Commercial real estate markets have experienced significant challenges over the last decade in all regions and sectors of the country, from retail to office to medical to senior living to golf courses. Some facilities and developments have thrived and continue to thrive, while others are subject to relentless external changes and influences in our economy. Every real estate sector in the country has experienced changes in their markets due to increases in internet and online sales, shifts in spending habits and interests, changes in demographics, declines in revenues, increases in over-built areas, increases in virtual offices, and declines in population centers, among other factors. Given these market challenges, the repurposing of commercial properties will likely focus on who the ultimate owner is to solve them, what the obstacles are in reshaping the property, and what some of the solutions to the challenges include. No doubt, innovation, creative thinking, and capital investment will be needed for the repurposing of spaces in these sectors.

As for retail, news articles are full of stories reporting that over 8,000 stores were closed in 2017, and 2018 is on track to see the same or a higher number of store closures. Some retailers have gone out of business completely; others have downsized significantly, decreasing the number of stores and concentrating on their more profitable areas. On the other hand, Amazon and other similar types of businesses with increasing online sales have expanded their distribution centers and are experimenting with ventures with other businesses in brick-and-mortar areas to fill in their business models. Consumers have changed their spending trends, which has caused retailers to chase them via online sales, thus choosing a different kind of shopping cart.

Landlords have been significantly impacted by store closings and have had to change their tenant mix and repurpose their shopping centers. The owner, the landlord, the lender, and the ultimate buyer of the property have all had to adjust and evolve to repurpose and redevelop their projects. Capital investment of course is needed. In some limited situations, shopping malls have been razed or “de-malled.” In others, significant renovations and redevelopment have taken place. There are multiple examples of landlords and owners changing the mix of shops and restaurants and activity centers to include theaters, gyms, walk-in medical centers, entertainment spaces, museums, aquariums, bowling alleys, arcades, and other experimental and service-oriented tenants in what has traditionally been retail sales space. Other changes include nonretail uses, such as charter schools, community colleges, call centers, libraries, multifamily housing, medical space, and a mix of uses to increase traffic and neighborhood involvement. Some proposals require zoning and other entitlement changes. It is plain to see that creativity, flexibility, and capital are needed to repurpose the changing landscape in retail space.

As for healthcare and senior living space, the aging population will continue to drive this sector for years to come. Trends toward more outpatient care have grown in order to provide lower costs and have impacted the traditional healthcare space. Medical office space has continued to increase, and hospitals have seen growth in metropolitan areas, although declining revenues have impacted community and rural hospitals. Driving the pressure were problems such as payment delays, bad mergers, overexpansion, reimbursement changes, rapid changes in the healthcare environment, and tort litigation, among others. Some of the senior living facilities also experienced challenges with deferred maintenance, capex constraints, slow revenue increases, and competition in increased outpatient care. In addition, the industry is complex due to nonprofit ownership, state regulatory structures, single tenant usage, and public financing. Solutions exist, including consolidation of uses and administrative costs, expansion into independent living, and repurposing of facilities to include other, additional medical usages, and where appropriate closing facilities or buildings and repurposing the property for nonmedical uses. Struggles continue, but like the other real estate areas, creativity, capital, and community involvement can give this sector a much-needed shot in the arm.

As for golf courses and recreational properties, the challenges to the industry appear to be caused by factors such as overbuilt facilities, extensive costs for maintenance of facilities, declining demographics, and flat markets, among others. However, membership alternatives and a variety of users seem to be the keys to driving improvements in golf and recreational properties. Expansion of categories of membership, expansion of family facilities, reconfiguration of the course, or even consolidation of other clubs and courses into a new program all seem to be in the mix to repurpose this sector.

In sum, innovation, creative thinking, and capital investment are necessary to surviving and repurposing the changing landscape in all of these sectors of commercial real estate. Owners must challenge their traditional thinking on uses and users and try different concepts. In today’s market, there are a growing number of creative ideas, innovation, and applications of capital that appear to be part of the solutions that must be made to make the properties and industries profitable and productive again.

Blockchains reduce the need for “trust” in legal transactions. From a legal perspective, trust has some specific meanings with respect to custody, control, and transactional risk. It can be accurately defined as “reliance on assurance of others to reduce transactional risk.” Blockchains radically shift the economics of providing transactional assurances.

For example, blockchains reduce the cost and complexity of obtaining assurances of asset ownership and control. Blockchain offers a cheaper and more reliable mechanism of creating, storing, and proving evidence.

Commercial and financial legal processes currently rely on numerous systems to reduce overall transactional risk and give people enough confidence to transact. A critical legal inquiry regarding any kind of property is, who owned title, when, and what is the transactional history? In asset transactions, property registries provide custodial and financial histories. To risk buying an item or making a loan secured by property, a buyer or creditor must be able to verify that the person purporting to own the property really does have title, and that there are no other enforceable inconsistent claims.

For high-value, complex transactions, this means obtaining assurances of (1) proof of authoritative title to an asset (title is clean and untampered), and (2) proof that the proof of title is reliable (the source of assurance (1) is clean and untampered). Underpinning it all is property law. Rules of property law apply whether the object in question is a house, a retail installment contract, or a digital token. Critical to property law is the concept of title, or ownership of property.

Legal systems have developed multiple property registries and custodial systems to manage information and give buyers, lenders, and invested parties the ability to verify whether a specific deal represents an enforceable obligation. Financial market infrastructure spends tremendous sums to maintain structures that provide assurances of things like chain of custody and title.

Registries. Creditors and other interested parties file notices with deeds registries, secretaries of state, departments of motor vehicles, and places a creditor checks for notice of an adverse interest. Common examples are land registries and, in the United States, the U.C.C.-1 filing registry within a state. The registry record is deemed authoritative for legal enforcement of contracts, and insurers, lenders, buyers, and sellers rely on it equally to track rights and obligations. The records produced by central property registries supply chain of title and custody details.

