The decision to use voice-controlled digital assistants, like Amazon’s Alexa, Apple’s Siri, Microsoft’s Cortana, and the Google Assistant, may present a Faustian bargain. While these technologies offer great potential for improving quality of life, they also expose users to privacy risks by perpetually listening for voice data and transmitting it to third parties.

Adding a voice-controlled digital assistant to any space presents a series of intriguing questions that touch upon fundamental privacy, liability, and constitutional issues. For example, should one expect privacy in the communications he engages in around a voice-controlled digital assistant? The answer to this question lies at the heart of how Fourth Amendment protections might extend to users of these devices and the data collected about those users.

Audio-recording capabilities also create the potential to amass vast amounts of data about specific users. The influx of this data can fundamentally change both the strength and the nature of the predictive models that companies use to inform their interactions with consumers. Do users have rights in the data they generate or in the individual profile created by predictive models based on that user’s data?

On another front, could a voice-controlled device enjoy its own legal protections? A recent case questioned whether Amazon may have First Amendment rights through Alexa. Whether a digital assistant’s speech is protected may be a novel concept, but as voice-controlled digital assistants become more “intelligent,” the constitutional implications become more far-reaching.

Further, digital assistants are only one type of voice-controlled device available today. As voice-controlled devices become more ubiquitous, another question is whether purveyors of voice-controlled devices should bear a heightened responsibility towards device users. Several security incidents related to these devices have caused legislators and regulators to consider this issue, but there remains no consensus regulatory approach. How will emerging Internet-of-Things frameworks ultimately apply to voice-controlled devices?

Voice-Activated Digital Assistants and the Fourth Amendment

Voice-activated digital assistants can create a record of one’s personal doings, habits, whereabouts, and interactions. Indeed, features incorporating this data are a selling point for many such programs. Plus, this technology can be available to a user virtually anywhere, either via a stand-alone device or through apps on a smartphone, tablet, or computer. Because a digital assistant may be in perpetual or “always-on” listening mode (absent exercise of the “mute” or “hard off” feature), it can capture voice or other data that the user of the device may not intend to disclose to the provider of the device’s services. To that end, users of the technology may give little thought to the fact their communications with digital assistants can create a record that law enforcement (or others) potentially may access by means of a warrant, subpoena, or court order.

A recent murder investigation in Arkansas highlights Fourth Amendment concerns raised by use of voice-controlled digital assistants. While investigating a death at a private residence, law enforcement seized an Amazon Echo device and subsequently issued a search warrant to Amazon seeking data associated with the device, including audio recordings, transcribed records, and other text records related to communications during the 48-hour period around the time of death. See State of Arkansas v. Bates, Case No. CR-2016-370-2 (Circuit Court of Benton County, Ark. 2016).

Should one expect privacy in the communications he engages in around a voice-activated digital assistant? The Arkansas homeowner’s lawyer seemed to think so: “‘You have an expectation of privacy in your home, and I have a big problem that law enforcement can use the technology that advances our quality of life against us.’” Tom Dotan and Reed Albergolti, “Amazon Echo and the Hot Tub Murder.” The Information (Dec. 27, 2016) (hereinafter “Dotan”).

To challenge a search under the Fourth Amendment, one must have an expectation of privacy that society recognizes as reasonable. With few exceptions, one has an expectation of privacy in one’s own home, Guest v. Leis, 255 F.3d 325, 333 (6th Cir. 2001), but broadly, there is no reasonable expectation of privacy in information disclosed to a third party. Any argument that a digital-assistant user has a reasonable expectation of privacy in information disclosed through the device may be undercut by the service provider’s privacy policy. Typical privacy policies provide that the user’s personal information may be disclosed to third parties who assist the service provider in providing services requested by the user, and to third parties as required to comply with subpoenas, warrants, or court orders.

The Bates case suggests that data collected by digital assistants would bear no special treatment under the Fourth Amendment. The police seized the Echo device from the murder scene and searched its contents. Unlike a smartphone that would require a warrant to search its contents, see Riley v. California, 134 S. Ct. 2473, 2491 (2014), the Echo likely had little information saved to the device itself. Instead, as an Internet-connected device, it would have transmitted information to the cloud, where it would be processed and stored. Thus, the Arkansas law enforcement obtained a search warrant to access that information from Amazon.

Under existing law, it is likely a court would hold that users of voice-activated technology should expect no greater degree of privacy than search engine users. One who utilizes a search engine and knowingly sends his search inquiries or commands across the Internet to the search company’s servers should expect that the information will be processed, and disclosed as necessary, to provide the requested services.

Perhaps there is a discernible difference in that voice data, to the extent a service provider records and stores it as such, may contain elements that would not be included in a text transmission. For example, voice data could reveal features of the speaker’s identity (such as a regional accent), state of mind (such as excitement or sadness), or unique physical characteristics (such as hoarseness after yelling or during an illness), that would not be present in text.

Or perhaps it is significant that some information transmitted might enjoy a reasonable expectation of privacy but for the presence of the device. Although digital-assistants usually have visible or audio indicators when “listening,” it is not inconceivable that a digital assistant could be compromised and remotely controlled in a manner contrary to those indicators.

Further, the device could be accidentally engaged, particularly when the “wake word” includes or sounds like another common name or word. This could trigger clandestine or unintentional recording of background noises or conversations when the device has not been otherwise intentionally engaged. See Dotan (“[T]he [Echo’s seven] microphones can often be triggered inadvertently. And those errant recordings, like ambient sounds or partial conversations, are sent to Amazon’s servers just like any other. A look through the user history in an Alexa app often reveals a trove of conversation snippets that the device picked up and is stored remotely; people have to delete those audio clips manually.”).

The technology of voice-activated digital assistants continues to advance, as evidenced by the recent introduction of voice-controlled products that include video capabilities and can sync with other “smart” technology. Increasing use of digital assistants beyond personal use will raise more privacy questions. As these devices enter the workplace, what protections should businesses adopt to protect confidential information potentially exposed by the technology? What implications does the technology have for the future of discovery in civil lawsuits? If employers utilize digital assistants, what policies should they adopt to address employee privacy concerns? And what are the implications under other laws governing electronic communications and surveillance?

First Amendment Rights for Digital Personal Assistants?

The Arkansas v. Bates case also implicates First Amendment issues. Amazon filed a motion to quash the search warrant, arguing that the First Amendment affords protections for both users’ requests and Alexa’s responses to the extent such communications involve requests for “expressive content.” The concept is not new or unique. For example, during the impeachment investigation of former President Bill Clinton, independent counsel, Kenneth Starr, sought records of Monica Lewinsky’s book purchases from a local bookstore. See In re Grand Jury Subpoena to Kramerbooks & Afterwords Inc., 26 Media L. Rep. at 1599 (D. D.C. 1998).

Following a motion to quash filed by the bookstore, the court agreed the First Amendment was implicated by the nature of expressive materials, including book titles, sought by the warrant. Ms. Lewinsky’s First Amendment rights were affected, as were those of the book seller, whom the court acknowledged was engaged in “constitutionally protected expressive activities.” Content that may indicate an expression of views protected by free speech doctrine may be protected from discovery due to the nature of the content. Government investigation of one’s consumption and reading habits is likely to have a chilling effect on First Amendment rights. See U.S. v. Rumely, 345 U.S. 41, 57-58 (1953) (Douglas, J., concurring); see also Video Privacy Protection Act of 1988, 18 U.S.C. § 2710 (2002) (protecting consumer records concerning videos and similar audio-visual material).

Amazon relied on the Lewinsky case, among others, contending that discovery of expressive content implicating free speech laws must be subject to a heightened standard of court scrutiny. This heightened standard requires a discovering party (such as law enforcement) to show that the state has a “compelling need” for the information sought (including that it is not available from other sources) and a “sufficient nexus” between the information sought and the subject of the investigation.

The first objection raised by Amazon did not involve Alexa’s “right to free speech,” but instead concerned the nature of the “expressive content” sought by the Echo user and Amazon’s search results in response to the user’s requests. The murder investigation in question, coupled with the limited scope of the request to a 48-hour window, may present a compelling need and sufficient nexus that withstands judicial scrutiny.

However, Amazon raised a second argument that Alexa’s responses constitute an extension of Amazon’s own speech protected under the First Amendment. Again, the argument is supported by legal precedent.

In Search King, Inc. v. Google Tech., Inc., an Oklahoma federal court held that Google’s search results were constitutionally protected opinion. 2003 WL 21464568 (W.D. Okla. 2003). More recently, a New York federal court determined that Baidu’s alleged decision to block search results containing articles and other expressive material supportive of democracy in China was protected by the First Amendment. Jian Zhang v. Baidu.com, Inc., 10 F.Supp.3d 433 (S.D.N.Y. 2014). Accordingly, no action could lie for injunctive or other relief arising from Baidu’s constitutionally protected decisions.

The court considered search results an extension of Baidu’s editorial control, similar to that of a newspaper editor, and found that Baidu had a constitutionally protected right to display, or to consciously not display, content. The court also analogized to a guidebook writer’s judgment about which attractions to feature or a political website aggregator’s decision about which stories to link to and how prominently to feature them.

