set out in their employment agreement or proprietary rights agreement with the company.
Step 3: Reinstate Relaxed or Suspended Policies and Security Protocols
In the rush to transition to remote work or based on technical necessity, companies may have relaxed or even suspended policies or protocols designed to preserve trade secret information. Now is the time to reinstate those policies and protocols and to determine whether any inadvertent disclosures occurred. For example, if the company temporarily lifted restrictions on the use of personal devices for company tasks, the restriction should be reinstated once employees have returned to their workspaces. Similarly, if the company loosened access to systems housing sensitive information (such as allowing remote access to certain records outside of a VPN), prior restrictions should be restored. To avoid confusion, the company should clearly communicate to employees which policies have been reinstated and provide training as needed.
Step 4: Confirm Business Partners and Vendors Are Protecting the Company’s Trade Secrets Following a Similar Process
Depending upon the scope of a company’s contract rights and its respective bargaining power with its business partners and vendors, especially technology vendors (e.g., contract manufacturers and designers), companies should take steps similar to those detailed above for returning employees to assess and address the impact of any relaxed protective measures, inadvertent disclosures, or misappropriation by their business partners and vendors stemming from remote working. Some contracts require that a party receiving a company’s trade secret or confidential information must invoke protective measures at least as strong as the receiving party applies to protecting its own trade secret or confidential materials. Some contracts require the receiving party to enact and follow specific, defined protective measures (such as government, regulatory, or industry standards) or measures at least as strong as the disclosing party follows. Moreover, as a verification or confirmation mechanism, many of these contracts provide the disclosing party audit rights or rights to request a certification that the required policies and protocols are in place and followed. Companies should carefully review their contracts on these points with legal counsel.
It is especially important for companies that derive great value from their trade secrets (including competitive advantages and differentiation), and that disclose those materials to business partners and/or vendors subject to NDAs or other protective measures, to follow these steps or similar steps and not limit the investigation to their own internal employees. This is because under state and federal law, trade secret information may lose its trade secret status if inadvertently disclosed or otherwise not reasonably protected, regardless of who is to blame for the inadvertent disclosure or for the failure to follow reasonable protective measures. In other words, a failure by a company’s business partner or vendor to maintain the secrecy of the company’s information could invalidate the trade secret. As a result, trade secret owners must remain vigilant and not blindly relinquish stewardship of their trade secret information to their business partners and vendors. Companies should consult with legal counsel and review applicable agreements before reaching out to business partners and vendors.
Step 5: Be Particularly Vigilant With Employees, Business Partners, and Vendors With Whom the Company Separated During the Pandemic
The pandemic and associated stay-at-home orders forced many companies to furlough and lay off employees, including senior engineers and executives with access to important trade secret information. Similarly, the resulting changes to the economy have forced companies to curtail supply relationships, suspend new product lines, exit or shut down joint ventures, and cancel contracts. Whether justified or not, these actions can result in hurt feelings and worse. Under these circumstances, former employees, business partners, and vendors may be inclined to take or retain a company’s critical business information on the way out the door, including passwords, source code, customer lists, personal and technical data, business plans, financial information, and more. In some cases, the departing employee, business partner, or vendor intends to use the information to establish operations elsewhere. In other cases, the intent is more nefarious and meant to harm the company.
In any event, as return to work occurs, it is critical to use whatever tools may be at hand to review what may have been kept or taken by departed colleagues and partners, and to use legal tools to get the information back. Companies should carefully review the termination clauses in their employment agreements, joint venture agreements, and other contracts with legal counsel and affirmatively exercise their legal rights to obtain or destroy information that might otherwise leave the company inadvertently. If information is missing that includes personal identifiers, it may be necessary to evaluate the company’s obligations under U.S. and international privacy laws as well.
The unprecedented impact of COVID-19 on the American economy has forced many businesses of all sizes and in all industries to seek some form of financial relief. Perhaps the most prominent source is the Coronavirus Aid, Relief, and Economic Security Act (commonly known as the CARES Act), which provides over $2 trillion in assistance through the largest economic stimulus package in U.S. history. A common example of funding under the CARES Act is through the Paycheck Protection Program (PPP) in the form of loans to certain businesses. The CARES Act allocates funds through numerous provisions, the two largest of which are dedicated to corporate and small business loans. Many businesses that receive federal funds will also seek recovery from a second, hotly debated source: insurance. Whether companies are pursuing payment for business interruption, event cancellation, or some other loss, the coming years will bring litigation over coverage and a critical question: Are insurance companies entitled to an offset for any relief that a business receives from the CARES Act (or are losses reduced by any of the ancillary payments for other reasons)? As is often the answer in the legal world, it depends.
While insurers may insist that any CARES Act payment must reduce what is owed under a policy, the analysis begins (and may sometimes end) with the policy itself. The right to an offset is just that—a right that must be grounded in the insurance contract. Many insurance policies contain clauses that specifically address how recoveries from other sources will impact the insurance payout. This frequently takes the form of a “Salvage and Recoveries” provision, “Collection from Others” provision, or some type of subrogation clause. If a policy is devoid of any such language, this should end the inquiry. While different states may have common law doctrines that could affect the outcome, an insurer has no contractual basis to complain. It could have addressed this risk in its policy and failed to do so. As is the case in many jurisdictions, the coverage must be construed broadly and the benefit of the doubt goes to the party that suffered the loss—not the insurance company.
Even when an insurer does address other-source recoveries in its policy, an offset is not necessarily required. Just as before, the policy language and law are key. Generally speaking, one kind of policy provision addressing offset is intended to reduce the carrier’s obligation to pay for the same losses that a policyholder has already recovered from another source. As courts have explained, this requires consideration of the intent behind the “other” funds received by the policyholder. If the statute’s intent is to compensate the company for something other than its losses, courts have held that such a recovery does not entitle the insurer to an offset. That is because the insurance company is obligated to pay for one thing, and the collateral payment may be used to compensate for something different.
This issue was considered in Northrop Grumman Corp. v. Factory Mut. Ins. Co.,[1] where Northrop made an insurance claim for lost earnings from property damage caused by Hurricane Katrina. The federal court in California rejected the insurer’s argument that it was entitled to an offset for federal income tax relief that Northrop received under the Katrina Emergency Tax Relief Act of 2005. Because the Tax Relief Act “was conceived as an incentive to retain employees rather than compensation for a loss,” the court found that the credit received by Northrop was “not a ‘recovery’ or ‘collection for such loss from others’ under the policy language.”
Subrogation clauses are another type of provision on which insurers may rely to claim entitlement to an offset. Such a clause typically provides that “if any person or organization to or for whom we make a payment under this Coverage Part has rights to recover damages from another, those rights are transferred to us to the extent of our payment.” Addressing an offset claim under this language, a Louisiana federal court held that the insurer, RSUI, needed to establish that the policyholder had a “right to recover damages” from the other source.