Registries like these developed out of need: without a reliable system for registering, or “perfecting,” one’s interest in property, market confidence in buying, selling, and lending is disincentivized. Functional registries make functional markets.

Custody and Control of Intangibles. Second-and-third order monetization of a value stream often involves intangible property. For example, financial products leverage contract rights and obligations to create additional assets and revenue streams like securities and derivatives. In pre-internet commerce, custody and control of intangible assets were proved by “possession”; a lender holding a note as a security pledge against a loan might actually take possession of the note. It is impractical to run valuable paper instruments from holder to holder in real time, so the notes were placed with a trusted third party who acted as intermediary, for example, holding the notes in custodial trust, matching and settling promises to pay. The market assigned possessory rights to custodial agents who held assets “in trust” and maintained their chain of title so deals were free to flow without paper slowing them down.

Electronic Contracts. With the advent of electronic contracts, the law evolved a new method of perfecting a security interest in digital originals of notes and chattel paper. The key, when vaulting an electronic contract, is to prevent multiple copies that might result in adverse claims, or “double spends” of the same obligation. Sounds familiar!

Electronic contracting laws like Uniform Electronic Transactions Act (UETA) established standards for vaulting and proving custody and control of digital assets. The UETA drafters, however, noted that their recommendations were based on late-20th-century technological capabilities to establish “control.” UETA’s custodial “control” requirements substitute for possession to perfect electronic contracts in the absence of a unique digital “token” to represent a contract. The drafters looked to the market to develop better systems of digital asset control.

Where Blockchain Comes In

A better property registry. Blockchain gives us a decentralized, tamper-evident record of what happened and when with respect to data stored in specific tokens. This tamper-evident ledger means less reliance on central authorities to prove the integrity of assets. A blockchain-based property registry proves its own transactional history.

Assets that prove their own chain of custody. Blockchain-based data objects can represent any number of property types extrinsic to the blockchain, as well as assets that are native to digital technology, e.g., tokens. A blockchain-native asset represented by a token is inherently and immutably tied to its transaction history. This means assets stored in a blockchain can prove their own titles, chains of custody, and transactional records.

Blockchains can get chain of custody right. Without structures that prove chain of custody, the lack of reliable proof structures has a chilling effect on legitimate commerce. Blockchain offers a low-cost way to scale legal infrastructure and build commercial rails on the bedrock of rule of law.

Poorly controlled legal proof structures are also a problem with existing custodial systems. For example, after the 2008 recession, we learned of multiple frauds in the system of keeping chain of custody of loan records. Many assets were so poorly tracked that when it came time to enforce legal rights, creditors were left holding assets with chains of custody any lawyer could challenge to defeat the creditor’s claim. Blockchain storage of contract assets solves this problem, ab initio.

Blockchain proof of title, custody, and transaction history reduces the need to rely on external assurances. This opens economic potential wherever there was previously a lack of reliable legal infrastructure. Along the way, blockchain will shed light upon, and drive the transition to, more efficient methods of proof in digital infrastructure.

Nina Kilbride

Introduction

On October 17, 2018, the Cannabis Act came into force in Canada, establishing a comprehensive legislative scheme governing the licensing, production, distribution, and sale of cannabis and related products for recreational use. Canada’s nascent recreational cannabis industry has faced its share of growing pains, but there is reason for optimism moving forward. Statistics Canada estimates that the illicit market for cannabis was worth approximately CDN$5 – $6 billion (US$3.79 – $4.55 billion) in 2015, while a 2018 Deloitte report suggests that the total Canadian cannabis market could generate up to CDN$7.17 billion (US$5.44 billion) in sales in 2019. If the sales figures forecast by the Deloitte report are achieved, that would put the cannabis market on the same footing as both the Canadian wine industry and the Canadian spirits industry.

Excitement surrounding legalization has led to a flurry of capital markets activity in Canada, resulting in billion dollar market capitalizations for several Canadian cannabis companies traded on the Toronto Stock Exchange (“TSX”), as well as the one Canadian cannabis company that currently trades solely on the NASDAQ.

Investor optimism is not fueled exclusively by the market potential that exists within Canada’s borders; rather, international opportunities represent a significant growth target. A 2018 report published by CIBC suggests that the global cannabis market could reach approximately CDN$25 – $30 billion (US$18.96 – $22.75 billion) in 2020. The U.S. could play a significant role in the global cannabis economy, as a study conducted by the Brightfield Group estimates that Canada and the U.S. will account for more than 86% of global cannabis sales in 2021.

Although cannabis is currently legal for recreational use in ten U.S. states and for medical use in 33 states and the District of Columbia, cannabis remains a Schedule 1 narcotic under the U.S. federal Controlled Substances Act. This classification has prevented Canadian cannabis companies from entering the U.S. market. Although cannabis may be exported from Canada for medical or scientific purposes under the Cannabis Act, an export permit may be refused if such exportation would contravene the laws of the country of import, or if such exportation would not comply with the permit for importation issued by a competent authority of the country of import.

Notwithstanding these obstacles, enthusiasm regarding the U.S. market was on full display when Tilray Inc.’s shares jumped 28.95% on the same day it was reported that the Canadian cannabis producer had received approval from the U.S. Drug Enforcement Agency to export cannabis to California for a clinical trial.

What does this mean for U.S. cannabis companies?

U.S. stock exchanges are regulated by federal legislation and, as a result, you will not find any pure play U.S. cannabis companies listed on the major American stock exchanges. Similarly, the TSX and its affiliated TSX Venture have taken the position that companies with operations or investments in the U.S. cannabis industry will be in violation of the listing requirements of their exchanges and thus subject to de-listing.

However, Canada’s more junior exchange, the Canadian Securities Exchange (the “CSE”), has welcomed Canadian and U.S. cannabis companies alike, listing 116 companies that operate in the cannabis industry, as of the date of this writing. Rather than prohibiting issuers with ties to the U.S. cannabis industry, the CSE has taken a disclosure-based approach, requiring its issuers to disclose the extent of its activities in the U.S. and the risk that its activities present from a U.S. legal standpoint.