One unique issue that arises in the context of increasingly “intelligent” computer searches is the extent to which results are not specifically chosen by humans, but instead returned according to computer algorithms. In Baidu, the court was persuaded by the fact that the algorithms are written by humans and thus “inherently incorporate the search engine company engineers’ judgments about what materials” to return for the best results. By its nature, such content-based editorializing is subject to full First Amendment protection because a speaker is entitled to autonomy to choose the content of his message. In other words, to the extent a search engine might be considered a “mere conduit” of speech, First Amendment protection might be less (potentially subject to intermediate scrutiny), but when the search results are selected or excluded because of the content, the search engine, as the speaker, enjoys the greatest protection.

Search results arising from computer algorithms that power search engines and digital assistants may currently be considered an extension of the respective companies’ own speech (through the engineers they employ). Current digital assistants are examples of “weak artificial intelligence.” Thornier legal questions will arise as the artificial intelligence in digital assistants gets smarter. The highest extreme of so-called “strong” artificial intelligence might operate autonomously and be capable of learning (and responding) without direct human input. The First Amendment rights of such systems will no doubt be debated as the technology matures.

Voice Data and Predictive Models

Digital assistants have the potential to gather massive amounts of data about users. Current voice data analytic tools can capture not only the text of human speech, but also the digital fingerprint of a speaker’s tone, intensity, and intent. Many predictive models rely extensively on lagging indicators of consumption, such as purchases made. Voice data might be able to provide companies with leading indicators, such as information about the user’s state of mind and triggering events that may result in the desired interactions with a company.

Incorporating voice data into current predictive models has the potential to make them vastly more accurate and specific. A digital assistant might record and transmit the message “Pat is going to the hospital for the last time.” Based on only text of the message, an algorithm might predict that a tragic event is about to take place. But with a recording, analysis of the voice’s pitch, intensity, amplitude, and tone could produce data that indicates that the speaker is very happy. Adding such data into the predictive model, might result in the user beginning to see ads for romantic tropical vacations, instead of books about coping with grief.

User interactions with digital assistants will also give rise to new predictive models. Before going to sleep, a user might ask a digital assistant to play relaxing music, lower the temperature of the home, and turn off certain lights. With a new predictive model, when the user asks the digital assistant to play relaxing music at night, the digital assistant might recognize the user’s “going to sleep sequence,” and proceed to lower the temperature of the home and turn off lights automatically.

In addition to the richness of data in a single voice recording, predictive models based on voice interactions with digital assistants are potentially more robust because digital assistants are always “listening.” This “listening” largely takes the form of recording the voice interactions between the user and the digital assistant. Terms of service of the most popular digital assistants typically do not indicate the precise moment when recording starts. Some voice-controlled products have been marketed with an increased focus on privacy concerns. Apple’s forthcoming HomePod speaker, for instance, is said to be designed so that no voice data is transmitted from the device until the “wake word” is spoken.

A digital assistant may begin recording and analyzing voice data even when it is not specifically “turned on” by the user. This makes the potential data set about the user much larger, which results in a more robust predictive model. If the digital assistant is always “listening,” its owners’ statement, “I’m going to take a nap,” could trigger the “going to sleep sequence” described above. If voice recordings are used in conjunction with current predictive models, a user’s statement, “we’re expecting a child,” could be used as a very powerful leading indicator of specific future purchases.

Legal analysis in this growing field should distinguish voice-data recordings (and data derived from these recordings) from the text of these recordings. The current legal framework applicable to voice recordings captured by digital assistants and their use in predictive models is very limited. California has enacted a statute governing certain uses of voice recordings collected from connected televisions. See CA Bus. & Prof. Code §22948.20. However, the states generally have not regulated the use of voice recordings from digital assistants, and have permitted use of voice data in various predictive models with relatively little restriction.

Each digital assistant has terms of service and privacy policies that their parent companies promulgate (and change from time to time). Users, therefore, should know that voice recordings are captured by digital assistants with their consent. The terms of service for some digital assistants specifically note that voice recordings may be used to improve the digital assistant itself and may be shared with third parties. Thus, voice data is likely to be used in predictive models.

Call centers have been using real-time voice-data analytics systems. Interestingly, as part of these technology packages, certain voice-data analytics systems can detect and scrub personally identifiable information from voice recordings. Digital assistants may use similar technologies to avoid recording and storing regulated content (e.g., health information, financial information, etc.) to avoid becoming subject to privacy regulations. Doing so may expose those recordings for use in various predictive models.

Even if digital assistants only record interactions between the user and the device, the richness of voice data means that predictive models may become finely tuned to each individual user. Every interaction with a digital assistant may help build a unique user profile based on predictive modeling.

As discussed in this article, certain elements of a user’s interaction with the digital assistant may include “expressive content,” and both the user and the digital assistant may have constitutional protections. If a digital assistant develops a rich user profile based on both “expressive content,” and data from other sources, how much of that profile still enjoys constitutional protections? As individuals sacrifice privacy for convenience offered by digital assistants, will their profile will become more akin to a private journal? As the technologies develop, what rights can the individual be said to have given up to the discretionary use of the service provider and third parties?

Voice Data and the Internet of Things

Digital assistants are not the only voice-controlled devices available to consumers. What about voice-controlled devices that may seem innocuous, or might not even be used by the actual purchaser, like an Internet-connected children’s toy? Unsurprisingly, there have already been a few well-publicized data security incidents involving voice data from these types of products. Although the products may be relatively niche at present, the issues raised are not and underscore broader risks associated with the use and collection of consumer-voice data.

One security incident involved a line of Internet-connected stuffed-animal toys. The toys had the ability to record and send voice messages between parents (or other adults) and children through a phone-based app. Voice data from both parents and children was collected and stored on a hosted service. Unfortunately for users, the voice-recording database was publicly accessible and not password protected. Over two million voice recordings were exposed. Worse still, third parties gained unauthorized access to the voice data and leveraged it for ransom demands. Over 800,000 user account records were compromised.

Another recent incident involved a doll offering interactive “conversations” with users. Voice data was transferred to a third-party data processor, who reserved the right to share data with additional third parties. When this toy was paired with an accompanying smartphone app, voice data could be accessed even without physical access to the toy. Security researchers discovered paths to use an unsecured Bluetooth device embedded in the toy to listen to—and speak with—the user through the doll.

Concerns over this doll and other similar products have triggered responses from European governmental agencies. For example, in December 2016, the Norwegian Consumer Council published a white paper analyzing the end-user terms and technical security features of several voice-controlled toys. Forbrukerrådet, #Toyfail: An analysis of consumer and privacy issues in three internet-connected toys (Dec. 2016). Complaints have also been filed with privacy watchdog agencies in several European Union member states, including France, the Netherlands, Belgium, and Ireland. Some complain that voice data is collected and processed by third parties in non-EU states, like the United States, who are not subject to EU privacy and use regulations. Third parties include voice-data processors who also perform voice-matching services for law-enforcement agencies.

More recently, German regulators announced that the sale or ownership of one such toy was illegal under German privacy laws after the toy was classified as a “hidden espionage device.” Although German regulators are not pursuing penalties against owners, they have instructed parents to physically destroy the toy’s recording capabilities. This unusual step may ultimately signal increased regulation of voice controlled consumer products under German law.

Complaints regarding similar products have also been filed in the United States with the Federal Trade Commission and other bodies. Privacy groups have questioned whether these devices comply with the consent requirements of the Children’s Online Privacy Protection Act (COPPA) and its associated rules and regulations. COPPA applies to operators of online sites and services involved in collecting personal information from children under 13 years of age and provides additional protections that may be applicable to voice-controlled toys.

Aside from COPPA, given the lack of comprehensive legislation or regulation at the federal level, there remains a patchwork of state and federal laws that may regulate voice-controlled products. One bill that covers voice data (as part of a broad class of personal information) has passed the Illinois State Senate and is now pending in the Illinois State House. The Right to Know Act, HB 2774, would require operators of websites and online services that collect personally identifiable information to: (i) notify customers of certain information regarding the operators’ sharing of personal information, including the types of personal information that may be shared and all categories of third-parties to whom such information may be disclosed; (ii) upon disclosure to a third-party, notify consumers of the categories of personal information that has been shared and the names of all third parties that received the information; and (iii) provide an email or toll-free phone number for consumers to access that information. Importantly, the current draft of the Illinois Right to Know Act also creates a private right of action against operators who violate the act. Whether this bill or similar laws will be enacted remains an open question.

Conclusion

Data collected by voice-controlled digital assistants and other connected devices presents a variety of unresolved legal issues. As voice-controlled features continue to develop, so too will litigation, regulation, and legislation that attempt to balance the rights of users, service providers, and perhaps even the underlying technology itself. The issues presented in this article are deeply interrelated. When even one of the associated legal questions is settled, other issues in this emerging field could quickly follow suit, but new issues will likely emerge.

On June 5, 2017, in Kokesh v. SEC, the Supreme Court held that disgorgement by the Securities and Exchange Commission (SEC) is subject to the five-year limitations period of 18 U.S.C. § 2462, severely restricting the commission’s ability to force companies to disgorge profits prior to five years before an action is brought. The decision could also impact attempts by the Department of Justice (DOJ) to force companies to disgorge profits from allegedly illegal conduct.