In Cameron Parish Sch. Bd. v. RSUI Indem. Co.,[2] CPSB was entitled to recovery under its flood insurance policy and received assistance from the Federal Emergency Management Agency (“FEMA”) in the wake of Hurricane Rita. RSUI argued that it was entitled to an offset because CPSB was attempting to “re-characterize and ‘double recover’ alleged losses . . . that [were] already [] allotted or promised from FEMA.” The court rejected this argument, holding that “RSUI has not demonstrated that CPSB has a ‘right to recover damages’ from FEMA, and as such, RSUI is not entitled to receive an offset for FEMA funds.” The insurer failed to present evidence of FEMA payments or cite any authority where an insurer was entitled to receive an offset from FEMA payments.
Determining whether CARES Act payments create offset rights for insurers can be impacted by the section under which payment is made and how the recipient ultimately spends the money. For example, one of the most popular sections of the Act is the Small Business Paycheck Protection Program, which is generally open to small businesses with 500 or fewer employees. Funds are provided in the form of loans that will be fully forgiven when used for payroll costs, interest on mortgages, rent, and utilities. At least 75% of the forgiven amount, however, must have been used for payroll. None of these elements are expressly intended to compensate businesses for lost income due to the COVID-19 pandemic. But this is where the policy language becomes key. Business interruption policies may address some of these elements, potentially creating room for debate as to whether an offset is appropriate. Other policies, however, provide coverage entirely unrelated to the compensation that a business might receive under the CARES Act. The greater the distinction between the coverage and the statutory payment, the less likely it is that an offset is due.
Regardless of the type of policy provision at issue, the burden of proving entitlement to an offset will almost uniformly fall to the insurance company. And, as is the case in most jurisdictions, any uncertainty will be interpreted in favor of the policyholder and broader coverage. This was precisely the case in Yorktowne Shopping Ctr., LLC v. Nat’l Sur. Corp.,[3] where the court ruled in the insured’s favor after the insurer failed to demonstrate which portions of a separate recovery entitled the carrier to an offset. Policyholders are placed at an advantage from the outset, as the evidentiary burden and the benefit of the doubt are both in the insured’s favor.
Though insurance companies may seek to deduct any CARES Act recoveries from their insurance payouts, the inquiry is more nuanced than simple arithmetic. Carriers will be quick to point the accusatory “double recovery” finger at policyholders to ensure that they pay out as little as possible. But the “double recovery” accusation assumes the answer. Policyholders, in turn, must be prepared to show that a setoff is not warranted. Ultimately, courts will have to carefully consider whether there is overlap between the statutory payment and the insurance coverage at issue and if there is a basis in the insurance policy to allow the insurer to an offset or to otherwise reduce the loss it is obligated to pay. As with many other aspects of COVID-19 and its ramifications, it is too early to tell how all of the different insurance angles will play out.
[3] Yorktowne Shopping Ctr., LLC v. Nat’l Sur. Corp., No. 1:10-CV-1333, 2011 WL 4829933 (E.D. Va. Oct. 11, 2011) (noting that the party who asserts an offset must prove its claim, and that the insurer failed to offer sufficient evidence to show which portions of a separate judgment and security deposit required an offset under its policy).
Throughout the 20th and 21st centuries, every national crisis in the United States has left a long wake of investigations in its trail at all levels of government. Those governmental investigations and enforcement actions have followed a familiar pattern when arising out of a public crisis.
First, investigative and regulatory bodies at both the federal and state levels target the obvious scammers. In the context of the COVID-19 crisis, this includes obvious frauds such as selling snake oil as a panacea to COVID-19; selling fake tests to consumers and to states; and promising to deliver medical supplies to hospitals, receiving payment from the government, and then disappearing before ever delivering the goods. This “first wave” of enforcement actions generally takes priority among regulators because the conduct at issue directly impacts public safety. Indeed, the Office of the Inspector General (OIG) announced a “strategic plan” outlining the following four goals relating to the enforcement and protection of the Department of Health & Human Services’ (HHS) COVID-19 response and recovery efforts: (1) protect people, (2) protect funds, (3) protect infrastructure, and (4) promote effectiveness of HHS programs—now and into the future.[1] Unsurprisingly, COVID-19’s first wave has already begun.[2]
Once the first wave is well underway, the government shifts focus to its next target: the more reputable companies and businesses operating in a potentially “grey” area. Typically, the targets of these cases believe they complied with the law but have a genuine disagreement with the government about how a law, regulation, or contractual condition should apply or be interpreted. Although these cases are more resource-intensive, they correspondingly present an opportunity for the government to recover larger amounts of money and generate bigger headlines. These cases constitute the “second wave” of enforcement; notably, most investigative and regulatory bodies follow this two-wave paradigm, whether it be the U.S. Department of Justice (DOJ), the state attorneys general, the Federal Trade Commission, the Consumer Financial Protection Bureau, or the most recent player, local governments.
In the context of the COVID-19 crisis, the second wave is coming, and when it hits, it will be a tsunami.
1. What the COVID-19 Tsunami Will Look Like
The second wave of the COVID-19 crisis is likely to be more extreme and long-lasting than ever before. The factors leading up to the second wave are unprecedented in our history—the federal government has disbursed trillions of dollars to the private sector with minimal federal oversight—and those factors create an environment that is ripe for downstream allegations of fraud. The federal government will have a groundswell of public support to exact retribution against those companies and individuals who took advantage of the public trust during the crisis. In parallel, state and local governments are starving for revenue as a result of severe budget shortfalls caused by COVID-19. As such, the need for funding will usher in an unparalleled era of state and local enforcement action, where states, led by state attorneys general, and localities will rely on lawsuits and investigations as a means of recapturing lost revenue for both consumers and the governmental entities more so than ever before.
A. The Federal Government’s Disbursement of Funds
Whenever the federal government disburses funds to private actors, especially at alarming rates, an environment exists for fraud to flourish because those funds are typically disbursed with numerous conditions tied to them. Such conditions can take the form of details in the statute, regulations promulgated by agencies, or even less formal regulatory guidance. Yet, the risk that many companies accepting those funds run is the failure to comply, even inadvertently, with the “fine print,” thus exposing them to claims of having wronged the government.
In such times, the federal government will turn to a familiar and favorite tool in its box: the Federal False Claims Act (FCA), 31 U.S.C. § 3729–3733. The FCA is no stranger to the healthcare, medical device, or pharmaceutical industries in that the DOJ has used it extensively for decades to successfully combat fraudulent claims for reimbursement submitted to Medicare, Medicaid, TRICARE, and other governmental payors, and to recover tens of billions of dollars in the process. The FCA is a particularly potent tool because it enables the federal government to recover not only treble damages, but also statutory penalties of $5,500 to $11,000 per violation. The crippling exposure that the FCA often generates, sometimes in the billions, is enough to strongarm most companies into lucrative settlements, even where those companies have highly meritorious defenses.