Investor response to CSE listed cannabis companies has been extremely positive, with investors showing a particular appetite for companies offering exposure to the U.S. cannabis market. While historically being considered a “third-tier” Canadian stock exchange, the CSE is gaining notoriety, attracting industry-leading U.S. cannabis companies that have been denied access to more traditional exchanges.

For example, in May 2018, MedMen Enterprises Inc., a leading cannabis retailer in the U.S., began trading on the CSE at an implied value in excess of US$1.6 billion and on November 16, 2018, filed to raise CDN$75 million (US$56.88 million) via bought deal.  In October 2018, Curaleaf Holdings Inc., a vertically integrated cannabis cultivator and retailer, closed a private placement on the CSE which raised approximately US$400 million, implying a valuation close to US$4 billion. The most recent debut on the CSE was that of Acreage Holdings, a multi-state cannabis producer that boasts former House Speaker John Boehner and former Canadian Prime Minister Brian Mulroney as board members. Acreage Holdings began trading on the CSE on November 15, 2018, shortly after raising US$314 million in a private placement, implying an enterprise value of approximately US$2.1 billion.

How are U.S. cannabis companies becoming listed?

The most popular approach to listing on the CSE  by far is the reverse takeover, or “RTO”. RTOs involve the entity acquiring a publicly-listed shell or dormant company to pursue listing. RTOs are typically completed by way of a statutory amalgamation or arrangement and may require approval of each company’s shareholders, depending on the structure of the transaction and constating documents of the companies.

Compared to an IPO, RTOs are generally less time consuming and expensive and do not necessarily need to be accompanied by a concurrent equity financing—although MedMen, CuraLeaf and Acreage Holdings each completed private placements connected to their respective RTOs.

Another primary driver of expediency in RTOs is that they do not require regulatory review by securities regulators, and rather only require approval of the stock exchange. While a document with prospectus-level disclosure is still a requirement, eliminating the review of the securities regulators is one less obstacle to face in an RTO process.

Looking forward

There has been growing support to amend federal cannabis laws in the U.S. On June 7, 2018, Senators Cory Gardner and Elizabeth Warren introduced the Strengthening the Tenth Amendment Through Entrusting States (STATES) Act in Congress, which would amend the Controlled Substances Act to make it impossible to prosecute individuals and corporations who are in compliance with U.S. state laws on cannabis. A companion bill was introduced on the same day in the House of Representatives by Representatitives Earl Blumenauer and David Joyce.

The STATES Act would not remove cannabis as a Schedule 1 narcotic, meaning that cannabis would remain federally illegal. However, the STATES Act provides that compliant transactions would not be considered trafficking and would therefore not result in the proceedings accompanying an unlawful transaction. With this distinction in mind, it remains unclear what impact the STATES Act, if passed, may have on the willingness of U.S. stock exchanges and federally regulated banks to participate in the U.S. cannabis industry.

While much uncertainty remains with respect to the long-term outlook of the U.S. cannabis market, there appears to be a significant appetite among investors to participate in this burgeoning industry. As of right now, the most attractive way for U.S. cannabis companies to capitalize on this enthusiasm and to access capital markets is to look north of the border, where the CSE awaits with open arms.

While hanging around the water cooler the other day, I took an informal survey of a few colleagues. “How many of you are finding the task of addressing private information in compliance with increasingly complex laws, regulations, and corporate mandates to be hugely fun?” Unsurprisingly, the feedback was unanimous; everyone was loving it. They couldn’t get enough. They clamored for greater records management responsibilities and litigation response obligations. They also mentioned that there is no better end to a long workday than an involved information-security training, provided that their lunchtime could be interrupted for dental work with no anesthesia.

As it turns out, employees in the real world don’t really like doing anything beyond their real jobs, and certainly don’t want to have anything to do with the perceived tedium of classifying their files according to a growing set of company rules. For the vast majority of people, information management is about as fun as a root canal. And yet, effectively managing information has always been essential and is more and more a differentiator for organizations. This capability impacts a company’s reputation, risk profile, and innovation initiatives.

What can companies do? They can’t outsource their obligations—even if a third party is brought in to do some of the legwork, ultimately the obligation to comply lies with the company. Neither can they ignore the issue because there are increasingly more laws that prescribe how companies and their employees must manage information from its creation to its proper destruction. Similarly, there are far more consequences in failing to get it right. It’s an unenviable position for companies; they need their employees protecting the company’s information assets, but most employees are disinterested at best, viewing themselves to be full up with “real” work that trumps a concerted focus on these efforts.

Generally, there are two kinds of employees: the ones who are motivated by carrots, and the ones who must be inspired by sticks. There are some employees who will follow rules because they are told to and because being proactive is good for the company. However, if there is no compelling reason for employees to do something, they often fall into the latter category of needing a consequence, a penalty, or a loss of some benefit or privilege before they will dream of doing a task at work outside of their perceived job scope.

That brings us to a confluence of realities: more downside, more attacks on the IT systems, more laws dictating what is required and penalizing companies when they fail to comply, and more employees behaving badly, uninspired to lift a finger to help your company better manage information.

Here are seven keys to fix such a problem.

1. Set the Tone at the Top. The CEO in some respects is the soul of the company in that he or she sets the big-picture objectives for the organization. This is commonly communicated through a mission statement, vision, and code of ethics. These concepts and values are then seen as calls to action by others in the organization and rapidly become operationalized. When the CEO or other executives message the importance of a company initiative or action, the employees (everyone below them) are more likely to listen and follow their lead. For example, if the CEO decides that being a “greener” company is important, then initiatives that advance that idea will get more attention and funding. Employees will more likely do what it takes to make the company greener. Thus, one thing that will be essential to making information activities come to life in the company is for the executive team and others in management to support the information project or program and message its importance to all employees. Another way they can show support is by funding such activities and publicly recognizing successful efforts.

