The Importance of Cybersecurity Due Diligence in M&A Transactions

Most enterprises today are almost totally dependent on digital data and network systems. Virtually all of a company’s daily transactions and all of its key records are created, used, communicated, and stored in electronic form using networked computer technology. This has provided companies with tremendous economic benefits, including significantly reduced costs and increased productivity. However, the resulting dependence on electronic records and a networked computer infrastructure also creates significant potential vulnerabilities that can result in major harm to the business and its stakeholders in the event of a security breach.

Accordingly, in the context of an M&A transaction, it is critical to understand the nature and significance of the target’s vulnerabilities, the potential scope of the damage that may occur (or that already has occurred) in the event of a breach, and the extent and effectiveness of the cyber defenses the target business has put in place to protect itself. An appropriate evaluation of these issues could, quite literally, have a major impact on the value the acquirer places on the target company and on the way it structures the deal.

As recent security incidents have made clear, intruders can operate from anywhere in the world, and by stealing, changing, or destroying critical corporate information, or exploiting access to a company’s systems to harm and disrupt its operations, they have been able to inflict significant damage on numerous businesses. No enterprise is immune from cyberattacks; none are impregnable. Virtually all enterprises have been breached and have had at least some of their sensitive information compromised.

In FY 2006, federal agencies reported 5,503 information security incidents to the U.S. Computer Emergency Readiness Team (US-CERT). In FY 2014, the reported incidents totaled 67,168—an increase of 1,121 percent. Given that corporations are loath to report cybersecurity breaches and may not detect successful incidents, the number of reported incidents probably represents only the “tip of the iceberg” of cyber attacks and intrusions.

Over the past three years, the consequences to organizations affected by such security breaches have been significant, and in some cases near catastrophic. One need only consider the injury suffered by organizations such as Target, Home Depot, Sony, and Yahoo!, or by victims of the recent “Petya” ransomware attacks such as Federal Express, DLA Piper, and A.P. Moller Maersk, to realize the significance of such events.

It should be critically important to a prospective acquirer of a target enterprise to understand and evaluate the extent to which the enterprise is vulnerable to a cyber attack. Equally important, an acquirer must know whether the target may have experienced an attack that compromised its high-value digital assets without management’s awareness or clear comprehension of the severity of harm to critical corporate information and IP assets. Otherwise, the acquirer in an M&A transaction is at risk of buying the cyber vulnerability of the target company and assuming the damage and liability from incidents it suffers. In short, it will not comprehend the potentially devalued nature of the assets it is acquiring, nor the magnitude of liabilities it may incur at closing.

Cyber Threats to M&A Deals

M&A practice may at times overlook the significance of the cybersecurity risks facing target enterprises, including the risk that cyber attacks could already be devaluing the digital assets of a target without the target’s awareness and without the acquirer’s knowledge. By December 2014, such risks had become widely reported, as demonstrated by the following bleak recap by Nicole Perlroth in The New York Times:

In the last two years, breaches have hit the White House, the State Department, the top federal intelligence agency, the largest American bank, the top hospital operator, energy companies, retailers, and even the Postal Service. In nearly every case, by the time the victims noticed that hackers were inside their systems, their most sensitive government secrets, trade secrets and customer data had already left the building. . . . But the value [of stolen credit cards during this period] . . . which trade freely in underground criminal markets, is eclipsed by the value of the intellectual property that has been siphoned out of the United States corporations, universities and research groups by hackers in China—so much so that security experts now say there are only two types of companies left in the United States: those that have been hacked and those that do not yet know they have been hacked. . . . Most large organizations have come to the painful recognition that they are already in some state of break-in today.

Most recently, numerous businesses, organizations, and governments found their digital data imperiled by a world-wide dispersal of two waves of malware. The first wave, a ransomware attack dubbed “WannaCry,” began on May 12, 2017. Globally, it infected “230,000 computers in 48 hours,” locking down the computers it infected, and encrypting and rendering inaccessible all of their stored data. The WannaCry worm caused kinetic effects—“paralyzing hospitals, disrupting transport networks, and immobilizing businesses.” WannaCry should make people treat cyber-crime seriously, The Economist, May 20, 2017.

The second wave of malware, called “Petya,” began on June 27, 2017, and severely disrupted operations of “some of the world’s largest companies, including WPP, Rosneft, Merck, . . . AP Moller-Maersk[,] . . . Saint-Gobain and the DLA Piper law firm.” Global groups hit by fresh ransomware cyber attack, Fin. Times, June 28, 2017, at 11. For example, one day into the Petya attack, integrated global transport and logistics company A.P. Moller-Maersk “tweeted” on June 27, 2017, that the malware had brought down its “IT systems . . . across multiple sites and select business units.” By the second day, Maersk had “shuttered many of its ports around the world.”

WannaCry and Petya vividly demonstrated the vulnerability of many companies to a crippling cyber attack, and the experience of Target Corp. provides insight into the costs of a major breach. In 2014, Target Corp. experienced a breach of its networks affecting 40 million credit- and debit-card numbers and personally identifiable information for up to 70 million individuals. The remediation costs had a material impact on the company. Target eventually reported that it “incurred $252 million of cumulative Data Breach-related expenses, partially offset by $90 million of expected insurance recoveries, for net cumulative expenses of $162 million.”

Despite the ubiquity of cyber incidents, and the cost and disruptive impact of cyberattacks, such risks appear to remain “below the radar,” underestimated, or belatedly addressed in many M&A deals. Yet with the value of so many enterprises dependent upon the condition of their high-value digital assets, and with so many of those assets vulnerable to cyber attack, consideration of adding a cybersecurity due diligence review would seem a good and prudent precaution at the start of any proposed M&A deal.

Illuminating the Impact of Cyber Incidents on M&A Deals

The cybersecurity experiences of two companies involved in recent M&A transactions demonstrate the critical importance of cybersecurity due diligence.

Neiman Marcus

Luxury department store Neiman Marcus experienced, unawares, a cyber incident that began as early as July 16, 2013. The incident involved injection of malware into the retailer’s customer payment-processing system, ultimately compromising data on about 350,000 customer payment cards.

Several weeks later, on September 8, 2013, as the intruders operated undetected within the retailer’s networks, Neiman Marcus agreed to be acquired by a group led by Ares Management and a Canadian pension plan. On October 25, 2013, the acquisition of Neiman Marcus closed. Five days later, on October 30, 2013, the card-scraping activity of the malware inside the retailer ceased. No report of the incident suggests that Neiman Marcus or its acquirers knew, as of the closing, that the digital assets of the retailer had been compromised by intruders.

On December 17, 2013, Neiman Marcus received the first of several reports indicating fraudulent use of customer credit cards at its stores, and on January 10, 2014, Neiman Marcus publicly disclosed the incident. Shortly thereafter, affected customers filed class-action complaints alleging the retailer failed to protect them adequately against the breach and to provide them timely notice. Although Neiman Marcus sought to dismiss the suit by arguing that there was no harm to the plaintiffs, and thus no standing to sue, the Seventh Circuit allowed the case to proceed, holding that:

[i]t is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.

In so holding, the Seventh Circuit pointed to the continuing risk, noting that: “stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years.” In March 2017, Neiman Marcus entered into a settlement with the class-action plaintiffs and agreed to create a settlement fund in the amount of $1,600,000 to cover claims, legal fees, and other litigation-related expenses.

Apparently, neither the buyer nor the seller knew that Neiman Marcus digital assets had been compromised as of the closing, nor did they foresee the future risk of harmful use of such data. As the Neiman Marcus incident illustrates, there is a growing need to assess a target’s cyber vulnerabilities and the potential repercussions from incidents so that they can be given their appropriate weight in the negotiations of a deal.

Yahoo!

In late 2014, senior officers and legal staff of Yahoo!, Inc. learned that unauthorized access to its computer network had been gained by what Yahoo! identified as a “state-sponsored actor.” Yahoo! did not, at that point in time, publicly disclose the incident. Yahoo!’s board apparently did not receive a report of the incident or learn of it until almost two years later.

On July 23, 2016, Yahoo! and Verizon Communications Inc. entered into a stock purchase agreement by which Verizon agreed to acquire “one or more subsidiaries of Yahoo holding all of Yahoo’s operating businesses, for approximately $4.83 billion in cash . . . .” The acquisition of Yahoo! was “expected to close in the first quarter of 2017.” Verizon Communications Inc., Form 10-Q for the period ending June 30, 2016, filed Jul. 29, 2016, at 10.

Around the time that Yahoo! and Verizon signed their agreement, “a hacker claimed to have obtained certain Yahoo! user data. [T]he Company could not substantiate the hacker’s claim [but] . . . intensified an ongoing broader review of the Company’s network and data security, including a review of prior access to the Company’s network by a state-sponsored actor that the Company had identified in late 2014.” Yahoo, Inc., Form 10-Q for the period ending September 30, 2016, filed Nov. 9, 2016, at 40.

Thereafter, Yahoo! issued a statement to the U.S. Securities and Exchange Commission (SEC) that said it had no knowledge of “any incidents” of “security breaches, unauthorized access or unauthorized use” of its IT systems. Yet less than two weeks later, in September 2016, Yahoo! disclosed to Verizon, and shortly thereafter to the public, that a “copy of certain user account information for at least 500 million user accounts was stolen from Yahoo’s network in late 2014 (the First Security Incident).” After disclosing the incident, Yahoo! began notifying potentially affected users, regulators, and other stakeholders.

On December 14, 2016, five weeks after Yahoo! filed its Form 10-Q with the SEC that addressed the First Security Incident, Yahoo! disclosed on its website and in a Form 8-K that analysis of data by Yahoo!’s outside forensic experts convinced Yahoo! that a separate cyber incident involving almost 1 billion accounts had also occurred (the Second Security Incident).

After further negotiations and as a result of the two cyber incidents, Yahoo! agreed with Verizon to modify the terms of the deal as follows:

As the cyber incidents at Neiman Marcus and Yahoo! demonstrate, cybersecurity now deserves to be an integral part of M&A due diligence, and to be done properly, it must begin at the earliest practicable time in the transaction. Omitting cybersecurity assessments in M&A due diligence, conducting superficial evaluations, or limiting such due diligence to a company’s IT systems rather than treating cybersecurity as a risk category in its own right means ignoring the serious risks that cyber threats pose to all companies and to M&A deals involving them.

Assessing a Target’s Cybersecurity Defenses

Assessing the quality of a target’s cybersecurity defenses and its experience with cyber incidents poses a challenging risk assessment for an acquirer, and one quite different from other risk assessments in an M&A deal. How does an acquirer’s counsel evaluate the target’s cybersecurity program or inquire into its probable experience with cyber incidents? How does counsel assess the potential devaluation of the target’s high-value digital assets without evidence of what was accessed and exploited? How does counsel determine the “materiality” of apparent cyber incidents without knowing, other than by inference, the nature of the digital assets at risk or the harm that could flow from their compromise?

Cybersecurity due diligence might not yield a precise and exact picture, but it has the capability to provide an acquirer with a far closer approximation of the actual condition of the target’s digital assets by revealing the cyber vulnerabilities of those assets, whether the target has been adequately safeguarding and monitoring the control of those assets, and any records of cyber incidents that may have resulted in compromises of those assets. Knowing such facts, the acquirer’s counsel will be in a better position to structure the definitive acquisition agreement to mitigate the risks identified.

To accomplish its goal, the acquirer’s M&A cybersecurity due diligence process should address six categories of topics, as follows:

  • identify the target’s high-value digital assets and evaluate the relative importance of those assets to the target’s business;
  • evaluate the target’s internal cybersecurity program to protect those high-value digital assets, e.g., whether it is appropriate for the business; whether it is complete, etc.;
  • assess the target’s cyber-risk-management efforts as they relate to third parties on which the target depends for goods, services, data, outsourced business functions, and joint business initiatives;
  • identify the target’s prior breaches and assess its incident-response capabilities;
  • evaluate the status of the target’s cybersecurity regulatory compliance, i.e., identify applicable compliance requirements, determine whether the target is in compliance with its cybersecurity legal obligations, and evaluate the risks posed by any failure of such compliance; and
  • consider and evaluate the target’s overall resilience and general ability to withstand a direct cyber attack on its digital assets.

Evaluating a Target’s Cyber Incident Experiences

In cases where the target company has experienced a recent security breach, it is important for M&A cybersecurity due diligence teams to assess whether the target has the means to establish five fundamental facts about its experience with any cyber incidents.

First, what data might the attackers have gained (or still be gaining) access to? Did they read files? Did they change permissions so that they could log in and appear authorized? Did they make copies of customer lists? Or worst of all, did they modify data? It is important that the target have the answers to such questions.

Second, what data might the attackers have viewed and exfiltrated copies of? It is possible the attackers saw something they wanted, such as the company’s password file or key product designs. Knowing what data was taken is key to evaluating the scope of the damage done, as well as the potential for future damage.

Third, what data might the attackers have changed? This is often the real bugbear. Did the attackers modify data contained in certain files and, if so, what changes did they make? This can be far more difficult to determine than whether the attackers accessed or removed a copy of a file’s data. For example, in the case of a defense contractor, the attackers might not only have removed a copy of the manufacturing design for a stealth fighter’s aileron, but also modified the target’s copy so that further use of that design data will embed defects or flaws that were not in the original design. No one at the target will know that has happened unless they are extraordinarily familiar with the data and happen to make a close comparison of the currently active file with a back-up that is reasonably good, i.e., one that the attackers did not alter. Given that sophisticated, stealthy attacks may continue undetected for months or years, however, how far back do a target’s personnel have to go to obtain a reasonably good and reliable back-up in order to ensure the copy is of the original design and not of the design as modified by the attackers? Even small, seemingly insignificant changes to critical data can have catastrophic impact on products and on users.

Fourth, what defenses of the target did the attackers force the target’s system to reveal? Attackers now have tools that can force a target’s system to “reveal secrets that are relied upon for security.” Such a tool works analogously to the flying of aircraft towards or extremely close to an adversary’s border (or even crossing it briefly and departing) in order to prompt the adversary to turn on its most sophisticated air-defense radar, thereby revealing its location, signature, strength, and other features. In cyber attacks, as with probing air defenses, the prospective attackers want to determine what actions will cause the defensive measures to be activated, or “turned on,” and when it counts, what actions will not cause the defensive measures to “turn on” and enable the attackers to bypass them. Not knowing what the attackers have learned may cause a target to be far more vulnerable to future cyber attacks than the target (or an acquirer) may realize. It may also cause the target’s officers to become overconfident or complacent about their company’s cybersecurity.

Fifth, did the attackers gain entry by breaching a layer of the target’s system that did not have the same defenses as other layers? Many target companies are unaware of the fact that a protection system is only “reliably effective against attacks” that occur “at the same system layer in which the protection system” has been implemented—and that at some of a target’s computer-network system layers there may be fewer or different protections than at others. As a result, cyber attackers can breach a system by going through a layer that lacks the protections present at a higher or lower layer, just as attackers in medieval warfare could get past a deep moat and an insurmountably high castle wall by tunneling beneath and past both of those defensive layers.

A target’s exposure to cyber intrusions will be a function, in part, of how well prepared it is with tools to address those five features of a cyber incident.

Unfortunately, the means for discovering vulnerabilities, closing gaps in defenses, detecting intrusions, figuring out what has been accessed, what has been done to it, and what awful things may happen at a time and place of the cyber intruder’s choosing, are the trailing-edge technologies. Methods of cyber intrusion, of conducting exploits, and of postponing their detection with stealth continue to outpace any improvements in defenses. A victim’s first knowledge of an attack may come only when the damage or misuse of digital assets becomes conspicuous or is reported by third parties. As a result, “companies often do not discover a data breach” or compromise of their digital assets “until an extended period of time after they have been hacked.” Clifford G. Tsan & Michael D. Billok, Cybersecurity Insurance: Facing Hidden Risks and Uncertainty, N.Y.L.J., May 2, 2016.

For an acquirer there are actually two kinds of breach risk at the target that may initially be difficult to distinguish from each other. In one kind, the target remains unaware of the attackers’ intrusion and does not know what the attackers have done to or with the high-value digital data they accessed and compromised. In the other kind, the target may have discovered the breach months or years before the start of the acquisition, but for various reasons postpones disclosing it to the acquirer until the definitive agreement has been signed and due diligence may be quite advanced.

Conclusion

Omitting cybersecurity assessments in M&A due diligence, conducting superficial evaluations, or limiting such due diligence to a company’s IT systems rather than treating cybersecurity as a risk category in its own right means ignoring the serious risks that cyber threats pose to all companies and to M&A deals involving them. In light of the transactional difficulties that cyber incidents can create, as observed in the Neiman Marcus and Yahoo!/Verizon deals, the inclusion of cybersecurity due diligence early in a proposed M&A deal should be recognized as essential to protecting an acquirer’s interests.

What Can Structured Negotiation Offer the Business Attorney? A Lot!

Have you ever paid an expert bill and cringed? Have you ever dreamed of brushing aside the procedures that bog down litigation, and instead quickly get to the real issues that brought your client to court? Have you ever represented a party who had a legal claim and wanted to preserve its relationship with the party it was forced to sue?

If you answered “yes” to any of these questions, Structured Negotiation is a dispute-resolution process that might be able to help.

What Is Structured Negotiation?

Structured Negotiation is a dispute-resolution method that happens without a lawsuit on file. It is a strategy to resolve legal claims that focuses on solution and encourages relationships between parties—and their counsel. Structured Negotiation trades the stress, conflict, and expense of litigation for direct and cost-effective communication and problem solving.

Structured Negotiation avoids the negative publicity that can accompany litigation and replaces expert battles with respected joint experts. It substitutes round-table discussions for contentious depositions, and it gives clients a seat at the table and a meaningful role in resolving claims.

With roots in the disability-rights movement, Structured Negotiation has potential application to many types of civil claims handled daily by business lawyers.

How Did Structured Negotiation Develop?

Structured Negotiation grew out of the blind community’s quest for financial privacy and access to financial technology. In 1995 my co-counsel and I wrote letters to Bank of America, Citibank, and Wells Fargo on behalf of three groups of blind clients and an advocacy organization. The issue was ATMs: not a single one in the United States talked, which meant that not a single blind person could use one.

We wrote those letters as an alternative to filing lawsuits under the Americans with Disabilities Act. We offered to negotiate with each financial institution about the development of “talking ATMs” and other services and technology for blind customers. Four years later we had negotiated comprehensive settlement agreements with each bank that produced some of the earliest talking ATMs in the world, compensated our clients, and provided for our attorney’s fees as allowed by civil rights laws. No lawsuit needed.

Joint press releases, beginning in the fall of 1999, heaped praise on each institution and resulted in an avalanche of positive press. Strong monitoring language and a commitment by our negotiating partners resulted in smooth implementation of each agreement.

Buried in the Bank of America 2000 press release was reference to the bank’s agreement to develop and design its online banking platform so that blind people could bank independently on the web. It was the first settlement in the country to address the disability community’s need for accessible websites. (Seventeen years later, on June 12, 2017, a blind shopper of the Winn-Dixie grocery chain won the very first web accessibility trial under the ADA.)

We used a mediator to help us in each of those early cases, but never had to file a lawsuit. The banks saved untold amounts of money, and relationships were built that continue to this day. Had it just been luck? Or had we stumbled on a way to practice law that avoided conflict, saved money, focused on solution, and preserved relationships?

The 18 years since those first agreements have proven that it was not just luck. As my colleagues and I named the process “Structured Negotiation” and began to use it across the country, some of the largest organizations in the United States said “yes” to a new dispute-resolution process.

Walmart, Anthem, Inc., Major League Baseball, Target, E*Trade, Charles Schwab, and others have worked with my clients in Structured Negotiation to resolve claims under the ADA and related laws. Structured Negotiation with the City and County of San Francisco, the City of Denver, and Houston’s transit agency demonstrates the method’s usefulness in claims against government entities. A Structured Negotiation settlement with the American Cancer Society shows how the process can benefit nonprofit organizations.

These cases involved the civil rights of disabled people to access information and technology in the 21st century. Many of them were about web (and later mobile) accessibility. Today, digital access is a hot-button issue, with a significant number of new court filings and judicial rulings monthly. Structured Negotiation has been helping some of America’s largest companies make their digital content available to everyone since that early Bank of America commitment in 2000. No lawsuits, bad publicity, or run-away costs required.

Why Structured?

In 1999, after the early successes with Wells Fargo and Citibank, we named the process Structured Negotiation to emphasize that it was a robust alternative to filing a lawsuit. We knew our early negotiations had been successful because they had a structure, and for the past two decades the elements of that structure have been refined through practice. Those elements are listed here. Elaboration of each element, with stories from cases, can be found in my book about the strategy, Structured Negotiation, A Winning Alternative to Lawsuits.

  • A conscious decision by clients and their attorneys to pursue claims resolution without filing a lawsuit.
  • An opening letter that invites participation. The language change is deliberate: the first correspondence is not a demand letter in the traditional sense. It can (and often should) even say something nice about the recipient while calmly describing the legal and factual basis of the claims.
  • A period of uncertainty when all counsel begin communications about both the claims and the dispute-resolution process, and would-be defendants determine whether to participate. This period includes both waiting for a response and evaluating a response that might be laden with legal jargon and still leave room for negotiation. Without skillful handling of this element, a Structured Negotiation can fall apart before it begins!
  • A ground rules document signed by all parties that identifies negotiating topics, preserves confidentiality, protects statutory rights to damages and attorney’s fees, and tolls applicable statutes of limitations.
  • A period of information sharing involving written documents, meetings (live, virtual, and/or by phone), and site visits when needed. Meetings take a “show don’t tell” approach with a constant subtext of forming and maintaining relationships. They allow clients to have a meaningful seat at the table and are the cornerstone of the most successful Structured Negotiations.
  • Sharing expertise (most often via joint experts and client participation) in a manner that avoids expert battles and run-away costs and values client contributions.
  • Taking baby steps toward resolution. Pilot programs, interim measures, and partial agreements before final resolution have been key to many successful negotiations.
  • Recognizing and dismantling fear through honest conversation and effective listening practices.
  • Drafting the settlement, a process that begins cautiously and with joint acknowledgment that the time is right to formalize commitments.
  • Negotiating about money, an aspect of Structured Negotiation to be undertaken with particular care because it is easy to slip into traditional adversarial lawyering when the subject is money.
  • Use of a mediator when appropriate to guide parties around points of conflict. Although used in all three of the first cases, as I learned to be a better negotiator I found I needed third-party help less frequently. Structured Negotiation has been referred to by one of my big-firm negotiating partners as “mediation without the mediator.” Most often direct communication in a collaborative environment is all that is needed to get to the finish line, but parties should not be afraid to use a mediator when third-party help might be useful.
  • Settlement monitoring, a task made easier by positive relationships developed during the process. Skillful and direct communication among parties and counsel typically make court enforcement unnecessary even when implementation does not go as planned.
  • Media strategy that avoids negative press releases in favor of jointly issued positive statements.
  • Use of collaborative language. Structured Negotiation avoids terms that detract from an environment of problem solving. Why call someone a “defendant” if you do not want them to defend past practices? Why say “opposing counsel” if you do not want opposition?
  • Development and maintenance of the Structured Negotiation mindset. This might be the most important element of all and maybe the trickiest for most lawyers. Without patience and trust, operating in the absence of the safety net of a filed case can lead to frustration and failure. Grounded optimism, equanimity, and empathy give Structured Negotiation participants needed tools when the going gets tough. In my experience, when appreciation and friendliness infuse interactions, parties can more quickly reach resolution.

Can Business Lawyers Use Structured Negotiation?

Although I have never been a business lawyer, I pose the question: Why not?

  • What is the downside of trying a dispute-resolution method that saves tremendous amounts of money? If Structured Negotiation proves ineffective, the litigation route is still available. In my book I quote a litigation partner in a national law firm: “I found Structured Negotiation to be fairer to my client than litigation. I like the process because it gives my client the opportunity to do the right thing and avoids costly litigation. And if the negotiation does not succeed, my client has not waived the right to engage in an aggressive, strategic defense.”
  • What is the downside of seeing if relationships can be preserved while working out disputes?
  • Is your case likely to settle “at the end”? Why not at least try to settle early?
  • Would you rather give up control and prove to a judge that your client is right, or put aside legal differences and get to the heart of the matter?

It is critically important to preserve the litigation system in the United States, and many times filing a lawsuit is the best and most effective tool for our clients; however, when all you have is a hammer, everything looks like a nail. A filed lawsuit is a hammer. Structured Negotiation is another tool in the tool box.

I hope that business lawyers will find Structured Negotiation a tool worth exploring in appropriate cases. Along with other early dispute-resolution strategies such as pre-suit mediation, Structured Negotiation can speak to a host of client needs. It can offer a winning alternative with a 20-year track record to a public craving litigation alternatives that are cost-effective and preserve relationships. It holds the promise of a strategy that avoids conflict and minimizes stress, encourages trust over fear, and even kindness over anger.

The New Oil: The Right to Control One’s Identity in Light of the Commoditization of the Individual

This is the third article in a three-part series exploring Europe’s Right to be Forgotten in the context of an American Right to Dispute Personally Identifiable Information directly with private entities, such as consumer reporting agencies or search engines. It reaches the conclusion that based on the magnitude of consumer-specific data in the possession of such private entities, the debate has shifted from the inherent fairness of generating temporary “snapshots” of creditworthiness or moral character to the fundamental control of one’s identity in light of the “commoditization of the individual.”

***

The Commoditization of the Individual: Who Legally Controls Information Equating to One’s Identity?

Data, particularly consumer data, has been officially labeled “the new oil.” This metaphor characterizes the observation or notation of one’s personally identifiable information (PII), such as one’s biometrics, DNA, geolocation history, Internet browsing history, or character, as a commodity, and commodities may be “exploited.” In one sense, the exploitation of a commodity involves the process by which a raw material is processed to serve a more valuable purpose. In another sense, such an exploitation may imply the receipt of an unfair benefit at the expense of another. The Digital Age is set to experience the production of more than 163 zettabytes (i.e., one-trillion gigabytes) of data per year by 2025, much of which will be consumer-specific. Andrew Cave, What Will We Do When The World’s Data Hits 163 Zetabytes in 2025?, Forbes.com (Apr. 13, 2017). How will such massive quantities of consumer data be used? The FTC has found that within large companies known as data brokers, individual profiles have been created on nearly every U.S. consumer for the purpose of discriminating between them. Edith Ramirez, et al., “Data Brokers: A Call for Transparency and Accountability,” FTC Rep. 8, 46 (2014). Data brokers do not generate consumer reports, however, and are consequently not regulated by existing U.S. consumer-protection or privacy laws limiting who may see negative information, and for how long, prior to its being “forgotten.” Thus, any exploitation of such data remains unregulated. This article will explore existing exploitations of PII that are resulting in the consolidation of massive troves of comprehensive, consumer-specific PII that may equate to the commoditization of one’s identity.

The Existing Exploitation of PII in Relation to Individual Liberty

Automobiles need oil to function. Petroleum requires refinement for an automobile to operate as expected. The exploitation of crude oil serves an important purpose in allowing individuals to travel according to their needs or desires. Such an exploitation enhances individual autonomy and liberty. Servitude, on the other hand, allows one individual to take unfair advantage of the fruits of the labor of another individual. Such exploitations significantly diminish individual autonomy and liberty. Meanwhile, slavery and indentured servitude facilitate a mechanism of empowering one individual to comprehensively control another individual’s person. Such exploitations decimate individual autonomy and liberty. Consequently, the spectrum for interpreting the meaning of an exploitative act—in terms of liberty—is one of degrees ranging from augmentation to annihilation. Perhaps George Orwell was right about the notion of “doublespeak” in that no term is more fitting to describe existing collection and consolidation efforts of PII than the term “exploitation.” Current collection efforts have the power either to enhance individual liberty or to extinguish it. The key will be determining the core purpose for which PII is collected.

PII is primarily gathered and aggregated for marketing and predictive analytics, people-search functions, risk mitigation, and predictive voting models.

  • Marketing and Predictive Analytics. The FTC recognized that large data brokers consolidate aggregate PII for the purpose of utilizing predictive analytics to discriminate among consumers regarding their race, economic status, age, creditworthiness, health status, familial status, and propensity to default or to engage in a crime, etc. Ramirez at 19–21, App’x B. Marketing purposes include thousands of data points designed to consolidate an individual’s prior actions for the purpose of predicting future behavior (i.e., predictive analytics). Id. For example, Cambridge Analytica has created profiles consisting of: (i) demographics/geographics (e.g., age, gender, ethnicity, race, income); (ii) “psychographics” (i.e., advertising resonance, consumer data, lifestyle data, political engagement, cellular/mobile opinions); and (iii) personality to predict how an individual will act when confronted with a specific purchasing decision or an opportunity to vote. Alexander Nix, The Power of Big Data and Psychographics, Concordia Summit (Sept. 27, 2016), available at https://www.youtube.com/watch?v=n8Dd5aVXLCc.
  • People Search. Data brokers are engaged in consolidating broad data sets for the purpose of tracking and locating specific individuals. According to the FTC, these products allow users to “research corporate executives and competitors, find old friends, look up a potential love interest or neighbor, network, or obtain court records or other information about consumers.” Ramirez at 34.
  • Risk Mitigation. Data brokers engaged in risk mitigation provide services that allow users to conduct identity verification and fraud prevention. For example, financial institutions utilize these services to comply with “know your customer” identity verification requirements pursuant to the USA PATRIOT Act. Ramirez at 32–33 (e.g., knowledge-based authentication (KBA) and fraud detection).
  • Predictive Voting Models. Data brokers engaged in predictive voting models aggregate thousands of types of PII for the express purpose of predicting how an individual will react to voting advertisements or propaganda. See, for example, Nix (discussing the “OCEAN” Paradigm (i.e., Openness, Conscientiousness, Extraversion, Agreeableness, and Neuroticism)).

These efforts have the power either to increase individual liberty or to suffocate it. On the one hand, individuals may receive enhanced product offerings with expedited purchasing options, increased social connectivity, better searchability of public or private figures, enhanced digital security when engaging in sensitive online financial transactions, or more relevant political information during elections. On the other hand, all such records containing aggregate PII in possession of these entities—by virtue of existing—are discoverable by government authorities, exposed to significant risks of unauthorized access or theft, and may be used in illegally discriminatory ways to limit, inter alia, the individual’s ability to access credit (i.e., mortgage, educational loans or auto loans) or procure certain types of employment. Consequently, existing exploitations are in need of effective regulation to ensure that such information is not misused.

Scope of Collection Efforts

Data brokers acquire PII not from the individuals themselves, but from other businesses or government entities. Ramirez at iv, 49. Consequently, data brokers afford no choice or consent options to the individuals impacted by the collection of such data. There are both government and private actors, such as administrative agencies like the NSA, data brokers, search engines, social media giants, and consumer reporting agencies, that have feasible and independent capacities to collect and store vast quantities of data on each of the approximately 8 billion people presently living on this planet. See, for example, Utah Data Center (last visited Aug. 25, 2017) (stating that one facility has the capacity to store one yottabyte of data). For example, Facebook alone has confirmed that it has consumer-specific data on nearly one-quarter of the entire global population. Jack Flemming, Facebook reaches 2 billion users, L.A. Times (June 27, 2017). The FTC has confirmed that individual data brokers each house billions of consumer transactions. This information is consolidated into profiles on nearly every U.S. consumer and used to generate millions to billions of dollars for these entities. Ramirez at 8, 23; IAB Internet Advertising Revenue Report, IAB.com (2017). There are approximately 2,500 to 4,000 data brokers in the United States alone. E.g., Paul Boutin, The Secretive World of Selling Data About You, Newsweek (May 30, 2016). Thus, existing collection efforts have the technological capacity to collect and store consumer-specific data on every human being on Earth.

Furthermore, each data broker has the capacity to consolidate PII and categorize it for discriminatory purposes based on thousands of criteria, ranging from household size, personal relationships, societal memberships, personal preferences, medical-related purchases, employment activity, educational opportunities, and political and religious leanings, to name a few. See Ramirez at App’x B. Such PII may include government IDs, biometrics, account numbers, purchase histories, etc. See, for example, Ramirez at 11–15; Adam Schwartz, End Biometric Border Screening, EFF.org (Aug. 9, 2017). In fact, the power now exists to create independent registries that may be synonymous with the power to control one’s actual identity within society. Such entities have converted the intangible nature of one’s existence into intellectual property that may be purchased and sold without any regard to the choice or the consent of the individual. Thus, private and public entities have power to commoditize one’s identity.

Can PII Ever Equate to an Individual’s Identity?

PII has been defined as any information about an individual, such as data that can “distinguish or trace an individual’s identity” (e.g., name, Social Security number, date and place of birth, mother’s maiden name, or biometric records) or that is “linkable to an individual” (e.g., medical, educational, financial, and employment information). NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), ¶2.1 (2010). The U.S. Constitution was drafted in a day when an individual’s “papers and effects” were physical tangible pieces of property. U.S. Const. amend. IV. The Founders’ intent on codifying this natural right likely had little to do with protecting the intrinsic value of the actual paper or effect in question, and everything to do with protecting the information or content contained thereon. Consequently, it was the information that might be revealed via an illegal search or seizure that was protected. Thus, the right to control one’s personal information has always been a protected Constitutional interest.

In the 21st century, property has been transferred into bits and bytes of data that may seamlessly and instantaneously flow across intercontinental land masses via satellite or Internet transmission. An individual’s “person” in terms of character, creditworthiness, thoughts, desires, geolocation, biometrics, DNA, expenditures, business ventures, religious, political, or social preferences may now be gathered, processed, consolidated, sold, purchased, and transferred into registries that have the potential of defining who they are, what their potential is, and what their social desirability is without ever physically entering their home or their land or without coming into contact with their physical person. These essential elements of a person, having been reduced to bits and bytes of data, have effectively transformed the person into property.

In isolation, PII is a reproduction, a writing, or a record of a physical object, characteristic, attribute, behavior, or action of an identifiable human being extant in the tangible world. In its simplest form, PII is merely the annotation of data like a name or address. When aggregated, however, PII has the potential of becoming the digital equivalent of a living person’s identity. If an unauthorized third party spied on another person and collected saliva samples containing DNA, fingerprints, faceprints, complete lists of past addresses, employers, educational institutions attended, and close relationships, journals, thoughts, ideas, desires, innovations, writings, wants, purchase histories, vacation destinations, acts of religious observance, political statements and leanings, and economic status, would the law grant a superior property right to that individual in relation to the person to whom the data related? The answer lies in whether aggregated PII may become something more than property: a right to control one’s identity.

Does an Enforceable Cause of Action Exist to Safeguard the Right to Control One’s Identity?

Currently, many scholars and practitioners most closely categorize the harm associated with an unauthorized collection of PII with protections afforded by the fundamental right to privacy. The harm, however, transcends right-to-privacy precedent because the control of one’s identity is fundamental to liberty. When analyzing government actors, the Supreme Court has bifurcated the fundamental right to privacy, subjecting data privacy to rational basis review and thus allowing government actors to easily subvert such privacy rights. See Whalen v. Roe, 429 U.S. 589, 598 (1977). With regard to private actors, the FTC observed that data brokers are not currently regulated under the Fair Credit Reporting Act (FCRA) or other federal consumer-protection laws because data brokers do not generate “consumer reports.” Given that there is no direct relationship with a consumer, UDAAP laws, Dodd-Frank, and Gramm-Leach-Bliley arguably do not apply. Thus, analyzing the unauthorized collection of PII pursuant to existing right-to-privacy precedent equates to analyzing the harm associated with this conduct in a laissez-faire economy or deregulated environment. The individual is thus subject to the will of those with far greater resources to track or acquire their PII. See Mark T. Andrus, Not without My Consent: Preserving Individual Liberty in Light of the Comprehensive Collection and Consolidation of PII, 20 J. Internet L. 9 (Mar. 2017).

There exists another relevant aspect of the right to privacy that goes beyond a “right to be let alone” to a right “to not be harmed.” Cf. Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890); Thomas McIntyre Cooley, A Treatise on the Law of Torts or the Wrongs Which Arise Independent of Contract 29 (2d ed. 1888) (expounding a right of complete immunity to be free from injury). William Prosser propounded that the right to privacy was rooted—in relevant part—in the tort of appropriation. He defines an “appropriation” as the “exploitation of attributes of a plaintiff’s identity.” William L. Prosser, Privacy, 48 Cal. L. Rev. 383, 401 (1960). The Supreme Court later affirmed this definition. See, for example, Zacchini v. Scripps-Howard Broad. Co., 433 U.S. 562, 571 (1977). The Restatement Second of Torts requires “the appropriation [i.e., taking] of another’s name or likeness for the use or benefit [i.e., gain] of the defendant.” Restatement (Second) of Torts § 652C. The right is designed to protect a person against the harm of forfeiting something of value (i.e., profit) associated with the individual’s identity. The harm is rooted in a lack of consent. Prosser notes that it is the plaintiff’s attribute “as a symbol of his identity” that creates an appropriation action. Prosser at 403.

Furthermore, the U.S. Supreme Court has recognized “right to publicity” laws in which an individual possesses rights that protect their interest to reap benefits from proprietary interests in any rewards from their endeavors, which include the unauthorized use of characteristics of their identity. See, for example, Zacchini, 433 U.S. at 562. The Restatement Third of Unfair Competition defines the right of publicity as “one who appropriates the commercial value of a person’s identity by using without consent the person’s name, likeness, or other indicia of identity for purposes of trade.” Restatement (Third) of Unfair Competition § 46 (emphasis added). Thus, rights to control a benefit associated with one’s identity are currently extant.

Although these causes of action are rarely utilized and would be matters of first impression in a data acquisition case, they provide a framework that goes beyond trespass, intentional torts, or intellectual property, which are areas of law not well suited to address the potential harm involved in amassing troves of aggregate PII. The harm is not one associated with an interference preventing an individual from using his or her own PII, but rather in empowering an unauthorized third party with the ability to control and profit from that individual’s identity. The harm is wholly distinct from mere interference or invasion.

Is There Actual Harm When an Unauthorized Third Party Collects PII on an Individual?

Historically, the element of actual injury required a tangible harm. For example, trespass laws allowed courts to remediate harm associated with unauthorized physical invasions of land and chattel. Trespass to an individual’s person was governed based on harm associated with an unconsented touching, fear, apprehension, or confinement through battery, assault, and false imprisonment laws. When analyzing the modern acquisition of PII, there is often no physical invasion, no confiscation of actual property, and no physical touching, apprehension, or confinement. Physical invasion is no longer relevant. One series of cases has attempted to analyze harm associated with the unauthorized acquisition of PII as a trespass to chattel. This analysis requires actual interference with the physical functionality of the tangible computer system. Intel v. Hamidi, 71 P.3d 296 (Cal. 2003); see also eBay, Inc., v. Bidder’s Edge, Inc., 100 F. Supp. 2d 1058 (N.D. Cal. 2000). Unfortunately, the root harm has been largely overlooked.

The lesser yet substantial harm associated with an unauthorized comprehensive collection of PII is an unconsented and forfeited benefit from the value of such property through the appropriation of the individual’s identity. The greater and more compelling harm associated with these acts is a loss of liberty and autonomy, particularly if biometrics (i.e., facial profiles, fingerprints, DNA, etc.) are involved. See, for example, Amy Korte, Federal Court in Illinois Rules Biometric Privacy Lawsuit Against Google Can Proceed, IllinoisPolicy.org (Mar. 8, 2017). Comprehensive PII profiles may literally include not only preferences and consumer’s past dealings with businesses, but also one’s biology and genetic makeup. If used for malevolent purposes (e.g., eugenics-based sterilization), one’s aggregate PII, or identity, could be manipulated or abused by those in possession of such data. Could an individual in such a society be denied educational, employment, or familial opportunities based on predictive analytics? If so, such a harm would be more akin to servitude or slavery than a lost wallet. Some harms truly are irreparable.

Exclusive Rights and the Right to Control One’s Identity

Owners of real property may bring trespass actions based on their exclusive rights for the use and enjoyment of the property. Existing intellectual property rights, such as copyright, trademark, and patent laws grant an owner exclusive rights to any benefit derived from such property. The U.S. Constitution expressly grants exclusive rights to “authors and inventors” to their respective “writings and discoveries.” U.S. Const. art. I, § 8, cl. 8. Such “writings” include the act of converting such content to bits and bytes of digital data. See, for example, The Digital Millennium Copyright Act, Pub. L. No. 105-304, 112 Stat. 2860. In articulating a right to privacy, Louis Brandeis and Samuel Warren argued that any individual desiring to make “public” private sentiments (e.g., with paintings or words) had exclusive rights to limit any disclosure. Consequently, publication was prohibited absent consent. Which is more worthy of exclusive rights: a painting or an individual’s right to control their identity? No third party should have a greater right to control aggregated data equating to the identity of another.

Regulating the Acquisition and Consolidation of Aggregated PII: Consumer Reporting v. Social Control

The FCRA was primarily enacted to govern and regulate private parties engaged in gathering, storing, and transferring consumer-specific data for the purpose of improving the effective interest rate or premium that the consumer would be offered based on the consumer’s risk of nonrepayment or filing an insurance claim. In theory, the collection and processing of this data increased the efficiency of the banking and insurance markets, thus increasing the likelihood that consumers would have access to credit or insurance products when needed. The overall regulatory scheme was constructed to exploit consumer data for the purposes of increasing consumer access to credit and arguably liberty. Furthermore, the consumer-specific data was limited to only those parties with a valid permissible purpose, and negative information was required to be deleted, or “forgotten,” no later than seven to ten years from the first date of delinquency.

Existing data-collection efforts by private parties such as data brokers, search engines, and social media giants far exceed anything that Congress attempted to regulate in consumer-protection statutes such as the FCRA or other consumer-protection laws. Such efforts go beyond consumer reporting and have the potential to create new mediums for social control. Current data-collection efforts go beyond liens, late payments, and bankruptcy filings by including biometrics, DNA reports or analyses, geolocation records, browsing history, vast records of social relations, public commentaries, and political, religious, or social leanings. Yet, consumer records that consolidate these types of data are not classified as “consumer reports.” See Ramirez at 7–10. Thus, they are not regulated by consumer-protection laws.

The entire data-gathering/consumer-reporting process must be revisited and redefined in light of the harm inherent within aggregated PII, such as a loss of liberty, both in terms of consent to benefit from the economic use of the individual’s indicia of identity and in terms of a forfeiture of the control of one’s identity. The key will be in regulating PII in a way that allows for the positive exploitation of such data while minimizing the comprehensive consolidation of aggregated PII that may allow a third party to control the identity of another. These objectives will be best achieved by applying underlying principles associated with the separation of powers doctrine (e.g., a sectoral mandate, such as a prohibition on consolidating medical/genetic PII with consumer financial PII), by requiring the eventual anonymization of PII (e.g., businesses may continue to benefit from generalized statistics and analytics involving PII; however, PII itself could only be possessed for a set period of time), and by recognizing an exclusive or inalienable right to control aggregated PII equating to one’s identity. The U.S. Constitution is founded on “Creator-created” inalienable rights (i.e., granted by “Nature and Nature’s God”) as opposed to man-made or man-revoked civil rights. See Andrus at 18–23. Such rights may not be legally transferred. No third-party entity should have a superior right to control aggregated PII equating to one’s identity.

Conclusion

A right to control one’s identity in light of existing exploitations of PII rests on the degree of control a third party has by virtue of possessing aggregate PII. Possession is nine-tenths of the law of ownership. No third party should have an ownership interest in an individual’s comprehensive PII, particularly when such data may reasonably equate to the ability to control one’s identity. Although the “new oil” may be exploited for purposes that benefit the consumer and enhance liberty, the risks associated with the existence of individual profiles on society-wide populations are significant. Regulation is required to ensure that existing data-collection efforts properly safeguard and protect liberty interests. Although there is currently no official recognition of a right to control one’s identity, torts of appropriation and rights of publicity protect an individual’s right to control their identity. The right to control one’s identity is fundamental to liberty and should be recognized as inalienable. Absent such recognition or regulation, data gatherers will continue to commoditize the individual by converting the tangible person into intangible property that may be bought or sold at will, regardless of the consent of the individual.

Whistleblowers Can Face Tax Problems

Whistleblower claims are brought under a variety of federal and state statutes and are usually handled for contingent fees. On big recoveries, a legal fee of 40 percent—or any other customary contingent fee—can be a lot of money. That means the tax treatment of the gross recovery and the legal fees can be a very big issue.

Most plaintiffs and whistleblowers assume that the most that could be taxable to them by the Internal Revenue Service (or by their state) is their net recovery. Lawyers often receive the gross amount, deduct their fees, and remit only the balance to the plaintiff or whistleblower. Their net take-home pay after legal fees and costs is not the only money the IRS sees, however.

For many plaintiffs and whistleblowers, the first inkling that the gross recovery may be their income is the arrival of Forms 1099 in January. The statute under which the claim is made can impact taxes materially. The oldest whistleblower statute is the federal False Claims Act, dating back to the Civil War. See 31 U.S.C. §§ 3729–3733. However, there are state versions of this law, IRS whistleblower claims, and SEC whistleblower claims. The latter emanate from section 922 of the Dodd-Frank Act, Pub. L. No. 111-203, 124 Stat. 1377 (July 21, 2010).

To say that not all whistleblower claims are created equal when it comes to taxes would be an understatement. Not all claims qualify to have legal fees deductible “above the line,” which means essentially off the top, so the whistleblower does not pay any tax on the legal fees. Otherwise, you must claim a miscellaneous itemized deduction, which is subject to a number of limits.

If you obtain a huge recovery and must pay 40 percent or more to your lawyer, you will care very much about what type of deduction you receive for those fees.

Contingent Fees and Gross Income

Clients often have a hard time understanding this rule. They might ask, “How can I be taxed on something I never received?” Generally, amounts paid to a plaintiff’s attorney as legal fees are gross income to the plaintiff, even if paid directly to the plaintiff’s attorney by the defendant. See Comm’r v. Banks, 543 U.S. 426 (2005). For tax purposes, the plaintiff is considered to receive the gross award, including any portion that goes to pay legal fees and costs.

The IRS rules for Form 1099 reporting bear this out. Under current Form 1099 reporting regulations, a defendant or other payor that issues a payment to a plaintiff and a lawyer must issue two Forms 1099. The lawyer should receive one Form 1099 for 100 percent of the money actually paid to the attorney. The client should receive one, too, also for 100 percent: the client will invariably receive a Form 1099-MISC that reports 100 percent of the money. When you receive a Form 1099, you must put the full amount on your tax return. Not every Form 1099 is correct, is ordinary income, or is necessarily income at all.

Plaintiffs receive Forms 1099 in many other contexts, which they must explain. For example, plaintiffs who are seriously injured, and who should receive compensatory lawsuit proceeds tax-free for their physical injuries, may still receive a Form 1099. In those cases, they can report the amount on their tax return and explain why the Form 1099 was erroneous.

Plaintiffs and whistleblowers do not have this argument because they are required to report the gross payment as their income. The question is how the plaintiff or whistleblower deducts the legal fees and costs. Successful whistleblowers may not mind paying tax on their net recoveries, but paying taxes on money their lawyers receive has long been controversial.

In 2005’s Comm’r v. Banks, the U.S. Supreme Court resolved a bitter split in the circuit courts about the tax treatment of attorney’s fees. The Court held—in general at least—that the plaintiff has 100 percent of the income and must somehow deduct the legal fees. That “somehow” is important.

In 2004, just months before the Supreme Court decided Banks, Congress added an above-the-line deduction for attorney’s fees, but only for certain types of cases. The above-the-line deduction applies to any claims under the federal False Claims Act, the National Labor Relations Act, the Fair Labor Standards Act, the Employee Polygraph Protection Act of 1988, and the Worker Adjustment and Retraining Notification Act as well as claims under certain provisions of the Civil Rights Act of 1991, the Congressional Accountability Act of 1995, the Age Discrimination in Employment Act of 1967, the Rehabilitation Act of 1973, the Employee Retirement Income Act of 1974, the Education Amendments of 1972, the Family and Medical Leave Act of 1993, the Civil Rights Act of 1964, the Fair Housing Act, the Americans with Disabilities Act of 1990, chapter 43 of title 38 of the United States Code, and sections 1977, 1979, or 1980 of the Revised Statutes.

The above-the-line deduction also applies to any claim under any provision of federal, state, or local law, whether statutory, regulatory, or common law, that provides for the enforcement of civil rights or regulates any aspect of the employment relationship. Beyond that, a deduction for attorney’s fees and costs would be a miscellaneous itemized deduction. That is below-the-line, under I.R.C. Section 212. An above-the-line deduction means you pay no tax on the attorney’s fees.

An above-the-line deduction, as a matter of tax mathematics, is like not having the lawyer fee income in the first place. Despite the holding in Banks, an above-the-line deduction means paying tax only on your net. In contrast, a below-the-line deduction faces numerous limitations. It is aggregated with your other itemized deductions. There is a two-percent threshold, and there are deduction phase-outs that start with surprisingly little income. These limits can cut deep.

Arguably worst of all, the alternative minimum tax, or AMT, can mean no deduction. It is why in some famous cases, “successful” plaintiffs have actually lost money after attorney’s fees and taxes. Spina v. Forest Preserve Dist. of Cook County, 207 F. Supp. 2d 764 (N.D. Ill. 2002). Running some tax calculations both ways (with above- and below-the-line deductions) can bring the point home in stark terms with almost any set of numbers. In short, the distinction between above-the-line and below-the-line can be significant.

SEC Claims

I.R.C. Section 62(a)(20) was enacted as part of the American Jobs Creation Act of 2004. It allows taxpayers to deduct above-the-line attorney’s fees and court costs paid by the taxpayer “in connection with any action involving a claim of unlawful discrimination.” The term “unlawful discrimination” is defined in I.R.C. Section 62(e).

The law also allows for the deduction of legal fees connected with many federal whistleblower statutes. I.R.C. Section 62(a)(21) allows for the deduction of legal fees incurred in connection with federal tax whistleblower actions that result in qui tam awards from the IRS. Under I.R.C. Section 62(a)(20), any action brought under the federal False Claims Act is a claim of unlawful discrimination and can therefore qualify for an above-the-line deduction of legal fees. See I.R.C. § 62(e)(17).

However, these provisions do not explicitly include SEC whistleblower claims. Indeed, there are at least some indications that when Dodd-Frank was being considered, some senate staff working on the bill specifically acknowledged that Dodd-Frank did not qualify for an above-the-line deduction. See Letter by Harold R. Burke to Mary Schapiro, Chairwoman, Securities and Exchange Commission (Sept. 14, 2010). Moreover, a former SEC Senior Counsel similarly suggested in 2013 that Dodd-Frank does not qualify under this above-the-line deduction. See Gary Aguirre, “Unfair Tax Liability for Whistleblower Awards under Dodd-Frank,” Government Accountability Project (Apr. 11, 2013).

To an SEC whistleblower, this may not be conclusive, but it is sure worrisome. Of course, there can sometimes be an overlap. For example, whistleblower claims often arise out of employment. In my experience, many SEC whistleblowers were employed by the firms whose conduct they reported.

There is also an awfully broad “catch-all” provision of I.R.C. Section 62(e)(18). That provision provides that a claim of unlawful discrimination includes a claim under any provision of state law “regulating any aspect of the employment relationship including . . . [any provision] prohibiting the discharge of an employee, the discrimination against an employee, or any other form of retaliation or reprisal against an employee for asserting rights or taking other actions permitted by law.” I.R.C. § 62(e)(18)(ii) (emphasis added); see Robert W. Wood, Tax Aspects of Settlements and Judgments, 522 T.M., Part V.G.1., A-63 (2015).

This language in I.R.C. Section 62(e)(18) is nearly identical to the language in I.R.C. Section 62(e)(17). I.R.C. Section 62(e)(17) provides that legal fees for suits involving claims of retaliation against whistleblowers in violation of any federal whistleblower protection laws can qualify for the above-the-line deduction. The SEC whistleblower rules contain robust whistleblower protections against employment retaliation. See Dodd-Frank Act § 922(h), codified as 15 U.S.C. § 78u-6(h).

The SEC whistleblower protections created by the Dodd-Frank Act allow SEC whistleblowers who have been retaliated against other remedies, too. They may be entitled to reinstatement; double back-pay, with interest; and compensation for their legal expenses and attorney’s fees. In fact, if an SEC whistleblower has been retaliated against, there is a strong argument that they can deduct their legal fees above the line.

However, it is less clear whether an SEC whistleblower who has not been retaliated against can qualify for the above-the-line deduction. If such a line can be drawn, the public-policy implications seem odd. After all, Congress surely hoped to create every incentive possible for SEC whistleblowers to come forward.

Indeed, retaliation is expressly discouraged. It seems perverse to create incentives for whistleblowers to try to prompt retaliation against them (or to allege retaliation that did not occur) to qualify for an above-the-line deduction. Nevertheless, under the current law, whistleblowers bringing suit might understandably cross their fingers in hopes of at least some measure of retaliation. Paradoxically, retaliation might be good if it is the ticket to claiming an above-the-line tax deduction.

Allocating Among Claims

The above-the-line deduction is available for any action “involving a claim of unlawful discrimination.” Of course, many complaints allege multiple claims. Read literally, this language suggests that if one claim in a lawsuit qualifies as a claim of unlawful discrimination, then all of the legal fees may be deducted under I.R.C. Section 62(a)(20). One might make the same observation about an SEC whistleblower’s claim of retaliation, however minor that retaliation might be.

However, knowing the IRS, you might reasonably assume that there would be some kind of allocation—that is, if only 10 percent of the case is about “unlawful discrimination,” perhaps only 10 percent of the fees would be covered. For example, assume you have a tax-free, physical injury recovery, but 50 percent of the damages are punitive. With damages that are 50 percent tax-free and 50 percent taxable, the legal fees must be divided, too. One generally treats 50 percent of the legal fees as attributable to each part of the case. If 50 percent of the damages are tax-free, 50 percent of the legal fees are, too. That means there is no need to include the tax-free portion in income and try to deduct it. The punitive damages are taxable, and the 50 percent of the legal fees attributable to those damages are also income to the plaintiff. So, the plaintiff must report the gross amount of punitive damages (including the legal fees), and then deduct the fees.

That usually means a miscellaneous itemized deduction, which is treated unfavorably. One potential answer is a non-pro-rata allocation of legal fees. The IRS says that the presumptive allocation of fees is pro-rata, but you can have another allocation if you can support it. For example, suppose that 90 percent of the lawyer’s time in the case was devoted to compensatory damages, with only 10 percent to punitive damages. If lawyer bills and declarations support that, it could mean large tax savings. Anything better than 50/50 might help.

Allocating SEC Claims

With this background, should legal fees in SEC and other whistleblower recoveries be allocated in some way? Assume an SEC whistleblower collects $10 million, allocated as follows: 90 percent from the target’s bad conduct exposed in the claim, and 10 percent for retaliation against the employee-whistleblower. Does this suggest an above-the-line deduction for 10 percent of the legal fees, and a miscellaneous itemized deduction for 90 percent of the fees?

It should not, in my opinion. I worried about this issue in 2004 when the above-the-line deduction was enacted. See Robert W. Wood, “Jobs Act Attorney Fee Provision: Is it Enough?,” 105 Tax Notes 8, 961 (Nov. 15, 2004). However, I have seen no suggestion since then that the IRS would require it. I have also not encountered other practitioners who seem worried about it. Where one claim qualifies for an above-the-line deduction under I.R.C. Section 62(a)(20), I think it is likely that all legal fees allocable to taxable recoveries can be deducted above the line. See also Robert W. Wood, Tax Aspects of Settlements and Judgments, 522 T.M., Part V.G.2., A-64 (2015).

The IRS has provided at least one indication that it might agree. In Chief Counsel Memorandum 20133501F (Aug. 30, 2013), the IRS described I.R.C. Section 62(e)(18) as providing “an above-the-line deduction for attorney’s fees and costs incurred in an action or proceeding involving any aspect of the employment relationship.” (Emphasis added.) At the very least, this language seems to suggest a liberal application of I.R.C. Section 62(e)(18) for actions where at least one claim involves the employment relationship.

More generally, 13 years have elapsed since the above-the-line deduction was enacted. In that time, I have seen large numbers of legal-fee deductions claimed, audited, and disputed. In my experience, the IRS in the field interprets the above-the-line deduction liberally, which seems to me to be entirely appropriate.

Moreover, I have not seen a single case in which the IRS has tried to allocate legal fees between above-the-line qualifying fees (such as employment) and other legal fees. I have seen cases in which the issue could have been raised, but was not. It is true that SEC whistleblower claims might be viewed differently, given the statute, but hopefully they will not be.

Deductibility Limits

One detail of the above-the-line deduction that is easy to miss relates to gross income. Normally, a cash-basis taxpayer is eligible to claim a deduction in the year the underlying payment was made. See I.R.C. § 461(a); Treas. Reg. § 1.461-1(a)(1). However, I.R.C. Section 62(a)(20) limits the available deduction to the income derived from the underlying claim in the same tax year. As a result, a deduction allowable under section 62(a)(20) cannot offset income derived from any other source or received in any other year. This is usually not a problem, but occasionally it can be. For example, where there is a mixture of hourly and contingent fees, the issues can be thorny and may require professional help.

Trade or Business

Before leaving above-the-line versus below-the-line deductions, it is appropriate to consider an additional way that taxpayers may qualify for above-the-line deductions. A taxpayer operating a trade or business and incurring legal fees—contingent or otherwise—need not worry about these issues. In a corporation, LLC, partnership, or even a proprietorship, business expenses are above-the-line deductions.

Some plaintiffs have even argued that they were in the business of suing people. This may sound silly in the case of plaintiffs in employment cases. That is where the argument first appears to have surfaced (long before the above-the-line deduction was enacted in 2004). See, e.g., Alexander v. Comm’r, 72 F.3d 938 (1st Cir. 1995). However, it is quite credible in the case of some serial whistleblowers.

Some file multiple claims, and some go on the lecture circuit, especially after their claims bear fruit. Thus, there is a distinct possibility that a whistleblower can, in a very real sense, be operating a business. A proprietor—a taxpayer operating a business without a legal entity—reports income and loss on Schedule C to his or her Form 1040.

To be sure, you are not likely to want to make a Schedule C argument if you have a good argument for a statutory above-the-line deduction. Schedule C to a Form 1040 tax return is historically more likely to be audited than virtually any other return, or portion of a return. In part, this is due to the hobby-loss phenomenon, with expenses usually exceeding income. It is also due to self-employment taxes. Placing income on a Schedule C normally means self-employment income, and the extra tax hit on that alone can be 15.3 percent. Over the wage base, of course, the rate drops to 2.9 percent.

Even so, most whistleblowers and plaintiffs do not want to add self-employment tax to the taxes they are already paying. Still, when it comes to deducting legal fees, the Schedule C at least deserves a mention. Plaintiffs or whistleblowers who have been regularly filing Schedule C for business activities in the past stand a better chance of prevailing with their Schedule C.

Conclusion

Long before and shortly after the Supreme Court’s Banks case in 2005, there was considerable discussion about the tax treatment of legal fees. Plaintiffs’ employment lawyers were especially vocal in the years leading up to 2004, and they were particularly effective in lobbying Congress. That led to the statutory change in 2004, which ended up covering some whistleblower claims, too.

In part, the statutory changes in late 2004 blunted the impact of the Banks case, which even the Supreme Court itself noted in its opinion. Yet vast numbers of plaintiffs—and some whistleblowers—are still stuck with the dilemma of how to deduct their legal fees. In the case of SEC whistleblower claims, some people seem to assume that the above-the-line deduction surely must apply. Some people say it does not—not technically. Some seem to ignore the issue entirely. Given the dollars that are often involved, however, it would be wise to consider the income and deduction side of legal fees and costs. A large number of successful plaintiffs and some whistleblowers end up surprised at tax time. As more SEC whistleblower claims are paid, there will hopefully be no successful whistleblowers surprised by their tax preparer, or worse still, by the IRS.

The Future of Financial Services Enforcement at the FTC

Over 25 years ago, C.K. Prahalad and Gary Hamel coined the term “core competencies,” which consists of the “collective learning” in an organization. Prahalad and Hamel contended that by identifying this intellectual core, businesses could obtain a competitive advantage by focusing on their unique strengths; firms could separate the wheat from the chaff, allocating resources away from nonessential things and towards core activities that provide substantial value to consumers.

As the acting director of the Federal Trade Commission’s Bureau of Consumer Protection, I have the privilege of managing part of an agency that has over 100 years’ worth of collective learning. That history has allowed the FTC to develop some extraordinarily effective tools to combat harmful conduct. The FTC’s core competency with regard to financial services is now civil law enforcement, with business guidance, consumer education, and research and policy development activities supporting and furthering such enforcement.

Yet even “old dogs” like the FTC need to learn new tricks. As Acting Chairman Maureen Ohlhausen observed, the FTC must evolve so that its law enforcement and other financial services work still serve the interests of consumers in a rapidly changing world. The FTC and the Bureau of Consumer Protection have in the past identified some financial markets on which the agency was focusing its work. This article addresses the broader question of how, under the new leadership of Acting Chairman Ohlhausen, the FTC is likely to apply its core law-enforcement competency in light of on-going changes in law, technology, and markets, and provides some initial thoughts on an overall FTC approach to consumer financial services enforcement. For purposes of this article, “financial services” does not include privacy and data security, which are topics best addressed separately and comprehensively.

Combating Financial Fraud

As part of her positive consumer-protection agenda, Acting Chairman Ohlhausen has emphasized generally that she will “re-focus the agency on our bread-and-butter fraud enforcement mission.” As she explained, “[t]hese cases may not forge new legal ground or prompt huge headlines, but such actions defend consumers harmed by an unscrupulous con artist and assist the legitimate business owner who loses business to the cheat. These obvious benefits explain why such efforts have long had broad bipartisan support both at the FTC and in Congress.” Fighting fraud, in short, is good policy and good politics. When it comes to allocating its scarce resources, stopping fraudulent schemes allows the FTC to get the most consumer-protection bang for its buck.

The FTC’s general refocusing on fraud enforcement applies to the financial-services context as well. Under the leadership of Acting Chairman Ohlhausen, the FTC will direct its enforcement work even more at preventing, deterring, and remedying fraudulent practices in financial services. In particular, the FTC will focus on fraud that causes harm to financially distressed consumers. Fighting fraud will be the centerpiece of the FTC’s financial-services enforcement agenda.

The FTC has a strong record of bringing cases to halt serious misconduct by providers of financial services. It has long brought actions to protect consumers from abusive debt collectors (such as “phantom” debt collectors), unscrupulous payday lenders, and fraudulent debt-relief operations. For example, the FTC recently brought an action against S&H Financial Group and its officers, alleging that they masqueraded as a law firm and used unlawful intimidation tactics in collecting debts, even going so far as to make phony claims that people would be arrested or imprisoned if a debt was not paid. In another recent action, Strategic Student Solutions, the FTC alleged that a student loan debt-relief operation bilked millions of dollars from consumers by falsely promising to reduce or eliminate the consumers’ student loan debt and offering nonexistent credit-repair services.

The FTC will continue strong and sustained enforcement against bad actors that harm consumers of financial services; however, FTC enforcement will also target entities that support the ecosystem of fraud. These include money-transfer companies, payment processors and platforms, loan lead generators, and others that directly participate in another’s fraud or provide substantial support while ignoring obvious warning signs of another’s illegal activity. For example, the FTC recently announced a $586 million settlement against Western Union for failing to maintain appropriate safeguards against fraud-induced money transfers and continuing to employ corrupt Western Union agents who were complicit in such fraud. In addition, in its action against AT&T, the FTC recently refunded the company’s customers more than $88 million in allegedly unauthorized charges for third-party subscriptions to text message services for horoscopes, celebrity gossip, and other items. When companies directly participate in another’s fraud or they provide substantial support to another while ignoring their fraud, they make large-scale financial fraud possible. Focusing FTC law enforcement even more against these actors allocates the agency’s limited resources to maximize the prevention, deterrence, and remediation of fraud.

Financial fraud is not static. Some financial frauds are of course the same frauds that the FTC has fought for many years. Scammers, however, are not only resilient, but also cunning. Fraud artists are adept at developing new schemes and locating new and vulnerable victims. What the next generation of financial frauds will look like is unclear. What is clear is that the FTC’s core competency in law enforcement, its experience in prosecuting financial fraud, and its tracking of technological changes, as discussed below, mean that the FTC is as prepared as an agency can be to combat future financial frauds, whatever they prove to be.

A critical caveat is necessary: the FTC will still bring cases against those who are not engaged in financial fraud but otherwise violate laws the FTC enforces. Some of these will be traditional cases challenging the conduct of financial service providers as unfair or deceptive in violation of Section 5 of the FTC Act, for example, challenging false or misleading claims that nonbank mortgage lenders make for their loans. Others will be traditional cases challenging the conduct of financial service providers as violating various financial services statutes and regulations the FTC enforces, such as violating the Fair Credit Reporting Act and its implementing Regulation V or the Children’s Online Privacy Protection Act and its implementing Children’s Online Privacy Protection Act Rule. Providers of financial services should not misinterpret the FTC’s refocusing on financial fraud as a license to violate other laws the FTC enforces.

Selection of Enforcement Targets

As the D.C. Circuit noted 30 years ago, we live in “an age of overlapping and concurring regulatory jurisdiction.” Thompson Med. Co. v. FTC, 253 U.S. App. D.C. 18, 791 F.2d 189, 192 (D.C. Cir. 1986). Such regulatory and law-enforcement overlap, which the FTC shares with agencies such as the Consumer Financial Protection Bureau, the Federal Communications Commission, the Food and Drug Administration, and the Securities and Exchange Commission, does provide advantages. For example, knowing another agency also has jurisdiction can allow an agency to focus on, and therefore gain expertise in, certain complex areas and ensure there are no enforcement gaps between agencies’ statutory boundaries.

Nonetheless, such overlap also can lead to enforcement inefficiencies and inconsistencies. To mitigate the risk of these disadvantages to regulatory and law-enforcement overlap, agencies should define their clear priorities so that sister agencies know when to act. At the same time, however, agencies should not abdicate their responsibilities in areas that may not be a priority but still fit within their statutory boundaries.

The FTC is doing just that with financial services enforcement. Although the FTC will be refocusing its enforcement on fraudulent conduct, the agency generally will be careful to select targets for which Congress has made the FTC the main federal agency enforcer or in which the FTC has extensive enforcement experience. In addition, where the FTC and another agency have concurrent enforcement authority, the Commission generally will focus on targets that are not subject to another agency’s extensive supervision, examination, or other oversight. Careful FTC target selection is instrumental in ensuring that FTC law enforcement is both efficient and effective.

The FTC will make it a priority to engage in significant enforcement where Congress intended it to be the main enforcer among federal agencies. For example, the FTC is the leading federal agency enforcer under Section 5 of the FTC Act and other financial services statutes for many auto dealers—generally dealers that routinely assign financing to unaffiliated, third-party financing institutions. Other examples include the Credit Repair Organizations Act for providers of credit-repair services and the Telemarketing and Consumer Fraud and Abuse Prevention Act and its implementing Telemarketing Sales Rule for telemarketers. Given the leading role Congress assigned to the FTC under these laws to protect consumers, the agency will remain vigilant in monitoring, investigating, and prosecuting those who violate these laws.

Even where Congress has not made the FTC the primary federal agency enforcer, the FTC still may have developed substantial expertise through many years of enforcement experience. For example, over the course of 40 years, the FTC has brought numerous actions against debt collectors for violating the Fair Debt Collection Practices Act. The FTC also has extensive experience in bringing actions against debt-relief operations for violating Section 5 of the FTC Act and the Telemarketing Sales Rule as well as against mortgage-relief firms for violating Section 5 of the FTC Act and Regulation O. The FTC’s substantial expertise with regard to these types of entities assists the agency in targeting potential wrongdoers for investigation and prosecution. It also assists the FTC in fashioning relief that is effective in remedying law violations and preventing and deterring future law violations, yet not imposing unnecessary or undue burdens on industry. Given the clear advantages of making use of its accumulated expertise, the FTC will continue to be an active enforcer over these types of entities.

Although the FTC has had concurrent enforcement with other agencies for many years in connection with a variety of financial services statutes and regulations, the Dodd-Frank Act in 2010 fundamentally reworked these schemes. In particular, under the Dodd-Frank Act, the FTC and the CFPB have concurrent enforcement authority over many nonbank financial service providers under many statutes and regulations. When faced with such concurrent enforcement authority, the FTC and the CFPB must be careful to avoid duplication and the imposition of conflicting standards. As directed by Congress, the two agencies entered into a Memorandum of Understanding (MOU) in 2012 and renewed it in 2015 to address these concerns to some extent. These MOUs fundamentally create a process by which the FTC and the CFPB can coordinate. They do not allocate financial service providers between the FTC and the CFPB where the two agencies have concurrent enforcement authority.

Nevertheless, to ensure that it allocates its enforcement resources wisely, the FTC considers the nature and scope of the CFPB’s activities. For instance, the FTC generally would not expend its limited enforcement resources to focus on types of targets where the CFPB is already devoting substantial resources or has particular expertise that could be brought to bear on a specific matter. Debt-collection enforcement is a useful illustration. For larger market participants in the debt-collection market, the CFPB not only can bring enforcement actions, but also can subject firms to on-going, extensive, and burdensome supervision and examination. Given its comparative advantage in tools relative to the FTC relating to larger participants in debt-collection markets, the CFPB in many cases will be in a better position to address the consumer protection problems those debt collectors cause, although that does not necessarily mean that the enforcement actions it may bring are necessary or appropriate. Nevertheless, there still may be circumstances in which the FTC might bring law-enforcement actions against larger market participants in the debt-collection markets. Among other things, it would be appropriate for the FTC to bring an enforcement action if: (1) the FTC is investigating a group of related firms, one of which is a larger market participant; (2) a collector is close to the larger participant threshold; or (3) the action furthers other FTC priorities, as was the case with GC Services Limited Partnership.

In contrast, for debt collectors that are not larger participants, the CFPB and the FTC both can bring law-enforcement actions, but neither can subject these debt collectors to supervision and examination. For these collectors, the FTC certainly is in a good position to address the consumer protection problems they cause, given its strong record of accomplishment in bringing cases involving these debt collectors, and the FTC will continue to bring cases against these collectors where appropriate.

Responding to Fintech

Refocusing on financial fraud and on targets where FTC enforcement will capitalize on its authority and experience is a sound approach for today, but what about tomorrow? To be effective, FTC financial services law enforcement must be flexible enough to adapt quickly to changes in markets and technology, especially so-called Fintech.

Fintech has certainly arrived. A myriad of technological developments has and will continue to rapidly transform the financial services sector to make it much more efficient. Fintech development implicates many financial products and services, such as credit scoring, peer-to-peer lending, blockchain transaction recording, smartphone payments, etc. A financial services enforcement agenda must account and prepare for the impact of Fintech on consumers of financial goods and services.

Fortunately, the FTC has vast experience in assessing technological and market developments that are likely to affect consumers, and in changing course to ensure that its tools (especially law enforcement) to protect consumers remain effective. Since Congress gave it the authority in 1937 to prevent unfair and deceptive acts and practices, the FTC has applied these concepts successfully to business conduct involving a plethora of new technologies, such as communication technologies like television, faxes, cell phones, e-mail, text messages, social media, etc. The FTC has done so through combining research and policy development, business guidance, consumer education, and enforcement.

Consistent with past practice and prudence, the FTC is engaged in extensive research and dialogue with stakeholders relating to Fintech to assess how to protect consumers in connection with Fintech, while avoiding policies and enforcement that would chill or hinder Fintech or impose unnecessary or undue burdens on Fintech firms. For example, the FTC has held three forums on several Fintech topics, such as marketplace lending, crowdfunding, peer-to-peer payment systems, artificial intelligence, and blockchain. The FTC also recently announced its Debt Collection Fintech Initiative. As part of this initiative, the FTC is engaging in outreach with industry and consumer groups, conducting research, and taking other steps to continue building expertise on the use of existing and emerging technologies in debt collection. The agency will be exploring the costs and benefits to consumers and businesses of such technologies, including whether they can combat fraud and other harmful conduct, e.g., phantom debt collection.

The FTC has made institutional changes to ensure that the agency has the required expertise to consider carefully and consistently the benefits and costs of technology, including Fintech. Not only does the FTC have a chief technologist, it also has an Office of Technology Research and Investigation staffed with technologists who have the technical expertise to assess the benefits and costs of conduct relating to Fintech, and who conduct research and analysis, including a recent analysis of the online practices of large crowdfunding platforms. Maintaining this vigorous and extensive program of research and outreach to distinguish between helpful and harmful conduct is particularly valuable in Fintech because of the FTC’s broad enforcement jurisdiction over nonbank market participants (including retailers and technology companies).

The FTC’s commitment to obtaining a comprehensive understanding of Fintech to inform its work does not mean that the agency will not act where appropriate to protect consumers. The FTC’s recent work involving emerging billing mechanisms and technologies aptly illustrates the agency’s law-enforcement commitment. The FTC has brought a number of cases ensuring that basic consumer protections apply no matter what billing platform or method a company uses to do business. For example, a U.S. district court recently ordered Amazon to refund up to $70 million in unauthorized charges incurred by children in kids’ gaming apps. Although the technology was relatively new, the principle enforced in that case—that companies may not charge consumers for unauthorized purchases—is well established and straightforward.

A settlement involving Apple, Inc. further demonstrates the value of the FTC seeking and imposing order provisions that allow for technological innovation. In that case, the FTC alleged that Apple had violated the FTC Act by billing for charges that children incurred through in-app purchases without the express informed consent of their parents. To resolve this allegation, the FTC’s settlement with Apple required that the company obtain parental consent, but it did not specify what particular manner Apple needed to use (e.g., password entry) to obtain that consent. Apple, therefore, was later able to use the newer technology of fingerprint authentication to obtain parental consent in compliance with its order. When the FTC brings law-enforcement actions that involve Fintech and other rapidly developing technologies, the public interest is best served if the agency seeks or imposes order provisions that confer adequate protection on consumers without unduly or unnecessarily hindering or chilling the use of new technologies.

Conclusion

FTC financial services enforcement is beginning to change under the direction of Acting Chairman Ohlhausen. The agency will be refocusing on investigating and prosecuting fraud in consumer financial markets, building on the FTC’s strong anti-fraud program. The FTC will direct its attention to entities over which Congress has made it the leading federal agency enforcer or with which the FTC has significant long-term experience, as well as to entities where it has a comparative advantage compared to other enforcers with concurrent enforcement authority. The agency will engage in extensive research and policy development to understand Fintech developments and their impact on consumers. The FTC will apply core consumer-protection principles to providers of Fintech goods and services, with a keen recognition of the dynamic nature of Fintech and markets in crafting orders to protect consumers without stifling technological innovation.

The views expressed in this article are those of the author and do not necessarily represent the views of the FTC or any individual commissioner.

Blockchain and Beyond: Smart Contracts

Imagine a future where contracts look like this:

./peer chaincode deploy -n ex01 -c '{"Function":"init", "Args": ["{\"version\":\"1.0\"}"]}'

The term “smart contracts” was originally coined by cryptographer Nick Szabo in the early 1990s. Szabo saw a contract as a set of promises agreed to by a meeting of the minds. He aptly noted that computers make it possible to run algorithms. First, the contract terms are translated into code—a series of if-then functions. Once a condition is met, the smart contract will take the next step necessary to execute the contract. Thus, the term “smart contracts” refers to computer transaction protocols that execute the terms of a contract automatically based on a set of conditions.

Although the concept of smart contracts has existed for a long time, a real-world application has only recently been made possible due to developments in blockchain technology. Blockchain is commonly defined as a decentralized digital ledger in which transactions are recorded chronologically and publicly. In its infancy stages, blockchain was the mechanism that tracked cryptocurrencies such as Bitcoin. However, as the technology evolved, variations such as private, permissioned, and consortium blockchains have emerged. Ultimately, blockchain technology can facilitate many types of business transactions.

Historically, we have relied on established institutions such as banks and government to authenticate transactions—to verify that the people with whom we are transacting are really who they claim to be. The institutions act as middlemen to build trust between two parties that are transacting with each other. However, these institutions are not incorruptible. At times, they have become victims of foul play by external or internal actors. In fact, it can be risky to consolidate trust into one institution because it creates a single point of failure.

In contrast to a centralized system where only certain people can view and modify transactions, blockchain was originally developed as a decentralized ledger open to the public. A key feature of blockchain is that multiple parties can verify transactions instantaneously. Once the transaction has been properly verified, it is added as a new block on the blockchain. Thus, a blockchain is a chain of transaction blocks in which each new block is permanently tied to the previous one, and it is that linkage that makes the record immutable. Because trust is distributed among many users, a decentralized ledger is expected to be more reliable at exposing any faulty transactions.
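The linkage described above, as an added example that is not part of the original article: a minimal hash-linked ledger in which any party holding a copy can re-derive every link and detect an altered block. The transactions are constructed, and consensus (mining or permissioning) is deliberately left out; the example also shows the one case plain linkage cannot catch on its own, an altered last block, and the published tip hash a verifier needs to close that gap.

```python
# Added example, not from the article: a minimal hash-linked ledger showing
# why a block "permanently tied to a previous block" cannot be altered without
# detection, and how any party holding a copy can verify it.
# All transactions below are constructed; a real blockchain adds consensus
# (mining, permissioning) on top of this linkage, which is not modelled here.
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

GENESIS_PREV = "0" * 64  # the first block links to an all-zero hash


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str  # hash of the previous block: the "tie" to it
    transactions: Tuple[Tuple[str, str, int], ...]  # (sender, receiver, amount)

    def hash(self) -> str:
        # Canonical JSON so every party computes the same digest.
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash,
             "transactions": self.transactions},
            sort_keys=True,
        )
        return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(batches: Sequence[Sequence[Tuple[str, str, int]]]) -> List[Block]:
    """Append one block per batch of verified transactions."""
    chain: List[Block] = []
    prev = GENESIS_PREV
    for i, txs in enumerate(batches):
        block = Block(i, prev, tuple(txs))
        chain.append(block)
        prev = block.hash()
    return chain


def verify_chain(chain: Sequence[Block],
                 expected_tip: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Re-derive every link. Returns (ok, index of the first block that fails).

    expected_tip is the hash of the last block as published by the other
    participants; without it, an altered *last* block has no successor whose
    link could expose it.
    """
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != prev:
            return False, i
        prev = block.hash()
    if expected_tip is not None and prev != expected_tip:
        return False, len(chain) - 1
    return True, None


def tamper(chain: Sequence[Block], index: int,
           new_txs: Sequence[Tuple[str, str, int]]) -> List[Block]:
    """Return a copy in which one historical block's transactions were rewritten."""
    altered = list(chain)
    altered[index] = Block(index, chain[index].prev_hash, tuple(new_txs))
    return altered


if __name__ == "__main__":
    ledger = build_chain([
        [("alice", "bob", 5)],
        [("bob", "carol", 2)],
        [("carol", "alice", 1)],
    ])
    print(verify_chain(ledger))  # (True, None)
    forged = tamper(ledger, 1, [("bob", "carol", 200)])
    print(verify_chain(forged))  # (False, 2): block 2's link no longer matches
    forged_tip = tamper(ledger, 2, [("carol", "alice", 100)])
    print(verify_chain(forged_tip))  # (True, None): the last block has no successor
    print(verify_chain(forged_tip, ledger[-1].hash()))  # (False, 2): the published tip exposes it
```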

Smart contracting is a disruptive advancement that will have far-reaching impact for many industries, including financial services, government, real estate, manufacturing, and healthcare. For example, in securities trading, it currently takes several days to transfer assets, thereby increasing counterparty risk. Smart contracts that use blockchain technology could shorten settlement times and mitigate such risk. In the insurance industry, certain policy agreements could be automated. A smart contract for travel insurance can be automatically triggered once a flight is cancelled. Once the cancellation is posted, the smart contract makes a payment directly to the policyholder, thereby bypassing the claims process. Governments may use smart contracts to manage title recordings, social services, and e-voting. In manufacturing, smart contracts may replace current supply-chain processes such as bills of lading, proof of origin, or quality control. Another interesting application is tying smart contracts to the Internet of Things (i.e., cars, appliances, and devices). For example, a washing machine may contain a sensor indicating when it is low on detergent and then automatically reorder it.

One of the leading platforms for smart contracts is Ethereum, which was specifically designed to be a smart contracts platform. Although traditional cryptocurrencies, such as Bitcoin, can store and transfer value, Ethereum is also capable of carrying data in the form of arguments, which means that the platform can be programmed to take a specific action once certain conditions are met. Thus, contracts can be programmed to be self-executing because the platform can send money once the specified conditions are satisfied. Theoretically, given enough time, the platform will eventually be able to solve any computable problem. However, in practice, how well the platform runs depends upon network speed and memory.
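The travel-insurance contract described above, as an added example that is not part of the original article and not code from Ethereum or any other platform: the policy is modelled as the series of if-then rules Szabo had in mind, with the checks a practitioner would insist on before money moves. It assumes a pre-funded policy, a single authorised flight-status oracle, and an HMAC under a constructed shared key so that forged or replayed cancellation postings are refused.

```python
# Added example, not from the article: the travel-insurance smart contract
# modelled as the "series of if-then functions" described above. Assumptions
# (all constructed): the policy is pre-funded, one authorised flight-status
# oracle posts cancellations, and each posting carries an HMAC under a shared
# key so forged or replayed postings are refused. On Ethereum the same rules
# would live in the contract's own code rather than in Python.
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Set

ORACLE_KEY = b"constructed-oracle-key"  # stand-in for the oracle's credential


def sign_status(flight: str, status: str, nonce: int, key: bytes = ORACLE_KEY) -> str:
    """What the oracle attaches to a posting so the contract can authenticate it."""
    message = f"{flight}|{status}|{nonce}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


@dataclass
class TravelPolicy:
    holder: str
    flight: str
    payout: int
    balance: int  # funds escrowed in the contract
    paid: bool = False
    seen_nonces: Set[int] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def on_flight_status(self, flight: str, status: str, nonce: int, signature: str) -> str:
        """Each if-then rule is evaluated in order; the first that applies decides."""
        # IF the posting is not from the authorised oracle THEN ignore it.
        if not hmac.compare_digest(sign_status(flight, status, nonce), signature):
            return self._record("rejected: unauthenticated posting")
        # IF this posting was already consumed THEN ignore it (replay).
        if nonce in self.seen_nonces:
            return self._record("rejected: replayed posting")
        self.seen_nonces.add(nonce)
        # IF it concerns another flight, or the flight is not cancelled, THEN nothing happens.
        if flight != self.flight or status != "CANCELLED":
            return self._record("no action")
        # IF the claim has already been paid THEN refuse a second payout.
        if self.paid:
            return self._record("already paid")
        # IF the escrow cannot cover the payout THEN refuse (never go negative).
        if self.balance < self.payout:
            return self._record("rejected: insufficient funds")
        # THEN pay the policyholder directly, bypassing the claims process.
        self.balance -= self.payout
        self.paid = True
        return self._record(f"paid {self.payout} to {self.holder}")

    def _record(self, outcome: str) -> str:
        self.log.append(outcome)
        return outcome


def run_scenario() -> List[str]:
    """Constructed sequence of postings; returns the contract's outcome for each."""
    policy = TravelPolicy(holder="alice", flight="XY123", payout=500, balance=1000)
    postings = [
        ("XY123", "ON_TIME", 1, sign_status("XY123", "ON_TIME", 1)),
        ("XY123", "CANCELLED", 2, "0" * 64),  # forged: signature does not verify
        ("XY123", "CANCELLED", 2, sign_status("XY123", "CANCELLED", 2)),
        ("XY123", "CANCELLED", 2, sign_status("XY123", "CANCELLED", 2)),  # replayed
        ("XY123", "CANCELLED", 3, sign_status("XY123", "CANCELLED", 3)),  # second cancel
    ]
    return [policy.on_flight_status(*posting) for posting in postings]


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```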

Although many advances have been made in smart contract technology, it is still in an early development stage. There are issues such as scalability, centralization risk, and usability that must be addressed before mass adoption by the general public. The issue of scalability arises because the technology is dependent on network speed. More complex transactions require much higher network speed to which only some large entities have access. This may also lead to centralization risk if power is concentrated into a small number of hands. Such concentration means that a group of bad actors may conspire together to approve malicious transactions. Finally, these “smart contracts” are still primarily written in code and not easily readable by the average lawyer. Tools will have to be developed to bridge the usability gap.

In conclusion, as smart contract technology evolves, it will surely disrupt many industries. Major industries such as financial services, government, real estate, manufacturing, and healthcare have begun testing this new technology. It is only a matter of time before the technology is fully implemented. Lawyers can play an active role by staying abreast of changes that may affect their clients. Transactional lawyers may wish to learn more about the technical aspects of their future “smart contract” to ensure that it aligns with their client’s wishes and goals. In the future, litigation attorneys may no longer be litigating the “four-corners” of the contract, but rather expanding into the intent of the code.

When Information Security Became a Lawyer’s Thang

In the case of NotPetya, it is not simply a matter of many individual enterprises being hit but rather entire supply chains being hit as well. Reckitt Benckiser Group just announced they will likely have issues hitting their quarterly numbers because they could not invoice for millions of dollars because production lines were impacted. While you may have heard about FedEx being hit, Moller-Maersk (the world’s largest sea logistics operations) will also have their top and bottom lines take a sizeable toll as thousands of shipping containers could not be offloaded due to system failures/compromises of sea ports. Understanding cyber risk is a core element of understanding today’s business risk. (Carter Schoenberg, Buying Cyber Insurance: Buyer Beware).

In May, a piece of ransomware known as “WannaCry” paralyzed businesses, government entities and Great Britain’s National Health Service in one of the largest global cyberattacks to date. The following month, it was “Petya,” another massive cyberattack that crisscrossed the globe, bringing Russian oil companies, Ukrainian banks and a mass of multi-national corporations to their collective knees. As the frequency of cyberattacks reaches epidemic proportion . . . many businesses still lack adequate protection. By taking the time to understand the threats, how to prepare, and what to look for in a cyber liability policy, you can ensure that your business has the coverage it needs to survive a breach. (Evan Taylor, The Changing World of Cyber Liability Insurance).

Companies are exposed to an endless assault on their information technology (IT) infrastructure from a variety of anonymous hackers, ranging from mischievous (much less likely) to felonious (much more likely). Breaking into servers, computers, and Cloud providers in an attempt to steal valuable information has become mainstream in the last decade. It is clear today that lawyers must play an increasingly significant role in addressing information security (InfoSec) issues. Of course, managing this issue is of paramount importance because InfoSec has evolved from an IT issue to a C-Suite strategic problem, given that a company’s reputation, valuation, business vitality, and customer confidence can hinge on how it protects its information assets. This article explores how lawyers can and should play a greater role in dealing with InfoSec.

Introduction

In March 2014, the largest exploitation of government personnel data occurred when InfoSec personnel of the U.S. government’s Office of Personnel Management (OPM) detected a hacker (widely reported to be the Chinese government) trying to gain access to the OPM servers. OPM watched the hackers maneuver around the government’s IT environment for months—or longer—looking for the perfect treasure trove of information. Upon finding it, the hackers exfiltrated 22 million past and current U.S. governmental employees’ personnel files. A catastrophic event no doubt, but just one of the thousands of massive security breaches regularly impacting entities across the globe.

A common adage among technology professionals is that regardless of how much money or effort is expended to secure an IT environment, if someone wants to get in badly enough, they will. There is no perfect security. A hacker need only find one way in, whereas the company must protect against an ever-increasing number of more sophisticated threats able to exploit the smallest technical chink in the IT armor.

As cyber defenses have become more robust over time, hackers likewise have become much more sophisticated. Whether moving undetected within a storage environment, hacking a military facility, stealing product design drawings, or holding information hostage through various Ransomware scams, we are entering the new era of information terrorism.

Vigilance in combating information terrorism is essential. Every facet of modern life is connected, and that connectedness can lead to more harm, done more quickly, with fewer ways to combat the problem. The assault on InfoSec and the fight against information terrorism will require multidisciplinary teams that enlist lawyers and legal departments to play a more active role in making InfoSec a reality for their organization. But what can lawyers do practically?

Contracting

Typically, most lawyers fail to view InfoSec as their problem. Anything related to technology is perceived as the exclusive province of the technology department. Historically, lawyers likely had only some contracting responsibility related to technology acquisition or a software license. That mindset has contributed to the InfoSec crisis and must change.

In recent years, lawyers have been negotiating (with IT help) security level agreements (SLAs) which dictate, among other things, the security requirements mandated by contract or limitations of liability for InfoSec failures. SLAs set up parameters the service provider will follow, minimum level of service requirements, and remedies if the provider fails. Given that each provider has its own SLA, lawyers should work to develop standardized requirements and language to be used on behalf of their client.

In response to a shift to the Cloud as a cost-effective, scalable, storage solution, lawyers must also proactively address information ownership, access, discovery, security, privacy, and other compliance requirements in contract when negotiating with each new Cloud vendor. Further, as there are many ways to implement a Cloud technology solution, lawyers must become more conversant in the differences between “public” and “private” Clouds to be able to negotiate adequate Cloud agreements.

Evolving Nature of Legal Advice

Traditionally, lawyers guide their business “partners” on myriad legal and regulatory issues. Helping IT and business personnel understand the legal issues and implications of security matters is standard and seemingly straightforward. In the context of InfoSec, however, satisfying the letter of the law can be different from satisfying the spirit of the law. With InfoSec, advising requires a deeper technical knowledge.

For example, the broker-dealer regulations mandate built-in, InfoSec-driven data redundancy by requiring that an organization subject to the regulations “store separately from the original, a duplicate copy of the record stored on any medium acceptable under § 240.17a-4 for the time required.” There are firms that stored two copies of their important records on different floors of the World Trade Center and satisfied the “letter” of the law; however, IT and InfoSec best practices require that the copies be at least 30 miles apart. Needless to say, when the 9/11 disaster hit, all the records were destroyed.

Similarly, Regulation S-P (an SEC privacy rule) requires “clear and conspicuous” notices regarding any privacy policy. Translating legal language into a technical reality is complex, differs from technology to technology, and again demands that lawyers, privacy, and IT professionals cooperate to better translate the law into a technical reality.

In both examples, the lawyer’s advice on InfoSec or IT issues will require not only a greater familiarity with technology, but also a means of working with technology professionals to provide a holistic solution in a way that may otherwise be foreign.

InfoSec Disclosure Responsibility

In the last two decades, an entirely new type of law has emerged to deal with InfoSec failures when personally identifiable information (PII) is exposed. Deriving from California Senate Bill 1386, most states have disclosure rules about what a “controller” of certain classes of information must do if that information is breached or exposed. Some of the laws contain disclosure provisions that provide an “out” if the information is encrypted, whereas other state disclosure laws allow victims legal and financial redress. (See The National Conference of State Legislatures state security breach notification laws database). With the passage of the General Data Privacy Regulations (GDPR) in the EU and the varying nuances of U.S. state law, lawyers must stay on top of this evolving body of law.

Litigation and Insurance

In states that allow for legal and financial redress, lawyers may have to defend the organization’s IT practices because they could be on the hook for certain harm caused by their failure to secure information. Similarly, companies may have to seek redress from others concerning the “care, custody and control” of their information. This will likely become a greater battleground as more information is moving to the Cloud.

A proposed settlement has been reached in the landmark Anthem data breach case, which saw the personal information of nearly 79 million people stolen and is being referred to as the biggest data breach in history, lawyers involved with the case announced. The $115 million settlement, if approved by a judge as scheduled next month, is the end result of the massive class action lawsuit filed after a 2015 cyberattack on insurance giant Anthem and is said to be the largest data breach settlement in history, law firm Girard Gibbs said in a statement. (See Anthem Landmark Settlement in Anthem Data Breach Suit).

Litigation regarding InfoSec failures ultimately still faces challenges when it comes to the standards for damages:

Article III standing requires that a plaintiff show an injury in fact, a causal connection between the injury and the conduct complained of, and that the injury will likely be redressed by a favorable decision. An “injury in fact” may include the invasion of a legally protected interest that is concrete and particularized, and actual or imminent (i.e., not conjectural or hypothetical). In actions for loss of personal data, a frequent issue has been whether the possibility of future injury in the absence of actual harm is enough to satisfy the Article III “injury in fact” requirement. (See Developments in Data Security Breach Liability).

However, one apparent trend of certain courts is to be more accommodating on the issues of “proving” damages and future harm as fallout from a breach. Even with that being said, most courts and even “[p]laintiffs’ attorneys have also increasingly sought to avoid the injury restrictions of Article III by pleading the violation of federal statutes that do not have an injury requirement.” (See Corporate Legal Compliance Handbook).

One avenue organizations should consider to mitigate liability and litigation costs is identity-theft management services. Following the massive OPM breach, all those affected were given “LifeLock” for three years.

Organizations may also address InfoSec risk through cyber insurance. “According to a May 2017 survey from the Council of Insurance Agents and Brokers, 32 percent of respondents purchased some form of cyber liability and/or data breach coverage in the past six months, compared to 29 percent in October 2016.” (See Cyber Insurance: Overcoming Resistance.) Despite growth in coverage, not enough companies are ready for the worst; as The Changing World of Cyber Liability Insurance observes of such coverage, “It is not just a means of protecting against financial loss, but it is a conduit to services to restore companies.”

Lawyers in concert with risk-management and IT professionals can work together to better assess risks and insure against them.

Make InfoSec a Team Sport

InfoSec is now center stage in most board rooms because a hack can exact significant harm to the company’s systems, its ability to function, its bottom line, and its reputation. Properly managing the complex InfoSec challenges requires professionals from several parts of the organization who can address the issue comprehensively. Lawyers must be part of the team to proactively address InfoSec in conjunction with the CISO, CIO, CTO, Chief Privacy Officer, and Head of Compliance and Audit, among others.

Economic Espionage

InfoSec has become a greater concern with the exponential rise in cyber theft of company trade secrets. (See Economic Espionage). In recent years, the problem of countries, companies, and individuals misappropriating the trade secrets of U.S. companies has grown more insidious and more expensive to address. Lawyers and business executives have no choice but to deal with this increasingly complex problem. According to the U.S. Department of Commerce, intellectual property (IP) accounted for $6.6 trillion in value added, or 38.2 percent of U.S. GDP in 2014. IP alone accounts for over 45 million U.S. jobs and over 50 percent of all U.S. exports.

Getting Lawyers (More) Involved

Think Big C Compliance and Little C Compliance, Too

Lawyers must ensure that their organizations are not only complying with laws and regulations, but also helping create an environment where InfoSec is “institutionalized.” Compliance methodology (including policies, executive responsibility, delegation, communication and training, auditing and monitoring, consistent enforcement, continuous improvement—see Information Nation: Seven Keys To Information Management Compliance) based on the Federal Sentencing Guidelines can be helpful in this regard. Compliance methodology is especially important when dealing with InfoSec because failure will happen at some point. Following a compliance process may mitigate the impact to reputational harm or how a court “penalizes” the organization for the failure. Put another way, following compliance methodology helps manifest what a good corporate citizen does, demonstrates “reasonableness,” and may be the difference between winning and losing.

Help Make the Pile Smaller

Businesses are producing mass amounts of data and information. In 2017, there is a new exabyte of data created every few hours. That is the data equivalent of 50,000 years of DVD movies created several times each day. Most companies’ “information footprint” doubles every year or two. Unfortunately, much of this new data has limited long-term value.

Lawyers can be instrumental in helping their organization defensibly dispose of unneeded information. By evaluating information stores and doing the requisite diligence, information can be disposed without fear of spoliation. Properly disposing of outdated and unnecessary information promotes business efficiency, reduces storage costs, mitigates privacy and InfoSec risks, and reduces costs of discovery.

Applying Simplified Records Retention Rules

Making the pile smaller demands that content is destroyed when law and policy allow. Any information that is needed for an audit, litigation, or investigation must be preserved during the pendency of the matter. Records retention schedules (RRS) have been used as a way for companies to legally dispose of information when it is no longer needed. Some have described the RRS as “a license to clean house and not fear going to jail.”

Lawyers can help dust off their company’s old-school retention rules and work towards modernization and simplification. Revamped retention rules can be more readily applied to information, which will augment disposition at the end of information’s useful life. In this way, InfoSec, IT, and privacy needs are met by applying the RRS: smaller piles make for more efficient business and better risk mitigation.

Limit Places Information Is Parked

In addition to the volume of information, organizations also have to deal with an expanding variety of locations where information may be stored. Increasingly those locations may not be within the “care, custody, or control” of the company. When the marketing department publicizes a product on Facebook, or HR advertises job openings on LinkedIn, information will be created that may or may not have ongoing business value calling for retention to satisfy legal requirements. The problem arises when managing that information pile is now in the hands of a third party. How can information stored under such circumstances be protected? Can contracts adequately address the issues of InfoSec?

More directly, lawyers must develop policies around what information is appropriate for the Cloud, the contract terms regulating the relationship with any third party in possession of the company’s information, and guidelines that map the technical requirements for any storage environment against the regulatory and legal needs of the company.

Classification

Another way to address InfoSec risk is by developing and applying InfoSec classification rules (for example, which information is “highly confidential,” “confidential,” “trade secret,” or “public”) that delineate important information requiring protection, less protection, or none at all. Good InfoSec classification rules afford more attention and protection to information that is more valuable and worthy of greater precautions. It is reminiscent of the 80/20 rule. Eighty percent of the information (maybe more) is relatively worthless, possibly requiring little protection. Applying developed classification rules, the important 20 percent of information gets the needed InfoSec attention. The smaller the pile to protect, the greater likelihood it will be protected. Making sure clear classification rules are in place and followed is essential to help address InfoSec risk.

Encryption

Another way lawyers can help address InfoSec is through reviewing existing policies regarding the handling, management, and transmission of protected information. Usually those rules, if they exist, require encryption to scramble the content to preempt its exposure. The policies often exist but are ignored. Encryption policies should make clear when “confidential” information must be encrypted, and the lawyers, compliance, and audit professionals must ensure that employees are following policy. Technology can be harnessed to automatically encrypt at the system level to remove the burden from employees.

Training and Gamification

It is clear in the InfoSec space that breaches are increasingly commonplace, not because InfoSec technology is inadequate (such technology is constantly improving), but because the employees are a weak link in the InfoSec chain. Employees are routinely and unscrupulously used to obtain, steal, and exploit company information.

Training must become part of the culture. It is not a one-off project, but rather an ongoing process requiring resources and commitment. Training can become much more effective through gamification—a unique training methodology that reinforces material to be learned through game theory and reward.

Big Data and Anonymization

Conflicts within an organization regarding how information should be managed is normal, with countless business, privacy, and legal needs that may be diametrically opposed. For example, for “Big Data” to be most effective when using analytics tools, there must be more information stored for longer periods of time. InfoSec and privacy seeks to retain less information for shorter periods of time. Anonymizing data as much as possible tends to mitigate InfoSec and privacy risk. Unfortunately, analytics tools are less efficient when working within encrypted databases—another conflict to navigate. Lawyers can help navigate the many competing interests for information in organizations.

Conclusion

Information is the corporate life blood, and it is freely flowing in the streets far too often. Technology can only do so much in terms of protecting information and the systems that create, store, and transmit it. Employees are a big part of why InfoSec fails so frequently, leading to massive information breaches. Foolproof security does not and will never exist, but things can improve dramatically. Although InfoSec failure and risk will never vanish completely, lawyers can and should aid in fighting the InfoSec and information terrorism war.

Five Things to Know About D&O

Serving as a director or officer of a company carries certain inherent risks—including the prospect of lawsuits challenging managerial actions. For that reason, companies often arrange to carry D&O insurance to attract and protect individuals who serve in such roles. Unfortunately, the first time that many officers and directors drill down into the details of coverage available to them as part of a policy is after a claim for damages is asserted against them.

Counsel for directors and officers should not allow clients to end up in that position. Rather, counsel should emphasize to clients that the time for understanding a policy’s protections is at the outset of a company’s purchase or renewal of insurance. Waiting until a claim is made is obviously not the time to attempt to redraft policy language or obtain additional protection. Counsel for individuals thinking of serving in director or officer roles can provide essential value by asking critical questions, obtaining certain answers, and securing appropriate policy provisions.

Set forth below are five essential aspects of D&O insurance that counsel should emphasize to clients in the current business environment. A recent Sixth Circuit opinion discussed below, Indian Harbor Ins. Co. v. Zucker, highlights the significance of these points. Counsel should emphasize these points to individuals serving or contemplating serving in the role of officer or director.

1. D&O Actions Commonly Arise in Distressed Situations

When a company encounters a period of distress—whether by market conditions, fraud, an overleveraged balance sheet, or other factor—it is common for the actions of the company’s directors and officers to be examined for possible causes of action. A typical scenario today is a quick sale of the company’s assets in a distressed situation. In the usual case where sale proceeds are not sufficient to satisfy all constituents, a fiduciary (such as a creditors committee or liquidating trustee) may bring litigation against the directors and officers with the goal of increasing the pool of funds available to creditors. In such a situation, the directors and officers will want to know that the company’s D&O policy will cover defense costs and satisfy any settlement or final judgement. Any indemnification rights the director or officer may have against the company are typically worthless in a distressed situation. Directors and officers most need the protection of a solid policy in the event of corporate distress, and in such circumstances, it is critical to ensure adequate policy language that will provide protection is in place. In the absence of adequate coverage, personal assets will constitute the most likely source of resources to satisfy an adverse judgement.

2. D&O Policies Are Not Uniform

It is difficult for a business person or lawyer who does not regularly work with D&O policies to appreciate potential grounds for an insurer’s denial of coverage embedded in a policy. Directors and officers with questions often will ask an insurance broker to provide an answer to a hypothetical situation. Yet, if a director or officer seeks coverage under an issued policy, the broker’s assurances will mean little to a court focused on the actual written words in the policy and how those words should be interpreted in a particular factual setting. Counsel should ensure that clients relying on a policy for risk mitigation understand the operative terms and how similar terms have been interpreted in prior disputes. Counsel should seek to obtain alternative formulations when necessary to provide greater coverage. Clients should be encouraged to actively seek out competing policies if doing so will help obtain more favorable terms.

3. D&O Policies Are Claims Made

Directors and officers must understand that D&O policies are “claims made,” meaning that coverage exists only for claims made during the time period the policy is in effect. If a company begins to encounter challenging circumstances, it is essential that the policy not lapse. If the company needs to enter into some restructuring or liquidation proceeding, the company should acquire a “tail”—an extended time period for the reporting of claims for events occurring during the period in which the policy was in effect. Claims made while no policy or extended reporting period is in effect are not covered. In the Indian Harbor case, the policy at issue had a one-year term and was extended twice by the company; thus, the policy covered the time of the alleged violations of fiduciary duties by the officers. That good news, however, was offset by rather bad news as discussed below.

4. Understand Clauses That Can Eliminate Coverage

A critical aspect of any D&O policy is understanding the clauses that can eliminate coverage. Such clauses include, but are not limited to, the list of exclusions. One key exclusion is known as the “insured versus insured”—a provision at the heart of the decision in Indian Harbor. The policy in that case included language excluding from coverage “any claim made against an Insured Person . . . by, on behalf of, or in the name or right of, the Company or any Insured Person” except for certain derivative suits and employment claims. The litigation in Indian Harbor was brought by a liquidating trustee against former officers asserting breaches of fiduciary duties and seeking $18.8 million in damages. The insurer denied coverage on the basis of the insured-versus-insured exclusion—a position upheld by a panel of the Sixth Circuit. The particular facts of that case limited any potential recovery for creditors to funds available under the policy; the confirmed reorganization plan provided that no personal assets would be available to satisfy any adverse judgment. That fact-specific aspect of the case does not detract from the larger lesson: insured-versus-insured clauses can leave directors and officers exposed unless carefully drafted to provide an exception to that exclusion.

5. Negotiate Appropriate Exceptions to Exclusions

Directors and officers who want to ensure that an insured-versus-insured exclusion will not deny coverage must have previously negotiated an appropriate exception to that exclusion. Such an exception would allow coverage for claims brought by a liquidating trustee, bankruptcy trustee, or similar fiduciary. However, the exception itself must be carefully drafted because there is no “standard” language that will easily provide comfort of coverage. A director or officer may end up as a defendant in a suit brought by any number of differently named entities depending on the ultimate fate of the company, such as a debtor in possession, a chapter 7 trustee, a chapter 11 trustee, a liquidating trustee, a creditors committee, an assignee for the benefit of creditors, a receiver, and others. The exception to the insured-versus-insured exclusion should be well drafted with input from those experienced with the current market for such exceptions and with judicial interpretation of such clauses.

Conclusion

Directors and officers should know a great deal more than the above five points concerning D&O insurance. Indeed, each defined term in a policy deserves careful scrutiny from experienced eyes. Also requiring careful analysis are provisions governing allocation, retention, policy limits, and the priority of payments among so-called Side A (protecting individual directors and officers), Side B (reimbursement to the company for indemnification claims), and Side C (coverage for the company for certain direct damages). Counsel should help clients drill down into the details of D&O policies as early as possible—and well in advance of any sign of distress—to ensure the protection clients think exists will actually be there when most needed.

Like Great Britain, a Limited Liability Company May Have an Unwritten Constitution

Under Elf Atochem N. Am., Inc. v. Jaffari, 727 A.2d 286, 291 (Del. 1999), the operating agreement is indubitably the “cornerstone” of a limited liability company. This column examines the problems arising when that cornerstone is unwritten.

Under Most LLC Statutes the Operating Agreement Need Not Be in Writing

Almost 20 years ago, while on an ABA-ULC project, I made the acquaintance of a leading practitioner in the field. Although today he is as skilled and adept with limited liability companies as with corporations, he was then first entering the world of unincorporated business organizations. His reaction upon first hearing that an operating agreement may be oral was memorable. He was incredulous.

From a corporate perspective, his reaction made sense. Who, for example, has ever heard of oral by-laws? Generally, however, LLC law follows partnership law as to the governance of internal affairs, and the law of general partnerships has always accepted oral partnership agreements.

Although most LLC statutes require a limited liability company’s basic management template to be not only in writing, but also “of record,” with very few exceptions LLC statutes embrace the partnership approach and expressly authorize oral operating agreements. In many statutes, the authorization appears in the very definition of the concept. For example, ULLCA (2013) § 102(13) contemplates the operating agreement being “oral, implied, in a record, or in any combination thereof,” and the Delaware statute begins its definition of “limited liability company agreement” with the phrase “any agreement (whether referred to as a limited liability company agreement, operating agreement or otherwise), written, oral or implied.” Del. Code Ann. tit. 6, § 18-101(7). Consistent with the common law of contracts, these definitions also authorize terms and even entire agreements “implied in fact” (i.e., conduct of the parties). (Some statutes do not go so far. For example, the Georgia LLC statute provides: “‘Operating agreement’ means any agreement, written or oral, of the member or members.” Ga. Code Ann. § 14-11-101(18). The Delaware statute was similarly limited until 2007, when the legislature added “or implied” to the definition. Del. Laws, c. 105, § 1 (2007).)

Unwritten Operating Agreements and the Problem of Indeterminacy

Authorized, however, is not the same as advisable; traps for the unwary abound. At the most basic level is the question of content. To what did the parties actually agree? As explained in the Restatement of Contracts, “The parties to an agreement often reduce all or part of it to writing. Their purpose in so doing is commonly to provide reliable evidence of its making and its terms and to avoid trusting to uncertain memory.” Restatement (Second) of Contracts (1981) (R.2dC), Chapter 9, Topic 3, Intro. Note. Put more colloquially, writings help avoid swearing matches.

Writings also help clarify understandings. As explained in an R. Guindon cartoon, “Writing is nature’s way of letting you know how sloppy your thinking is.” Or, as put more elaborately by various wags, “I know you think you understand what you thought I said, but I’m not sure you realize that what you heard is not what I meant.”

In the LLC context, establishing content involves additional uncertainties. For example, although governance and economic relationships within limited liability companies may have similarities, none are so regular as to constitute “a usage having such regularity of observance in a place, vocation, or trade as to justify an expectation that it will be observed with respect to a particular agreement.” R.2dC § 222(1) (defining “usage of trade”). “Course of dealing,” waiver, and estoppel may usefully apply in a limited liability company with only two members, but the concepts are fundamentally problematic in a company with more than two members:

When [such] doctrine[s] operate[] in the typical, bilateral situation, the benefits are confined to the party that relied to its detriment and the prejudice is confined to the party whose conduct occasioned the reliance. In contrast, such congruence will not necessarily exist in an LLC with more than two members. Estoppel and waiver may benefit parties who have not relied and prejudice parties who did directly occasion the reliance.

Bishop and Kleinberger, Limited Liability Companies: Tax and Business Law, ¶ 5.06[3][c][iii].

The “content” problem is especially acute when a limited liability company admits a new member. Under the uniform act, “a person that becomes a member is deemed to assent to the operating agreement,” ULLCA (2013) § 106(b), and any other result would produce chaos. Prudence thus demands that the existing, oral agreement be memorialized because otherwise the new member is doing worse than buying “a pig in a poke,” i.e., it, she, or he is agreeing sight unseen to whatever the existing members remember the operating agreement to be. Or, as stated less colloquially: “Given the possibility of oral and implied-in-fact terms in the operating agreement, a person becoming a member of an existing limited liability company should take precautions to ascertain fully the contents of the operating agreement.” ULLCA (2013) § 106(b).

Another Trap for the Unwary: Unwritten Agreements Authorized . . . Except Not Completely

Ironically, problems also arise because an LLC statute’s authorization of oral and implied-in-fact agreements may be incomplete. Some statutes permit unwritten operating agreements in general, but then identify particular statutory rules that may be changed only by a signed writing. For example, Ga. Code Ann. §§ 14-11-304(a) and 14-11-403, respectively, provide that “[u]nless the articles of organization or a written operating agreement [provide otherwise], management of the business and affairs of the limited liability company shall be vested in the members,” and likewise that profits and losses are allocated per capita unless provided otherwise in articles of organization or a written operating agreement. Presumably, such provisions are so important that they warrant the evidentiary and cautionary protections that Professor Fuller identified as among the raisons d’être for legal formalities. Lon L. Fuller, Consideration and Form, 41 Colum. L. Rev. 799 (1941).

The rationale is less clear for writing requirements with a narrower scope—for example, Cal. Corp. Code § 17352(c), which provides that: “Except as otherwise provided in the articles of organization or a written operating agreement, the managers or members winding up the affairs of the limited liability company pursuant to this section shall be entitled to reasonable compensation.” The provision is important in and of itself, especially considering that at one time the law of general partnerships provided the opposite result. But why is this particular provision more worthy of Fuller-type protection than, for example, the statutory rule allocating distributions among members? See Cal. Corp. Code § 17704.04(a).

Some writing requirements are sufficiently counter-intuitive as to warrant the label “trap for the unwary.” Texas law provides a good example. On the one hand, Tex. Bus. Orgs. Code Ann. § 101.001(1) defines “[c]ompany agreement” to mean “any agreement, written or oral, of the members concerning the affairs or the conduct of the business of a limited liability company.” On the other hand, Tex. Bus. Orgs. Code Ann. § 1.002(53)(A) defines “member . . . in the case of a limited liability company” to mean “a person who is a member or has been admitted as a member in the limited liability company under its governing documents.” See Perez v. Le Prive Enterprises, L.L.C., No. 14-15-00291-CV, 2016 WL 3634298, at *4 (Tex. App. July 7, 2016) (citing the governing-documents requirement in rejecting defendants’ contention that they and plaintiff had orally agreed to be members of a Texas limited liability company). (Emphasis added)

What About the Statute of Frauds?

The writing requirements just discussed could be styled as statutes of frauds, although they do not follow the template—that is, historically a statute of frauds provides that a contract pertaining to a specified subject matter is unenforceable unless evidenced by a signed writing.

The template does appear in several LLC statutes, which provide a statute of frauds for promises to make a contribution. For example, under Ohio Rev. Code Ann. § 1705.09(B): “A promise by a member to contribute to the limited liability company is not enforceable unless it is set forth in a writing signed by the member.” Given the general power of the operating agreement, this type of requirement is likely a default rule, although its override is probably subject to an implied condition—namely, that the relevant term of the operating agreement (rendering oral promises enforceable) be itself in writing and appropriately signed.

What of the generally applicable statutes of frauds? For example, may an oral operating agreement bind a member to contribute real property to the limited liability company, bind the company to employ a member as manager for three years, or obligate one member to guarantee the promised contributions of another? Does statutory authorization of unwritten operating agreements override the various writing requirements imposed by statutes of frauds?

Most likely the answer is “no.” Almost by definition, a general authorization of oral agreements cannot oust generally applicable statutes of frauds. After all, Parliament adopted the original statute of frauds, 29 Charles II, c. 3, §§ 4, 17 (1677), in the face of common-law rules making oral contracts generally enforceable.

The leading LLC case reflects this point. In 2009, the Delaware Supreme Court applied the statute of frauds to an alleged oral term of an operating agreement, reasoning that: “The legislative history of the LLC Act does not demonstrate the General Assembly’s intent to place LLC agreements outside of the statute of frauds.” Olson v. Halvorsen, 986 A.2d 1150, 1161 (Del. 2009) (applying the one-year provision to an alleged oral buy-out agreement).

The next year, the Delaware legislature overrode Olson, 2010 Del. Laws, ch. 287 (H.B. 372), §§ 1, 31 (putting LLC agreements outside all statutes of frauds), and Illinois has gone at least part way: “An operating agreement is enforceable whether or not there is a writing signed or record authenticated by a party against whom enforcement is sought, even if the agreement is not capable of performance within one year of its making.” 805 Ill. Comp. Stat. Ann. 180/1-46.

However, in the absence of such specific legislation, Olson’s reasoning still holds. Moreover, Olson is consistent with case law concerning oral partnership agreements: “Partnership agreements, like other contracts, are subject to the Statute of Frauds.” Abbott v. Hurst, 643 So. 2d 589, 592 (Ala. 1994). (Emphasis added)

In any event, ousting the statute of frauds can cause considerable problems. For example, suppose RayandAndy, LLC (RayandAndy) is a Delaware limited liability company with four members and an unwritten operating agreement. RayandAndy owns several parcels of undeveloped land, which are to be sold to private developers “as the market matures.” However, just as RayandAndy prepares to make its first sale, Asha, one of its members, asserts a right of first refusal (ROFR).

In any other context, Asha’s claim would fall to the statute of frauds. If a lawsuit were to ensue, Asha’s failure to plead the necessary writing would entitle RayandAndy to judgment on the pleadings. In contrast, in the context of a Delaware limited liability company, Asha could avoid judgment on the pleadings merely by pleading that the ROFR is part of RayandAndy’s unwritten operating agreement. In addition, unless the evidence were so one-sided as to compel a finding that no oral ROFR exists, Asha’s claim would also survive a motion for summary judgment.

For all the above-mentioned reasons, an unwritten operating agreement is “a consummation devoutly [not] to be wished.” (W. Shakespeare, Hamlet act 3 sc. 1) Transactional lawyers routinely advise their clients to memorialize “the deal,” which in the case of a limited liability company is what a good operating agreement does. However, even a well-written agreement can have an Achilles heel—namely, claimed oral modifications and separate oral agreements. The next article in this two-part series will describe these threats and suggest ways to anticipate and deflect them.

Changes in the Choice-of-Law Rules for Intermediated Securities: The Hague Securities Convention is Now Live

Lawyers working in the commercial law field are familiar by now with the choice-of-law rules for transactions in intermediated securities provided by Articles 8 and 9 of the Uniform Commercial Code (the UCC). Those rules, appearing principally in certain subsections of UCC §§ 8-110 and 9-305, have functioned well as a matter of U.S. law in international as well as domestic transactions, but they have now been augmented and partially preempted by the Hague Securities Convention (the Convention), more formally known as the Convention on the Law Applicable to Certain Rights in Respect of Securities Held with an Intermediary.

The Convention, ratified by the United States in December 2016, became effective as a matter of U.S. federal law on April 1, 2017. Fortunately, the Convention’s choice-of-law rules lead in most instances to the same results as under Articles 8 and 9. There are some differences, however, and the Convention applies even to existing transactions.

Background and Scope of the Convention

The Convention was promulgated in 2006 by the Hague Conference on Private International Law. By its terms it became effective upon adoption by three nations, and the United States is the third of those nations—the other two to date being Switzerland and Mauritius. More countries are expected to follow, and as the Convention’s choice-of-law rules become internationally widespread, the transactions to which the Convention applies will be greatly facilitated.

The Convention applies only to transactions in intermediated securities, which U.S. lawyers often call the “indirect holding system.” In such transactions, the securities’ registered owner is typically a clearing corporation (e.g., a federal reserve bank, the Depository Trust Company, Clearstream, or Euroclear); the clearing corporation maintains accounts reflecting that the securities are held for the benefit of a bank, broker, or other securities intermediary (referred to in this article as an “intermediary,” although a clearing corporation acts in this role as well with respect to its participants); and the securities’ ultimate beneficial owner may be a customer of the intermediary. When a customer says that he, she, or it owns securities issued by Social Media Corporation, the customer in the indirect holding system actually has a right to the securities against the intermediary, and the intermediary has a right to the securities against the clearing corporation. In the United States, the substantive commercial law rules governing these relationships are set forth in Part 5 of UCC Article 8. Naturally, other nations’ substantive rules can and do differ substantially.

The Convention determines the applicable law for a broad range of commercial law issues in any transaction or dispute “involving a choice” between the laws of two or more nations. In this globalized era, transactions in intermediated securities frequently present such a “choice” for purposes of the Convention, for example whenever any two of the following elements of the transaction are in different nations: the account holder; an intermediary; any party to an outright or collateral transfer; an adverse claimant; a clearing corporation; a creditor of either the account holder or an intermediary; the issuer; or the certificates held by the clearing corporation. (U.S. lawyers have generally never ignored elements such as the debtor’s location or the other elements just mentioned, for purposes of planning with respect to the likely jurisdictions of a possible insolvency proceeding, but they have also been accustomed to treating these elements as immaterial to a strictly UCC choice-of-law analysis under §§ 8-110 and 9-305.) Moreover, any non-U.S. nation in question need not be a party to the Convention in order for the Convention to apply. As a result, lawyers should keep the Convention in mind in planning virtually every intermediated securities transaction.

The choice-of-law issues determined by the Convention include all of those currently covered by UCC §§ 8-110 and 9-305, as well as a few others. The Convention’s issues, set forth in its Article 2(1), include all of the following:

  • the rights and obligations between a customer and its intermediary;
  • the perfection steps that must be taken if a customer grants a security interest to the intermediary or to a third-party lender;
  • whether the transfer of an interest in securities is characterized as a sale or a security interest;
  • the effect of a judgment creditor of the customer attaching or levying on the customer’s interest in the securities;
  • how the priority conflict among buyers, secured parties, and judgment lien creditors is resolved if more than one of them claims an interest in the securities;
  • the effect of a disposition of the securities by the intermediary, with or without the customer’s consent;
  • whether any interest in the securities obtained by a buyer, secured party, or judgment lien creditor extends to dividends and other distributions; and
  • the requirements that a secured party or other acquirer must follow in foreclosing on or otherwise realizing the value of the securities.

Several limitations on the Convention’s scope should also be noted. The Convention provides choice-of-law rules only for indirectly held securities, not for directly held ones. The Convention’s rules do not affect the rights and duties of a security’s issuer or transfer agent. The Convention also does not provide choice-of-law rules for purely contractual issues, for example, the effect of an arbitration clause in the agreement governing the account (the account agreement), or the strictly bilateral, rather than third-party, effects of attachment of a security interest.

It is important to note the differences between basic terms such as “securities” as used in the Convention and the same terms as used in UCC Article 8. The Convention defines the term “securities” as “any shares, bonds or other financial instruments or financial assets (other than cash) or any interest therein.” This definition is broader in some respects than the UCC Article 8 definition, yet the Convention’s overall reach is narrower than that of the UCC’s indirect holding system. This is because UCC § 8-102(a)(9) permits the intermediary and customer to agree that any property other than securities will also be treated as a “financial asset” to which the indirect holding system will apply. By contrast, the Convention contains no such option for expanding its scope by agreement. (The Convention uses “financial asset” as part of its definition of “security,” but does not define “financial asset.”) Similarly, the UCC’s indirect holding system clearly applies to “cash” (i.e., credit balances), either because credit balances are considered part of the securities account itself, or because the intermediary and customer have agreed to treat the cash as a financial asset, but the Convention expressly excludes cash even if the cash would otherwise have been considered a “financial asset” within the Convention’s usage of that term. Nonetheless, the Convention is designed, like the UCC, to be flexible and to have fluidly broad coverage that will meet the demands of market practices. An authoritative and in-depth Explanatory Report on the Convention, referring to “exchange traded financial futures and options” and to “credit default swaps,” suggests that securities held with an intermediary for purposes of the Convention could encompass some assets that might be considered commodity contracts or otherwise not considered securities or other financial assets under the UCC.

The Importance of Unified Transnational Choice-of-Law Rules: An Example

Suppose that a bank operating in New York acts as an intermediary, and that one of the bank’s custodial customers is a corporation organized under Texas law. The customer wishes to invest in securities of a certain issuer located in Ruritania, so the intermediary acquires those securities through a clearing corporation and credits them to the customer’s account. A German lender extends credit to the customer, is granted a New York law security interest in the customer’s Ruritanian securities as collateral, and takes appropriate steps under New York law to perfect the security interest. Later, an Australian unsecured creditor of the customer obtains a judgment against the customer and also obtains a judgment lien on the customer’s interest in the securities.

The substantive outcome of the contest between the German lender and the Australian creditor will often depend on the choice-of-law rules of the forum in which the contest arises. In a New York forum, prior to effectiveness of the Convention—and generally now as well, although some details are discussed below—the German lender has generally prevailed if it has perfected under the substantive law made applicable by New York’s conflicts rules. Under those conflicts rules, if the account agreement designates, say, New York or New Jersey as the “securities intermediary’s jurisdiction” or, absent such a clause, provides that the account agreement is governed by New York or New Jersey law, then the lender may perfect by control under New York or New Jersey law, as the case may be. See NYUCC §§ 9-305(a)(3), 8-110(e). Also under New York’s conflicts rules, the fact that the customer is a Texas corporation means that the lender may perfect by filing a financing statement under the substantive law of Texas. See NYUCC §§ 9-305(c)(1) and 9-307(e). If perfected by either means, the German lender prevails under the applicable state’s version of UCC § 9-317(a)(2)(A).

Very different rules would likely apply if the Australian creditor brings its action in Ruritania. The Ruritanian court could very well apply a widespread choice-of-law rule known as lex rei sitae, which points to the substantive law of the asset’s situs—and Ruritanian law could very well view securities issued by a Ruritanian issuer as being located in Ruritania. Moreover, under Ruritanian substantive law, a judgment lien of the Australian creditor could very well take priority over the German lender’s security interest if the German lender had not previously taken steps to perfect under Ruritanian law, rather than New York or Texas law. A similar scenario would arise if the Ruritanian choice-of-law rules viewed the securities as being located in, say, Sylvania, where the clearing corporation were located or where certificates representing the securities were physically held.

This problem can be especially acute under insolvency law. In a Ruritanian insolvency proceeding, the lender’s security interest may not be recognized at all, if the applicable substantive law is that of Ruritania or another jurisdiction in which the lender did not take appropriate perfection steps.

A similar issue could even affect the lender if the customer becomes a debtor under the U.S. Bankruptcy Code. In such a proceeding, the bankruptcy trustee would have the status of a hypothetical creditor with a judgment lien on the customer’s Ruritanian securities, obtained at the time of the commencement of the bankruptcy case. What is the choice-of-law rule that determines the substantive effects of this hypothetical creditor’s judgment lien? The Bankruptcy Code does not expressly provide such a choice-of-law rule, nor does the case law appear to be well-settled. If the substantive effects are determined by Ruritanian law, then the bankruptcy trustee could set aside the lender’s security interest and treat the lender as a general secured creditor, even though the security interest would have been senior to the judgment lien under New York’s substantive law.

The importance of all of the foregoing is multiplied for lenders that extend credit against a portfolio of securities of issuers located, or held through clearing corporations, in numerous countries. Without a clear and widely unified choice-of-law rule in these circumstances, it could easily become cost prohibitive for a lender to investigate and comply with the substantive laws that might apply under the choice-of-law rules of each country in which litigation might be brought. Conversely, the more widely adopted the Convention becomes, the more the parties contemplating a transaction can be confident that its broad set of issues will be resolved under a single body of substantive law, known in advance, irrespective of the forum in which a dispute is likely to arise. The prospect of approaching this goal—in a manner that also harmonizes well with the sound, existing rules of UCC Articles 8 and 9—is what led the American Bar Association, the Association of Global Custodians, the International Swaps and Derivatives Association, EMTA (formerly the Emerging Markets Traders Association), the Securities Industry and Financial Markets Association, and the Uniform Law Commission all to support U.S. ratification of the Convention.

The Convention’s Strong Kinships with UCC Articles 8 and 9

The Convention’s primary rule, set forth in its Article 4(1), provides that the law applicable to all of the choice-of-law issues covered by the Convention is the law chosen by the intermediary and its customer to govern their account agreement generally or, alternatively, to govern the issues covered by the Convention specifically. The only limitation, often referred to as the “Qualifying Office” test and further discussed below, is that this chosen law must be that of a country in which the intermediary, at the time that the parties enter the agreement, has an office that is engaged in the activity of maintaining securities accounts.

Many readers will already see that by giving effect to the account agreement’s governing-law clause, the Convention is directly parallel to UCC § 8-110(e)(2). By the same token, the Convention’s giving effect to an alternative clause, in which the parties designate a body of law different from the one that governs the account agreement as a whole, is directly parallel to UCC § 8-110(e)(1). The agreement between an intermediary and its customer is always at the essence of the customer’s interest in intermediated securities, and this is the reason that the Convention, just like UCC Articles 8 and 9, looks at this agreement in determining the applicable choice of law.

We offer one word of caution, however. UCC § 8-110(e)(1) and (2) refer to “an agreement” between the intermediary and its customer governing the account, whereas the Convention’s definition of account agreement refers to “the agreement” between those parties governing the account. The Explanatory Report makes clear that this agreement may consist of more than one document. However, it is probably advisable to avoid relying on the law designated only in a free-standing control agreement, i.e., one that is not clearly a part of the account agreement per se, unless the control agreement makes clear that it is amending the account agreement.

The Convention also generally disapplies the conflict-of-laws notion of renvoi, in which a forum would have to take account not only of another jurisdiction’s substantive law, but also of the other jurisdiction’s conflict-of-laws rules. Thus, under Article 10 of the Convention, if the parties have designated, for example, English law, then a U.S. forum would apply English substantive law without regard to England’s own conflicts rules. This treatment of renvoi also parallels UCC Articles 8 and 9, which express the same idea by designating the “local law” of the jurisdiction in question.

Also directly paralleling the UCC, for lenders that seek to perfect a security interest by the filing of a financing statement, the Convention generally does a remarkably good job of accommodating UCC Article 9’s choice-of-law rules for perfection by filing. See Convention Article 12(2)(b), further discussed below.

Applying all of these points to the earlier example of the New York intermediary and its Texas customer owning Ruritanian securities, a New York forum will reach exactly the same results under the Convention as heretofore under the UCC alone (assuming only that the Qualifying Office test is met; see below). If the German lender seeks to perfect its interest by control, and if the account agreement designates New York or New Jersey law as either the account agreement’s own governing law or as the law governing the Convention’s Article 2(1) issues, then control will be available under New York or New Jersey law, as the case may be. Alternatively, if the German lender seeks to perfect its interest by filing, then the Convention will take account of New York’s enactment of UCC §§ 9-305(c)(1) and 9-307, which enable perfection by the filing of a financing statement in Texas.

The Convention’s Principal Differences from UCC Articles 8 and 9

There are a few minor instances in which the choice-of-law outcomes under the Convention might differ from those under UCC Articles 8 and 9 alone. The most important of these are described here, but the risk of a different outcome in any of these circumstances is manageable by sound transactional planning. In the case of transactions already in place before the Convention becomes effective, some transitional attention may be required.

Qualifying Office

The Convention’s Qualifying Office test (the thrust of which is articulated above, although further details are set out in Convention Article 4(1), second sentence) has no counterpart in UCC Articles 8 and 9. However, the Qualifying Office test is not expected to have much effect in practice because intermediaries typically provide that their account agreements will be governed by the law of a country in which they have one or more offices satisfying the test. By virtue of Article 12 of the Convention, which addresses so-called Multi-unit States like the United States, the Qualifying Office test is met for a chosen law of a U.S. state, district, or territory so long as the intermediary has an office in any U.S. state, district, or territory. The Qualifying Office test was a product of compromise in the Convention negotiations, worthwhile for the sake of helping to pave the way for eventual ratification by many nations having different legal systems.

Filing and Non-U.S. Law Account Agreements

The Convention’s accommodation of UCC Article 9’s choice-of-law rules for perfection by filing does not cover transactions in which the intermediary and its customer have contractually chosen non-U.S. law under the Convention’s primary rule. Adapting the earlier example, if the New York intermediary and its Texas customer effectively provide that their account agreement is governed by English law (or that English law applies to all of the issues under the Convention), then the Convention will cause the New York forum to look to English law, and not to any rules of UCC Article 9, for all matters of perfection, including whether and how perfection by filing might be available.

Filing and Non-U.S. Debtors

The Convention’s accommodation of UCC Article 9’s choice-of-law rules for perfection by filing also does not cover transactions in which UCC § 9-307 views the debtor to be located in a non-UCC jurisdiction; instead, perfection by filing in those cases will be governed by the law that the intermediary and its customer contractually designate under the Convention’s primary rule. Again adapting the earlier example, suppose that the customer of the New York intermediary is an Ontario, Canada corporation with its chief executive office in Toronto, and that the intermediary and customer effectively provide that their account agreement is governed by New York law. In that case, New York’s own substantive law (notably NYUCC § 9-501(a)(2) regarding filing with the New York Secretary of State) will govern perfection by filing, and not New York’s choice-of-law rules for perfection by filing, which before the Convention would have pointed to a filing under the Ontario Personal Property Security Act. This is because Article 12(2)(b) accommodates UCC Article 9’s choice-of-law rules for perfection by filing only if those rules point to a jurisdiction within the United States.

Number of Issues Covered

The Convention’s package of choice-of-law issues is more comprehensive than the package under the UCC alone. U.S. lawyers have grown accustomed to thinking of perfection, the effect of perfection or nonperfection, and priority as all being generally determined together, but the law designated under the Convention also pulls in other issues: the requirements applicable to remedies (e.g., foreclosure sales or retention of the collateral), the characterization of a transaction (e.g., as an outright sale or a secured loan), and even any effects, as against the intermediary or third parties, of attachment of a security interest.

Certain Transition and Other Practice Tips

As of April 1, the Convention applies to already-existing transactions as well as to new transactions going forward, so long as the transaction is one “involving a choice” between two nations’ laws, and here as well regardless of whether a non-U.S. nation involved in the choice has also ratified the Convention. In most instances, no further action is necessary to preserve the attachment, perfection, and priority of a security interest.

Clauses designating a U.S. governing law for the account agreement under UCC § 8-110(e)(2) continue to be effective under Convention Article 4(1), provided that the Qualifying Office test is met. Clauses from a pre-Convention account agreement expressly designating a U.S. “securities intermediary’s jurisdiction” under UCC § 8-110(e)(1) continue to be effective (because in this context selecting the law to govern any of the issues specified in Article 2(1) of the Convention is sufficient), at least if the governing law clause also points to U.S. law, and again provided that the Qualifying Office test is met. In both of these cases, a secured party’s perfection by control under the relevant U.S. substantive law continues to be effective. But in a pre-Convention account agreement with a non-U.S. governing law, it is advisable for U.S. lawyers to obtain advice on the effects of the Convention under that body of non-U.S. law. In certain circumstances, such a review might prompt a reconsideration of the appropriate governing law.

Account agreements for new transactions on and after April 1 should not simply rely on the UCC term “securities intermediary’s jurisdiction.” As noted, the issues governed by the Convention are broader than those governed by UCC Articles 8 and 9 alone, and accordingly in this context, such a clause would likely not meet the Convention’s requirement that the clause cover all of the Convention’s issues. Instead of such a clause (and where simply using a governing law clause will not suffice), a two-pronged clause like the following is suggested, especially if the account will include financial assets that are not “securities” as defined in the Convention:

State X [or Nation Y] is the securities intermediary’s jurisdiction for purposes of the Uniform Commercial Code, and the law in force in State X [or Nation Y] is applicable to all issues specified in Article 2(1) of the Hague Securities Convention.

A secured party of course should also confirm that the intermediary has a Qualifying Office in the chosen jurisdiction or, if the chosen jurisdiction is a U.S. state, district, or territory, in any other U.S. state, district, or territory.

Where a secured party is relying on perfection by filing, the limitations discussed above on the Convention’s accommodation of UCC Article 9’s choice-of-law rules for perfection by filing must be borne in mind. As a transition matter in relation to filing, if the account agreement designates a non-U.S. body of law, then it is advisable for U.S. lawyers to obtain advice on perfection and priority under that body of non-U.S. law in order to assess the Convention’s effects. And as another transition matter in relation to filing, if the account agreement designates a U.S. body of law, but perfection has been by filing in a non-U.S. jurisdiction, then it is advisable to employ an alternative method of perfection under U.S. law, e.g., filing in the jurisdiction designated by the account agreement.

Further Resources

This article has necessarily been limited to some of the key issues arising from the Convention. The Hague Conference on Private International Law has made available the text of the Convention and the Explanatory Report referred to above. The Permanent Editorial Board for the Uniform Commercial Code has recently published a Commentary on the Convention, including amendments to the UCC’s relevant Official Comments. The Tri-Bar Opinion Committee is expected to issue a report on related opinion practice to supplement certain prior reports in which choice-of-law rules for the indirect holding system are discussed.