This tool is likely to be front and center in the investigations and enforcement space over the next five to ten years. In the first three months of the COVID-19 crisis, the federal government disbursed trillions of dollars to stimulate the economy to save small businesses and to facilitate the transfer of personal protective equipment (PPE), ventilators, testing, swabs, prescription drugs, and other medical supplies to states and localities. In an effort to contribute during the national crisis, numerous companies have answered the call to provide the necessary medical supplies that states and the nation required to save lives, accepting federal government dollars as payment for those services.
To the extent those companies did not fully comply with all of the terms and conditions of taking those funds, however, they face the very real risk of allegations of fraud or other impropriety by employee whistleblowers or the federal government. That risk is heightened by the speed at which these contracts were executed and funds received, where there often was insufficient time for a thorough review of the associated obligations by outside counsel or even in-house legal departments in some cases.
For these reasons, a spike in FCA investigations and lawsuits is likely coming. Indeed, the OIG has already stated its intentions to audit fund recipients in connection with its goal of protecting HHS funds.[3] Although no industry is immune, the healthcare, pharmaceutical, biotech, and medical supply industries are especially at risk; similarly, companies that participate in the manufacturing, distribution, and brokerage of medical equipment are likely to be hard hit. In the same vein, hospitals, long-term care facilities, testing labs, and nursing homes must be on high alert.
B. The State Response and the Role of State Attorneys General
States, meanwhile, are in dire straits as a result of budget shortfalls caused by COVID-19. The impact will likely continue to plague states for at least the next three to five years. The stay-at-home orders across the country have decreased sales tax revenue, delayed deadlines for filing state income tax returns and paying state income taxes due, and vastly reduced the use of public transportation and toll roads. At the same time, the federal government has largely required the states to assume the responsibility for procuring PPE, tests, ventilators, and other medical supplies at their own expense. Neither the CARES Act nor other federal legislation disbursing federal funds provided significant relief to the states in this regard.
Making matters worse, many states claim to be victims of fraud and contractual breaches at the hands of the private sector. The governor of Massachusetts, for example, claimed that “millions of pieces of [medical] gear evaporate[d] in front of us” after confirmed orders with private vendors. Likewise, Maryland canceled a $12.5 million contract for PPE with a firm that allegedly failed to deliver masks and ventilators as promised. That matter has already been referred to Maryland’s attorney general for review.
States, though, have more ability than ever to combat these two problems simultaneously. Most states have noticed the potency of the federal FCA and enacted state analogs to that statute over the past three decades; however, only recently have states started enforcing them aggressively. That trend is likely to intensify because the state false claims acts empower states to recover treble damages and statutory penalties of approximately $5,500 to $12,000 per violation against actors who defraud the state—a windfall in this era where states are desperate for dollars. Even some large localities, like Miami-Dade and Philadelphia, have tagged along and implemented analogous ordinances, and like their federal counterpart, the exposure generated by these state and local false claims acts often forces companies to the settlement table, even where they have worthwhile legal defenses. Such settlements, even at the state or local level, are rarely cheap. Consequently, states and localities will have incentive to file claims under these statutes to pursue revenue windfalls that can help offset their budgetary gaps.
In addition, state attorneys general have ratcheted up enforcement actions in recent years. In addition to prosecuting cases under the state false claims acts, state attorneys general also have power to bring actions against companies that are reported for violations that harm consumers under state consumer protection acts. In light of the public harm that COVID-19 has inflicted, consumer protection act cases are likely to skyrocket in coming months. For these reasons, companies must look not only at the activity of DOJ and federal regulatory bodies, but also at enforcement trends and activity commencing at the state and local level.
Together, the forthcoming investigation and enforcement actions by the federal, state, and local governments will create a tsunami, the likes of which the private sector has never seen.
2. How Companies Can Prepare
There are several steps companies can take to reduce the risk of, and defend against, regulatory inquiries:
Prioritize compliance programs and involve both the compliance department and in-house legal department in all aspects of decision-making during the COVID-19 crisis, including the decision to accept federal funds. Document in detail decisions that were made and the reasons for doing so.
Carefully consider all aspects of accepting federal funds, including the statutory, regulatory, and contractual terms implicated by that acceptance. Closely scrutinize any submission to a government actor that could be construed as a misrepresentation or material omission.
Ensure complete transparency when interacting with federal, state, and local government actors when a government contract or public funds are involved.
Carefully think through the ethical or moral implications of decisions involving governmental funds or contracts. Dilemmas raising ethical or moral considerations are the type to generate media coverage and public interest when a company makes a controversial decision and are also the type that can catch the attention of regulators.
Seek the outside advice of someone with expertise in this area of the law when confronting novel or thorny issues that implicate the federal, state, or local government.
Monitor settlements and enforcement actions because they will provide visibility into ongoing regulatory trends.
Among the interesting data points highlighted in a new report on M&A appraisal litigation in Delaware is the steep decline in both appraisal petitions and cases since 2016.[1] That year, the Delaware Court of Chancery saw its highest-ever number of petitions (76) and cases (47), but over the past two years, those numbers have declined significantly. There were only 26 petitions in 2018, the lowest number since 2012; likewise, cases decreased to their 2012 levels as well. What explains this multiyear decline?
The Delaware Supreme Court’s reversal in DFC Global Corporation v. Muirfield Value Partners L.P.,[2] an appraisal decision on the 2014 acquisition of DFC Global Corporation, occurred in August 2017, and it is likely no mere coincidence that the trend line for appraisal petitions entered its swoon shortly thereafter. In DFC, the Chancery Court gave less weight to the deal price in favor of a “blend of three imperfect techniques”—including deal price, company valuation, and discounted cash flow (DCF) valuation, each equally weighted—and then proceeded to reach a deal price of $10.30 per share, an 8.4 percent premium over the deal price of $9.50 per share.
On appeal, the Delaware Supreme Court reversed and remanded. Chief Judge Leo Strine stopped short of embracing a full-scale presumption in the accuracy and reliability of deal price, but did make clear that under the prevailing circumstances, deal price should receive greater weight. He reasoned that “[m]arket prices are typically viewed superior to other valuation techniques because, unlike [for example], a single person’s discounted cash flow model, the market price should distill the collective judgment of the many based on all the publicly available information about a given company and the value of its shares.”
Furthermore, because the “Court of Chancery found that the sales process was robust and conflict-free,” the Supreme Court found no reason to justify giving the deal price merely one-third weight. The Supreme Court concluded its decision by rejecting the Chancery Court’s argument that the nature of the buyer—in this case, a private equity firm—reduced the fairness of the deal price because a private equity firm’s willingness to pay a certain price does not necessarily equate with an unfair value.