2. Make It Part of the Job. One of the best ways to get folks to take on protecting private information is to make it a part of their job responsibilities. For many businesses, at most they develop policy and expect that employees will read, understand, and follow the directives. That is usually the last time the policy is addressed until something bad happens. Then everyone wants to know what went wrong. What commonly goes wrong is that employees have a black and white view of their roles and responsibilities. They disregard policies as irrelevant to their jobs if adequate context isn’t provided.

The company can “legitimize” the activity by making it a part of the employees’ job responsibilities in writing and by making it clear that failure to do as required will, for example, impact performance incentives. When compliance with a policy is tied to compensation, it tends to get employees engaged. That would be more of the stick approach.

In terms of the carrot, why not have high-potential employees nominated by senior leadership to serve as information stewards? Formalize the role, make it a coveted position, and recognize and reward them for participating. You will find that you have inspired these employees to be your eyes and ears in the business. This causes a chain reaction whereby those around them start caring more as well.

3. Train the Employees. A policy itself, no matter how comprehensive and clear, is only as good as the training and change-management that accompanies it. Parking a myriad of policies on a website and thinking employees will search to find and master them is wholly unrealistic. Not only that, but having policies that no one follows is a liability. “Isn’t it true that your company has a privacy policy, you didn’t know about the policy, and in fact were never trained on the policy . . .” You get the idea.

Providing a written policy or other directive tells employees what is expected; training them on it helps ensure they understand what they must do in greater specificity. In other words, policy is not enough. Training and perhaps even testing on the mastery of the training is far more effective.

Remember, however, that employees can’t take in endless training sessions on one topic after another. Be mindful to not put too much in front of them at once and spread it out to maximize the training’s effectiveness. In other words, limit how much training employees receive, given the law of diminishing returns.

Training should be an important tool in your arsenal when it comes to ensuring that employees are able to digest and apply vital policy concepts. It is a stepping-stone to behavioral change. One point of consideration is to consolidate trainings where possible. Companies often have a “code of ethics” or “code of conduct” that provides high-level principles regarding the company’s position on such matters as privacy requirements, books and records management, cyber-security fundamentals, and beyond. Publishing such a code for public/external consumption bolsters a company’s reputation for being trustworthy and of sound integrity. Is it possible to consolidate your trainings on various governance topics into one large “code of ethics” training that can be taken in modular format? This then strengthens and unifies the company’s position on various interdependent information-management directives while streamlining the training experience for employees.

4. Gamify. In the last few years, gamification of training has helped create better-trained employees and kept employees engaged with longer-term retention of the topic. Gamification is a process where an employee is engaged at a deeper level to make the training like a game. This means launching awareness campaigns that involve features like points, levels, and awards. The goals of gamification are to create a sense of intrinsic motivation, achievement, and mastery. The more employees interact with the training material or policy in a game context, the more likely they are to understand the material and be able to act upon it. Bottom line is that it works.

5. Auditing/Monitoring. The only real way to know whether employees are doing what is required of them is by looking. In the workplace, that is typically done by watching their actions in real time (monitoring) or looking at what they have done after the fact (auditing). Auditing and monitoring programs help ensure that employees are getting it right. These programs also allow the company to help employees better perform tasks and fix training or implementation issues across the company as they become known.

In highly regulated industries, auditing and monitoring are part of the normal course of business. In fact, internal audit and quality assurance teams can be excellent partners in building an audit readiness program and in conducting the audits themselves.

6. Whack with Love or Not, but Be Consistent. When employees get something wrong, there may be a need to reprimand them. Thus, when policies provide that noncompliance may result in disciplinary action, the company must follow through. Failure to discipline may result in claims that such policy or disciplinary action is applied in a discriminatory fashion. Remind and follow up with employees to ensure they are getting it right, and when they don’t, act swiftly, fairly, and consistently to address the failure. Remember, word travels fast, and others will take note, which tends to change behavior in a positive way.

7. Repeat. Training, behavioral change, and the business transformation that follows are not one-time projects or instantaneous outcomes. Begin the process of training on key topics from the very beginning of an employee’s tenure at your company during orientation. For topics that are essential for employees to master, such as information security, training should be routinized and part of an established schedule. Not only that, policy principles and core concepts should be patiently and persistently reiterated via meetings with communities of practice, company newsletters, annual refresher trainings, and embedded within spotlights on governance initiatives when there has been a “big win.” Making employees care about managing information well means making these conversations part of your company’s culture.

Conclusion

Information has become the lifeblood of organizations. Oftentimes, it’s pumping life without rhyme, reason, control, or direction, and that has to change. Unless leadership institutionalizes the management of information, the employees will likely do as little as possible or nothing at all. With value, volume, growth in legal requirements, and consequences all intensifying around information management, however, companies must have their work forces engaged. The seven keys may not build love, but they will build a reasonable, repeatable, and defensible process “hook” for litigators to hang their hats on when failure occurs, and it always does.

On September 28, 2018, California became the first US state to specifically regulate the security of connected devices (otherwise known as ”Internet of Things” or “IoT devices”).

The new laws aim at increasing the security of IoT devices, whose global use is growing rapidly. Statista has estimated that in 2018 there are over 23 billion IoT devices currently in use, and this number is expected to grow to over 26 billion in 2019 (Gartner has estimated 20 billion such devices will be online by 2020). Unfortunately many IoT devices remain dangerously unprotected from cybercriminals and vulnerable to malware as they enter the market with no passwords, default passwords (think ”123”, ”admin” or even worse, ”password”) or otherwise hard-coded passwords that cannot be modified or updated. 