In Kokesh, the court considered the SEC’s efforts to disgorge $34.9 million from defendant Charles Kokesh, $29.9 million of which resulted from violations before the five-year limit imposed by Section 2462. Kokesh, 581 U.S. —, 2017 WL 2407471, at *4 (2017). Disgorgement of profits has been a typical remedy sought by the SEC—in addition to civil or criminal fines sought by DOJ—when prosecuting cases, including for alleged violations of the law such as the Foreign Corrupt Practices Act (FCPA). Kokesh, who ran two investment firms that siphoned off money from investors, argued that Section 2462 limited the SEC’s disgorgement request. Section 2462 bars “an action, suit or proceeding for the enforcement of any civil fine, penalty, or forfeiture, pecuniary or otherwise” that is not “commenced within five years from the date when the claim first accrued.” The SEC countered to the district court and the Tenth Circuit that, as an equitable remedy, disgorgement did not fall under Section 2462. Both courts agreed with the SEC that disgorgement of profits was not a penalty. The Tenth Circuit went further, holding that disgorgement was also not a forfeiture.

Prior to Kokesh, application of Section 2462 to civil disgorgement actions varied by circuit. The First Circuit (SEC v. Tambone, 550 F.3d 106, 148 (1st Cir. 2008)) and the D.C. Circuit (Riordan v. SEC, 627 F.3d 1230, 1234 (D.C. Cir. 2010)) held that Section 2462 applies only to penalties sought by the SEC, not to disgorgement. In 2016, prior to the Tenth Circuit’s Kokesh decision, the Eleventh Circuit disagreed with the First Circuit and D.C. Circuit and found that Section 2462 applies to disgorgement, which created a circuit split. SEC v. Graham, 823 F.3d 1357, 1363-64 (11th Cir. 2016). Despite acknowledging the Eleventh Circuit’s decision, the Tenth Circuit nevertheless departed from the Eleventh Circuit’s reasoning in holding that Section 2462 did not apply to SEC disgorgement. With its Kokesh decision, the Supreme Court resolved the split.

In an unanimous opinion penned by Justice Sotomayor, the Supreme Court held that the SEC’s disgorgements amount to a penalty and are subject to Section 2462. In so holding, the court looked to two factors: (1) whether the “‘wrong sought to be redressed is a wrong to the public, or a wrong to the individual’” and (2) whether the sanction is sought “‘for the purpose of punishment, and to deter others from offending in like manner’—as opposed to compensating a victim for his loss.” Kokesh, 2017 WL 2407471, at *5 (quoting Huntington v. Attrill, 146 U.S. 657, 667-68 (1892)).

The Supreme Court held that the SEC’s disgorgement sanction qualified as a penalty under both factors. The court observed that the SEC imposed disgorgement as “a consequence for violating what [the Court] described … as public laws”—meaning that the money collected goes to the U.S. Treasury rather than to victims as a restitution payment might. As the court pointed out, violations of the securities laws—for which the SEC seeks disgorgement—are committed “against the United States rather than an aggrieved individual.” The court further found that under the second prong—the purpose of the sanction—disgorgement can be punitive in nature. The court rejected the SEC’s argument that disgorgement puts defendants into the same position they would have been absent violations and therefore is only remedial, rather than punitive. The court observed that in many cases “disgorgement does not simply restore the status quo; it leaves the defendant worse off” because SEC disgorgement is at times ordered without consideration of expenses that may reduce the illegal profit.

Although Kokesh answers only the narrow question of whether SEC disgorgement is subject to Section 2462’s five-year limitation, the ripples of the decision may be felt more broadly, particularly with respect to the DOJ’s FCPA Pilot Program. The DOJ traditionally has not pursued disgorgement against companies, leaving that remedy to the SEC. See Daniel Patrick Wendt, “So how does the DOJ calculate disgorgement?” FCPA Blog, (Nov. 30, 2016), available at http://www.fcpablog.com/blog/2016/11/30/daniel-patrick-wendt-so-how-does-the-doj-calculate-disgorgem.html (last visited June 12, 2017) (Noting that in “nearly 40 years of FCPA history,” the DOJ began using disgorgement only in 2016). If the SEC was not involved, DOJ historically would have sought either just criminal fines, or restitution to victims, plus forfeiture. In 2016, however, the DOJ announced a new policy (called the Pilot Program) designed to encourage companies to self report potential violations of the law by offering to reduce penalties for such self-disclosed violations, and by threatening to punish companies that are aware of conduct but do not self-report. A requirement of participating in the Pilot Program is for companies to “disgorge all profits resulting from the FCPA violation.” U.S. Dept. of Justice, Criminal Division, “The Fraud Section’s Foreign Corrupt Practices Act Enforcement Plan and Guidance,” (Apr. 5, 2016), available at https://www.justice.gov/archives/opa/blog-entry/file/838386/download (last visited June 12, 2017). In 2016, DOJ required civil disgorgement from two privately-held companies as conditions to its declinations to prosecute the company criminally. As noted, disgorgement of profits would have been unusual for DOJ historically, but probably occurred here because of the statement about disgorgement in the Pilot Program and the lack of involvement by the SEC in those matters. See HMT LLC, Declination Letter, Sept. 29, 2016, available at https://www.justice.gov/criminal-fraud/file/899116/download (last visited June 12, 2017); NCH Corp., Declination Letter, Sept. 29, 2016, available at https://www.justice.gov/criminal-fraud/file/899121/download (last visited June 12, 2017).

In light of the Supreme Court’s determination that SEC disgorgement is a “penalty,” Section 2462 would on its face also limit any civil disgorgement—even if sought by the DOJ—on the same theory that it constitutes a punishment.

A footnote in Kokesh suggests that the practice of disgorgement could itself be in jeopardy. The court noted that “[n]othing in this opinion should be interpreted as an opinion on whether courts possess authority to order disgorgement in SEC enforcement proceedings or on whether courts have properly applied disgorgement principles in this context.” Kokesh, 2017 WL 2407471, at *5 n.3. The court may be inviting a case challenging the entire practice of SEC disgorgement. Combined with two other decisions this term, Nelson v. Colorado and Honeycutt v. United States, which limited state and federal forfeiture, the court has shown a skepticism for such powerful—and often less regulated—government penalties. See Honeycutt v. United States, 581 U.S. —, 2017 WL 2407468, at *5-6 (2017) (Comprehensive Forfeiture Act does not permit joint and several liability for forfeiture of proceeds of crime); Nelson v. Colorado, 581 U.S. —, 137 S. Ct. 1249, 1257 (2017) (state could not require defendant whose criminal conviction is overturned or who is on retrial acquitted of crime to prove innocence in proceeding for return of assets seized pursuant to the wrongful conviction).

It is also interesting to consider where else this decision could lead. For example, a few years ago the court held in Southern Union Co. v. United States that a jury must “find beyond a reasonable doubt facts that determine [a criminal] fine’s maximum amount” to comply with the Sixth Amendment. 567 U.S. 343, 132 S. Ct. 2344, 2351 (2012). Typically sentencing had been handled entirely by the judge, not a jury, and with a lower standard of proof than “proof beyond a reasonable doubt,” which is what is required for the government to obtain a criminal conviction of an individual or company. The application of the Southern Union standard to fines or disgorgement paid by corporations in DOJ and SEC investigations could severely limit the government’s power, considering how difficult it could be for the prosecutors to prove its damage theories to a jury in the context of a corporate malfeasance case.

What This Means For You

This decision continues a trend by the Supreme Court limiting the government’s expansive reading of statutes and the imposition of heavy fines in corporate investigations. By limiting the period during which the SEC can seek disgorgement of illegally obtained profits, Kokesh could put pressure on both the SEC and the DOJ to expedite their investigations (or to seek tolling agreements to extend statutes of limitations earlier in investigations). It should be noted, though, that nothing in this decision would seem to limit the DOJ’s authority to seek heavy criminal fines from corporations, even for conduct that is more than five years old. That is because of conspiracy charges. The law of conspiracy provides that the statute of limitations is based on the last act of a conspiracy. In other words, the criminal law of conspiracy would allow the government to seek damages for the full scope of a conspiracy even if older than five years so long as some act in furtherance of the conspiracy had occurred within the last five years.

Still, the Supreme Court has handed us another effective tool in representing our clients aggressively in investigations brought by one or both government agencies.

Prologue—Choice of Law

When a litigator argues for a particular choice of law, the litigator seeks retrospectively the law most favorable to a particular claim or claims. When a business lawyer chooses a state of formation for a business entity, the lawyer seeks prospectively the governing law whose characteristics most favor the client’s interests.

Although in particular situations one characteristic may dominate, in general the business lawyer should look for governing law that is clear, comprehensive, coherent, accessible, and stable (or at least predictable). With these five metrics in mind, this column explains why lawyers forming limited liability companies should not dabble in Delaware.

The Preeminence of the Delaware Law of LLCs

Although Wyoming, not Delaware, pioneered the modern limited liability company, Delaware has long since overcome that embarrassing origins story. Most experienced LLC practitioners consider the Delaware Limited Liability Company Act (Delaware Act or Act) to be the statute of choice for sophisticated ventures organized as LLCs, and in many deals involving entrepreneurs or investors from more than one state, the lawyers routinely “default” to using the Delaware Act rather than the LLC statute of any of the states actually involved in the deal.

According to Bishop & Kleinberger, Limited Liability Companies ¶ 14.01[2], “Delaware law seems to exert an almost gravitational pull on attorneys.” For example, at the ABA Section of Business Law’s 2016 LLC Institute, the discussion of recent case developments allocated approximately equal time to Delaware case law and to case law from the other 49 states, the District of Columbia, and U.S. territories.

