Canadian M&A Activity Continues to Grow as Securities Regulators Remain Focused on Protecting Minority Shareholders

Notwithstanding the similarities between mergers and acquisitions (M&A) deal practice in Canada and the United States, there remain stark differences between the two M&A landscapes.

For example, whereas securities legislation and regulators in Canada tend to focus on the protection of shareholder rights and ensuring minority shareholders have a voice in change-of-control transactions, U.S. courts appear to espouse a more director-centric model, which places a much greater emphasis on the role of boards. The focus on minority shareholder rights may simply be reflective of the fact that Canadian public companies are, on average, much smaller than their U.S. counterparts and are more likely to have controlling shareholders or groups of shareholders that materially affect control. As a result, transactions are more likely to be undertaken with insiders of a Canadian public company or other related parties, which could prove detrimental to minority shareholders.

The size of M&A transactions in Canada is another significant difference. Because Canadian companies are generally smaller than U.S. companies, transaction sizes are correspondingly smaller. The middle market continues to be the bedrock of Canadian M&A activity, and although the appetite for middle-market deals in the United States is similarly robust, the vast majority of M&A transactions in Canada have deal values under CDN$250 million.

This article reviews recent trends in the Canadian M&A landscape and then highlights two regulatory developments that reflect the ongoing focus of securities regulators on the protection of the rights of minority shareholders of Canadian public companies.

M&A Trends

The overall Canadian M&A climate in the last several years has been marked by significant growth. In Q1 2017, for example, announced deals reached a five-year high: an 11 percent increase over the previous quarter and a 28 percent increase over Q1 2016. Most significant, however, is that the majority of the activity (91 percent of all transactions with reported values) came from transactions with deal values under CDN$250 million. These trends were consistent with the data for Q2 2017.

Cross-border transactions continue to account for a considerable portion of activity, with 47 percent of all transactions involving either a foreign target or a foreign buyer. Despite the relatively weaker Canadian dollar, Canadian companies saw an increase in cross-border deal flow, with 152 inbound transactions (versus 132 in Q1 2016) and 207 outbound transactions (versus 151 in Q1 2016) recorded in Q1 2017. Overall, outbound M&A continues to outpace inbound activity: Canadian firms acquiring foreign companies outnumbered foreign acquirers of Canadian companies by a factor of roughly 1.4. This is consistent with past trends, in which cross-border M&A has been weighted towards outbound investment from Canada into the United States in terms of both number and value of transactions. Indeed, the value of outbound transactions exceeded the value of inbound transactions in Q2 2017 by more than four times.

Regulation of M&A Activity

M&A activity in Canada is regulated under provincial and federal corporate laws, provincial securities laws (in each of the 10 provinces and three territories), and stock exchange rules. The two principal stock exchanges in Canada are the Toronto Stock Exchange (TSX) (senior market) and the TSX Venture Exchange (junior market). These exchanges regulate selected aspects of M&A activity.

The provincial and territorial securities regulatory authorities coordinate their activities through the Canadian Securities Administrators (CSA), a forum for developing a harmonized approach to securities regulation across the country. The CSA has developed a system of mutual reliance pursuant to which one securities regulatory authority acts as the lead authority for reviewing regulatory filings of “reporting issuers” (e.g., Canadian public companies). The Ontario Securities Commission (OSC) is generally regarded as the lead securities regulatory authority in Canada.

Changes to Take-Over Bid Legislation

On May 9, 2016, significant amendments to Canada’s take-over bid regime made by the CSA became effective. These changes provide boards of directors of target companies with significantly more time and leverage to respond to unsolicited take-over bids (or hostile tender offers as they are referred to in the United States). Under the amended regime, take-over bids required to be made to shareholders are subject to the following requirements:

1. Fifty Percent Minimum Tender Requirement. The bidder must receive tenders of more than 50 percent of the outstanding securities subject to the bid (excluding securities of the bidder and its joint actors) prior to taking up any securities.

2. Ten-Day Bid Extension. The bidder is required to extend the deposit period for a minimum of 10 days once the 50 percent minimum tender condition and all other terms and conditions of the bid are complied with or waived.

3. Bid Period of 105 Days. All take-over bids are required to remain open for a minimum of 105 days unless:

  • the target board agrees to a shorter deposit period of not less than 35 days (which reduced period will apply to all competing bids), or
  • the target company announces that it intends to effect an “alternative transaction”—effectively a friendly change-of-control transaction that is not a take-over bid (such as an arrangement), in which case all other take-over bids will be entitled to a minimum 35-day deposit period.

Despite fears that the adoption of these amendments would have a chilling effect on unsolicited take-over bid activity, in the year following the imposition of the new regime, there appears to be very little (if any) change in activity. What is clear, however, is that success for unsolicited bidders under this new regime has proven to be difficult without the eventual consent of the target board.

It will take some time to fully understand the impact of these new rules, but one of the key goals of regulators has already been achieved: litigation before the securities commissions regarding the use of poison pills in the context of unsolicited take-over bids has been nonexistent. On the other hand, securities regulators are watching closely to see whether the newfound power of target boards is used to benefit shareholders, as opposed to insiders, when bidders seek to negotiate friendly transactions.

Fairness Opinions—Impact of MI 61-101

In Canada, five provincial securities regulators have adopted a regulation referred to as Multilateral Instrument 61-101—Protection of Minority Security Holders in Special Transactions (MI 61-101). MI 61-101 seeks to mitigate risks to minority shareholders by imposing enhanced disclosure, valuation, and majority of the minority shareholder approval requirements in respect of four forms of potential conflict-of-interest transactions: (i) bids made by insiders of a company (insider bids), (ii) bids by companies to buy back their shares (issuer bids), (iii) transactions that provide for the termination of a shareholder’s interest in a company without the shareholder’s consent (business combinations), and (iv) transactions with an insider or other related party of the company (related party transactions).

On July 27, 2017, staff of the securities regulatory authorities in each of the provinces subject to MI 61-101 published Staff Notice 61-302 (the Notice), which seeks to provide interpretive guidance and clarification on MI 61-101. Most notably, the Notice contains the staff’s positions with respect to the role of special committees and fairness opinions in material conflict of interest transactions. In the Notice, “material conflict of interest transactions” refers to insider bids, issuer bids, business combinations, and related party transactions that give rise to substantive concerns as to the protection of minority shareholders.

The Notice confirms that staff review material conflict of interest transactions on a real-time basis in order to assess compliance with the requirements of MI 61-101 and to determine whether a transaction raises public interest concerns. Accordingly, staff will typically initiate a review of a transaction upon the filing of the relevant disclosure document. Where staff identify noncompliance with MI 61-101 or potential public interest concerns, they reserve the right to take enforcement action or other appropriate orders.

In addition, the Notice provides guidance regarding the active role to be played by special committees of independent directors in the context of material conflict of interest transactions. Despite acknowledging that a special committee of independent directors is only mandated by MI 61-101 in the case of insider bids, staff are of the view that a special committee is advisable for all material conflict of interest transactions. To this end, the Notice sets out staff recommendations with respect to the formation, role, and mandate of special committees. For example, staff believe that special committees should be formed prior to the negotiation of a particular transaction, composed of independent directors, and have a mandate that includes the ability to: (i) conduct or supervise negotiations, (ii) consider alternative transactions, (iii) provide or withhold recommendations, and (iv) retain independent legal and financial advice.

With respect to fairness opinions, staff believe that a special committee cannot substitute the results of a fairness opinion for its own judgment as to whether a transaction is in the best interests of shareholders. Rather, it is generally the responsibility of the board of directors and the special committee to determine whether a fairness opinion is necessary, and similarly to determine the terms and financial arrangements for the engagement of an advisor to provide a fairness opinion.

However, where a fairness opinion has been obtained in connection with a material conflict of interest transaction, the Notice indicates that the disclosure document should include:

    1. the compensation arrangement;
    2. how the compensation arrangement was taken into account;
    3. any other relationship between the financial advisor and the issuer;
    4. a clear summary of the methodology, information, and analysis underlying the opinion; and
    5. how the opinion was utilized by the board or special committee.

Following recent court decisions in Canada, there has been significant debate as to whether (i) reliance on a fairness opinion from an advisor that is paid a fee contingent on a successful outcome is appropriate, (ii) the specific amount of an advisor’s success and other fees should be disclosed (which disclosure is common in the United States), and (iii) fairness opinions should disclose the financial analysis underlying them. Although the Notice makes clear that staff expect a fairness opinion to disclose the financial analysis underlying the opinion, it did not set out any clear rules regarding the other two issues of controversy.

Over time, we would expect that fuller disclosure of fee arrangements will become the norm in Canada. On the other hand, there has been much resistance to retaining an additional advisor to provide a fairness opinion on a fixed-fee basis, particularly for middle-market or smaller transactions. Nevertheless, we expect that in contested M&A transactions, the retention of a second advisor to provide a fairness opinion on a fixed-fee basis will become more prevalent in order to provide additional protection for the transaction and insulate the board of directors. In other words, a second fixed-fee opinion in contested M&A transactions may be insurance well worth buying.

The conduct of Canadian boards in material conflict of interest transactions with respect to independent special committees and fairness opinions will no doubt evolve over the next few years due to the increasing oversight and heightened regulatory scrutiny that has been a feature of the Canadian regulatory landscape for well over a decade.

The Second Circuit’s Marblegate Decision and Third Party Legal Opinions in Debt Restructurings

Is it premature for lawyers who are asked to give closing opinions on complex debt restructurings to breathe a complete sigh of relief now that the Second Circuit’s decision in Marblegate Asset Management, LLC v. Education Management Corp., 846 F.3d 1 (2d Cir. 2017) has confirmed the narrow scope of section 316(b) of the Trust Indenture Act of 1939, as amended (TIA)?

The Second Circuit held that section 316(b) protects only bondholders’ formal legal right to the payment of principal and interest and not their practical ability to collect principal and interest, reversing a decision by the SDNY that had created great uncertainty among practitioners concerning out-of-court bond workouts. (For prior discussions of the Marblegate litigation, see “Current Opinion Practices in Connection with Section 316(b) of the Trust Indenture Act: The Marblegate and Caesars Decisions,” WGLO Addendum (Spring 2016 Legal Opinion Seminar Summaries), In Our Opinion (Summer 2016, vol. 15, no. 4) at A-8–A-10; “Opinion White Paper (§ 316(b), Trust Indenture Act),” In Our Opinion (Spring 2016, vol. 15, no. 3) at 28, and the Addendum thereto (the Opinion White Paper).) Two Marblegate funds had challenged a complex restructuring of Education Management Finance Corp. (EMFC), to which they did not consent, on the ground that it violated section 316(b), which provides that “. . . the right of any holder of any indenture security to receive payment of the principal of and interest on such indenture security . . . shall not be impaired or affected without the consent of such holder.” The district court had held that, even though the restructuring did not change the terms of the indenture, it violated section 316(b) because it completely eliminated nonconsenting bondholders’ “practical ability to receive payment.”

The Second Circuit, in a 2-1 decision, concluded that the restructuring was permissible because the transaction as a whole neither amended any “core payment terms” of the indenture (i.e., the amount of principal and interest owed or the maturity date) nor prevented the objecting bondholders from suing the issuer for payment:

To summarize, we hold that Section 316(b) of the TIA does not prohibit the [challenged restructuring] in this case. The transaction did not amend any terms of the Indenture. Nor did it prevent any dissenting bondholders from initiating suit to collect payments due on the dates specified by the Indenture. Marblegate retains its legal right to obtain payment by suing the EDM Issuer, among others. Absent changes to the Indenture’s core payment terms, however, Marblegate cannot invoke Section 316(b) to retain an ‘absolute and unconditional’ right to payment of its notes.

The majority agreed with the district court that the text of section 316(b) was ambiguous, but then looked to the legislative history and concluded that section 316(b) protects only against formal amendments of core payment terms. Judge Straub dissented because he viewed the restructuring as “annihilating” the bondholders’ rights to recover on their bonds in violation of the plain language of the statute.

The legal opinion most directly affected by Marblegate is the opinion that the transaction does not violate section 316(b). It is given most frequently to indenture trustees as part of an opinion letter confirming that the issuer has validly authorized an indenture amendment and that all conditions precedent under the indenture to execution of the amendment by the trustee have been satisfied. This is a uniform requirement in indentures, and opinion preparers have little to no flexibility to change the wording of the opinion or to add assumptions or qualifications. The lower court’s decision had extended the reach of section 316(b), whereas the Second Circuit restored the traditionally narrow interpretation, holding that it only “prohibits non-consensual amendments of core payment terms (that is, the amount of principal and interest owed, and the date of maturity) [and] bars ‘collective action clauses’—i.e., indenture provisions that authorize a majority of bondholders to approve changes to payment terms and force those changes on all bondholders.”

Although we are back to pre-Marblegate practice with respect to giving standard section 316(b) opinions to indenture trustees, those are not the only opinions that address the legality of a debt restructuring affecting the rights of holders of indenture securities. Many restructurings require opinions to: (i) lenders under existing, new, or amended loan agreements that often include as closing conditions modifications to the terms of outstanding debt, (ii) dealer-managers acting for the issuer in connection with the solicitation of consents to indenture amendments (including so-called exit consents that strip covenants and other protections out of the indenture, to the detriment of nonparticipating holders) or exchange offers in which new securities are to be issued in exchange for outstanding bonds, and (iii) typical closing opinions and negative assurance letters to underwriters or placement agents for offerings of new equity or debt securities. In practice, a complex debt restructuring often involves many different agreements and multiple steps affecting different creditors, intermediaries, and agents, where the order of the steps matters and each step builds upon prior ones. Opinions often cover due authorization, validity, receipt of all necessary consents, no breach of other agreements, and no violation of law. These issues are too interrelated for opinion preparers to consider each opinion only within its four corners; they must look at all the opinions taken together, including under the misleading-opinion rubric with respect to reliance on assumptions.

Although the Second Circuit’s opinion in Marblegate provided welcome clarity with respect to the meaning of section 316(b), the court, in dicta, cast a potential cloud over its ruling:

Limiting Section 316(b) to formal indenture amendments to core payment rights will not leave dissenting bondholders at the mercy of bondholder majorities. . . . By preserving the legal right to receive payment, we permit creditors to pursue available state and federal law remedies. . . . The foreclosure in this case may be challenged by creditors under state law. . . . [C]reditors may be able to sue the new entity [that foreclosed on the debtor’s collateral pursuant to the reorganization] under state law theories of successor liability or fraudulent conveyance. . . . We obviously take no view on the potential merit of any state law or federal law claims in the context of [the restructuring transaction] at issue here.

The Second Circuit’s dicta in Marblegate leave the door open for unhappy hold-outs in complex debt restructurings to convince a judge that the transaction violated their rights as creditors or was unlawful under state or federal law other than the TIA. Where courts will take the Second Circuit’s dicta is an open question. In May 2017, seizing upon the dicta in Marblegate, the holdouts in the EMFC restructuring shifted their focus to post-restructuring entities, demanding that the indenture trustee file a complaint asserting a claim for successor liability against those entities. Although the theories mentioned by the Marblegate court are not novel, the decision invites nonparticipating bondholders whose practical ability to recover principal and interest is impaired through out-of-court restructurings to pursue their grievances with new vigor. However, if no amendments to the indenture are needed to effect the restructuring, or any required amendments have been consented to by the requisite majority of bondholders without violating section 316(b), challenges outside the TIA to the process of foreclosure on collateral by senior creditors are likely to face the argument that they are rendered moot because the issuer itself consented to the foreclosure. Claims for successor liability or fraudulent conveyance are always a matter of fact and equity.

Many indentures include the same language as section 316(b) and therefore specify, as a matter of contract, that the right of any bondholder to receive payment of principal and interest shall not be impaired or affected without its consent. Some issuers have begun omitting this language from indentures. If an indenture is subject to the TIA, the language is automatically deemed to be part of the indenture, and issuers have no reason to include it. If an indenture is not subject to the TIA, issuers likewise have no reason to include the language, although purchasers of bonds may oppose omitting it. As practice evolves, differences in language may develop among indentures, opening the door for nonconsenting bondholders to argue that the parties intended the contract to mean something different from section 316(b).

Although the district court and the Second Circuit agreed that the language of section 316(b) is ambiguous, future courts should, to the extent that the “impair or affect” wording of an indenture tracks the text of section 316(b), interpret it the same way the Second Circuit interpreted the statute. Interpreting the TIA, the Second Circuit in Marblegate reiterated its view that boilerplate indenture provisions are to be interpreted by courts as a matter of law in the interest of uniformity of interpretation. Courts applying state contract law to the same language should feel compelled to follow the same interpretation. Precedent exists for uniform interpretation, under state contract law, of terms that have an understood technical meaning under federal or state statutes (including the UCC), even when the statute does not apply as a technical matter. Going forward, however, as noted above, some indentures may omit section 316(b) language while others will include it, or investors may succeed in pushing for different language. Under rules of evidence, the facts of the case, or state law precedent (typically New York law), courts may not feel constrained to interpret the language the same way, particularly if the words are not exactly the same. An opinion is an expression of professional judgment, as of the date of the opinion, about what the highest court of the applicable jurisdiction would hold. Assuming the opinion letter covers New York law, the opinion preparers need not extrapolate from the Second Circuit’s dicta in Marblegate that the New York Court of Appeals (New York’s highest court) would interpret language mimicking section 316(b) more broadly than section 316(b) itself as interpreted by the Second Circuit. Moreover, the non-TIA-based avenues for recourse suggested by the Second Circuit for nonparticipating bondholders are not new or novel. Therefore, opinion givers have no more reason today than before to reconsider whether they can give opinions covering no breach or default and no violation of statutes, rules, or regulations other than the TIA.

Many lawyers believe that the Second Circuit’s decision heralds a permanent return to pre-Marblegate opinion practice, because the novelty of the district court’s decision was to treat the language of section 316(b) as a far-reaching basis for challenging out-of-court debt restructurings. Those lawyers maintain that the Second Circuit definitively closed the book on attempts to interpret “impair or affect” broadly, and that its dicta did nothing more than list existing non-TIA avenues for recourse by nonparticipating bondholders. Other lawyers point out that Marblegate can be limited to its facts, and that too much ink was spilled (including in Judge Straub’s dissenting opinion) while Marblegate and other cases dealing with similar issues, such as Meehancombs Global Credit Opportunity Funds, LP v. Caesars Entertainment Corp. (Caesars I), 80 F. Supp. 3d 507 (S.D.N.Y. 2015), and BOKF, N.A. v. Caesars Entertainment Corp. (Caesars II), 144 F. Supp. 3d 459 (S.D.N.Y. 2015), wound their way to a final decision or settlement, for the book to be considered closed. If a debt restructuring involves a majority-approved amendment, nonconsenting bondholders can be expected to challenge the removal of important structural protections, such as guaranties, collateral, or waivers, through an exit consent in reliance on a collective action clause. For example, some lawyers have pointed out that subsidiary guaranties of bonds issued by the parent are separate indenture securities. In the meantime, cases based on fraudulent conveyance or the other theories pointed to by the Second Circuit’s dicta will likely increase. At a minimum, this argues for drafting the bankruptcy and equitable principles exceptions to apply generally to all opinions, not only to the enforceability opinion, which is what many opinion preparers already do and should not be a controversial step.

Debt restructurings are notoriously complex transactions where great time and attention are spent on structuring to overcome “blocking positions,” where investors at different levels in the capital stack wrestle for control, and where disclosure documents often caution about contingencies and uncertainties, including legal uncertainties, that could affect various parties adversely or cause the outcome to be different from what the letter of the transaction agreements provide. That is precisely the context in which Marblegate, Caesars I, and Caesars II arose. Against this backdrop, lawyers who are active in this segment of transactional practice should be vigilant, keep on top of evolving case law and practice, and exercise caution when giving closing opinions in complicated or controversial situations.

Cyber Risk in the Vendor Ecosystem

The past several years have demonstrated a transition from enterprise-wide cyber-risk management to ecosystem-wide cyber-risk management. In enterprise-wide cyber-risk management, each individual company protects the security of its own information assets and systems. The ecosystem approach recognizes that other parties outside of the company may increase or reduce the company’s cyber-risk exposure and attempts to manage this external risk. This article provides an overview of the vendor ecosystem, addresses cyber risk assessment, and concludes with a discussion of cyber risk mitigation by contract.

I. Overview of the Vendor Ecosystem

In evaluating the cyber risks posed by a vendor relationship, the customer (Customer) should consider the entire ecosystem of the vendor (Vendor). The Customer-Vendor relationship is not binary. Rather, the Vendor is itself a customer of other vendors and a contractor to its various subcontractors, and it may have other relationships that could affect the Vendor’s services to the Customer or the Customer’s cyber-risk exposure.

Figure A shows the Vendor’s subcontractors and service providers in the Extended Ecosystem to the left of the Vendor. To the right of the Vendor are Customer-related parties that may interface with the Vendor or its subcontractors or service providers. These include the Customer’s subcontractors, customers, and customers’ customers, as shown.

The Vendor operates downstream from its various licensors and service providers and is dependent upon these third parties to provide services to the Customer. Consider a Vendor providing licensed software (Licensed Software) in a software-as-a-service (SaaS) environment. The Vendor grants a limited license to the Customer in the Licensed Software but retains possession of the Licensed Software and operates and maintains it on the Customer’s behalf. The Vendor may own the Licensed Software but has likely licensed third-party components of it from other owners or licensors, and has licensed other software from third parties that acts in combination with the Licensed Software to provide the SaaS service to the Customer. For these types of risks, the Vendor may be limited in its ability to select or influence its upstream service providers, and in its ability to promise or pass on to the Customer the assurances and commitments, rights and remedies, and service levels it receives from its upstream providers.

The Vendor subcontracts various aspects of its operations to service providers. For example, in the SaaS context, the Licensed Software may be owned by the Vendor, but maintained and operated at a third-party data-processing center. This means that although the Customer contracts with the Vendor for the SaaS service, it may directly interface with the Vendor’s subcontractor that operates the data-processing center, or the data-processing center may otherwise have access to the Customer’s information or systems. In this context, the quality of the services and the extent of the cyber risk may be dependent upon the performance of the Vendor’s subcontractors. For the types of risk posed by the Vendor’s primary subcontractors, the Vendor may have greater bargaining power than in the upstream scenario and may be able to “flow down” certain requirements and performance standards to the subcontractors. The Vendor would be expected to have the ability to monitor and mitigate risks posed by subcontractors. Figure B shows how Vendor-related parties may be involved in providing services to the Customer.

The Customer may have obligations to its customers or its customers’ customers that may affect the Vendor services and the attendant cyber risk. Using the SaaS example, the Vendor’s subcontractor data-processing center may have access to consumer data owned by the Customer’s customers. For example, consider a Customer that offers payroll services to its customers, which involves consumer data of those customers’ employees. The Customer outsources the ACH processing of the payroll to the Vendor, and the Vendor subcontracts with a data-processing center to prepare the ACH files that make payroll payments from the accounts of the Customer’s employer customers to the accounts of their consumer employees. The responsibilities of the Customer’s customers to preserve the security of employee information will be delegated by the Customer to the Vendor, which will in turn delegate them to the subcontractor that operates the data-processing center. The cyber risks to the consumer employee information may be exacerbated at each point of access to that information.

The Customer’s subcontractors and upstream service providers may also interface with the Vendor or provide information to the Vendor or impose requirements on the Customer that would apply to the Vendor. The Customer must consider the cyber risk arising out of contacts between these third parties and the Vendor.

Figure A: Vendor Ecosystem

Figure B: Vendor-Related Parties

II. Cyber-Risk Assessment in the Vendor Ecosystem

The initial cyber-risk assessment conducted by the Customer with respect to a proposed vendor arrangement may be complicated by the web of upstream service providers and subcontractors that touch the Vendor’s or Customer’s information or systems. When the Customer’s information is classified as proprietary or confidential, the Customer should first identify all information access vectors and risk exposures posed by the vendor relationship. The next step is to identify all third parties involved in those access vectors and determine whether each is an upstream service provider or subcontractor of the Vendor, a customer or subcontractor of the Customer, or some other third party. Other third parties may include regulators, law enforcement, or other nonparties that may have access to confidential information or that may mitigate risk to the security of such information.

The information-security risk assessment regarding the third parties that operate within the Vendor ecosystem will vary depending on whether the third party is an upstream service provider or subcontractor, and on the extent to which the third party has the ability to access, modify, disclose, or exfiltrate the proprietary and confidential information of the Customer or the Vendor, or to interface with Customer or Vendor systems. These types of third parties are described in the “Extended Ecosystem” inside ring in Figure A.

Consider the SaaS context described above. If an upstream third-party component of the Licensed Software infringes an intellectual property right of another, then the Customer’s liability exposure for infringement may be heightened; if the third-party licensor does not touch the Customer’s information, however, the information-security risk may be negligible. If a subcontractor of the Vendor is understaffed, and there are delays in service but no impact on Customer information, the transactional or reputational risks to the Customer may be heightened, but not necessarily the information-security risks.

Some risks may implicate a variety of service providers. For example, again in the SaaS context, if there is a widespread power outage, the access vector (interface with the data-processing center) may not be available, but there may be no ensuing risks to the Customer information if all access is suspended. If a data-processing center loses power, however, and does not have adequate back-up capabilities and resiliency, the Customer’s information that is maintained by the data-processing center may be at risk. In order to manage this risk, the Customer would likely decide to address the Vendor’s responsibilities in the event of a power outage. Power outages are foreseeable risks that may not be managed by the Customer directly with the Vendor’s subcontractor’s power company.

Steps in this assessment include:

  • identifying the types of third parties that may access the Customer’s proprietary and confidential information (whether from the Customer directly or from another third party)
  • classifying the third party as an upstream service provider or a subcontractor of the Vendor
  • identifying the specific types of risks posed by the Vendor and each third party
  • assigning a risk level posed by the Vendor or each third party for the types of risks identified
  • determining whether third-party risk requires mitigation by the Customer and/or the Vendor

Certain third parties may require direct assessment by the Customer if an entire Vendor function (or comparable access to information or systems) is delegated to the third party. For example, in the SaaS context, the Customer may engage in due diligence of the data-processing center directly and require the Vendor by contract to monitor and manage risks posed by the center.

The outer ring of Figure A identifies possible external risk factors that may serve to mitigate the cyber risks posed by the Vendor ecosystem. These include:

  • cyber insurance coverages held by the Customer or by the Vendor that would apply to certain types of risks identified during the assessment process
  • payment system rules or regulatory oversight applicable to the Vendor regarding certain cyber risks
  • external audits (like SSAE 16 or SOC-2 audits or National Automated Clearing House Association (NACHA) audits) or certifications (like PCI compliance or ISO 27001) made of the Vendor (or the Vendor-related parties) addressing the types and levels of cyber risk

Consider again the payroll processor example above. The Customer is the payroll processor providing services to its customers by facilitating wage payments to its customers’ employees. The Customer outsources the ACH debit-origination process to the Vendor; the Vendor will be bound by the NACHA operating rules and must format payments as required by the rules. This external requirement serves to mitigate certain security risks attendant in the payment process.

Similarly, if the Vendor subcontracts with a data-processing center and the center is SOC-2 audited annually, the risk posed by the security protocols and standards observed by the center should be mitigated, or at least monitored, by the SOC-2 assessment process.

The types and levels of cyber risk to the Customer posed by the extended Vendor ecosystem in the inside ring of Figure A should be mapped to any external cyber-risk mitigants, like those set forth on the outer ring of Figure A. In that way, the Customer can quantify its level of cyber risk posed by the Vendor relationship and its ecosystem, and identify any gaps that may require additional mitigation.

Mitigation of Cyber Risk in the Vendor Ecosystem

Generally, the Customer-Vendor contract should identify which contracting party is responsible for managing the specific types of cyber risk posed by the relationship. The contract between the Vendor and the Customer should address each party’s obligations regarding the cyber risks that it poses and third parties that pose information-security risk to the other party (i.e., key third parties). The types of Vendor-related parties that should be considered are shown in Figure B and are addressed in greater detail above. The Customer’s ability to mitigate information-security risk posed by key third parties will vary depending on whether the key third party is an upstream service provider or a subcontractor of the Vendor. The ability to manage these cyber risks by contract will be further dependent on the following:

  • the terms of the Vendor’s contracts with the key third parties
  • the Vendor’s bargaining leverage with the key third parties
  • the Vendor’s ability to monitor the key third parties

In many instances, the Vendor’s contracts with key third parties may be confidential. Moreover, the Customer will not likely be a third-party beneficiary of such contracts. Therefore, it is important that these risks be addressed directly in the Vendor-Customer contract or otherwise mitigated by the Customer or the Vendor (whether through due diligence, independent monitoring, reliance on other third-party monitoring, or other practical ways to address key third-party risk).

The goal of the contract should be to mitigate cyber risks that are not otherwise mitigated or to incorporate external mitigants as part of the contract. Examples of external mitigants are shown on the outer ring of Figure A and were discussed above.

Key cyber risks identified by the Customer during the risk-assessment process should be addressed in the Vendor-Customer contract. The following types of contract terms should be considered: the imposition of specific requirements, mechanisms for the Customer to monitor whether such requirements are met, and remediation in the event of any failures by the Vendor.

The Vendor-Customer contract may require the Vendor to ensure that the Vendor and key third parties comply with general contractual standards. For example, nondisclosure agreements typically require the recipient of protected information to limit any permitted disclosures to third parties who have agreed with the recipient to adhere to confidentiality requirements at least as stringent as those set forth in the bilateral nondisclosure agreement. This approach effectively requires the recipient to contract with any permitted third parties to protect the information and may require reliance on the Vendor’s assurances that such contracts are in place.

Another approach involves imposing specific security requirements on the Vendor and requiring the Vendor to specifically “flow down” certain requirements to key third parties. This method may require the Vendor to amend its contracts to ensure that they align with the specific contractual requirements. This approach is likely more feasible with primary subcontractors. Flow-down terms could be incorporated as an exhibit or appendix to the Vendor-Customer contract.

Alternatively, the parties could agree by contract that the Vendor will require key third parties to adhere to certain laws or third-party information standards or processes, such as the NIST framework, FFIEC CAT, or ISO standards or EU Commission directives (or GDPR next year), all risk mitigants of the type identified on the outer ring of Figure A. In this approach, the contract would require the Vendor to ensure that key third parties comply with these requirements, and that any failures by key third parties trigger notice and specific remediation and liability requirements.

Yet another alternative is that the parties could rely on external certifications for or audits of the Vendor or key third parties, such as PCI compliance, SOC or ISO audits, or examinations by governmental agencies. As above, the contract would require the Vendor to comply and ensure that key third parties comply with these requirements, and that any deficiencies are reported to the Customer. The Vendor should also be required by contract to provide evidence of compliance, such as summaries or copies of such independent reports.

A key part of any contract term addressing cyber risk is the inclusion of complete, concrete requirements that may be objectively measured. “Reasonable security,” “industry standards,” and “due care” are evolving standards in this context and may be lacking depending on the level of cyber risk posed by the relationship.

Any single contract may involve a hybrid of these approaches based on the larger ecosystem. For example, in the SaaS context in which the Vendor outsources data-processing center operations, the contract could require that:

  • the subcontractor that operates the data-processing center has agreed to preserve the confidentiality of Customer information in a manner at least as stringent as the nondisclosure terms in the contract between the Vendor and the Customer;
  • the subcontractor be located in the United States (or the contract could identify the subcontractor by name and location and could provide for Customer approval or notice to the Customer in the event of any change in subcontractor or data-processing center location);
  • the subcontractor comply with all applicable law regarding the handling of Customer information (whether that be the law applicable to the information, the Customer, the Vendor, or the subcontractor);
  • specific information-security procedures that are included in the Vendor-Customer contract be flowed down to the subcontractor; and
  • the subcontractor be required to conduct annual SOC-2 compliance assessments, with concomitant reporting and remediation requirements.

In all events, the contract would include specific monitoring and reporting requirements and remedies, and the Vendor would remain primarily liable for the acts or omissions of the data-processing center.

Conclusion

The Vendor-Customer ecosystem can be quite complex. Each party will have their own subcontractors and upstream service providers. Questions to consider include the following:

  • How far into the Vendor’s ecosystem must the Customer look (Figure B)?
  • How much of the Vendor’s ecosystem must the Customer try to shore up?
  • How much negotiating power does the Customer have over the Vendor, particularly with regard to requiring changes to the other party’s third-party contracts?
  • How much bargaining leverage does the Vendor have over its key third parties?

Consider requiring the contract RFP to list all Vendor key third parties (by type if not by name) and the functions of each. The parties should consider how these risks and factors may be addressed during the RFP and contract process. For example, if there are specific flow-down terms or third-party audits that the Customer would like the Vendor and its key third parties to undertake, it may be easier to raise these specific requirements during the RFP process. At a minimum, the RFP process should require the Vendor to identify all of its upstream service providers, subcontractors, and other third parties that may have access to the Customer’s confidential and proprietary information or systems accessing or maintaining such information during the term of the contract.

The specific approach or combination of approaches that the Customer should take and the answers to the questions above will be determined by the level of risk posed by the proposed relationship and the availability of extra-contractual methods to monitor and mitigate such risk. This process requires the identification of valuable proprietary and confidential information that may be impacted, the access vectors and proposed uses of such information, and the permitted uses and disclosures by the Vendor regarding such information.

Shareholder Activism 2017: An Overview

Shareholder activism, a catalyst for change in corporate boardrooms, is on the rise. According to FactSet’s 2016 Shareholder Activism Review, there were 519 activist campaigns in 2016. Although this represents a 16-percent decrease from the 622 campaigns in 2015, it nevertheless reflected a 22-percent increase from, and the second-highest total since, 2009.

Of the total number of activist campaigns in 2016, FactSet identified 319 as “high-impact activism,” defined as campaigns in which the objective is board control, board representation, the maximization of shareholder value, or removal of officer(s)/director(s).

This year has been a robust one for activism, as evidenced by the recent Procter & Gamble proxy battle and ADP’s ongoing battle with Pershing Square Capital Management. Among the most recent high-impact activist campaigns in 2017, three are particularly notable: Elliott Management’s campaign against Arconic Inc.; Marcato Capital Management’s campaign against Buffalo Wild Wings; and Jana Partners’ campaign against Whole Foods Market, Inc.

Arconic Inc.

Arconic, a $12 billion aerospace supplier, found itself under pressure from activist investor Elliott Management Corporation, Arconic’s largest shareholder with an 11.6-percent stake, to cut costs and improve profit margins. Elliott, consistently recognized as one of the top ten activist investors in the United States by Activist Investing and FactSet, launched ten activist campaigns in 2016. The campaign against Arconic, launched in January 2017, called for the removal of the CEO due to underperformance as well as the addition of four new Elliott-backed board members.

In response, Arconic indicated that nine new board members had been added in the prior 16 months, three of whom were proposed by Elliott. Independently, the CEO resigned in April after having sent an unauthorized letter to Elliott’s founder that the board determined showed poor judgment and that Elliott deemed inappropriate.

Proxy advisers generally supported Elliott, with Institutional Shareholder Services (ISS) recommending two of Elliott’s nominees and Glass Lewis & Company endorsing all four of Elliott’s nominees.

On May 22, 2017, just three days before the scheduled Annual Meeting, Arconic and Elliott reached an agreement whereby Elliott gained three additional board seats (one of which would serve on the CEO search committee), thereby giving it major control with a total of six out of 13 seats.

Buffalo Wild Wings

Buffalo Wild Wings, a $2.3 billion restaurant chain with over 1,200 locations worldwide and with declining sales, found itself challenged by Marcato Capital Management LP. Marcato disclosed its initial 5.1-percent interest in a 13D filing on July 25, 2016. Subsequently, it expressed concerns on multiple occasions regarding Buffalo Wild Wings’ strategy and business model, specifically that the percentage of franchised stores should increase from 49 to 90 percent. On February 6, 2017, Marcato nominated four members to the board of directors. Two months later, Marcato called for the removal of the CEO.

As did Arconic, Buffalo Wild Wings noted that it had already implemented several of Marcato’s recommendations, including adding five new directors (including one of Marcato’s nominees), engaging a consulting firm, and increasing share buybacks. Not sufficient. Notwithstanding the months of discussion, unlike Arconic, a settlement was not reached prior to the annual meeting.

By May 2017, Marcato’s stake in the company stood at 9.9 percent. ISS recommended three out of Marcato’s four nominees to the board, after which shares increased six percent. Glass Lewis recommended that shareholders adopt the company’s slate of directors. At the annual meeting on June 2, 2017, the CEO announced her retirement, and shareholders voted to elect three of Marcato’s nominees, one of whom was Marcato’s founder. These seats, combined with the previously gained seat, gave Marcato control of four out of nine board seats.

On June 19, 2017, the company announced the launch of its franchise initiative with 83 restaurants in multiple locations including Canada, Pennsylvania, Texas, and Washington, DC.

Whole Foods Market Inc.

Whole Foods Market, the organic food pioneer, has seen a steady erosion in sales and a decline in shareholder value since 2013. Concerned with declining sales and a failure to remain competitive by adopting new technology and data analytics in an industry renowned for low margins, Jana Partners, LLC, Whole Foods’ second-largest shareholder with over eight percent of shares, and investment manager Neuberger Berman, with a 2.7-percent stake, independently of each other began to press the company to explore a sale in April 2017.

In May, Whole Foods announced a series of changes, including the appointment of a new CFO and a chairman of the board, as well as the appointment of five new independent directors whose tenure would be limited to a 15-year term. Ponder whether a 15-year term represents board reform, but everything is relative.

Notwithstanding these changes, Amazon.com acquired Whole Foods in June for $13.7 billion, paying $42.00 per share and driving shares up 27 percent. In July, Jana sold its total position in Whole Foods, generating a profit of approximately $300 million.

Several themes emerge from these campaigns:

1. Activism prevails. In each campaign, the activist prevailed. Elliott Management—three additional Arconic board seats and the removal of the CEO; Marcato—three additional board seats and the removal of the CEO; and Jana Partners—sale of the business to Amazon.com.

2. Prior acquiescence and adoption of recommendations will not insulate a company from further activism. Arconic, Buffalo Wild Wings, and Whole Foods Market each adopted activist recommendations governing board composition. None were sufficient to address the fundamental issues underlying the activism: business strategy and governance.

3. Activism as a catalyst for business strategy. Fundamentally, each activist (Elliott, Jana, Neuberger, and Marcato) recognized and sought to address the company’s business model. In the case of Arconic, it was Elliott’s focus on cost cutting, operational improvements, and product focus; for Buffalo Wild Wings, it was shifting the business model to decrease corporate store ownership and increase franchises; and for Whole Foods Market, it was Jana and Neuberger’s concern about the company’s failure to be more innovative by adopting new technology to maximize sales and profits. Elliott and Jana now have a controlling board interest and concentration of power that effectively allows them to drive their agenda.

4. Settlement is the preferred option. Of the three companies, Buffalo Wild Wings did not prevail in this regard. It is ultimately in a company’s best interest to settle and attempt to negotiate an agreement with an activist shareholder rather than wage a costly and protracted proxy contest. According to FactSet, in 2016, the median cost of a proxy fight, including proxy solicitation and consulting fees, was $1 million for a target company, almost 100 percent more than in 2015.

Given this landscape, as a matter of good corporate governance, companies are well advised to do the following:

1. Heed the directive of the Shareholder Director Exchange (SDX) Protocol. Established in 2014, the SDX Protocol arose out of “the shifting balance of power toward shareholders” and increased shareholder activism. From January 2010 through November 2015, shareholder interventions increased more than 100 percent. SDX, a blueprint for institutional shareholder-director engagement, recognizes that the power of communication prior, rather than subsequent, to an issue escalating into major public discourse or a proxy battle, cannot and should not be underestimated. Notwithstanding clear evidence of increased shareholder activism, PwC’s Governance Insights Center found that in its review of 100 proxy statements, only 28 percent disclosed a process for shareholder engagement. This is staggering and particularly critical for small-cap companies, given that 75 percent of activist campaigns last year involved firms with market caps less than $1 billion, with the median target company market cap being $249 million, according to FactSet.

At an absolute minimum and as a best practice, irrespective of market size, every publicly traded company should have a shareholder engagement policy that articulates who engages on what topics under which circumstances. A shareholder engagement policy will not insulate a company from investor activism; however, it is a risk mitigation tool that promotes communication.

2. Embrace and adhere to the Investor Stewardship Group (ISG) corporate governance principles. Scheduled for implementation in January 2018, the six ISG corporate principles enunciate what ISG believes “are fundamental to good corporate governance at U.S.-listed companies.” Key among these for the purposes of shareholder activism is Principle 3: Boards should be responsive to shareholders and be proactive in order to understand their perspectives.

Shareholder activism will continue to mount as investors seek to maximize shareholder value. The trend will not abate. One of the most effective strategies for companies to neutralize, but not eliminate, potential shareholder opposition is to engage strategically, thoughtfully, and consistently.

Litigators Must Be Mindful of Discovery Compliance under the Revised Federal Rules

Federal courts are now handing down firm decrees, stating that although “old habits die hard,” counsel must revise their “form” discovery responses immediately to comply with the Federal Rules of Civil Procedure. In two recent orders, courts have decried the “widespread addiction” lawyers have with the “menacing scourge” of “boilerplate” objections. Liguria Foods, Inc. v. Griffith Laboratories, Inc., 14-3041-MWB (D. Iowa Mar. 13, 2017); Fischer v. Forrest, 1:14-CV1304-PAE-AJP (S.D.N.Y. Feb. 28, 2017). Because no litigator wants to be the subject of a strongly worded discovery order, it would benefit counsel to heed these courts’ warnings. This is especially so because both make clear: “admonitions from the courts [are] not . . . enough . . . only sanctions will stop this nonsense.”

So what should counsel do? As a starting point, Rule 26 sets out the boundaries of discovery succinctly. “[T]he concepts of materiality, relevancy, and discoverability are [not] fixed,” and a party is entitled to use discovery as an “investigatory tool” to explore freely its “theories of the case . . . .” In contrast, the party subject to a discovery request cannot avoid its duty to respond through “bald assertions” of privilege or other objections. Rather, it must first object and respond to the request specifically and utilize Rule 26(c) as a last resort if the issue is pressed. Liguria Foods, at 23–27.

Within this Rule 26 paradigm, litigants should avoid a variety of discovery practices. Lawyers should immediately stop using general and “boilerplate” objections. “The key requirement in both Rules 33 and 34 is that objections require ‘specificity.’” Liguria Foods, at 28. It is “simply not enough” for attorneys to assert vague and conclusory objections to interrogatories or requests to produce without specifying “how” a particular discovery request is “deficient,” and without “articulating the particular harm” that will accrue if forced to answer. Id.; accord Fischer, at 5 (stating if a party objects that a request is “overbroad” or “unduly burdensome,” then explain: “Why is it burdensome? How is it overly broad?”).

However, even if counsel specifically explains the basis for an objection, more must still be done. Counsel must identify “whether any responsive materials are being withheld on the basis of that objection.” Fed. R. Civ. Pro. 34(b)(2)(C); 2015 Adv. Comm. Notes to Rule 34. “[S]imply stating that a response is ‘subject to’ one or more general objections does not satisfy the ‘specificity’ requirement[.] . . . [Rather,] it leaves the propounding party unclear about which of the numerous general objections is purportedly applicable as well as whether the documents or answers provided are complete . . . .” Liguria Foods, at 32–33.

In addition, privilege logs should always accompany any responses that assert a privilege. Otherwise, the objection “hamper[s], rather than facilitate[s], the timely and inexpensive determination of privilege issues.” Liguria Foods, at 31. Further, going forward, discovery responses must either (1) state that all requested documents will be produced at the time specified in the request, or (2) state another reasonable time for production “specifically . . . in the response.” Fischer, at 2–3, 5; Fed. R. Civ. Pro. 34(b)(2)(C). If “it is necessary to make the production in stages,” then “the response should specify the beginning and end dates of the production.”

So what is the take-away from these opinions? Courts simply will not tolerate these practices, no matter how entrenched or harmless they may seem to be. Remember, when objecting, “specificity” is key. “[A]n objecting party does not have the unilateral ability to dictate the scope of discovery . . . .” Liguria Foods, at 32. Thus, practitioners should remove vague and conclusory objections from their discovery toolbox altogether. Counsel must also explain the reasons underlying their objections and, if objecting to a document request, state whether documents were withheld from production. Be proactive and cooperate with opposing counsel to the extent possible. If a discovery dispute arises, “request an extension of time to respond and confer on troublesome discovery requests,” or “request an ex parte and in camera review” from the judge, “who might quickly render an opinion on whether [the request] in question [is] discoverable.” Liguria Foods, at 34. Lastly, always produce your privilege log and documents at the time your responses are due, or cooperate with opposing counsel for an extension.

Secured Parties Still Must Be Aware of Patent Rights in Goods

The U.S. Supreme Court’s May 30, 2017 decision in Impression Products, Inc. v. Lexmark International, Inc., 137 S. Ct. 1523 (2017), should provide some comfort for secured parties and the lawyers who advise them, but not too much comfort. Caution is still needed before lending against inventory manufactured pursuant to a patent, particularly if the debtor is a manufacturer.

The Lexmark case involved a claim of patent infringement against Impression. Lexmark manufactured toner cartridges. It sold some at full price and free of restrictions on resale and reuse. It sold other cartridges at a discount but subject to restrictions on resale and reuse. The restricted cartridges had a microchip that made them inoperative if they were refilled. Impression bought restricted cartridges, allegedly with knowledge of the restriction, altered or removed the microchip, and then refilled and resold the cartridges. Lexmark sued for patent infringement.

The district court had ruled that Lexmark’s initial sale exhausted its patent rights pursuant to the so-called first-sale doctrine. The Court of Appeals for the Federal Circuit reversed. It acknowledged the existence of the first-sale doctrine, but concluded that a sale made under a clearly communicated, otherwise-lawful restriction as to post-sale use or resale does not confer on the buyer—or on a subsequent purchaser with knowledge of the restriction—the authorization to engage in the use or resale that the restriction precludes. The decision created a potential problem for secured parties. A secured party is not normally bound by the debtor’s contractual promises to third parties that limit the debtor’s rights to use or sell the collateral (see U.C.C. §§ 9‑406, 9-408). The circuit court’s decision did not alter that rule, but by preserving and extending a patentee’s patent rights in goods sold to the debtor, it subjected a secured party that knew of and violated those patent rights to statutory damages and injunctive relief, even if the patentee had no provable damages under contract law (with possible treble damages for a willful violation under 35 U.S.C. § 284).

The Supreme Court, in a near unanimous decision, reversed the circuit court. In so doing, the Court adopted an expansive view of patent exhaustion: “a patentee’s decision to sell a product exhausts all of its patent rights in that item, regardless of any restrictions the patentee purports to impose,” and “[t]he purchaser and all subsequent owners are free to use or resell the product just like any other item of personal property, without fear of an infringement lawsuit.”

The Court’s decision is welcome news for secured parties that finance distributors or retailers that have purchased patented goods. Even if the patentee has imposed restrictions on the borrower’s resale of the goods, such as by limiting sales to a specified geographic area or to transactions in the ordinary course of business, the borrower would be free—as a matter of patent law, not contract law—to ignore those restrictions. More importantly, the secured party would not, when enforcing its security interest, be bound by those restrictions. Any disposition of the inventory by the secured party that did not comply with those restrictions would not violate the patentee’s patent rights because those rights will have been exhausted by the patentee’s prior sale of the goods. Moreover, the secured creditor will not be in privity of contract with the patentee, and thus, presumably will have no contract liability for breach of the restrictions.

It bears emphasizing that Lexmark does not prohibit patentees from restricting their buyers’ resale or reuse of the goods by contract. As a result, if a borrower purchases patented goods pursuant to a contract that imposes restrictions on resale or reuse, and if the borrower breaches those restrictions, the borrower might have undisclosed liabilities that will affect its creditworthiness and, indirectly, affect the likelihood of repaying the secured lender. Nevertheless, that risk is far less significant than the risk of subjecting the secured party to patent liability if it were to dispose of the goods.

Unfortunately, related but different risks survive. The Supreme Court was quite clear that the doctrine of patent exhaustion applies only when the patentee sells patented goods. It does not apply when the patentee licenses its patent rights. As a consequence, if a secured lender is financing a manufacturer, rather than a distributor or retailer, and if that manufacturer has made goods that are subject to a patent license, the secured lender must be cognizant of the restrictions imposed in the patent license. For example, a prohibition on sale in specified geographic areas or to specified types of buyers would not only limit the borrower’s ability to sell the goods, but could also apply to a disposition of the goods by the secured lender. Any unauthorized sale of the goods will expose the seller—whether the borrower or the secured lender—to liability for patent infringement.

Moreover, the risk of patent infringement exists even if the license does not impose a restriction on resale or reuse. If the borrower breaches the patent license (e.g., by failing to pay license fees), that breach might result in the termination of the license. In such a circumstance, the borrower might lose all rights to sell the goods, such that any sale would also be an infringement of the patentee’s patent rights. Unless the secured party obtains an independent right or license directly from the patentee, the secured party’s right to dispose of the goods would be subject to the same patent limitations. A security interest in goods that cannot be sold, either by the borrower or by the secured party, is not a very valuable security interest.

Finally, secured lenders and the transactional lawyers who advise them should note that the Lexmark decision does not deal with a situation in which the borrower is the owner of the patent rights. In such a case, the secured lender should consider whether it needs a security interest in the patent itself. Irrespective of whether the patent is available as collateral, the secured lender should consider having the borrower grant the secured lender, in the security agreement, a royalty-free, noncancelable license to use the patent in connection with any post-default disposition of the goods.

Cybersecurity Issues in PPP

A public/private partnership (“PPP”) is a cooperative arrangement between the public sector and the private sector for the delivery of a specific infrastructure project or service. The public and private sectors each have strengths and weaknesses relative to each other with regard to the performance of certain tasks. A PPP seeks to exploit those strengths while mitigating the weaknesses. Typically, the public sector sets out the goals and objectives for the project by defining the level, quality, and scope of the required service or project while ultimately retaining ownership and, consequently, a measure of oversight over the finished asset. The private sector brings its managerial, technical, and financial expertise to the venture and is responsible for delivering an output which satisfies the goals and objectives defined by the public sector.

Increasingly, information collected and/or created in connection with PPPs is being digitized, stored, and accessed from complex networks and information systems. This information is often targeted by cybercriminals, state-sponsored players, and “hacktivists” by way of cyber attacks that can take the form of, for example, advanced persistent threats (APTs), malware (including ransomware), denial-of-service (DoS) attacks, domain name hijacking, social engineering, and phishing campaigns. Given the involvement of a public partner, the incidence of these attacks is increasing, and thus special attention must be given to cybersecurity risks. Public partners can draw on the technology capabilities of a savvy private counterpart to effectively reduce cybersecurity risks for a PPP.

Associated Risks

Cybersecurity attacks can have a significant impact on any organization, whether it is a private proponent or the public partner. For example, attackers can steal or destroy key data, such as the organization’s intellectual property (often referred to as the “Crown Jewels”) and/or customers’ personal information, which can result in financial and reputational losses and years of litigation. Moreover, a significant cyber attack can cause operational disruption and compound financial losses. These risks are multiplied in a PPP, where data resides on the information systems of two different entities, one in the private sector and one in the public sector, making a PPP increasingly vulnerable to cyber attacks.

Concerns about the risks associated with a cyber attack on PPPs have intensified in recent years. This is in part because the information necessary to conduct business and undertake projects is increasingly digitized and stored on servers of both the public proponent and the private partner. Given the potentially high sale value of the data, the media coverage related to such attacks, and the ability of attackers to leverage an attack for political or social messaging, PPPs are frequently targeted.

In recent years, projects involving medical care, including hospitals, have been hit with cyber attacks for the purpose of extracting payment to release or unlock the system or to prevent disclosure. The nature of public activity, especially its participation in privately backed enterprise, makes it particularly prone to cyber attacks, as the consequences can be more significant and the pockets deep. In addition, public partners are increasingly concerned about protecting confidential and politically sensitive information, which makes such information more intriguing to attackers. As a result, public enterprise has been the target of the most significant cyber attacks, carried out for a variety of purposes, in the last decade, and it is unlikely that such cyber attacks will lessen over the coming years.

Safeguards

While purchasing cyber insurance coverage is becoming more common in PPP transactions, the amount and scope of the insurance maintained by the organization may not be sufficient to cover losses resulting from a cyber incident or to adequately compensate the organization for the resulting disruptions.

Increasingly, laws require organizations to implement security safeguards to protect this type of information from loss, theft, and unauthorized access, disclosure, copying, use, or modification. These safeguards can vary with the nature of the confidential information in question, with more sensitive information requiring a greater level of security. Protection mechanisms should include physical measures (including locked or restricted-access storage locations), organizational measures (including appropriate security clearances for employees and disclosure of personal information on a need-to-know basis), and technological measures (including encryption keys and passwords).

Individuals dealing with a PPP project and its proponents will want to ensure that the project fully considers (i) the adequacy of the security measures implemented in connection with the project, and (ii) the measures contemplated to mitigate the consequences of a successful cyber attack. Of course, individuals should always be cognizant of the information that they are sending over electronic media and consider if such information should be sent, particularly given the prevalence of cybersecurity attacks and the gravity of potential consequences.

Conclusion

Cybersecurity will need to be carefully addressed in PPPs where the project will involve the gathering and storing of sensitive information, whether personal information concerning private individuals or information of a public, commercial, or otherwise sensitive nature. This risk should not be ignored when consummating a PPP transaction, and adequate safeguards, such as an adequate insurance product, should be considered from the beginning to help protect all parties involved.

A Lesson from Harleysville: Proper Planning for Technology Use Can Prevent Disclosures That Lead to Waiver of Privilege

A recent decision from a federal magistrate judge in Virginia highlights the need for businesses—and their attorneys—to understand the technology their employees use and the risks associated with that technology, especially when confidential information is involved. The plaintiff in Harleysville Ins. Co. v. Holding Funeral Home, Inc., No. 1:15 cv 00057, 2017 U.S. Dist. LEXIS 18714 (W.D. Va. Feb. 9, 2017), used an online file-sharing service to exchange files with multiple users (including its counsel) at different times. Because the plaintiff did not limit access to the files by means of a password requirement or other control, opposing counsel was able to obtain the plaintiff’s confidential legal files. Describing the plaintiff’s actions as equivalent to publishing the files on the Internet, U.S. Magistrate Judge Pamela Meade Sargent held that both the attorney-client privilege and work-product doctrine had been waived. The court also sanctioned the defendant’s counsel for improperly accessing the unsecured files and not notifying opposing counsel of their privileged nature.

Notably, the Harleysville court indicated that both the plaintiff and its counsel should have recognized that the files were unprotected and acted sooner to preserve confidentiality. Indeed, an unintended disclosure like that in Harleysville is highly avoidable. With respect to file-sharing technology specifically, businesses should implement effective controls, such as password protections and file-availability time limits, to prevent unauthorized disclosure of confidential information. With respect to technology generally, businesses should adopt and enforce a comprehensive program of information-security policies, and then train employees on those policies. Law firms would also do well to adopt these practices, as they will enable attorneys to better meet their own confidentiality obligations and to identify risks in their clients’ practices.

Harleysville’s Failure to Limit Access to Files Results in Inadvertent Disclosure

In Harleysville, Harleysville Insurance Company (Harleysville) sought a declaratory judgment that it did not have to cover the claim of Holding Funeral Home, Inc. (Holding) for a 2014 funeral-home fire. An investigator for Nationwide Insurance Company (Nationwide), which owns Harleysville, uploaded a video about the fire damage to the file-sharing service of Box, Inc. (Box). On September 22, 2015, the Nationwide investigator sent an e-mail to a contact at the National Insurance Crime Bureau (NICB) with a hyperlink to the Box site. Although that e-mail contained a “confidentiality notice” indicating the e-mail contained privileged and confidential information and was subject to restrictions on its unauthorized disclosure or use, the file placed in the Box site was not password protected and was accessible by anyone who used the hyperlink.

Several months later, in April 2016, the Nationwide investigator used the same Box site to upload Harleysville’s entire claims file and Nationwide’s entire investigation file relating to the fire loss for the purposes of providing those files to Harleysville’s counsel. The investigator then sent an e-mail to Harleysville’s counsel with the same hyperlink he previously gave to the NICB contact.

In May 2016, the NICB responded to a subpoena from Holding by producing documents received from Harleysville, including the Nationwide investigator’s e-mail with the Box hyperlink. Holding’s counsel then used the hyperlink to access the Box site, which at that point contained the entire claims files of Harleysville and Nationwide. Holding’s counsel downloaded and reviewed those materials without providing any notice to Harleysville’s counsel.

Harleysville’s counsel did not discover the disclosure of the files on the Box site until October 27, 2016, after reviewing a thumb drive of discovery that Holding had produced in August 2016. In its initial review of that production, Harleysville’s counsel discovered it contained materials that were potentially privileged that the defendant had inadvertently produced. After contacting defense counsel and upon their request, Harleysville’s counsel destroyed the privileged documents that had been produced by the defense. For some reason, Harleysville’s counsel did not discover that the thumb drive also contained its own client’s claims file until late October. On November 2, 2016, Harleysville’s counsel requested that Holding’s counsel destroy its copy of the claims file, but by that time Holding and all of its counsel had reviewed the materials that were posted to Box. At some point thereafter, the plaintiff finally disabled the Box site.

Harleysville filed a motion to disqualify Holding’s counsel, arguing that defense counsel had improperly used the hyperlink to gain unauthorized access to Harleysville’s privileged materials. Holding opposed the motion, countering that Harleysville’s placement of the materials on Box, where it could be accessed by anyone, waived any claim of privilege or confidentiality. Although it conceded the files had been intentionally uploaded to Box, Harleysville argued that it had not waived privilege because it never authorized or intended disclosure of the files to anyone other than the NICB and its own counsel.

Failure to Limit Access to Files Available on the Internet Waived Privilege

Applying Virginia state law and precedent, the court found that, although Harleysville’s disclosure was inadvertent, it nonetheless waived the attorney-client privilege. The evidence showed that Harleysville failed to take “any precautions” to prevent disclosure of the information uploaded to Box. The court noted that the Nationwide employee had previously used the Box site and therefore knew or should have known that the information was unprotected. The disclosure was “vast” because the information was available to anyone who had access to the Internet. In addition, because Harleysville’s counsel used the unprotected hyperlink to access the information in April 2016, the court found that they knew or should have known the information was accessible on the Internet (but failed to take any remedial action until access to the site was finally blocked six months later). For similar reasons, the court also held that Harleysville had waived the work-product privilege under federal law.

Significantly, the court described the failure to password-protect the materials on Box as “the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it.” The court found it “hard to imag[ine] an act that would be more contrary to protecting the confidentiality of information than to post that information to the world wide web.”

As a matter of public policy, the court urged businesses to exercise caution when using “rapidly evolving” technology to share information. Because a company controls the decision on whether to use new technology, it “should be responsible for ensuring that its employees and agents understand how the technology works, and, more importantly, whether the technology allows unwanted access by others to its confidential information.”

Defense Counsel Acted Improperly by Accessing Files Despite Privilege Flags

The court also criticized the conduct of Holding’s counsel, finding they acted improperly in accessing the Harleysville materials. The court assigned significance to the fact that the e-mail that contained the Box hyperlink had included a confidentiality notice that “should have provided sufficient notice to defense counsel that the sender was asserting that the information was protected from disclosure.” According to the court, Holding’s counsel should have realized, based on the confidentiality notice in the e-mail, as well as the extent of the materials on the Box site, that the materials were subject to privilege or other protection. Accordingly, they should have notified Harleysville’s counsel and sought a determination from the court regarding privilege and other protections before using or disseminating the information. Holding’s counsel had even consulted the state bar ethics hotline about the access, undermining their claims that they believed the access was proper.

Harleysville sought disqualification of Holding’s counsel, but the court found it not warranted because substitute counsel would have access to the same information in light of the privilege/protection waiver. Instead, the appropriate sanction was for Holding’s counsel to bear Harleysville’s costs to seek the court’s ruling on the matter.

Technology Provides the Problem but Also the Solution

Although Harleysville involves the pitfalls of file-sharing services, the case offers lessons that are applicable to the use of any new technology. Simple precautions can avoid, or at least mitigate the damages from, the risks that technology poses to confidential information.

To begin with, a business would be wise to require its employees to use only technology that the company has vetted and approved. The company should consider whether the service has the security features and other criteria that the business deems appropriate in light of the sensitivity of the information at issue and the threats to it as identified by the company. Because many file-sharing services operate in the Cloud, with respect to that particular technology this may include analysis of such questions as: What security protections are utilized, and how frequently are they tested and updated? Where will the service provider store the company’s information? Who will have access to the files and under what conditions? How long will the provider retain the data? How and when are backups conducted?

In addition to requiring that employees use only a company-approved file-sharing service, the company may also determine that employees’ use should be subject to certain security controls available within the service. For example, as Harleysville demonstrates, access to confidential files should be restricted (and perhaps tracked) by requiring the authorized users to enter a password or log-in information to obtain the files. Access can be further restricted by requiring multifactor authentication by which a second user-identifying factor beyond a password is necessary to gain access.

Another potential security control is to limit access to folders within the service to persons designated as authorized users. Separate folders can be established for specific target users. As to external users, this can limit permitted users to viewing only that information to which they are intended to have access. On an internal basis, limited access can serve to enforce ethical walls and need-to-know policies within the company. As a further precaution, the business can require that confidential information be encrypted before it is placed in a file-sharing service. That way, only intended recipients who have been given both access to the folder within the file-sharing service and the encryption key can access the sensitive information.

Beyond the need for password protections, Harleysville also illustrates the risk in making files accessible for a longer period than necessary. That risk can be reduced by ensuring the online file-sharing service does not become a long-term repository for sensitive information. A business can implement policies that prescribe how long files can remain posted in a file-sharing service, or even impose settings that automatically delete files after a specified period. The person sharing the file can implement security controls within the service to limit the time the file is accessible to designated users, as well as the number of times a file can be downloaded. Some services will also permit an organization to claw back documents after having been downloaded, so that a person accessing the file has only a temporary copy of the document.
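The controls described in the preceding paragraphs (required login, a second factor, folder-level restriction, expiry, download caps, and clawing back a shared file) can be modelled as a single access decision. The following is an added example, not code from the Harleysville opinion or from Box or any other file-sharing vendor; it is a toy policy evaluator whose defaults reproduce the unprotected link in the case, and whose `hardened_link` applies the recommended settings together. All names, times, and the sample requesters are constructed for illustration.

```python
"""Added example (not from the Harleysville opinion or any vendor's API):
a toy model of share-link access controls. The ShareLink defaults are the
unprotected link from the case: anyone holding the URL can download, forever.
All identifiers and timestamps below are constructed for illustration."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class ShareLink:
    """Controls a sharer can set on a link (all optional, all off by default)."""
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    require_login: bool = False
    require_mfa: bool = False
    expires_at: Optional[float] = None      # epoch seconds; None = never expires
    max_downloads: Optional[int] = None     # None = unlimited
    downloads: int = 0
    revoked: bool = False                   # claw-back after sharing
    access_log: list = field(default_factory=list)  # tracking of who used the link


@dataclass
class Requester:
    """Whoever presents the link. Anonymous by default, like opposing counsel in the case."""
    user: str = "anonymous"
    authenticated: bool = False
    mfa_verified: bool = False


def check_access(link: ShareLink, who: Requester,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide one download request, record it, and return (allowed, reason)."""
    now = time.time() if now is None else now
    if link.revoked:
        decision = (False, "link revoked")
    elif link.expires_at is not None and now >= link.expires_at:
        decision = (False, "link expired")
    elif link.max_downloads is not None and link.downloads >= link.max_downloads:
        decision = (False, "download limit reached")
    elif link.require_login and not who.authenticated:
        decision = (False, "login required")
    elif link.require_mfa and not who.mfa_verified:
        decision = (False, "second factor required")
    else:
        link.downloads += 1
        decision = (True, "ok")
    link.access_log.append((now, who.user, decision[1]))
    return decision


def hardened_link(now: float, ttl_seconds: float = 7 * 24 * 3600,
                  max_downloads: int = 3) -> ShareLink:
    """A link with the controls the article recommends applied together."""
    return ShareLink(require_login=True, require_mfa=True,
                     expires_at=now + ttl_seconds, max_downloads=max_downloads)


def scenario() -> dict:
    """Replay the facts of the case against a bare link and a hardened one.
    Constructed times: t0 is the upload, t1 is roughly six months later."""
    t0 = 1_600_000_000.0
    t1 = t0 + 180 * 24 * 3600
    counsel = Requester("counsel", authenticated=True, mfa_verified=True)
    stranger = Requester()  # holds only the URL

    bare = ShareLink()
    hard = hardened_link(t0)
    return {
        "bare_counsel": check_access(bare, counsel, t0)[0],        # True
        "bare_stranger": check_access(bare, stranger, t1)[0],      # True: the Harleysville outcome
        "hard_counsel": check_access(hard, counsel, t0)[0],        # True
        "hard_stranger_early": check_access(hard, stranger, t0)[1],  # "login required"
        "hard_stranger_late": check_access(hard, stranger, t1)[1],   # "link expired"
        "late_counsel": check_access(hard, counsel, t1)[1],        # "link expired": even authorized users
    }


if __name__ == "__main__":
    print(scenario())
```

The order of checks matters: revocation and expiry are evaluated before the requester's identity, so a clawed-back or stale link is dead even for the people it was originally meant for, which is the behaviour the time-limit recommendation above is aiming at.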

Policies and Training Are Also Important in Data Protection

Although technology is certainly an important component of a company’s overall data-protection program, having effective policies in place is another key element. A company should strive to have a comprehensive scheme of policies that is tailored to address its specific needs in terms of protecting confidential information. Depending upon the company’s goals and the categories of information at issue, the policies may address such matters as limiting access to information based upon an employee’s need to know for his or her job role, mobile-device use and bring-your-own-device programs, remote network access, secure destruction of data kept in electronic and paper format, and monitoring of employee activity within the company’s network (including infiltration and exfiltration of data to and from the network and via other technology platforms, such as file-sharing services).

However, it does little good to adopt policies if the company does nothing to enforce them. A strong first step toward enforcement is education. Employees must be trained on the company’s policies. Ideally, this will be accomplished through a company-wide program that provides security-awareness training for employees at all levels of the company, from the executive suite to the lowest-ranking staff. A company may find it is effective to have different types of events and outreach, from in-person presentations by outside consultants, to e-mails with information-security tips, to online training exercises. It is also important that employees know who to contact with questions or concerns about policies and information protection. The goal is to ensure that employees know how the company expects them to handle confidential information and to enable them to identify and respond appropriately to matters that threaten the preservation of confidentiality.

Technology controls and security training could have gone a long way toward avoiding the Harleysville scenario. The opinion did not discuss whether the Nationwide employee was authorized to use Box as a file-sharing service, with or without password protections or other controls. Nor did it discuss the Nationwide employee’s previous use of Box in detail, although the court assumed that his previous use meant he was familiar with the site and the features available to protect information on it. That may have been true (or not), depending on how often he utilized the site and how frequently it underwent updates that changed its features. In any event, the opinion suggests there were less than adequate controls and training in place. In addition, the waiver of privilege surely has a detrimental effect on Harleysville’s success in the underlying coverage litigation, but a company could find itself in a worse position if the information improperly disclosed by an employee includes that of third parties who have entrusted it with their sensitive or legally protected information. In that instance, the company may find itself having to comply with federal or state laws that require notification when certain personally identifiable information is disclosed and potentially may face litigation over the disclosure.

Harleysville informs us that law firms likewise would do well to employ technology controls and training programs. The court indicated that plaintiff’s counsel should have realized the unprotected status of its client’s files because counsel itself used the unprotected link to access the files. In doing so, the court struck at the heart of an attorney’s ethical obligation of competency, which as adopted in most states includes having knowledge concerning the risks and benefits of relevant technology. Unless Harleysville’s attorneys had previous exposure to file-sharing services and their features, the attorneys likely would not have appreciated that access controls were not in place. Likewise, if the attorneys had a subordinate employee (such as a paralegal) access the files, the attorneys would be dependent on the subordinate to realize the risk to confidentiality and raise it with the supervising attorney. A firm-wide training program could help both attorneys and staff develop their technology competence and skills in spotting vulnerabilities that threaten the confidentiality of their clients’ sensitive information.

The Harleysville court afforded great significance to the confidentiality notice in the e-mail that was used to initially forward the Box hyperlink, but the case demonstrates how ineffective that type of notice is for protecting sensitive information. It is common for businesses (attorneys especially) to include a confidentiality notice at the bottom of their e-mails. Typically, such notices are boilerplate, automatically appended at the very end of an e-mail, following the confidential message they are meant to protect, and often ignored as part of the “wallpaper effect.” Technology provides much more effective methods for protecting confidential information, such as password protection and encryption. As a lesson from Harleysville, businesses and attorneys would be well served to educate themselves about those alternatives and the pitfalls of and best practices for using them.

Supreme Court Restores Order to Bankruptcy Claims Process

Bankruptcy law is provided for in the U.S. Constitution under Article I, Section 8, Clause 4 and has existed in some form or another since the Bankruptcy Act of 1800. See Cent. Va. Cmty. College v. Katz, 546 U.S. 356, 370 (2006). Its primary purpose has long been to “relieve the honest debtor from the weight of oppressive indebtedness and permit him to start afresh free from the obligations and responsibilities consequent upon business misfortunes.” Local Loan Co. v. Hunt, 292 U.S. 234, 244 (1934). In the context of a Chapter 13 case, it furthers the fundamental purposes of the Bankruptcy Code system to adjudicate and conciliate all claims with respect to a debtor in her bankruptcy case. Universal Am. Mort. Co. v. Bateman (In re Bateman), 331 F.3d 821, 828, n.6 (11th Cir. 2003).

The Bankruptcy Code provides an incredibly broad definition of “claim,” which includes a “right to payment whether or not such right is reduced to judgment, liquidated, unliquidated, fixed, contingent, matured, unmatured, disputed, undisputed, legal, equitable, secured, or unsecured.” 11 U.S.C. § 101(5). The breadth of this definition is intentional. 11 U.S.C. § 101(5) and 1978 Legislative History (“By this broadest possible definition . . . , the bill contemplates that all legal obligations of the debtor, no matter how remote or contingent, will be able to be dealt with in the bankruptcy case.” H.R. Rep. No. 595, 95th Cong., 1st Sess. 309 (1977), S. Rep. No. 989, 95th Cong., 2d Sess. 21–22 (1978), as reprinted in 1978 U.S.C.C.A.N. 5787 at 5807–08 and 6266).

The Fair Debt Collection Practices Act (FDCPA) was enacted in 1977 due to “abundant evidence of the use of abusive, deceptive, and unfair debt collection practices by many debt collectors [that] contribute to the number of personal bankruptcies . . . .” 15 U.S.C. § 1692(a). Congress made its purpose in enacting the FDCPA explicit: “to eliminate abusive debt collection practices by debt collectors, to insure that those debt collectors who refrain from using abusive debt collection practices are not competitively disadvantaged, and to promote consistent State action to protect consumers against debt collection abuses.” Owen v. I.C. Sys., Inc., 629 F.3d 1263, 1270 (11th Cir. 2011) (quoting 15 U.S.C. § 1692(e)).

For many years both the Bankruptcy Code and the FDCPA existed peacefully in separate jurisdictions. Attempts to inject FDCPA claims into bankruptcy cases were rare, and when attempted were often rejected by the bankruptcy courts themselves. Back in 2001, the Ninth Circuit Court of Appeals held that an FDCPA claim based upon an alleged violation of section 524 of the Bankruptcy Code was precluded by the Code itself because “while the FDCPA’s purpose is to avoid bankruptcy, if bankruptcy nevertheless occurs, the debtor’s protection and remedy remain under the Bankruptcy Code.” Walls v. Wells Fargo Bank, N.A., 276 F.3d 502, 510 (9th Cir. 2001). Several years later, the Bankruptcy Appellate Panel for the Ninth Circuit specifically held that the Bankruptcy Code precludes application of the FDCPA in the bankruptcy claims process. B-Real, LLC v. Chaussee (In re Chaussee), 399 B.R. 225 (9th Cir. B.A.P. 2008). Specifically, the panel found that “in our opinion, the debt validation provisions required by FDCPA clearly conflict with the claims processing procedures contemplated by the Code and Rules. Simply put, we find that the provisions of both statutes cannot compatibly operate.” The Second Circuit expanded on this reasoning in Simmons v. Roundup Funding, LLC, 622 F.3d 93, 96 (2d Cir. 2010) when it held that “the FDCPA is designed to protect defenseless debtors and to give them remedies against abuse by creditors. There is no need to protect debtors who are already under the protection of the bankruptcy court, and there is no need to supplement the remedies afforded by bankruptcy itself.”

Simmons and Walls were rather broad in their preclusion of all FDCPA claims in bankruptcy cases, whereas other circuits began to take a more analytical approach to whether there was a conflict between the portion of the Bankruptcy Code at issue and the FDCPA provision at issue. See, for example, Randolph v. IMBS, Inc., 368 F.3d 726 (7th Cir. 2004) and Simon v. FIA Card Servs., N.A., 732 F.3d 259 (3d Cir. 2013). Although the Third and Seventh Circuits would permit FDCPA claims under certain situations, one thing remained constant: no court would permit an FDCPA claim based upon the filing of a proof of claim. See also Owens v. LVNV Funding, LLC, 832 F.3d 726 (7th Cir. 2016); DuBois v. Atlas Acquisitions, LLC, 834 F.3d 522 (4th Cir. 2016); Nelson v. Midland Credit Mgmt. Inc., 828 F.3d 749 (8th Cir. 2016).

That all changed with Crawford v. LVNV Funding, LLC, 758 F.3d 1254 (11th Cir. 2014). According to the Eleventh Circuit, “A deluge [had] swept through U.S. Bankruptcy courts of late. Consumer debt buyers—armed with hundreds of delinquent accounts purchased from creditors—are filing proofs of claim on debts deemed unenforceable under state statutes of limitations.” Unlike cases before it, Crawford likened the filing of a proof of claim to the filing of a lawsuit. Crawford reasoned that because the filing of a lawsuit on a debt that was beyond the statute of limitations violated the FDCPA, so too would the filing of a proof of claim on that same debt.

After Crawford, a new deluge swept through U.S. bankruptcy courts, but the new deluge was that of debtors’ attorneys filing FDCPA complaints against debt collectors for filing proofs of claim on debts that were subject to a statute-of-limitations defense. The Crawford case itself did not make it to the U.S. Supreme Court and, ironically, was ultimately dismissed on summary judgment because Crawford’s own FDCPA claim was barred by the one-year statute of limitations set forth in the FDCPA. One of the cases in the new deluge was Johnson v. Midland Funding, LLC, 823 F.3d 1334, 1336 (11th Cir. 2016), another case from the Eleventh Circuit. As in Crawford before it, the bankruptcy court and district court held that the filing of the proof of claim did not violate the FDCPA, and the Eleventh Circuit reversed. However, unlike Crawford, Midland specifically addressed the argument whether there was an irreconcilable conflict between the FDCPA and the Bankruptcy Code’s claim-filing process.

Writing for a 5–3 majority, Justice Breyer closed Pandora’s box and ended the new deluge almost three years after it began. Taking a practical approach, Justice Breyer examined the purposes of the FDCPA and what it intends to prevent: “false, deceptive, or misleading” statements and “unfair or unconscionable” collection practices. Midland Funding, LLC v. Johnson, 137 S. Ct. 1407, 1410–11 (2017). The court reasoned that a proof of claim cannot be false, deceptive, or misleading if, on its face, it indicates that the relevant statute of limitations has run. Given that a claim under the Bankruptcy Code is a “right to payment” which is determined by state law, the expiration of the statute of limitations did not extinguish the debt—the creditor still has a right to payment. The court rejected the debtor’s attempt to read the word “enforceable” into the definition of “claim,” noting that the word does not appear anywhere in the statutory definition. Rather, consistent with the text of the statute itself, the opinion notes that the definition of “claim” is extremely broad and even includes disputed claims.

Moving on to the unfair or unconscionable claims, the majority examined the purpose of a bankruptcy proceeding filed by the debtor and distinguished it from a collection lawsuit filed by a creditor, reasoning that the “features of a Chapter 13 bankruptcy proceeding make it considerably more likely that an effort to collect upon a stale claim in bankruptcy will be met with resistance, objection, and disallowance.” The court also rejected Johnson’s attempt to transfer the statutory burdens set forth in the claims process, noting that untimeliness is an affirmative defense. Ultimately, the majority determined that the differing purposes of the Bankruptcy Code and the FDCPA were at odds here, and applying the FDCPA would upset the “delicate balance” between the two. In the end, because Chapter 13 trustees and debtors have always had the burden to examine claims for potential defenses, the Supreme Court was not willing to try to craft a new exception to those well-established rules.

Unlike the majority, Justice Sotomayor’s dissent likened the filing of a proof of claim to the filing of a lawsuit. After spending a considerable amount of time discussing the debt-buying process in general, the dissent also disagreed with the majority’s holding that the Chapter 13 trustee and the process itself will provide adequate protection to the debtor. Given the lengthy introduction, it appears that the dissent’s issue lies not only with the filing of proofs of claim for the older debts, but also with their collection at all. This, too, represents a fundamental disagreement between the two opinions, given that the majority views the filing of the proof of claim as a part of the process to discharge debts, whereas the dissent views it as an end run around a forbidden practice.

In the end, the majority held that “filing a proof of claim that is obviously time barred is not a false, deceptive, misleading, unfair, or unconscionable debt collection practice within the meaning of the FDCPA.” This opinion restores order among the circuits and requires the Eleventh Circuit to fall in line with the Second, Third, Fourth, Seventh, Eighth, and Ninth Circuits when it comes to the application of the FDCPA to proofs of claim. One thing that the majority did not do, however, was issue a broad holding that the FDCPA simply does not apply to bankruptcy cases, as the Ninth Circuit did in Walls or the Second Circuit in Simmons. On the other hand, the majority also did not necessarily endorse the irreconcilable-conflict analysis, as the Seventh Circuit did in Randolph or the Third Circuit in Simon. Nevertheless, the Midland opinion is obviously a welcome respite from the deluge for debt buyers and debt collectors.

Blockchain: Tapping Its Potential and Insuring Against Its Risks

Blockchain is the distributed ledger technology (DLT) behind Bitcoin, Ethereum, and other cryptocurrencies. Blockchain is widely believed to be a game-changing trend for global business across sectors. Blockchain has been described by the creator of Bitcoin as a “peer-to-peer network using proof-of-work to record a public history of transactions” and by Forbes as “a distributed and immutable (write once and read only) record of digital events that is shared peer to peer between different parties (networked database systems).” In other words, blockchain is a record of peer-to-peer (P2P) digital transactions grouped into blocks by a decentralized network of computers. Each transaction is time-stamped, encrypted, and linked to its preceding block, creating a “blockchain.” Each new block added to the chain must be validated by a consensus among the network of participants.

“Disruptive” Potential of Blockchain

The potential disruptive uses of blockchain technology in the marketplace have been compared to that of the Internet. The possibilities of blockchain are said to be endless across all industries, including fintech, health care, analytics, retail, energy, manned and unmanned vehicles, insurance, and the sharing economy. Over time, corporations using blockchain combined with artificial intelligence (AI) and the Internet of Things (IoT) will likely be able to better integrate their business partners and suppliers into the network, giving them a complete view of the supply chain and enabling them to conduct all transactions inexpensively, transparently, and securely through blockchain.

In June, a number of international banks selected a multinational technology company to use blockchain technology to build an international trading system called Digital Trade Chain. According to an Accenture and McLagan report, blockchain may “reduce infrastructure costs for eight of the world’s 10 largest investment banks by an average of 30 percent, translating to $8 billion to $12 billion in annual cost savings for those banks.”

A major automobile manufacturer has partnered with MIT’s Media Lab and others to identify the uses of blockchain technology in the automobile industry. A global retailer teamed up with a multinational technology company and recently announced the results of a test using blockchain technology in which it traced a food product from farm to shelf in seconds, as compared to the days-long process without blockchain technology.

The Blockchain Insurance Industry Initiative B3i, which includes global banks and financial services companies, is exploring the application of blockchain technology in the insurance sector. In June, a major insurer and a major multinational technology company announced a successful pilot program of a blockchain-powered “smart insurance policy.” Such smart insurance policies would be designed to execute the contract terms when specified conditions are met, provide for data continuity, trace the origin of a risk, and reduce fraud, among other benefits. In addition, numerous startups are marketing their blockchain-based platform to health care companies.

Security of Blockchain?

Because changes to a blockchain are displayed in real time and no central user controls the record, blockchain is said to be much less susceptible to hacking than a traditional database. For instance, if hackers wanted to modify information in a blockchain, they would first need to hack into both the specific block and all of the preceding and ensuing blocks in the blockchain across every ledger in the network at the same time. Because consensus among the network participants is required, the hackers’ change would likely be rejected, because it would conflict with the other ledger entries on the network. Many observers believe this leads to an unparalleled level of security.
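The two properties described above (each block is linked to its predecessor by a hash, and the network rejects a ledger that disagrees with the majority) can be shown in a few dozen lines. The following is an added illustration written for this article, not code from Bitcoin or any product mentioned here; it models a ledger as a list of hash-linked blocks, with no proof-of-work and no Merkle tree, and the records, timestamps and replica counts are constructed sample values. It shows why editing one record without recomputing hashes is detected at that block, why recomputing only that block’s hash is detected at the next block, and why even a full local rewrite (every later hash recomputed) is still rejected once the tip hash is compared with the other copies of the ledger.

```python
import hashlib
import json
from collections import Counter
from dataclasses import dataclass, asdict
from typing import List, Optional

GENESIS_PREV = "0" * 64  # the first block links to an all-zero "previous hash"


@dataclass
class Block:
    index: int
    timestamp: int   # constructed fixed values keep the example deterministic
    data: str        # one transaction record; a real chain batches many per block
    prev_hash: str   # hash of the preceding block: this is the "link" in the chain
    hash: str = ""

    def compute_hash(self) -> str:
        # Hash every field except the stored hash itself, in a canonical encoding.
        payload = json.dumps(
            {"index": self.index, "timestamp": self.timestamp,
             "data": self.data, "prev_hash": self.prev_hash},
            sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(records: List[str], start_time: int = 1_500_000_000) -> List[Block]:
    """Build a chain in which each block commits to the hash of the block before it."""
    chain: List[Block] = []
    prev = GENESIS_PREV
    for i, rec in enumerate(records):
        blk = Block(i, start_time + i * 600, rec, prev)
        blk.hash = blk.compute_hash()
        chain.append(blk)
        prev = blk.hash
    return chain


def first_invalid_block(chain: List[Block]) -> Optional[int]:
    """Index of the first block whose stored hash or back-link is wrong; None if intact."""
    for i, blk in enumerate(chain):
        if blk.hash != blk.compute_hash():          # block contents no longer match its hash
            return i
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1].hash
        if blk.prev_hash != expected_prev:          # link to the previous block is broken
            return i
    return None


def tamper(chain: List[Block], index: int, new_data: str, rehash: str = "none") -> List[Block]:
    """Return a copy of `chain` with the record in block `index` edited.

    rehash="none":  edit the data only
    rehash="block": also recompute that block's own hash
    rehash="chain": recompute that block and every later block (a full local rewrite)
    """
    copy = [Block(**asdict(b)) for b in chain]
    copy[index].data = new_data
    if rehash == "block":
        copy[index].hash = copy[index].compute_hash()
    elif rehash == "chain":
        for i in range(index, len(copy)):
            copy[i].prev_hash = GENESIS_PREV if i == 0 else copy[i - 1].hash
            copy[i].hash = copy[i].compute_hash()
    return copy


def majority_tip(replicas: List[List[Block]]) -> Optional[str]:
    """Stand-in for consensus: the tip hash that a strict majority of replicas agree on.

    Returns None when no strict majority exists (a split view, such as a fork).
    """
    tips = Counter(r[-1].hash for r in replicas)
    tip, votes = tips.most_common(1)[0]
    return tip if votes * 2 > len(replicas) else None


if __name__ == "__main__":
    # Constructed sample ledger: three honest replicas and one locally rewritten copy.
    honest = build_chain(["alice pays bob 5", "bob pays carol 2", "carol pays dave 1"])
    print("intact chain, first invalid block:", first_invalid_block(honest))
    print("edit only:", first_invalid_block(tamper(honest, 1, "bob pays carol 200")))
    print("edit + rehash block:", first_invalid_block(tamper(honest, 1, "bob pays carol 200", "block")))
    rewritten = tamper(honest, 1, "bob pays carol 200", "chain")
    print("full rewrite passes local check:", first_invalid_block(rewritten) is None)
    print("majority rejects rewritten tip:", majority_tip([honest, honest, honest, rewritten]) == honest[-1].hash)
```

The local checks in `first_invalid_block` are what a single node can do on its own copy; they catch sloppy edits but not a complete rewrite of the tail of the ledger. The comparison in `majority_tip` is the part that depends on the network: a rewritten copy is internally consistent yet ends in a different tip hash than the other replicas, so it is outvoted. The same function returns None when the replicas are evenly split, which is the situation the next section describes as a fork.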

However, blockchain technology, like the Internet before it, will likely lead to unforeseen risks and exposures. For example, in 2013, Mt. Gox, a Bitcoin exchange handling 70 percent of all Bitcoin transactions at the time, suffered a technical glitch resulting in Bitcoin’s temporarily shedding a quarter of its value. That technical glitch was a fork in the blockchain, which resulted from the use of differing versions of the Bitcoin software. In 2015, Interpol identified an opening in blockchain used for cryptocurrencies that hackers could exploit to transfer malware to computers. In addition, blockchain is only as secure as its entry points. If the access systems used for blockchain are vulnerable to attack, the technology’s security may be undermined. In sum, blockchain is not risk-free and may not be hacker-proof. Given the value and potential high profile of transactions that may take place using blockchain technology, hackers will have incentives to invent new ways of using the technology for malicious purposes despite its protections.

Insuring the Blockchain

Because blockchain technology is not risk-free, companies should consider how their insurance policies, especially their cyber insurance policies, can protect against risks arising out of the use of blockchain technology—and whether they include provisions that could be used to deny coverage for claims with a connection to blockchain technology. For instance, one insurer’s cyber insurance policy form insures against disclosure of personally identifying information that results from unauthorized access into a system owned by either (a) an insured; or (b) “an organization that is authorized by an Insured through a written agreement to process, hold or store Records for an Insured.” Because blockchain is peer-to-peer, the insurer may argue it is not owned by any insured or any other “organization.” Thus, a policyholder experiencing losses due to the disclosure of personally identifying information arising out of the use of blockchain technology may face a coverage dispute with its insurer.

As another example, a second cyber insurance policy form provides coverage for the “failure or violation of the security of a Computer System,” and defines “Computer System” to include “cloud computing” and “other hosted resources operated by a third-party service provider.” It is not clear whether the insurer would consider blockchain technology to fall within this definition, particularly because blockchains are peer-to-peer networks not operated by a central administrator. Policyholders also should review exclusions in cyber policies carefully, including those for accessing unsecured websites, self-inflicted losses, terrorism, and others.

Finally, policyholders should consider whether coverage for blockchain-related risks remains available under their traditional policies, such as technology professional liability policies, commercial crime policies, and specialty coverage forms. They should specifically review cyber, computer or technology, and data-related exclusions.

Conclusion

As the use of blockchain technology grows, cyber policies will adapt and begin to incorporate language addressing blockchain technology. However, the complexity of the technology, the lack of understanding of it, and the scarcity of data about its use may impede the development of the market for insurance covering operations or transactions involving blockchain. Nonetheless, as insurers increasingly conduct blockchain scenario analyses, follow developments in blockchain and related technologies, and improve their own understanding and analysis of blockchain’s risks, policyholders can expect them to offer new policies covering such risks. In the meantime, policyholders looking to conduct business using or involving blockchain should consider consulting experienced coverage counsel and carefully reviewing the policies they buy to ensure that those policies provide the insurance protection they need.