These concerns are not merely speculative. By way of ‘real life’ example, beginning September 2016, massive distributed denial of service (DDoS) attacks took down various US Internet infrastructure companies/DNS providers, leaving much of the Internet inaccessible on the east coast of the United States and incapacitating popular websites (including AirBnB, Amazon, Github, HBO, Netflix, Paypal, Reddit, the New York Times and Twitter, just to name a few). Originally created by three teenaged hackers, the Mirai malware responsible for the attack was specifically designed to target and infect susceptible IoT devices such as security cameras, home routers, air-quality monitors, digital video recorders and routers using a table of more than 60 common factory default usernames and passwords.  These devices were turned into a network of remotely controlled bots that were used to launch the DDoS attacks which later spread globally, impacting such diverse organizations as OVH (a large European provider), Lonestar Cell (a Liberian Telecom Operator) and Deutsche Telekom. At its peak, Mirai infected over 600,000 vulnerable IoT devices.

These two new substantially similar IoT laws (California Senate Bill 327, chapter 886 and Assembly Bill No. 1906, “Security of Connected Devices” (2018 Cal. Legis. Serv. Ch. (S.B. 327)(to be codified at Cal. Civ. Code § 1798.91.04(a)) (collectively, the “IoT Laws”) require manufacturers of connected devices to equip the device with a ”reasonable” security feature or features that meet all of the following criteria: (i) appropriate to the nature of the device; (ii) appropriate to the information it may collect, contain, or transmit; and (iii) designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure. The IoT Laws broadly define a ‘connected device’ to mean any devices or other physical object that is capable of connecting to the Internet (directly or indirectly), and that is assigned an Internet Protocol address or Bluetooth address, meaning that consumer, industrial, and other IoT devices are covered.

Additionally, if the connected device is equipped with a means for authentication outside of a local area network, either of the following requirements must be met before it shall be deemed to possess a “reasonable security feature”: (i) it must have a preprogrammed password unique to each device manufactured; or (ii) the device must contain a security feature that requires a user to generate a new means of authentication before access is granted for the first time.

The IoT Laws broadly capture “manufacturers” to include the producers of the devices themselves and those who manufacture on behalf of such organizations, connected devices that are sold or offered for sale in California. However, manufacturers are not responsible for any unaffiliated third-party software or applications that a user chooses to add to the device. Contracts with organizations or persons involving the mere purchase of connected devices or purchasing and branding a connected device are excluded. 

Manufacturers are obliged to allow users to have full control and/or access over connected devices, including the ability to modify the software or firmware running on the device at the user’s discretion. Additionally, no obligations or duties are imposed upon electronic stores, gateways, marketplaces or other means of purchasing software or applications to review or enforce compliance with these statutes.

The IoT Laws contain various exclusions and limitations. For example, they do not apply to manufacturers of connected devices that are already subject to security requirements under US federal law, regulations or the guidance of federal agencies (presumably FDA-regulated medical devices, for example). They do not prevent law enforcement agencies from continuing to obtain connected device information from a manufacturer as authorized by law or pursuant to a court of competent jurisdiction. They also do not apply to the activities of covered entities, providers of health care, business associates, health care service plans, contractors, employers, or other persons subject to the U.S. federal Health Insurance Portability and Accountability Act of 1996 (better known as HIPAA) or California’s Confidentiality of Medical Information Act.

Significantly, the IoT Laws do not provide individuals with a private right of action against non-compliant manufacturers. Only the Attorney General, a city attorney, a county counsel, or a district attorney has the authority to enforce these requirements.

The IoT Laws are scheduled to come into force on January 1, 2020.

The enactment of the IoT Laws was clearly motivated by the desire to improve the security of smart devices and mitigate security vulnerabilities that leave such devices open to cyber-attacks such as Mirai malware. By not mandating what security features are ”reasonable,” the legislation is effectively leaving it up to the manufacturer to determine whether its security features meet the three-prong test described above. Guidance from agencies such as the National Institutes for Standards and Technology (NIST) and other industry self-regulatory guidelines can help determine what will be reasonable under the circumstances (in fact NIST is currently seeking comments on its draft guidance document which includes recommendations for addressing security and privacy risks associated with IoT devices—see Draft NISTIR 8228, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks”.)(“NIST Guidance”).

The new IoT Laws are not without their flaws and skeptics. Critics charge that certain aspects of the IoT Laws are vague and ambiguous given the lack of clear standards (what does “reasonable security feature or features” mean practically?) with no way to validate that the manufacturer actually designed to those standards. While the IoT Laws may address the security threats associated with hardcoded or default passwords that are easily guessable and may force manufacturers to in turn force consumers to change their passwords before using such devices (or otherwise install unique passwords), they do not address many other security concerns or truly enhance device security. These concerns include the failure of many manufacturers to routinely update the software/firmware accompanying many IoT devices (or otherwise compel consumers to update such software/firmware if patches/upgrades are actually available) to address security and other concerns. Other pre-market security means to enhance security are also ignored (device attestation, security audits for firmware from third party providers, improvements in device access, management, and monitoring, requirements to remove unnecessary insecure features, etc.). As the NIST Guidance has noted, an IoT device may be a black box that provides little or no information on its hardware, software, and firmware or may not offer any built-in capabilities to identify and report on known vulnerabilities. And users can still deploy terrible passwords. 

However, while arguably incomplete from a security perspective, California is a large market and a standard setter for the U.S., and the IoT Laws may serve as an example for other jurisdictions to follow. Accordingly any manufacturer of an IoT device that intends to ship its products into California must start employing better security features that meet the requirements of the IoT Laws; as such the IoT Laws may be the catalyst required to nudge IoT-connected devices in the right direction to better security.

Lisa Lifshitz

Blockchain technology (or as some commentators prefer, “distributed ledger technology”) is a major technological innovation that promises to significantly alter the way we do business in several fields. Those changes, in turn, will bring new legal challenges that our laws, courts, regulatory agencies, and other institutions must address. As promising as blockchain technology is, however, it is no panacea. It can offer concrete benefits over prior approaches, but it also comes with real costs that can limit or preclude its use in some applications. To better assess the legal challenges facing existing and new applications of blockchain technology, it is important to understand the benefits and costs of the technology; that, in turn, requires at least some level of understanding what blockchain technology is.