The Delaware Act

The Delaware Act is a complex, sophisticated, and eminently flexible statute that exalts freedom of contract even to the point of permitting an operating agreement to eliminate some or all fiduciary duties. However, the Act’s attractiveness has little to do with its inherent qualities. To the contrary, the Act’s drafting style is arcane, with substantive requirements embedded in definitions, sentences in which length seems a virtue, and provisions that overlap and intertwine so as to require substantial efforts of deconstruction. For example, section 18-101(7) of the Act’s definition of “limited liability company agreement” comprises 411 words, and in the Act’s provisions on protected series, subsection 18-215(b) comprises 577 words.

As Delaware’s own Supreme Court has written in Atochem N. Am., Inc. v. Jaffari, 727 A.2d 286, 291 (Del. 1999), “To understand the overall structure and thrust of the Act, one must wade through provisions that are prolix, sometimes oddly organized, and do not always flow evenly.” In sum, the Delaware Act lacks clarity, coherence, and ease of access.

As for comprehensiveness, the Delaware Act has only a skeletal set of default rules, unlike the Uniform Limited Liability Company Act (2006) (Last Amended 2013) (ULLCA) and the LLC statutes of most nonuniform states. As for stability, Delaware amends the Act every year. Sometimes the changes are inconsequential; sometimes they are fundamental. Moreover, Delaware eschews the normal “strike and underline” method for showing statutory changes and uses instead an antiquated method requiring decryption. The result is more symbolic than substantive, but consider for example section 9 of 2007 Del. Laws, chapter 105:

Amend § 18-201(d), Chapter 18, Title 6 of the Delaware Code by deleting the word “may” in the first place where such word appears therein and substituting in lieu thereof the word “shall”, by inserting the words “or otherwise existing” immediately after both appearances of the words “entered into”, and by inserting the words “or reflected by” immediately after the words “as provided in”.

As for substance, many other states have statutes offering comparable flexibility and an essentially equal commitment to enforcing agreements made by LLC members. The Delaware Act does stand out by authorizing an operating agreement to eliminate all fiduciary duties, but the LLC acts of several other states do so as well. Moreover, in Leo E. Strine Jr. & J. Travis Laster, “The Siren Song of Unlimited Contractual Freedom,” Research Handbook on Partnerships, LLCs and Alternative Forms of Business Organizations (Robert W. Hillman and Mark J. Loewenstein, eds.), two of Delaware’s leading jurists have criticized that approach as resting on false premises and being otherwise misguided. In any event, even under a Delaware operating agreement that successfully waives all fiduciary duties, the implied contractual covenant of good faith and fair dealing remains in place to constrain unduly opportunistic behavior. See “In the World of Alternative Entities What Does ‘Good Faith’ Mean?” and “Delineating the Implied Covenant and Providing for ‘Good Faith’”.

The Inherent Quality of the Delaware Judiciary

Why, then, do many non-Delaware practitioners choose Delaware when forming LLCs? The answer lies in the reputation of the Delaware judiciary. The Delaware Court of Chancery has jurisdiction over claims relating to the internal affairs of a Delaware LLC, and that court is the preeminent business court in the United States. It is comfortable with business disputes and is capable of handling esoteric and even arcane issues of law. The Delaware Supreme Court is likewise comfortable and capable; many of its judges have served previously in the Court of Chancery.

Both the Court of Chancery and the Delaware Supreme Court accept and adhere to the policy of the Delaware Act “to give maximum effect to the principle of freedom of contract and to the enforceability of limited liability company agreements” under section 18-1101(b). Indeed, Delaware courts are conservative about contracts in general. They lean away from modernist notions that all agreements are necessarily indeterminate and toward the old-fashioned approach that a contract is a contract and that a court is not a proper forum for salving the pain of “buyer’s remorse.”

But Delaware case law has its disadvantages. First, keeping pace is almost a full-time job. As a court of equity, the Court of Chancery often ladens its decisions with voluminous statements of facts. Fifty-page decisions are not unusual, and some decisions can be understood only in the context of previous decisions in the same case. For example in Renco Grp., Inc. v. MacAndrews AMG Holdings LLC, No. CV 7668-VCN, 2015 WL 394011, at *1, n.1 (Del. Ch. Jan. 29, 2015), the court states that it “focuses on the facts related to the specific disputes in the pending motion and assumes general familiarity based on related proceedings.” For that familiarity, the court refers to two of its earlier decisions in the same matter.

Second, a “Delaware LLC lawyer” must stay up to date on more than just LLC law; Delaware LLC and limited partnership law are reciprocally precedential. Knowledge of Delaware contract law is also essential. For example, B.M. Gottesman & S.E. Swenson state in “More Than Bargained For? Topics for Consideration in the Issuance and Acceptance of Delaware LLC Opinions,” 81 N.Y. St. B.J. 20, 22 (2009), that when an attorney is asked for a formal legal opinion pertaining to a Delaware limited liability company, “[i]t is . . . the responsibility of the opinion-giver to navigate Delaware common law [especially contract law] prior to rendering a Delaware LLC opinion, and to keep abreast of its shifting landscape.”

Third, sometimes a “Delaware LLC lawyer” must take into account Delaware corporate law. On more than one occasion, the Court of Chancery has applied that law to resolve a dispute among members of a Delaware LLC. For example in Bay Ctr. Apartments Owner, LLC v. Emery Bay PKI, LLC, No. CIV. A. 3658-VCS, 2009 WL 1124451, at *8 (Del. Ch. Apr. 20, 2009), the court noted that “[t]he LLC cases have generally, in the absence of provisions in the LLC agreement explicitly disclaiming the applicability of default principles of fiduciary duty, treated LLC members as owing each other the traditional fiduciary duties that directors owe a corporation.” Similarly, in a case in which an LLC member sought judicial dissolution, Haley v. Talcott, 864 A.2d 86, 96–97 (Del. Ch. 2004), the court gave pivotal importance to 8 Del. C. § 273, a corporate statute addressing dissolution of a joint venture corporation having two stockholders.

Moreover, Delaware corporate law can be inordinately complicated. For example, for many years “new standards of [judicial] review [of director conduct] proliferated when a smaller number of functionally-thought-out standards would have provided a more coherent analytical framework,” according to William T. Allen, Jack B. Jacobs & Leo E. Strine, Jr., Function over Form: A Reassessment of Standards of Review in Delaware Corporation Law, 56 Bus. Law. 1287, 1292 (2001).

Fourth, Delaware entity law is not especially stable. For example, Smith v. Van Gorkom, 488 A.2d 858, 864 (Del. 1985), shocked the corporate bar and led to prompt corrective action—i.e., exculpation statutes adopted in Delaware and around the country. For unincorporated business organizations, Gotham Partners, LP v. Hallwood Realty Partners, LP, 817 A.2d 160, 167–68 (Del. 2002) provides a similar example. In Gotham Partner, the Delaware Supreme Court criticized dicta in Court of Chancery opinions, indulged in its own dicta, and stated that a limited partnership agreement could restrict but not eliminate fiduciary duty. This dicta, equally applicable to limited liability companies, prompted another legislative correction: 2004 Del. Laws, ch. 275 (HB 411), §§ 13, 14 (expressly stating that an LLC operating agreement may eliminate fiduciary duties); 2004 Del. Laws, ch. 265 (SB 273), §§ 15 and 16, and ch. 266 (SB 274), §§ 3 and 4 (same as to limited partnership agreements and general partnership agreements). The most recent example comprises Gatz Properties, LLC v. Auriga Capital Corp., 59 A.3d 1206 (Del. 2012) and 2013 Del. Laws, ch. 74, § 8. The case called into question whether fiduciary duties even exist in a limited liability company; the statutory, albeit obliquely, that in the default mode, LLC law includes “rules of law and equity relating to fiduciary duties.”

A Report Card and an Explanation

Thus, Delaware LLC law does not fare well under the five metrics set forth at the beginning of this column (clarity, comprehensiveness, coherence, accessibility, and stability). Yet Delaware remains fundamentally important to the law and practice of limited liability companies, and in countless sophisticated circumstances, a Delaware LLC is the most effective and practicable vehicle available.

This situation is no conundrum. For the cognoscenti, the drawbacks in the Delaware law are immaterial. For a lawyer whose practice centers on Delaware LLCs, assiduous study and continuous attention dissipate the drawbacks of the Delaware Act. The Delaware case law is indeed lengthy and plentiful almost to the extent of being fulsome, but the decisions: (i) address issues of great importance that often require sophisticated analysis and subtlety; and (ii) are authored by carefully vetted jurists for whom concepts like ROI, waterfall distributions, dilution, and marginal cost hold no mysteries. For transactional lawyers focused on Delaware LLCs, the weekly “assigned reading” has a more than acceptable “average cost.”

But for any dabbler in these mysteries, the average cost is insupportable, and the resulting risks are substantial. Therefore, don’t dabble in Delaware.

With parents who immigrated from Cuba to the United States, Brigida Benitez grew up immersed in two cultures. That upbringing influenced her career path, giving it an international flavor. A partner at Steptoe & Johnson, Benitez focuses on complex litigation, global anti-corruption matters, and internal investigations. She’s also served as Chief of the Office of Institutional Integrity of the Inter-American Development Bank, which provides development financing for Latin America and the Caribbean. She served as president of the D.C. Bar, the second largest unified bar in the country. The highlight of her career—so far—was representing the University of Michigan for six years in the case that led to a victory for diversity in higher education before the U.S. Supreme Court.