The Delaware Supreme Court’s stance on the primacy of deal price in DFC was further clarified shortly thereafter when the court weighed in once more in Dell, Inc. v. Magnetar Global Event Driven Master Fund Ltd.,[3] again reversing the Chancery Court’s decision and reaffirming its view of deal price as a useful metric, yet again stopping short of endorsing it as the sole and decisive metric. Ignoring both the company’s pre-deal announcement stock price and the deal price in reaching its fair value determination of $17.62—a 28.1-percent premium over the deal price of $13.75—the Chancery Court relied instead on its own DCF analysis. The Supreme Court reversed, holding that the record “suggested that the deal price deserved heavy, if not dispositive, weight.” As in DFC, however, the Supreme Court in Dell refrained from giving full weight to the deal price, stating that creating a presumption in favor of deal price runs afoul of the Delaware appraisal statute’s guidance to “consider all relevant factors.” Nevertheless, the Supreme Court cautioned that in particular cases, one factor—such as the deal price—may rise above others in terms of importance, depending on the evidence supported by the record. The Supreme Court also criticized the Chancery Court’s decision to award a fair value that is higher than what the market was willing to pay for Dell’s stock, taking a position that both courts would later endorse.
These two reversals form the backdrop against which we have seen the rapid decrease in appraisal litigation in Delaware. For those who might have hoped for a signal from the Delaware Supreme Court that it is backtracking on its embrace of deal price, the court’s April 2019 en banc opinion in Verition Partners Master Fund Ltd. v. Aruba Networks, Inc.[4] provides very little reason to believe the court is growing more skeptical of the primacy of deal price. Although the Aruba decision sheds light on the Supreme Court’s existing precedent, it leaves some related questions unanswered, particularly regarding target valuation in the take-private context.
Like DFC and Dell, which were decided while the Aruba appeal was still pending, Aruba involved a Delaware statutory appraisal claim by the shareholders of Aruba Networks, Inc. following its acquisition by Hewlett-Packard. Notwithstanding the precedent established in DFC and Dell, the Chancery Court ultimately relied solely on the unaffected trading price of the seller leading up to the transaction—that is, the average trading price of Aruba Networks’ shares during the 30 days prior to when the news of the merger with HP emerged. The Chancery Court considered two other valuation methods, including the parties’ competing DCF analyses and the merger price less synergies, but dismissed both as unreliable measures of fair value.
The Supreme Court once again reversed in an unusually combative opinion. Rejecting the Chancery Court’s reliance on Aruba Networks’ market price, the court reiterated the position it expressed in Dell that market prices “can be a proxy for fair value” and that “the price a stock trades in an efficient market is an important indicator of its economic value that should be given weight.” The Delaware Supreme Court concluded that Vice Chancellor Laster erred in finding “that an informationally efficient market price invariably reflects the company’s fair value in an appraisal.” Conversely, the Supreme Court reiterated that an efficient market price “further informed by the efforts of arm’s-length buyers” to find a fair deal price based on a diligence-driven analysis “is even more likely to be indicative of so-called fundamental value.” In other words, “after a process in which interested buyers all had a fair and viable opportunity to bid, the deal price is a strong indicator of fair value, as a matter of economic reality and theory.” The court made clear that its decisions in DFC and Dell did not compel “rote reliance” on market price when calculating fair value, but clearly held the conclusion that deal price less synergies is the best method to assess Aruba’s going concern value, where “synergies” is defined as “other value the Buyer expects from changes it plans to make to a company’s ‘going-concern’ business plan.” The valuation of such synergies is a matter of fact to be assessed based on the record.
Among its many noteworthy takeaways, Aruba strengthens the focus on deal price in an arm’s-length transaction and goes a step further than DFC and Dell by deducting the synergies from the deal price in order to get to the fair value price. Though critical of the Chancery Court’s opinion, the Delaware Supreme Court sides with the Chancery Court’s position—and reinforces recent Delaware jurisprudence—by holding that the deal price should act as a ceiling for a valuation, a result that will likely reinforce the trend in place since 2016 toward decreasing numbers of appraisal petitions. For example, the Supreme Court’s fair value appraisal in Aruba resulted in a 22.6-percent reduction from the deal price, an outcome that would remind petitioners not to overly rely on the statutory appraisal right, especially if there is no clear and convincing basis for such an appraisal claim.
However, Aruba did backtrack in one notable instance. In a clear change of positions, the Supreme Court in Aruba agreed with past Chancery Court arguments, noting that the type of buyer—such as a private equity firm versus public company—might impact the fair value determination because the synergies to be deducted from the deal price could be different based on the new owner. Unlike the case of a public company buyer with characteristically broad stock ownership, ownership of companies in the private equity setting tends to be far more concentrated, which can create efficiency and reduce agency costs. This circumstance can lead to a potentially different calculation for the cost of synergies to be deducted from the deal price. How this precedent will be applied to the valuation of targets in take-private transactions is not entirely clear from the recent jurisprudence, but we see no reason to believe that a return to 2016 levels of appraisal litigation is in the offing.
Chauncey M. Lane is a partner in the Dallas office of Reed Smith LLP. He regularly advises domestic and international clients on buy- and sell-side mergers, divestitures, asset acquisitions, going-private transactions, debt and equity offerings, and corporate governance. He also counsels fund sponsors on all aspects of fund formation, capital raises, and investment adviser compliance, often serving as outside general counsel.
George Khoukaz is an associate in the Kansas City office of Husch Blackwell LLP and a member of the firm’s Corporate and Securities practice group. He regularly advises domestic and international clients on complex commercial and capital market transactions.
This article has been published in PLI Current: The Journal of PLI Press, Vol. 4, No. 1 (2020).
The COVID-19 pandemic has had a disparate effect on privacy regulators, with varying levels of enforcement advocated by different government entities. The California Attorney General, the U.S. Department of Health and Human Services (HHS), European data protection authorities, and other regulators have taken different, often contradictory, approaches to dealing with the competing interests of a struggling economy and the threat of increased privacy and cybersecurity violations. These contradictions are likely to persist, as competing privacy legislation was recently introduced in Congress to regulate the collection and use of personal information during the COVID-19 pandemic.
Businesses struggling with the virus’s economic impact are striving to allocate resources for maximum financial benefit; simultaneously, risks to personal information and privacy rights have increased in a remote global workforce where phishing, malware, and other cyberattacks proliferate and the political pressure to collect and track medical information regarding COVID-19 infections mounts. With the seemingly competing interests of protecting the bottom line and addressing a heightened threat to privacy, some privacy regulators are responding to these new realities by relaxing enforcement efforts, while others decline to do so in recognition of the current risk to privacy and information security.
Below is an update on how different regulators have responded regarding enforcement since the COVID-19 national emergency was declared.
The California Attorney General Remains Steadfast on the California Consumer Privacy Act
The California Attorney General has declared that despite the pandemic, it will not delay enforcement of the California Consumer Privacy Act (CCPA), which is set to begin on July 1.
In late March, as the extent of the COVID-19 pandemic was becoming clear, a joint industry letter by advertising and adtech trade associations asked the Attorney General’s office to delay enforcement of the CCPA until 2021. The letter highlighted that “[t]he public health crisis brought on by COVID-19 juxtaposed with the quickly approaching enforcement date for the CCPA places business leaders in a difficult position. They are forced to consider trade-offs between decisions that are best for their employees and the world at-large and decisions that may help the organizations they lead avoid costly and resource intensive enforcement actions.”