The starting point for the technology was Satoshi Nakamoto’s release in 2008 of the white paper, Bitcoin: A Peer-to-Peer Electronic Cash System (Nakamoto was a pseudonym for the real and still-unknown authors), in which Nakamoto introduced blockchain technology for the first time along with a fully conceived platform for its use to implement digital cash.

By the time Nakamoto released his white paper in 2008, digital signatures were a well-understood feature of the mathematical field of public-key cryptography. Participants generate a key pair composed of a public key and a related private key. The public key is distributed to all participants while the private key remains secret. The relationship between the two keys is such that a message encrypted with one of the keys can only be decrypted using the other key.

In this system, a participant, Alice, can digitally sign a message by encrypting it with her private key, which only she possesses. Anyone can read the message by decrypting it with Alice’s freely available public key, but the fact that the message can successfully be decrypted using Alice’s public key proves that Alice—and only Alice—digitally signed the text with her private key because only Alice possesses that key.

Like some others before him, Nakamoto began by defining a digital coin as a chain of digital signatures, but digital signatures alone could not prevent network participants from spending the same coins more than once by signing multiple but inconsistent spending transactions—the “double-spending” problem. To prevent double-spending, the system must have some way to determine whether the sender, Alice, owns a spendable coin that has not previously been sent to someone else. Prior electronic payment systems typically solved the double-spending problem by relying on a trusted central party to keep track of all transactions. In contrast to such a centralized system, Nakamoto sought a peer-to-peer system that did not assign trusted status to a special central party.

Nakamoto reasoned that a peer-to-peer system could work if each node possessed the means to evaluate for itself the validity of the transaction. Thus, each node would have to maintain its own ledger of all transactions. This ledger—with identical copies distributed to all notes—is the blockchain. All new transactions would be distributed in blocks to all nodes, which would add them to their ledgers.

With each node maintaining its own ledger, there arose a need to ensure that the separate ledgers would remain consistent. Thus, Nakamoto needed a mechanism to achieve consensus among the nodes as to which transactions should be included and in what order. Nakamoto decided to use “proof of work” to achieve consensus on the Bitcoin network. Certain nodes—miners—would validate transaction blocks by performing a time-consuming calculation, adding proof of the successful completion of the calculation to each validated block. Then, in the event a node received inconsistent blocks to add to the chain, Nakamoto specified that nodes should select the valid blocks representing the largest amount of computational work. A proof-of-work mechanism requires a lot of computation, but it is essential to the functioning of the Bitcoin consensus system. Therefore, the system provides miners an incentive payment in the form of newly created bitcoins and transaction fees offered by the sender.

People soon realized that blockchain technology could be adapted to uses beyond Bitcoin. The first such use was to create new cryptocurrencies. Today, there are thousands of “altcoins” using blockchain technology. Beyond cryptocurrencies, many other human activities are amenable to representation in a ledger system like the one underlying Bitcoin. One obvious example is a blockchain used to keep track of assets such as real property, inventory items, and government records. The blockchains in these use cases might operate similarly to the Bitcoin blockchain, but instead of coins, they would employ coin-like tokens linked to the underlying physical assets.

Taking blockchain technology beyond Bitcoin, other developers have implemented systems that offer the ability to execute user-specified programming code on the blockchain itself. For example, the Ethereum platform begun in 2013 allows users to create complex computer code linked to transactions on a blockchain. As a result, some users speak not of submitting transactions on Ethereum, but of creating “smart contracts” (also called distributed applications, or dApps), which run on the blockchain. The availability of smart contracts in a blockchain system makes it possible to envision autonomous, distributed functioning of a number of complex activities that cannot happen today without manual control and intervention, or a centralized bureaucracy.

• Autonomous trading platforms. Smart-contract code automatically matches buyers and sellers and automatically performs trading on the blockchain in securities, commodities, or other assets.
• Supply chains. Actors at each stage of a supply chain—purchasing, manufacturing, transportation, delivery, payment—enter secure transactions into a blockchain system, and smart code automatically tracks products, initiates new orders, and allocates appropriate resources at the next stage of the chain.
• Peer-to-peer insurance. The pooling of risks, the events documenting the losses and claims, and the submission and payment of claims are represented by autonomous transactions on the blockchain.
• Organizational decision making and voting. Participants in an organization vote for new policies, investments, or candidates by recording secure transactions on a blockchain, and smart-contract code automatically tallies the results and effectuates the election results.

Although blockchain technology confers many potential advantages, its nature poses potential costs as well. Not all centralized ledgers are better replaced by distributed blockchain technology. Some of the potential advantages and disadvantages are described below. The successful use cases will be ones with a favorable balance of factors.

• Many business processes involve complex interactions among multiple individual or institutional intermediaries that are intended to serve as a check on one another. In a blockchain network, careful planning can allow cryptography and consensus mechanisms to take the place of human judgments about trust, just as they do in the Bitcoin network.
• Transparency and immutability. The basic operation of a blockchain system is the creation and addition of validated blocks to a chain of prior blocks. These blocks provide a complete record of all transactions and operations processed by the system. Cryptography insures that blockchain records, once recorded, cannot be forged or altered.
• Blockchains distribute the responsibility for storing and processing information across multiple nodes in a networked system. In doing so, they reduce the number of possible points of failure or points of attack.
• Automatic rule enforcement. The nature of blockchain systems disallows certain kinds of errors and malfeasance that in other systems might require specialized code or human intervention.
• User autonomy. Blockchain systems can allow users great autonomy in the control over their own transactions. In the Bitcoin network, for example, so long as the network continues to operate, there is no way to prevent a user from transferring bitcoins or to force an unwanted transfer without the user’s private keys.
• Performance and scalability. The features that provide blockchain technology its advantages come with performance and resource costs. Even if a blockchain system does not use the proof-of-work system of Bitcoin, blockchains frequently require significant storage, computing power, and network bandwidth. As a general matter, blockchain-based systems use more computing resources and scale less efficiently than systems based on centralized ledgers.
• Complexity, errors, and vulnerabilities. Blockchain systems can be highly complex and difficult to develop. Moreover, the design and programming of smart-contract systems utilizing blockchain systems is a separate source of complexity, and almost certain to produce significant bugs and vulnerabilities that can lead to execution flaws or vulnerabilities.
• The blockchain contains a full and detailed record of every transaction processed using the system, and the consensus mechanism of the system ensures the replication of that full record across multiple nodes of the system. These risks do not necessarily prevent the use of blockchain technology for sensitive information, but they can add complication to the design of the system.