*     *     *

Tell us about your upbringing. I read your parents immigrated from Cuba.

My parents immigrated from Cuba and came to the United States pursuing the American dream. I grew up in a working-class community just north of Miami and many of my friends and peers had similar backgrounds. My parents did not have much formal education. My father started working at age 12 to support his family. But they instilled in my brother and me a strong work ethic and a belief that hard work and education were the keys to success.

Did you grow up speaking Spanish and English? And my follow-up question, did your immersion in two cultures influence your decision to have a global practice?

I grew up speaking only Spanish at home, and I learned English when I started kindergarten in public school. I’ve been immersed in two cultures my entire life. I’m sure that at some level that influenced some of my choices along the way. My Spanish fluency and my background led to opportunities early on, such as my work in Latin America. That certainly had an effect on my career path.

One of your specialties is internal investigation, including investigations in front of enforcement agencies. What skills are required for this, and how are they the same or different from being a lawyer?

I started my career as a litigator, which I still am. About 20 years ago, I also started doing internal corporate investigations when that emerged as a practice. Conducting an investigation as a lawyer requires that you look at a problem strategically and figure out the best approach and solution for the client. It’s critical to have good judgment and strong communication skills and to be able to connect with people and to build trust.

Ultimately, as with anything that one does as a lawyer, it’s about finding the optimal solution for the client. So the skills that make one a successful litigator and investigator are those that make you a good lawyer.

You also focus on complex litigation and global anticorruption matters. What is involved in a global anticorruption practice?

I counsel multinational companies on anticorruption issues, such as the Foreign Corrupt Practices Act, anti-money laundering, ethics and violations of codes of conduct, and sanctions laws, including OFAC and the sanctions procedures of the World Bank and other leading international financial institutions. I help these companies with the development and implementation of policies, procedures, and training on all of these issues. Then I advise them if anything serious comes up in these areas. Sometimes it means there’s a question or issue that has arisen about a certain law or policy. Other times there’s a significant problem that requires an internal investigation, for example, and maybe potentially disclosing to and negotiating with a regulator such as the Department of Justice or the Securities and Exchange Commission.

Is your practice exclusively U.S. based?

I know some about the anti-corruption laws, for example, that have been passed recently in a number of countries around the world. But ultimately, my specialty is U.S. law and advising companies that have exposure under U.S. law, and that may be U.S. companies who are doing business in other parts of the world. But it could just as easily be what we think of as non-U.S. companies that, because they’re listed on the exchanges here or they do a lot of business in the U.S., have exposure under U.S. laws.

You were part of a team in the landmark case, Grutter vs. Bollinger, in which the affirmative action admissions policy of University of Michigan was upheld by the U.S. Supreme Court. Can you describe the experience for us and how you were involved and just having that win?

The University of Michigan case has really been one of the highlights of my career, and an experience that I will cherish my entire life. I represented the university for six years from the filing of the complaint to a very successful resolution before the U.S. Supreme Court. As a litigator, it is such a rare experience to work on a case through all of the possible stages of a litigation from the beginning all the way through a Supreme Court resolution, which is rare in and of itself.

This was a case in which we had to be very creative from the outset and think long-term and strategically about building a defense that no one had crafted before. It was truly an incredible professional experience, a great team effort. I worked closely with the late John Payton, who was a terrific civil rights lawyer and became a great friend and mentor. On a personal level, given my own background, it was also very meaningful to achieve a victory for diversity in higher education.

And no one thought the Supreme Court would decide the way it did?

That’s correct. The issue had not come before the Supreme Court for 25 years and given the climate at the time, in the wake of the Hopwood case out of the Fifth Circuit, few were optimistic that the court would rule in our favor.

You’ve also had an interesting experience as Chief of the Office of Institutional Integrity of the Inter-American Development Bank. What does this entity do and what did you set out to achieve?

The Inter-American Development Bank is a multilateral development bank. It’s a leading source of financing for development throughout Latin America and the Caribbean. It functions in a manner similar to the World Bank, except its focus is on Latin America. I headed the office that was responsible for investigating potential fraud and corruption in any project financed by the bank, as well as implementing compliance policies and procedures relating to anti-corruption, anti-money laundering, sanctions laws, and the like.

I was a member of the senior management team and reported to the president of the bank and the audit committee of the board of executive directors. My work encompassed 26 countries in Latin America and the Caribbean. It was a very challenging yet rewarding experience.

Former Attorney General Richard Thornburgh had made a number of recommendations, including that the head of the Office of Institutional Integrity be elevated to a senior management position. At that time, the bank was trying to figure out how to build that office. That’s why I was recruited and ultimately hired. One of the things I did was implement policies relating to anti-corruption and anti-money laundering laws. For example, one policy concerned the use of offshore financial centers and how to tell where there are red flags in the use of off-shore financial centers. Another one was having a policy relating to the sanctions laws and regulations administered by the Office of Foreign Assets Control. There was a lot of opportunity to implement policy in the office.

You’re an adjunct professor at Georgetown University Law Center where you teach a course on International Business Litigation and Federal Practice. What do you enjoy about teaching?

One of the things I enjoy most is interacting and getting to know the students. I find that the students are eager to learn, always in need of mentoring, and it’s just fun to get to know them.

Also, because of the class I teach, I end up having a number of JD students as well as LLM students from around the world, some of whom already have practiced law. So it leads to very interesting discussions about how law is practiced elsewhere.

Can you give an example?

We get a lot of non-U.S. plaintiffs who come to the U.S. because of the availability of certain types of damages, of potentially larger verdicts, and broad discovery that’s simply not available in other countries. If you’re litigating a matter in France, for example, you’re not going to have the access to discovery that you do in the context of U.S. litigation. It’s always interesting to have those discussions with students who come from these other countries where the practice is very different.

You served as past president of the D.C. Bar. What are you most proud of accomplishing in that position?

I’m very proud to have been able to have served in that position. For me, it was a great honor to be able to lead the D.C. Bar, which is a fantastic organization. It’s the second largest mandatory bar in the country, with more than 100,000 members worldwide. I was very honored to have been elected and to have served in that position.

With team effort, we accomplished a great deal during my tenure. We bought a building, for example, that is being built and will be ready in January. It will be the new headquarters for the D.C. Bar and will be not only the first building that the Bar owns, but will ultimately save members millions of dollars over the course of the next 20 years. It’s going to offer technological resources, meeting spaces, and all of the advantages that an organization like the D.C. Bar can provide to its members. We also accomplished a number of other things, including developing and implementing a five-year strategic plan that sought unprecedented input from the membership to determine the D.C. Bar’s course moving forward. I also appointed a global legal practice task force to study and make recommendations on some of these issues and how the D.C. Bar can continue to be on the cutting edge in that area.

You’ve won many awards. Is there one that stands out for you or most meaningful?

I’ve been very fortunate to have been recognized during the course of my career and very proud of that. I would say that one award that stands out goes back to my work on the University of Michigan case. The first award that I won in connection with that case came from MALDEF, the Mexican-American Legal Defense and Education Fund.

For me, the fact that a national civil rights organization such as MALDEF that’s so well-known and well-respected presented me with its Excellence in the Legal Profession Award for the work that I had done in the University of Michigan case is something that I’m very proud of.

I’m wondering if you have any suggestions to law schools or law firms on how to promote diversity.

It’s a difficult issue and unfortunately, while there have been many efforts made, I think that there’s still much work to be done in the area of diversity, both in law schools and certainly in the legal profession. I would say that initiative, grit, and resilience can be more important than top grades from a top law school. It is essential to look at these attributes and to consider the potential of individuals to become great lawyers.

What advice would you give to a new attorney who’s just starting out?

The first thing I would say is welcome to the profession. It’s a great profession. There’s a lot of opportunity and a lot of potential to do many great things. It is first and foremost a service profession, and so I would encourage them to keep that in mind as they move forward; it’s whether you’re servicing your clients or giving back to the profession or doing pro bono work and serving those in need, I think that’s an important principle of our profession and a commitment for all of us to observe.

I would also say, be proactive about your career. It’s tempting when you get a job, whether it’s at a law firm or in-house corporate department, to just put your head down and do good work and, of course, that’s important. But it’s also essential for your professional development to look up, to connect with other lawyers, to network, to get involved in bar associations, to get involved with issues that you care about, because you learn of opportunities, you figure out what you want to do, you can contribute to the profession, and you have a more exciting and fulfilling career.

What has been the value of the ABA to you?

The ABA offers an amazing network of lawyers in diverse practice areas throughout the world. And for me, it’s been valuable to be able to be part of that network and connect with other lawyers. That’s really one of the key values of the ABA.

What do you like to do for fun?

I love to run. I discovered running about 10 years ago, and now I’m hooked. I regularly run races. I’ve run everything from 5Ks to marathons throughout the U.S. and even internationally. I find it to be a good stress relief and it keeps me balanced. I also enjoy travelling and spending time with my family and friends.

Thank you so much for your time!

“Pro Bono Publico” is a Latin phrase meaning “for the good of the public.” The phrase has come to refer to something done or donated without charge, especially with respect to legal representation.

Every year the nation celebrates National Pro Bono Week. Pro Bono Week was started over eight years ago by the Standing Committee on Pro Bono of the American Bar Association as “a coordinated national effort, to meet the ever-growing needs of this country’s most vulnerable citizens by encouraging and supporting local efforts to expand the delivery of pro bono legal services and by showcasing the great difference that pro bono lawyers make to the nation, its system of justice, its communities and, most of all, to the clients they serve.”