In an email to Forbes magazine, an advisor to the Attorney General responded, “Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first … We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.”
On June 2, 2020, the Office of the Attorney General announced that it had submitted the Final Text of the Proposed Regulations to the California Office of Administrative Law (OAL) for approval. The Office of the Attorney General requested an expedited review period of thirty (30) business days which, if approved, means the Final Text of the Proposed Regulations could become effective in mid-July. With less than 30 days until the planned enforcement date, businesses subject to the CCPA should ensure that their CCPA compliance efforts remain on track. As a further incentive to ensure your compliance framework is in place, the California Privacy Rights Act (CPRA), commonly referred to as CCPA 2.0, has garnered enough signatures to appear on the November 2020 ballot in the state of California. Among other measures, the CPRA would create a new enforcement agency (the California Privacy Protection Agency), expand data breach liability, and impose additional obligations on service providers, third parties, and contractors. In a nod to the business community, the CPRA would extend the current moratoriums on certain employee and business-to-business data from 2021 to 2023.
European Regulators Signal Flexibility
The European Data Protection Board (EDPB), an agency created under the General Data Protection Regulation, issued a statement on the processing of personal data in the context of COVID-19. The EDPB stated that even during this pandemic, data controllers and processors must ensure the lawful processing of personal data, but it also noted that an “emergency” might legitimize “the restriction of freedoms provided these restrictions are proportionate and limited to the emergency period.”
The EDPB provided clarification on how public health authorities and employers can process personal data in the context of a pandemic, pointing to legal bases such as processing pursuant to a legal mandate of a public authority and compliance with health and safety obligations that are in the public interest.
The EDPB also issued two new guidelines: (1) “Guidelines 03/2020” on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak and (2) “Guidelines 04/2020” on the use of location data and contact tracing tools in the context of the COVID-19 outbreak. “Guidelines 03/2020” allows health data to be processed for the purpose of scientific research with the consent of the data subject, as long as there is not a significant power imbalance, or without consent for the purpose of complying with national legislation. “Guidelines 04/2020” discusses the use and collection of location data to map the spread of the virus and contact tracing for notification purposes. The guidelines provide that contact tracing applications should be voluntary, rely on proximity information regarding users rather than tracing individual movements, and grant preference to processing anonymized data where possible. The EDPB emphasized in its guidance that response to the crisis and protection of the right to privacy are not mutually exclusive.
Data protection authorities in nearly all EU member states and the United Kingdom have issued similar guidance on the processing and sharing of personal data related to COVID-19. Organizations should continue to monitor guidance issued by the EDPB, the United Kingdom, and national data protection authorities in the countries in which organizations have a presence.
Department of Health and Human Services Relaxes Enforcement of the Health Insurance Portability and Accountability Act
Perhaps the most critical response to the COVID-19 pandemic has been from the Office of Civil Rights in HHS, which is charged with the enforcement of the Health Insurance Portability and Accountability Act (HIPAA). Compounding the conflict between the conservation of resources to protect the bottom line and heightened privacy concerns in the crisis is a third element in play under HIPAA: the critical role of protecting the privacy and security of personal medical and health information as the crisis escalated.
While covered health care entities must continue to comply with the privacy and security rules under HIPAA, HHS has issued guidance and relied on its discretion to relax enforcement and waive penalties for community-based testing sites, public health and health oversight activities conducted by business associates, disclosures made to law enforcement and first responders, and telehealth service providers. With the proliferation of telehealth services during the pandemic, it remains to be seen whether HHS will extend its policy of relaxed enforcement after the emergency has subsided.
Federal Trade Commission Warns of Increasing Threat
On May 19, the Federal Trade Commission (FTC) issued a public warning regarding scammers posing as contact tracers hired by state governments to obtain personal information such as Social Security Numbers from unsuspecting individuals. A few days later, in coordination with the Federal Communications Commission, the FTC instructed service providers that enable robocalling to terminate services to any customers exploiting the pandemic to obtain sensitive information from individuals, threatening such providers with “serious consequences” for failure to comply. These recent statements by the FTC follow warnings of surging complaints since the beginning of the year (upward of 18,000 as of mid-April) related to the coronavirus and signals of increased enforcement activity by the agency.
Congress Proposes Competing COVID-19 Privacy Legislation
Reflecting the larger clash of interests, conflicting privacy legislation is currently pending in both houses of Congress. The COVID-19 Consumer Data Protection Act, introduced by Republican senators in May, seeks to regulate the collection and processing of personal health information, geolocation data, identifiers, and other data during the health emergency. Shortly thereafter, Democratic members of the House proposed the Public Health Emergency Privacy Act, which would broadly regulate “data linked or reasonably linkable to an individual or device, including data inferred or derived about an individual or device.” Most notably, the House bill includes a private right of action (a right not included in the Senate bill). Then, on June 1, 2020, Senators from both sides of the aisle introduced another Senate bill called the Exposure Notification Privacy Act (ENPA), which would regulate contact tracing and exposure-notification apps. Among other obligations, the ENPA would require affirmative express consent to collect data from an individual, including COVID-19 status and geolocation, and includes restrictions on how such data may be used. Despite their differences, the speed at which these three bills were introduced underscores the urgency in Congress to address contact tracing technologies and to hold government and businesses accountable for how collected personal information is used. Congress has not yet succeeded in passing national privacy legislation. Nonetheless, given the current exigent circumstances, if any one of the proposed bills is passed, it could form the basis for future, more expansive general privacy legislation at the federal level.
What You Need to Know
The CCPA is set to become enforceable on July 1. If your business is regulated by the CCPA, you have a limited window to comply.
Government authorities have pursued different, frequently contradictory, approaches to enforcing data privacy and cybersecurity regulations during the COVID-19 pandemic.
It is imperative that you understand the data privacy and cybersecurity regulations applicable to your business and develop creative compliance programs that respect the integrity and security of personal information and maximize its value to your business.
If the potential for new federal privacy legislation is realized, additional regulations will be forthcoming, including regulation of contact tracing programs to combat the COVID-19 pandemic.
As the world grapples with the continued spread of COVID-19, along with the unsettling public health and economic concerns, there are a number of uncertainties surrounding data security and privacy.* Efforts to contain the virus differ from country to country, as do the strategies surrounding the collection of data to aid in “contact tracing” that will surely be the subject of debate for years to come, with legal experts defining—or redefining—just how far governments and tech companies can go.
In order to counter the threat of the virus, countries have been adopting drastic measures, such as utilizing geolocation data and social contact history, leading to a number of complex privacy questions for both public and private entities involved in the process. This has created a substantial need for clarity from legal professionals and data protection authorities (DPAs) across the globe, many of whom are publishing guidance on best practices for collecting and processing personal data related to COVID-19 in order to stay in line with obligations under privacy and data security laws.