To practice law effectively, lawyers today need a basic understanding of modern technologies, which should include the fundamentals of blockchain technology.

In depositions and trials involving non-English-speaking parties and witnesses, clients represented by bilingual counsel have the clear upper hand. The advantage a bilingual attorney has over a nonbilingual attorney cannot always be offset by the services of an interpreter at deposition or trial, given that even the most skilled interpreter can make inadvertent mistakes and, more importantly, cannot comment on material credibility indicia of non-English-speaking witnesses, such as their intonation or sarcasm, while testifying. Consider these scenarios:

A plaintiff in a deposition testifies in Spanish, but neither the plaintiff’s nor the defendant’s attorneys speak Spanish. Out of necessity, both attorneys must rely on the interpreter’s translation of the plaintiff’s testimony (particularly if the proceeding is not videotaped), although neither attorney can be sure that the translation truly captured the meaning of the testimony the plaintiff gave in Spanish. Regardless, the interpreter’s translation stands without contest and becomes the official record of the deposition or trial. Clearly missing in an even accurate, verbatim translation of the testimony is an assessment of the witness’s credibility. Neither counsel will know whether the witness used certain words in a sarcastic or skeptical tone which, if known, would have prompted counsel to seek clarification or conduct follow-up questioning.

Consider another scenario, but one in which only one of the attorneys speaks the plaintiff’s native language. For this example, assume the bilingual attorney is defense counsel in the deposition of a Spanish-speaking plaintiff. Defense counsel, as the sole bilingual attorney in the proceeding, understands the plaintiff’s testimony in Spanish and understands the interpreter’s translations of counsel’s questions and plaintiff’s answers. In this scenario, the bilingual defense counsel has the ability to effectively challenge the accuracy and completeness of the interpreter’s translations during the deposition. Plaintiff’s counsel, the nonbilingual attorney, is at a clear disadvantage, unable to challenge defense counsel’s objections to the interpreter’s translations. Worse yet, the nonbilingual attorney may not be representing the client well if he or she fails to object to inaccurate translations defense counsel did not challenge. Besides the bilingual counsel’s ability to understand the Spanish testimony and translations, the bilingual counsel has another advantage. The Spanish-speaking witness may be more candid, cooperative, or feel less anxious if the witness knows the questioning attorney is bilingual.

The effectiveness of the legal representation a client receives in litigation involving non-English-speaking parties or critical witnesses often depends on the ability of a party’s counsel to understand the non-English-speaking party in his or her native language not only to ensure that the translations are correct, but more importantly, to assess witness credibility. Counsel at a deposition or trial should not rely on an interpreter for this purpose.

Just as court reporters in trials and depositions must transcribe testimony verbatim and without injecting subjective commentary, such as a witness’s intonation or sarcasm while responding to questions, interpreters in depositions and trials involving non-English-speaking witnesses must also act in neutral capacities. Interpreters can provide only verbatim translations of questions posed and answers given at depositions and trials. Interpreters may not add their own subjective commentary to translations, such as whether in a narrative response a witness used a particular word in a sarcastic, surprised, or skeptical tone. It is the responsibility of counsel to make important credibility assessments of witnesses—whether English-speaking or not—to effectively proceed with the interrogation or defense of a witness during a deposition or trial. It goes without saying that in addition to a witness’s substantive responses, a witness’s credibility involves an assessment of intonation, sarcasm, body language, and emphasis on certain words while testifying, particularly in harassment, discrimination, and other employment-related cases. The bilingual attorney who speaks the same language as the witness can pick up on important credibility subtleties and nuances (such as sarcasm, skepticism, fear, hesitation, etc.) that are not captured in interpreters’ translations and may be missed by counsel who are not bilingual. At a trial where jurors speak the same language as a witness, a bilingual attorney is in the best position to instantly gauge juror reaction to a witness’s intonation or emphasis of certain words while testifying and adjust trial strategy as necessary.

Aside from credibility assessment considerations, the bilingual attorney has other advantages. In the heat of trial or deposition, the bilingual attorney can quickly use his or her judgment in deciding whether to: pursue alternate questioning if a witness’s intonation while testifying indicates hesitation, discomfort, sarcasm, or skepticism; let awkwardly translated answers stand to avoid disrupting the flow of questioning or wasting limited time; forgo objections to certain translations of technical words or slang because they cannot be translated with precision; question a witness about foreign-language documents produced during a deposition; conclude that although testimony was not translated verbatim, an interpreter’s translation captures the essence of a witness’s testimony; call for a break upon detecting that an interpreter is becoming bored or tired as evidenced by labored or confusing translations of questions; or object to translated questions or testimony because the translations are inaccurate or incomplete.

Counsel may opt to videotape a deposition to capture a witness’s non-English testimony and an interpreter’s translations of same. Counsel should not count on using the videotape to challenge inaccurate translations after the deposition is concluded. Aside from possibly waiving such objections because they were not made during the deposition, it may not be feasible to reopen the deposition to conduct follow-up questioning based on the witness’s actual testimony. Moreover, the deponent may attempt to use the videotape to make substantive changes to the deposition transcript based on his or her responses as reflected in the videotaped deposition.