Pro Bono Week events take place all over the country, and even overseas. Pro Bono Net, a national nonprofit, has an interactive map that highlights everything happening around the world at www.probono.net. Of course, the need for pro bono legal assistance, and the opportunity to provide pro bono services, is year round. This need is ever growing, and the impending loss of federal funding of the Legal Services Corporation makes pro bono volunteerism even more critical.

While the ABA, through Model Rule 6.1, and many states through their respective rules governing the practice of law, encourage, and in some cases, require, attorneys to provide legal services to those unable to pay, there is still a tremendous difference nationwide between the number of attorneys admitted to practice, and those actually providing pro bono services. There are a variety of reasons that attorneys are reluctant to take a pro bono case. There are those that say they don’t have the time. There are those that say they have no way to waive the conflicts. There are concerns about malpractice coverage. There are those who are associates in firms and their firms do not give them credit for taking a pro bono case. And most popular among business lawyers—they do not want to go to court.

Let’s start with the time commitment. Yes, there are some pro bono cases that can take a great deal of time. Just ask any attorney who has worked on a death penalty case or a Hague Convention child custody case. But there are many pro bono opportunities that will take no more than a couple of hours of time—for example, staffing walk-in clinics, manning small claims hotlines, or going to public libraries to demonstrate how to use and understand different legal and court websites. If you are not certain what programs are available in your area, you can go to the ABA website, to the webpage for the Standing Committee on Pro Bono & Public Service, where you will find a Directory of Local Pro Bono Programs. That directory will guide you to a pro bono provider in your area, who will, in turn, advise you what volunteer opportunities are available to you.

Attorneys working for “big law” are concerned about the conflicts that pro bono work can trigger, especially attorneys working to help borrowers or debtors seeking to save their homes or discharge credit card debt. How does the representation avoid violating Model Rule 1.7?

Client-Lawyer Relationship

Rule 1.7 Conflict Of Interest: Current Clients

(a) Except as provided in paragraph (b), a lawyer shall not represent a client if the representation involves a concurrent conflict of interest. A concurrent conflict of interest exists if:

(1) the representation of one client will be directly adverse to another client; or

(2) there is a significant risk that the representation of one or more clients will be materially limited by the lawyer’s responsibilities to another client, a former client or a third person or by a personal interest of the lawyer.

(b) Notwithstanding the existence of a concurrent conflict of interest under paragraph (a), a lawyer may represent a client if:

(1) the lawyer reasonably believes that the lawyer will be able to provide competent and diligent representation to each affected client;

(2) the representation is not prohibited by law;

(3) the representation does not involve the assertion of a claim by one client against another client represented by the lawyer in the same litigation or other proceeding before a tribunal; and

(4) each affected client gives informed consent, confirmed in writing.

All states, as well as the District of Columbia, have adopted Model Rule 1.7 in some form.

If an attorney is working at a walk-in or phone-in clinic, there is no time or opportunity to clear conflicts or get written waivers. Moreover, some attorneys are concerned about providing legal help that would conflict with the interests of banking clients—cases, for example, involving foreclosure assistance or bankruptcy. Some states have exceptions to these conflict rules when the attorney is doing a pro bono case as part of a walk-in clinic or small claims hotline. For example the New York Rule of Professional Conduct 6.5 has a limited exception to the conflict rules if the lawyer “under the auspices of a program sponsored by a court, government agency, bar association or not-for-profit legal services organization, provides short-term limited legal services to a client without expectation by either the lawyer or the client that the lawyer will provide continuing representation in the matter.” “Short-term limited legal services” is defined in the rule as “services providing legal advice or representation free of charge as part of [a program described above] with no expectation that the assistance will continue beyond what is necessary to complete an initial consultation, representation or court appearance.”

Another benefit of taking a pro bono case through a legal aid provider is that the attorney has malpractice coverage. Thus, so long as the case is referred through the appropriate agency, malpractice insurance should not be an issue.

Often business lawyers tell me they don’t take pro bono cases because they will not go to court. Many pro bono cases do not involve court appearances at all. Many legal aid providers around the country have small claims clinics or landlord tenant clinics that, whether by telephone or walk-in, require a commitment of a couple of hours. The clinic organizers usually have scripts that provide the answers to the most common questions and “experts” available if the answers are not readily ascertainable. 

There are also opportunities for business lawyers to advise companies whether those companies are in the start-up phase or are dealing with ongoing business issues. For example, the Florida Bar Business Law Section conducts pro se clinics for not-for-profit businesses in different cities around the state. Clients have included a job training program for veterans, a collective for visual artists, and a cooperative for micro-businesses for women in poverty. Their needs have varied from creating all the documents necessary to start the business, to filing annual reports, to drafting resolutions to lease space or equipment, to creating documents for fundraising under section 501(c). And, unfortunately, once in a while, volunteers have provided legal advice relating to financial distress.

Many law schools around the country are doing business start-up clinics. For example, Duke Law School has the Start-Up Ventures Clinic, which “provides legal advice and assistance to seed and early state entrepreneurial ventures . . . including formation, intellectual property protection, commercialization strategies and operational issues.” These programs are springing up all over the country and it is likely that a law school near you either has such a program or is considering such a program. The students in these start-up clinics need mentors. Where the new venture qualifies as a pro bono client in your state, you can get pro bono credit for being a mentor.

Pro bono service is something that every law firm should encourage. For those young lawyers in your firms that want trial experience, pro bono cases give those young lawyers the opportunity to get courtroom experience not usually available for attorneys at entry level positions in firms. Those law firms that don’t have a formal pro bono policy should consider adopting a policy. Even if your firm encourages pro bono participation without a policy, the lack of a formal policy may discourage young lawyers from pursuing those opportunities. If your firm doesn’t encourage pro bono participation, you need to ask yourself why.

If your firm does have a pro bono policy make sure it is up to date. If your law firm does not have a pro bono policy, or it needs updating, take a look at the resources available at the webpage of the ABA Standing Committee for Pro Bono & Public Service, or on the Pro Bono Institute’s website. You can also take a look at the Florida Bar Business Law Section’s Best Practices Guide for a Firm Pro Bono Policy, located here. The Pro Bono Committee of the Florida Bar Business Law Section developed this Guide to encourage law firms to adopt a formal pro bono policy, or, if a firm already has a policy, to provide suggestions for improvements.

In sum, there is no reason not to do pro bono. And it makes business sense to do pro bono. As my colleague Judge Catherine McEwen from the Middle District of Florida is fond of saying  “pro bono is like a box of assorted donuts; open it up and you will find the flavor just for you.”

Judges can be significant contributors to pro bono service. No, they certainly cannot jump across the bench and represent poor litigants in the well of the courtroom. But there are other meaningful ways judges can participate in promoting access to the courts for indigent parties. So how can judges foster pro bono service to parties who otherwise cannot afford an attorney? And how do judges learn about what they can and should be doing to advance this important goal?

Those questions are answered in my area by a biennial Judicial Pro Bono Summit. The organizer is my state circuit’s Florida Supreme Court–mandated pro bono committee (of which I am a member). We invite all judges—state and federal—who sit within the boundaries of our state judicial circuit (which comprises our county) to attend an informal, box-lunch meeting away from their courthouses.  During the summit, we educate judges about referral resources and actions the judges can take to promote pro bono representation. The summit is easy to organize, inexpensive, and enjoyable. Indeed, a great byproduct of these judges-only gatherings is getting to know our state and federal colleagues better. 

Organizing the Summit

We meet in a casual, private setting, our local general bar association building’s meeting hall. The cost of the boxed lunch can be handled in two ways: The local pro bono committee can find sponsors (law firms), or each judge and pay the modest cost of the lunch. A great time for holding a judicial pro bono summit is during National Celebrate Pro Bono Week, which this year runs October 22–28, 2017. (Go here for more information on the celebration: www.probono.net/celebrateprobono/.)

The summit’s format is simple and designed to take no more than one hour. The first part features a few local pro bono legal service providers making brief presentations on what populations those organizations serve and in what subject matters. And then we discuss various ways judges can perform pro bono service personally and can encourage and promote pro bono service by attorneys. We also provide a handbook-style compilation of useful resources, including referral information for legal services providers in the area, so that these resources will be within arm’s reach on the bench. Excerpts of the written materials can also be posted on our local bar association’s website. The materials also list ways a judge may participate in pro bono, and the lunch discussion usually generates more ideas. Below is a sampling of permissible activities.