Most discussed in the public eye currently is Google and Apple’s recent announcement about their extensive coronavirus partnership. In the next few months, they will unveil updates to their operating systems to enable contact tracing to help identify carriers of the virus so they can be isolated from the public. It works by tracking with whom one comes into contact by recording where one’s Bluetooth connects with other nearby devices. Once approved, government health agencies will be able to utilize the app to track physical proximity among phones. The system is Bluetooth-only, fully opt-in, and collects no location data from users.
It all sounds good in theory; however, security experts are pointing to potential flaws in the system, including techniques that could reveal the identities of COVID-19-positive users and help advertisers track them, or invent false positives from users with malicious intent.
Most countries affected by COVID-19 are adopting their own version of contact tracing, and nearly all are going digital and leveraging the power of smartphones through Bluetooth or geolocation data. The Google and Apple announcement has propelled public attention and concern on the topic of privacy laws.
Governments Consider Surveillance Methods That Push Limits
In China, telecommunications organizations helped the government track and contact those who had traveled through Hubei province in the early days of the virus. Location data was then channeled to China’s Health Commission, which allowed them to trace the steps of those infected.
In Israel, the government passed an emergency law to use mobile phone data to track those who test positive for COVID-19 as well as identify others with whom they have come into contact and may have infected. This method has typically been reserved to counter-terrorism operations, but it is now being used to track infected patients and their phone contacts. If someone found to be positive for COVID-19—or someone who was in close contact with one—disobeys quarantine, they receive a text message or call ordering them to return home. If they don’t, the police are called.
Since the start of the pandemic, countries to the west have been paying close attention to how countries like China and Israel have used data collection and apps as part of their public health response. Many critics have raised concerns about privacy and potential illegal use of data, especially as the virus has spread through Europe and the United States.
The European Union and a “Pan-European” Approach
In the European Union, contact tracing must be compliant with the EU’s privacy law, the General Data Protection Regulation (GDPR), as well as separate laws specific to the given EU country. Still, EU nations can make their own exceptions to the rules temporarily for emergencies. For example, Italy adopted a decree to address the intersection between the GDPR and COVID-19, the need for processing special categories of personal data, and how some data-protection rights could be halted to combat the coronavirus.
GDPR Article 6 provides that processing personal data without consent is lawful where it is necessary for compliance with a legal obligation to protect the public interest or to protect an individual. In fact, it provides specific language on not needing consent for monitoring epidemics, pandemics, and their spread, or in situations of humanitarian emergencies.
Earlier this month, Human Rights Watch and more than 100 other organizations issued a joint call for legal protections on how governments can use digital surveillance, including mobile phone location data, to fight the pandemic. Europe is under intense scrutiny by these groups as the European Commission scrambles to develop coronavirus tracking apps, seeking an “EU approach” to contain the disease. As a result, hundreds of researchers from eight countries in Europe have been working on the Pan-European Privacy Preserving Proximity Tracing Project (PEPP-PT) to develop a single app that any country can use and that is compliant with EU privacy laws.
U.S. Law
Although there is no main data-protection law at the federal level in the United States like the GDPR, there are several federal and state laws that offer privacy protection to certain types of data, like health information, employment, and location data.
As the United States continues to control the spread of the virus and develop plans to potentially reopen the economy, government agencies have put into place—or contemplated—a variety of tracking and surveillance technology that examines the limits of personal privacy—everything from geolocation tracking that oversees the location of people through their mobile devices, to facial-recognition programs that analyze pictures to determine who may have come into contact with those who later test positive for the coronavirus. In fact, we know that data-mining firm Palantir Inc. has worked with the Centers for Disease Control and Prevention (CDC) to model the virus and its outbreak and continues to do so.
This is leading to a struggle among those in the tech industry and among government officials to find a balance between the deployment of technology and safeguarding patients’ data, specifically medical information. At the same time, privacy advocates worry that little has been announced about what has already been implemented or is about to be deployed as governors across the country determine when and how to reopen their states.
Healthcare and Location Data Biggest Concern in United States
Just like in the European Union, the United States has issued guidance on privacy and data security relating to COVID-19. The Department of Health and Human Services (HHS) has waived sanctions and penalties against covered hospitals for certain provisions under HIPAA. The waiver includes the requirement to obtain a patient’s consent before speaking with friends or family members about care, the requirement to distribute a notice of privacy practices, the patient’s right to request privacy limitations, and the patient’s right to request confidential communications.
As the crisis continues in the United States, much-needed additional guidance is being issued by local, state, and federal agencies.
The United States does have The Health Insurance Portability and Accountability Act Privacy Rule, which protects the privacy of a patient’s health information, although its protections are not unconditional. Just this past February, HHS released a bulletin outlining when disclosure of health data is permitted, which includes for public health reasons and “to prevent an imminent threat.”
The U.S. Constitution, specifically the Fourth Amendment, also protects certain expectations of privacy, including one’s physical location. Consider Carpenter vs. U.S., for example, in which the U.S. Supreme Court looked at how to apply the Fourth Amendment to cell phone records, particularly cell-site location information (that looks at a person’s past movements). The government had obtained the records as part of a criminal investigation and argued Carpenter should not have an expectation of privacy in them because he voluntarily provided them to third parties (cell phone carriers). However, the Supreme Court ultimately ruled that the government invaded Carpenter’s reasonable expectation of privacy when it accessed cell-site location information from wireless carriers.
It is likely that as COVID-19 cases continue to exist, creating the need for contact tracing, there will be more discussion in the United States on privacy interests like those discussed in the Carpenter case. As such, the need to quickly address it because of this public health issue seems likely as well.
Main Takeaways
It is evident that contact tracing and testing technology will very much play a role in forming a sound, strong recovery strategy. Understanding what our privacy laws require in specific situations, like pandemics or public emergencies, as well as how they are applied, is going to be crucial to continuing to manage COVID-19 and reopening our economies.
By tapping into people’s phones and medical records, researchers and public health authorities are hoping to quickly identify potentially infected patients and curb the pandemic. In fact, the federal agency in the United States in charge of policing data breaches already announced it will back off enforcement of some privacy rules to make it easier for healthcare facilities and their vendors to share patient records with public health officials.
Scaling back these health privacy rules—and justifying that during a crisis—raises the question of what happens when the pandemic ends. Will life return to normal, or will we redefine what we historically knew as our right to privacy? Will we have another version of the Patriot Act in the United States? Will we have countries around the world tracing their citizens’ movements freely under the excuse of this pandemic?
On a more positive note, how will countries across the globe learn from one another to develop best practices for tracking diseases that, hopefully, respect our privacy?
*John Neocleous is the founder and managing partner of NCI Law Group, a multinational law practice in the United States, United Kingdom, and Switzerland.