Large percentages of employment-related litigation in the United States are brought by non-English-speaking plaintiffs, particularly in states such as California where Latinos comprise almost 40 percent of the population. Given these demographic realities and to effectively represent their clients, counsel must be prepared to address the challenges presented in depositions and trials involving non-English-speaking witnesses.

In response to increasing public attention on the small percentage of women serving on corporate boards, the California Assembly passed Senate Bill 826 (the Act). The Act requires that all public companies headquartered in California have at least one female director and, beginning in 2021, a percentage of female directors based on the size of its board. Although championed by the National Association of Women Business Owners and other activists, the Act will face legal challenges to its implementation, and its overall impact may be muted.

Background and Requirements

California’s mandate is the most recent attempt in the growing movement to increase women on corporate boards across America. The first pages of the Act offer a litany of findings outlining the current state of affairs and the widespread historical exclusion of women from corporate leadership posts. The Act reads as follows:

For companies with a market capitalization of more than $10 billion, those with women directors on boards outperformed shares of comparable businesses with all-male boards by 26 percent. . . . As of June 2017, among the 446 publicly traded companies included in the Russell 3000 index and headquartered in California, representing nearly $5 trillion in market capitalization, women directors held 566 seats, or 15.5 percent of seats, while men held 3,089 seats, or 84.5 percent of seats. . . . More than one-quarter, numbering 117, or 26 percent, of the Russell 3000 companies based in California have NO women directors serving on their boards. . . . If measures are not taken to proactively increase the numbers of women serving on corporate boards, studies have shown that it will take decades, as many as 40 or 50 years, to achieve gender parity among directors.

The Act addresses these shortcomings through a two-pronged mandate. First, any publicly held domestic or foreign corporation whose principal executive office is in California (according to its 10-K) must have one female director on its board by December 31, 2019. Second, no later than December 31, 2021, those same corporations must have at least three female directors if there are six or more board seats, or two female directors if there are five board seats. The first violation of the Act (or a failure to file the mandated disclosure information) results in a $100,000 fine; each subsequent violation is $300,000.

Champions of the Act have realized the legal challenges to come (as discussed below), but viewed its passage and signing by Governor Jerry Brown as applying much-needed pressure to accelerate the elevation of women into corporate leadership positions. In his signing statement, Governor Brown expressed a desire for firm action despite the potential obstacles to implementation, stating: “There have been numerous objections to this bill and serious legal concerns have been raised. . . . Nevertheless, recent events in Washington, D.C.—and beyond—make it crystal clear that many are not getting the message.” After highlighting that corporations have been considered “persons” since at least 1886, well before women could even vote, Governor Brown further stated, “Given all the special privileges that corporations have enjoyed for so long, it’s high time corporate boards include the people who constitute more than half the ‘persons’ in America.”

Legal Objections

Beyond policy-based objections, critics have raised at least two legal arguments against the Act: (1) it violates equal protection by facially discriminating based on sex, and (2) because it applies to companies organized outside California, it violates the dormant commerce clause and the “internal affairs doctrine,” which requires that internal company affairs be under the regulatory purview of only one jurisdiction.

Taking these complaints in turn, the 14th Amendment equal protection argument is straightforward. Any law that discriminates based on sex must survive a heightened version of intermediate scrutiny. Per Justice Ginsburg’s 1996 majority opinion in United States v. Virginia, any sex-discriminatory law must have an “exceedingly persuasive justification” and be “substantially related” to an “important” state interest. Although remedying the long-standing exclusion of women from corporate leadership is no doubt an important state interest, California may struggle to show that its chosen means are a close fit with its legitimate end goals. The Act may apply both too narrowly (to the small subset of companies that are both publicly traded and headquartered in California) and too broadly (without consideration for whether a firm has previously engaged in discriminatory conduct or whether an industry may naturally attract more men or women) to survive scrutiny.

Second, by applying the mandate to companies organized outside California (so long as the executive offices are in California), the Act imposes a burden on foreign-organized corporations beyond California’s state interest and potentially requires companies to comply with incompatible mandates from competing jurisdictions. Due to these issues, the Act’s enforceability could be judicially limited to firms that are organized and located in California. If so, the Act would apply only to a small subset of local companies—one estimate puts the number at 72—and only one of the Fortune 500. See Joseph A. Grundfest, Mandating Gender Diversity in the Corporate Boardroom: The Inevitable Failure of California’s SB 826, Rock Center for Corporate Governance at Stanford University Working Paper No. 232 (Sept. 12, 2018).

Potential Impact on Board Composition and Governance

Although the number of companies directly impacted is relatively small (enforcement may well be limited to companies both chartered and located in California), the real value is in sending a signal that may prompt other states to begin pushing for and requiring more equitable board composition. The Act may also help to add momentum to diversity efforts undertaken by investors. Before the Act was passed, CalPERS sent a letter in 2017 to certain Russell 3000 companies asking each of them to “develop and disclose its corporate board diversity policy and implementation plan to address the lack of diversity.” State Street also attracted much attention for its diversity advocacy efforts when it installed “Fearless Girl” across from the “Charging Bull” in lower Manhattan at the center of the Financial District and announced that it would be engaging with companies about the importance of diversity. BlackRock likewise announced in 2017 that it would hold nominating and governance committees accountable if they do not achieve results. Passage of the Act keeps this issue at the forefront and may encourage other investors to follow suit.

California is blazing a new trail in the United States, but European countries began adopting quotas more than a decade ago when Norway adopted a 40-percent quota and France and Italy passed similar measures. Today, the composition of the boards of Norway’s public companies includes 41 percent women, a number well above that currently achieved in the United States. Whether the United States will be able to realize similar results will depend upon whether the Act and any other similar legislative efforts will be able to overcome legal challenges that are sure to make their way through the courts.