Hands-on Pro Bono Service

• Work with the local bar to create a self-help desk and materials for pro se parties (see, e.g., www.flmd.uscourts.gov/pro_se/docs/USDC-MDFL-Civil_Case_Flowchart.pdf, and http://www.flmd.uscourts.gov/pro_se/docs/FLMD_ProSe_Handbook.pdf)
• Work with the local bar to create a courthouse walk-in clinic, open during specified hours and staffed by volunteer attorneys
• Create a legal assistance program in which judges may appoint volunteer lawyers to staff cases involving indigent parties (see, e.g., www.mieb.uscourts.gov/programs-services and www.flmb.uscourts.gov/legal_assistance/)
• Alert bar organizations to opportunities for pro bono funding, such as Bench Bar Funds (attorney admission fees), undistributable funds in a chapter 11 case, or cy pres funds in other cases
• Act as a notary or intake assistant at legal clinics, such as the ABA’s Homeless Experience Legal Protection program that is run in many major cities
• Create a pro bono toolkit for judges (see, e.g., Missouri’s at www.courts.mo.gov/page.jsp?id=4975)
• Provide training for pro bono attorneys
• Lecture on consumer law topics at local libraries
• Reach for your wallet and donate money to a local pro bono provider and/or your state bar’s foundation (incidentally, I obtained an ethics opinion from the Judicial Conference of the United States saying this is okay for federal judges to do in most circumstances, and one of my state colleagues obtained similar advice for Florida judges; contact me if you’d like copies)

Encouraging and Promoting Pro Bono Service

• Participate as a member of a local or state bar association pro bono committee
• Urge your federal judicial law clerk to engage in pro bono work consistent with the Code of Conduct for Judicial Employees, Canon 4D (a judicial employee may provide pro bono service on his or her own time under certain circumstances set out in the canon) or your state code’s counterpart
• Advocate for pro bono publicly by writing op-ed pieces for local news media or appearing on radio or TV (see, e.g., www.tbo.com/list/news-opinion-commentary/national-celebrate-pro-bono-week-should-be-cheered-20151025/ and www.tbo.com/list/news-opinion-commentary/a-wish-list-for-access-to-the-courts-20150110/)
• Write a letter to newly barred attorneys asking them to take a pro bono case or provide other pro bono service
• Express appreciation of pro bono attorneys in open court, court newsletters, or personalized letters
• Provide perks and accommodations for pro bono attorneys such as “go to the front of the line” privileges or even providing a special parking place at the courthouse
• Display pro bono opportunities/promotional materials in the courtroom
• Nominate pro bono lawyers and voluntary bar associations for pro bono awards
• Permit unbundled (limited scope) services in pro bono cases
• Appear at pro bono award ceremonies
• Speak on pro bono service at bar association luncheons, swearing-in ceremonies, and other legal organization gatherings
• And, last but not least, organize a Judicial Pro Bono Summit to spread the word to your area’s colleagues on the bench

Judges, by planning a judicial pro bono summit in your area for some time in the coming year, I bet you could double this list!

Editor’s Note: This article is a substantial revision of an article that first appeared in the National Conference of Bankruptcy Judges’ Conference News.

Introduction

Cybersecurity continues to raise red flags among investment advisers and their government regulators. According to a recent Investment Adviser Association and Cerulli Associates poll, 97 percent of surveyed registered investment adviser executives cited cybersecurity compliance as a priority concern and 93 percent noted increased related regulatory pressure. Their concern is not unfounded. As a continuation of an ongoing trend over the past few years, the U.S. Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) included cybersecurity among their 2017 examination priorities. This article will address the regulatory cybersecurity framework applicable to investment advisers and what steps advisers can take to combat cyber attacks.

Background

Over the past few years, the SEC and FINRA, the chief regulators of investment funds and advisers, have demonstrated continued interest in cybersecurity.

In April 2014, the SEC Office of Compliance, Investigations and Examinations (OCIE) launched a Cybersecurity Initiative, conducting a series of examinations of registered investment advisers and broker-dealers to identify cybersecurity risks. In September of the following year, OCIE announced its 2015 Cybersecurity Examination Initiative, with a focus on the following areas: (i) governance and risk assessment, (ii) access rights and controls, (iii) data loss prevention, (iv) vendor management, (v) training, and (vi) incident response. That same year, FINRA released a Report on Cybersecurity Practices, detailing practices that firms can tailor to their business models to advance cybersecurity efforts. OCIE continued to advance the efforts of its Initiatives in 2016, reviewing in particular the technical sufficiency of respondents’ security programs.

Cybersecurity will remain on regulators’ radar. On January 12, 2017, both the SEC and FINRA released their 2017 examination priorities. The SEC announced that it will continue its ongoing initiative to examine, including “testing the implementation of,” investment adviser and broker dealers’ cybersecurity compliance procedures and controls. FINRA will similarly pay close attention over the course of the year to cybersecurity risks and firms’ programs to mitigate those risks.

Governance and Risk Assessment

The best way of mitigating the impact of security breaches is to seek to reduce the number that actually occur. Investment advisers should have cybersecurity governance and risk assessment procedures to prescribe perimeter and other defenses. These procedures should include implementation of written policies tailored to business operations and communication of plans to and from senior management. While no amount of security can thwart a determined, well-equipped and sophisticated hacker, organizing and implementing even a basic defense can ward off more run-of-the-mill intruders.

Governance and risk assessment requirements are codified in the federal laws governing investment advisers. For example, the Gramm-Leach-Bliley Act (GLBA) “Safeguards Rule” requires financial institutions to establish a written information security program (WISP), designate an employee to coordinate its WISP, identify and assess risks to customers’ non-public personal information, and regularly test and evaluate the effectiveness of current safeguards. The GLBA is administered and enforced by several federal agencies, including the SEC via Regulation S-P. Rule 30 of Regulation S-P requires registered investment advisers, investment companies, and broker dealers to adopt written procedures to insure the confidentiality and protect against anticipated threats to the security of customer records or information.

In April 2015, the SEC’s Investment Management Division released a guidance based on OCIE’s 2014 examinations. In addition to periodic assessments of cybersecurity readiness, the guidance recommended that investment funds and advisers create and implement a cybersecurity response strategy through written policies that include access control, data encryption, restrictions on the use of removable storage media, data backup and retrieval, and an incident response plan. In the guidance, the SEC encouraged investment funds and advisers addressing these cybersecurity concerns to review the NIST Cybersecurity Framework, which is currently being updated. Investment advisers are required to review the adequacy of their policies and the effectiveness of their implementation at least annually pursuant to Rule 206(4)-7 of the Investment Advisers Act of 1940.

Notwithstanding the foregoing paragraph, it is important to note that while federal guidelines may be useful, there is no “one size fits all” with regard to cybersecurity compliance. Individual advisers, smaller firms, and branch offices are limited in financial and human resources allocable to cybersecurity defense. Additionally, the rapid pace of technology has engendered an ongoing technical struggle between hackers and their targets and staying on the cutting edge can be an expensive prospect. As FINRA noted in its recent Regulatory and Examination Priorities Letter, investment advisers must tailor their cybersecurity programs to their specific business model, size, and risk profile.

Consequences of failing to comply with the Safeguard Rule include loss of clients, private lawsuits from former clients, reputational damage, and civil penalties. The latter may be imposed even where no pecuniary losses can be shown. For example, in September 2015, one St. Louis–based investment adviser, R.T. Jones Capital Equities, settled an investigation with the SEC for $75,000. R.T. Jones had suffered a breach of its server, resulting in the leak of personally identifiable information (PII) of 100,000 individuals. While the SEC found no evidence that the firm’s clients were financially harmed, it concluded R.T. Jones had violated Rule 30(a) of Regulation S-P by having no written policies or procedures in place to reasonable protect client data.

Several states have gone further than federal regulators, imposing more stringent data security requirements on financial institutions. For example, while the GLBA applies only to customer information, Massachusetts’s “Standards for the Protection of Personal Information of Residents of the Commonwealth” apply to both employee as well as customer information. Massachusetts’s Standards also provide a list of items a WISP should contain, require encryption of personal information and limit the amount of information financial institutions are allowed to collect. New York’s recent “Cybersecurity Requirements for Financial Services Companies” require that financial institutions designate a Chief Information Security Officer, encrypt all “nonpublic” data and annually certify compliance with the regulations. While the regulations do not directly apply to investment advisers (which are not licensed by the New York Department of Financial Services), they may serve as a harbinger of future state-registered investment adviser requirements.

Access Rights and Controls

In its 2015 Cybersecurity Examination Initiative, OCIE noted that security breaches can stem from the failure to implement even basic controls to prevent unauthorized system or information access. Controls on onsite and offsite access to systems and data include management of user credentials and authentication and authorization methods.

“Man-in-the-middle” attacks—where a fraudster tricks (in the context of investment funds) a general partner or a limited partner into wiring a contribution intended for a fund or a distribution intended for a limited partner to a third party—are particularly threatening to investment advisers. Theft of client bank account information or an adviser’s private client list are also causes for concern, particularly where sensitive data is later exposed to the public.

Every investment adviser, large or small should ideally require multifactor user authentication to access their networks. Multifactor authentication refers to the use of at least two of the following categories: knowledge factors, location factors, time factors, possession factors, and inheritance factors. The knowledge factor is the most common type of authentication and requires users to provide an individualized piece of information, such as a password, pin code, or answers to security questions. The location factor cross-references a user’s current physical location against the user’s pre-registered location and the time factor cross-references the timing of user logins. The possession factor requires users to possess a specific item, such as a previously identified mobile device, computer, security card, or thumb drive. The inheritance factor involves biometric information that is inherently unique to each user, such as fingerprint, iris or facial pattern recognition.

Once relegated to the realm of Mission Impossible, biometric validation is now available on ordinary smartphones and is gaining traction among investment advisers and other financial institutions. For example, following a cybersecurity audit, Capital Advisors Ltd., an Ohio-based investment adviser, implemented fingerprint scans in addition to password protection for users to access its network. Validation processes are still in development however, and biometric validation is far from foolproof. Investment advisers deciding among biometric validation programs should bear in mind whether their relevant computer systems are more sensitive to false negatives (e.g., a repository of investors’ bank account information) or false positives (e.g., a system with high user traffic containing more mundane information).