The healthcare industry remains a significant portion of the U.S. economy and will be so for the foreseeable future.* The U.S. Centers for Medicare and Medicaid Services (CMS) reported that in 2018, the overall share of U.S. gross domestic product (GDP) related to healthcare spending was 17.7 percent. Moreover, national health expenditures are projected to grow at an average annual rate of 5.4 percent for 2019–28 and to represent 19.7 percent of GDP by the end of the period. A large portion of that spending is related to payment for the provision of healthcare services. Because healthcare is such a large portion of the economy, both activity and interest in acquisitions of healthcare services companies have been incredibly robust for at least the last 25 years. There does not seem to be any indication of a significant slow-down any time soon. In middle-market private equity transactions alone, valuation of healthcare services companies continues to rise to unprecedented levels.
Given the large portion of the economy that healthcare represents and the market interest in acquisition activity, an understanding of the major, material healthcare regulatory risks that an acquirer might face is important to an effective and meaningful acquisition. That understanding can assist an acquirer in either eliminating risk or at least mitigating it appropriately. This article will provide a summary of those major, material health regulatory risks, some basic diligence requests to address in pretransaction diligence, and thoughts on representation and warranty issues in transaction documents.
Before discussing risks, a definition of “healthcare services” is important to understanding the types of businesses that face these risks in ways that can be material to the business. For purposes of this article, healthcare services includes businesses that provide professional/clinical healthcare services to patients; brick-and-mortar, in-patient and out-patient healthcare providers; and businesses that provide ancillary healthcare services. To be specific, these healthcare services businesses include, but are not limited to: hospitals and health systems, nursing homes, behavioral health providers, physicians and healthcare professional groups, home health and hospice providers, outpatient clinics, ambulatory surgery centers, out-patient rehabilitation, substance use disorder services, senior housing and services, and continuing-care retirement communities.
Most if not all of the aforementioned healthcare services businesses face a majority of certain material health regulatory risks. These material risks fall within five categories that include government reimbursement, fraud and abuse, licensure, excluded parties, and healthcare privacy-related issues. A summary discussion of each of these risks is contained in the sections that follow.
Category 1: Government Reimbursement
CMS, the administrator of the Medicare and Medicaid programs, is the single largest payer for healthcare services in the United States. The dollars it spends on healthcare services far exceed any other payer, including commercial payers. CMS administers the Medicare program (Parts A, B, and D) through its administrative contractors as well as through managed care plans (Part C). CMS partners with states, which partially fund Medicaid programs, to administer the Medicaid programs. In order to participate in either Medicare or state Medicaid programs, healthcare services businesses agree to comply with a significant regulatory framework mostly in the form of conditions or requirements for participation (a Regulatory Condition) as well as specific requirements relating to the submission of claims for services or supplies provided (a Claim Submission Requirement).
Material liability risks for healthcare services businesses can arise from a significant failure to meet a Regulatory Condition or a Claim Submission Requirement. Random or targeted government inspections and complaints from patients or clients can result in a citation for a failure to meet a Regulatory Condition. Those citations can culminate in civil fines that in some cases may carry per-day penalties. They can also result in potential termination from the Medicare or Medicaid program. Civil penalties can range from minor amounts to major material liabilities for the business. In that respect, understanding what, if any, (i) inspections/citations a healthcare services business has been subject to historically; and (ii) what may be currently outstanding is important to assessing risk in a possible acquisition. Failures to pay civil fines may also result in termination of participation in Medicare or Medicaid.
Complying with Claim Submission Requirements is likely one of the most important issues for healthcare services businesses that participate in government payment programs. Failures to comply can result in demands for recoupment or allegations of overpayments. In some cases, what a business may see as a simple error, the government or its contracted agents view as an intentional act to defraud. A missing provider signature or a failure to document a patient’s vital signs can result in a failure to meet a Claims Submission Requirement. These failures can be minor or they can be significant and carry millions of dollars in repayment liability.
Reimbursement diligence. In order to assess these types of risks with a potential target, acquirers should at the very least examine:
documents relating to investigations, audits, surveys, site visits, and inquiries by governmental agencies and contractors
documents relating to corrective action plans imposed on the business or implemented by the business
documents relating to unpaid civil monetary penalties or administrative penalties and civil settlements
documents relating to any self-disclosures or voluntary disclosures made to any governmental authority
documents relating to internal audit reports of billing and coding reviews or audits
documents relating to any third-party reports and related deliverables from consultants engaged to perform billing and coding audits or reviews
In addition to conducting appropriate diligence, the material transaction document should contain representations and warranties from the seller that broadly address: (i) general compliance with healthcare laws; (ii) compliance with government programs and claims filing obligations; (iii) the absence of any material overpayment or claims filing repayment obligations; and (iv) no affirmative inappropriate or illegal conduct.
Category 2: Fraud and Abuse
Fraud and abuse in the healthcare system has been a concern of federal and state regulators almost since the inception of organized health care and certainly became a significant issue with the passage of legislation creating the Medicare and Medicaid programs. Major fraud and abuse laws include the Federal Anti-Kickback Statute (AKS), 42 U.S.C. §1320a-7b(b), the Physician Self-Referral Prohibition (the Stark Law), 42 U.S.C. §1395nn, and the Criminal and Civil False Claims Acts, 18 U.S.C. §287 and 31 U.S.C. § 3729. These laws prohibit certain business practices as well as provide for penalties relating to fraudulent claims to government payment programs.
Fraud and abuse liability can come in many forms and can result in both civil and criminal liability depending on the conduct and issues at hand. Moreover, fraud and abuse liability is rarely immaterial to a transaction unless the target involved is a large business facing a civil liability, and given the size of the target, the liability will not be material to its business operations. Even in those circumstances, however, the acquirer will likely not want to inherit the liability.
Fraud and abuse diligence. In order to assess these types of risks with a potential target, acquirers should at the very least examine:
contracts between the target and other healthcare businesses or vendors
documents or memos analyzing any arrangement the target feels fits into a safe harbor to the AKS or exception to the Stark Law
business relationships with physicians and other healthcare professionals whether via ownership or compensation
business relationships with any individual or entity in a position to refer business paid for by governmental programs to the target business
marketing activities of the target
bonus and compensation plans
documents relating to governmental actions and other issues mentioned in the section on Claim Submission Requirements above
In addition to representations and warranties from the seller mentioned above in relation to government reimbursement, the material transaction document should contain representations and warranties with respect to fraud and abuse matters that address: (i) specific compliance with major federal and state fraud and abuse prohibitions; (ii) the absence of adverse criminal or civil settlements or civil monetary penalties; and (iii) the absence of any threatened or current civil or criminal litigation relating to fraud and abuse matters.
Category 3: Licensure
As one of the most regulated industries in the United States, an acquirer can expect that most, if not all, of the target companies they are looking to acquire have some type of license or permit to do what they do in health care. Ensuring that a target business has the correct licenses, has complied with all of the regulatory requirements relating to retention of those licenses, and has not been subject to any type of adverse finding by a licensure authority are integral to assessing any material risk in a potential transaction.
It is important to recognize that there are simple risks relating to licensure that might result in immaterial fines. However, multiple instances of immaterial fines might add up to revocation of a license that is necessary to operate the business. As a result, understanding the target’s regulatory compliance history through appropriate diligence is important to assessing risk.
Licensure diligence. In order to assess this type of risk with a potential target, acquirers should at the very least examine:
all current regulatory permits, licenses, certifications, accreditations, certificates of need, and other required approvals that the target may have relating to its business
documents relating to investigations, audits, surveys, site visits, and inquiries by governmental agencies and contractors
documents relating to corrective action plans imposed on the business or implemented by the business
documents relating to unpaid civil monetary penalties or administrative penalties and civil settlements
documents relating to any suspension, termination, or revocation of a license
documents relating to any refusal to approve a license
Relative to licensure, sellers should also provide, via the material transaction document, representations and warranties to the buyer that: (i) affirmatively state the seller has all of its required licenses; (ii) none of those required licenses have been subject to suspension, revocation, or termination; and (iii) there is no current action to suspend, revoke, or terminate a required license.
Category 4: Excluded Parties
Generally, excluded parties in the healthcare context are persons or entities (i.e., businesses) that have either been excluded from participation in federal healthcare programs or excluded from participation in federal contracts. The U.S. Department of Health and Human Services’ Office of the Inspector General (OIG) has the authority to exclude individuals and entities from participating in federal healthcare programs, which include Medicare, Medicaid, and any other healthcare program funded directly or indirectly by the federal government. Exclusion in its most basic sense means that no payment can be made for any items or services furnished, ordered, or prescribed by an excluded individual or entity. The OIG maintains a searchable list of excluded individuals and entities on its website.
In addition to OIG exclusions, the U.S. General Services Administration (GSA) maintains a comprehensive list of individuals and entities that have been excluded from participation in federal contracts. The GSA’s excluded parties list system contains a list of persons and entities that have been excluded by federal government agencies from receiving federal contracts or federally approved subcontracts, and from certain types of federal financial and nonfinancial assistance and benefits.
A target company that has in the past or is currently employing an excluded individual or has had, or has, a contract with an excluded party can have material risks associated with it. If the excluded individual or contractor “touched” (i.e., was associated with) significant federal dollars, the target entity could face material liability. Beyond simply a repayment of those associated dollars, there are also potential civil penalties that can be assessed. The civil penalties can become significant. As a result, there is a general expectation that healthcare services companies will have checked the appropriate databases periodically to screen for ineligible individuals and entities and steer clear of them.
Excluded parties diligence. In order to assess this type of risk with a potential target, acquirers should at the very least examine:
whether the company has a process in place that screens for excluded parties
whether the company has ever had exposure to an excluded party and how that exposure was handled
In addition to the previously described representations and warranties, the material transaction document should contain one specific to exclusions that provides that the seller has not hired an excluded party and periodically checks to ensure it is not associating with excluded parties.
Category 5: Healthcare Privacy Issues
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). HIPAA establishes national privacy standards to protect individuals’ medical records and other personal health information (PHI). It also establishes physical and electronic security standards for PHI. HIPAA applies to “Covered Entities,” which include healthcare providers, insurers, and other stakeholders that may use or disclose PHI. HIPAA requires Covered Entities to develop and follow procedures that ensure privacy and security of PHI and sets limits and conditions on the use and disclosure of PHI without patient authorization. Compliance with HIPAA is not only for Covered Entities, but also for their business associates (e.g., claims processors and bill collectors). Covered Entities that must share PHI with a business associate should have a written Business Associate Agreement (BAA) in place that requires the third party to comply with HIPAA requirements.
HIPAA violations can result in civil or criminal liability depending on the nature and extent of the violation. The civil penalties can end up being quite costly, ranging anywhere from $100 to $50,000 per violation. Additionally, Covered Entities must provide notification of a privacy breach to affected individuals, the Secretary of HHS, and in some circumstances, the media. Thus, acquirers should focus diligence efforts on existing HIPAA compliance processes and any prior or ongoing privacy-related investigations to assess not only the potential financial implications, but also the reputational implications.
Healthcare privacy diligence. In order to assess this type of risk with a potential target, acquirers should at the very least examine:
the company’s HIPAA compliance policies and procedures covering at least the last three years
any HIPAA training materials and information on how personnel received HIPAA training
all BAAs in place over the last three years
documents relating to HIPAA compliance tracking and assessment
documents relating to any security breaches or incidents, follow-up response, and disclosure of the breaches/incidents to individuals or third parties
list of complaints or allegations of privacy/security breaches involving the company
Given the increased scrutiny on privacy compliance, the material transaction document should contain targeted representations and warranties from the seller that address HIPAA privacy and security compliance as well as the absence of any privacy or security breaches.
An Additional Note on Regulatory Compliance Programs
Regulatory compliance programs have become an increasingly important part of the healthcare industry. Despite there not being a significant regulatory requirement to have a compliance program, healthcare service providers are strongly encouraged to make them a priority. Additionally, as providers often became subject to federal False Claims Act allegations in particular, they became more aware of the U.S. Federal Sentencing Guidelines for Organizations and the process by which the guidelines can provide some mitigation in sentencing for organizations with effective compliance and ethics programs. Moreover, the OIG embarked on a campaign to encourage healthcare services providers to voluntarily develop and implement programs through its compliance program guidance.
The purpose of compliance programs is to help healthcare services providers develop controls for adherence to applicable healthcare law. Regulatory compliance programs are designed to monitor compliance and correct compliance issues before they become a significant problem. Most importantly, well-developed and effective compliance programs have become the yardstick by which buyers can measure a target company’s “culture of compliance.” Essentially, if a buyer finds that a company has a well-developed and effective program, the buyer can get some comfort with respect to the company’s overall regulatory compliance. As a result, most if not all buyers conduct some form of diligence relating to a seller’s regulatory compliance program.
Regulatory compliance diligence. In order to assess this type of risk with a potential target, acquirers should at the very least examine:
whether the company has an established compliance committee and officer
documents relating to regulatory compliance policies, procedures, and training materials
documents relating to corporate compliance tracking, assessment, and response
meeting minutes from the company’s compliance committee, if applicable
Although not a must-have, buyers should include in the material transaction document a targeted representation and warranty from the seller that specifically addresses the seller’s implementation of a regulatory compliance program that meets OIG guidance, the federal sentencing guidelines, or both.
As transactions involving healthcare services providers increase, an understanding of the major areas of material risk discussed in this article will be an important tool for any business lawyer involved in such a transaction. This summary provides an outline for practitioners to help them ensure that important pretransaction regulatory diligence is conducted and the material transaction document allocates risk appropriately through representations and warranties.
*Ari J. Markenson, J.D., M.P.H., is a partner and co-chair of the Health Care and Life Sciences Industry Group at Winston & Strawn, LLP. Cynthia Suarez, Esq., is an associate in the Health Care and Life Sciences Industry Group at Winston & Strawn, LLP.