As important as multifactor user authentication is the maintenance of a secure database of login information and updates to access rights based on personnel or system changes. Single sign-on software that logs into linked applications with a master identity can help investment advisers change large number of passwords at once rather than on an individual basis.

In addition to multifactor authentication and protocols for login issues, investment advisers can use firewalls and perimeter defenses to defend against breaches. Investment advisers should also conduct “hardening,” which generally refers to the reduction of security risks by removing unnecessary software, utilities, devices, or services. If a user account is compromised, multi-tiered approval processes (for example, those needed to access customer accounts or make distributions) may prevent serious harm from ensuing. On the system level, a virtual local area network segmentation, which creates a collection of isolated networks within a data center, can mitigate the damage a hacker could unleash.

Data Loss Prevention

In its 2015 Cybersecurity Examination Initiative, OCIE indicated that it would assess how investment advisers and broker-dealers monitor the volume of content transferred outside of the firm by its employees or through third parties, such as via email attachments or uploads. Customer data, especially PII, should be encrypted, whether transmitted or stored.

Investment advisers can address OCIE’s concerns by implementing a data loss prevention (DLP) strategy. DLP refers to the process for preventing the transfer of information outside of a corporate network. DLP software products use algorithms to classify and protect confidential and critical information. For instance, if an employee attempted to forward a business email outside of the firm’s email domain or upload a file to cloud storage (such as Dropbox or Google Drive), the employee would be automatically denied access, or an administrator password would be required. In addition to being able to monitor and control endpoint activities, some DLP tools can also be used to filter data streams on the corporate network and protect data in motion.

Two particular areas of DLP that OCIE emphasized are patch management and system configuration. Patch management and system configuration involves acquiring, testing, and installing multiple code changes (“patches”) to an investment adviser’s computer systems. System administrators should (i) maintain an updated inventory of all production systems (including operating system types, IP addresses, physical location, custodian, and function); (ii) standardize (to the extent possible) production systems to the same operating system and software; (iii) assess and compare reported vulnerabilities against inventory (e.g., estimating the cost of mitigation or recovery or checking whether an affected system is within a perimeter firewall); and (iv) deploy patches as needed.

As the name implies, patches are “patch-up jobs,” rather than comprehensive overhauls of a firm’s computer network, and can sometimes cause more problems than they fix. System administrators should take simple measures to avoid issues, like performing backups and testing patches on non-critical systems. In addition to running patches, investment advisers should regularly update their cybersecurity programs, whether configuring software to automatically download security updates or keeping on the lookout for newer and more advanced programs.

The importance of DLP to investment advisers has seen recent publicity. In June 2016, Morgan Stanley Smith Barney LLC (MSSB) was fined $1,000,000 for having violated the Safeguards Rule. Between 2011 and 2014, a MSSB employee impermissibly accessed and transferred data regarding 730,000 MSSB accounts to his personal server, which was then hacked by third parties. The SEC found that while the firm used modules to operationalize the restrictions set forth in its security policy, the modules did not effectively limit employee access to data and MSSB failed to test the modules or monitor user activity in applications where PII was stored.

Vendor Management

“Vendor management,” in the context of the Investment Management Division’s guidance, refers to an investment adviser’s actual vendor due diligence, monitoring and oversight, as well as the terms of the adviser’s vendor contracts. Appropriate vendor management and oversight is an area of critical importance, especially to larger firms that engage a large number of third-party service providers.

The first line of defense in vendor cybersecurity risk are vendor contracts. Investment advisers’ vendor contracts should include data security-specific representations and warranties, as well as nondisclosure provisions. Once vendors are retained, as threshold matter investment advisers should identify all vendors that have access to personally identifiable data and ascertain what data is visible to each vendor. In accordance with system segmentation policies described above, vendors should only have access to the data needed to perform their contracted services.

Investment advisers should ideally vet vendors (especially smaller vendors) with a systematic review process, which may include (in the case of larger advisers) interviews by cybersecurity consultants, as well as questionnaires examining the vendors’ operational and security procedures. Vendors that routinely use or hold the PII of their clients’ customers should report on the key security measures they employ, and in fact many larger vendors publish white papers explaining their security standards. Established investment advisers with leverage over certain vendors may subject those vendors to an information technology audit. For larger vendors this could take the form of an AICPA Service Organization Controls report but for smaller vendors, it could be a substitute report guaranteeing satisfactory compliance with applicable security protocols.

The minimum security protocols that investment advisers should require of vendors should include password parameters, multifactor authentication for unidentified devices and encryption of data, both in transmission and at rest. Finally, while data security is the overriding concern, data availability also is critical. Data that is not available is not worthless if it cannot be accessed. Vendors should have sufficient plans for backup data centers and telecommunications lines to ensure a seamless business continuity plan. In some cases, vendors may be required to purchase cyber security insurance to provide some compensation payout in the wake of a breach.

The aforementioned best practices may apply not only to vendors but also to subcontractors and third parties that host or have regular access to investment advisers’ data, including computer support vendors. A vendor questionnaire thus should verify to what degree a vendor uses subcontractors to handle sensitive data, and in some cases, an investment adviser may conduct direct sub-contractor due diligence in addition to vendor due diligence.

Training

Training efforts focus on ways in which the investment adviser prevents data breaches result from unintentional employee actions. Often, the most egregious of consequences can be prevented when employees are attentive to detail and know how to identify warning signs.

Cyber threats have been caused by such mundane lapses in security as misplaced laptops, attachments downloaded from unknown sources, and access of client accounts through an unsecured Internet network. On March 12, 2016, a nearly $1 billion cyber theft was blocked at the last minute by a bank employee who noticed a typo in the wire instructions from a foreign bank.

FINRA, recognizing the importance of this issue, has given detailed guidance for effective staff cybersecurity training programs. First, investment advisers should clearly define their cybersecurity training needs. Second, advisers should identify appropriate cybersecurity training update cycles, such as offering training on a periodic basis. Third and finally, advisers should deliver interactive training that has been tailored to their history of cybersecurity incidents, risk assessments and cyber intelligence. Employee training will likely focus on password and confidential information (especially client PII) protection, physical and mobile security, and escalation policies.

Bearing in mind that an overload of information can be detrimental rather than helpful, FINRA suggests that investment advisers consider whether staff trainings will be mandatory or optional and whether they will be tailored towards a target audience, such as general topics for the entire firm and specific topics for management. Investment advisers without dedicated in-house training personnel may wish to consult cybersecurity consultants that offer programs and platforms to help employees become a barrier against cyber threats.

Incident Response

As important as preventing security breaches is dealing with the aftermath. Investment advisers should identify the most likely types of cybersecurity incident and attack vectors, from DDoS attacks to a network or customer account intrusion, and outline tailored response plans in their WISPs.

A response plan will include steps to contain and mitigate the collateral damage from a cybersecurity breach. Employing intrusion detection systems and intrusion prevention systems can help detect compromises in their early stages. Firms should be prepared to shut down key elements systems, disconnect attached network devices, and, where possible, remove admin rights of compromised user accounts. A response plan should not just encompass a firm’s IT department (if there is one) but should be a collaborative effort on the part of all departments. In one enforcement matter, a factor considered by FINRA was the “firm’s failure to rapidly remediate a device the firm knew was exposing [client] information to unauthorized users.” Consequently, firms must see to the prompt recovery and restoration of systems to normal operations as soon as possible.

In addition to damage mitigation, investment advisers will need to investigate the source of the attack and provide a prompt damage assessment. OCIE learned from its 2014 study that while over 80 percent of investment advisers had implemented WISPs, less than 15 percent of those WISPs addressed how advisers will determine if they are responsible for client cyber-related losses. A WISP should therefore allocate resources to conducting an investigation, determine the extent of data and monetary loss and should identify when client reimbursement is required.

Importantly, investment advisers are obligated to notify clients and regulators in the event of certain breaches. With regard to notices to clients of the loss or misuse of personally identifiable information and other sensitive data, this obligation takes on a fiduciary nature. Although not required by Regulation S-P, mandatory customer and regulator notices have been codified in the regulations of the District of Columbia and 47 states. Consequently, WISPs should allocate resources for the conduction of a timely reporting of cybersecurity incidents to clients and regulators.

Conclusion

Investment advisers have both a legal and a practical obligation to affirmatively protect their clients’ data. While an investment adviser’s size, industry, and other factors will determine what degree of protection is appropriate within the context of federal and state privacy laws, all advisers can and should take some protective measures, such as consulting a cybersecurity consultant, using authentication and encryption tools and preparing a WISP. With so much public focus on the issue and future regulations likely, taking cybersecurity precautions may be well worth the cost.

Introduction

Whether fighting for or against policy agendas, providing support to communities affected by policy changes, or fighting for their existence due to a lack of funding or legislative action specifically targeting an organization or its activities, charities often find themselves more engaged in advocacy activities during periods of significant political shifts. For some organizations, the change in political climate just means more or less advocacy activities in certain areas than normal. For other organizations, advocating for their communities means working to support their clients and communities in ways that require more attention to compliance in order to continue operating within the confines of their tax-exempt status. As a result, it is more important than ever that advisors to nonprofits understand the range of advocacy-related activities organizations can conduct, and the considerations organizations must take into account when conducting those activities. Charities will often avoid some types of advocacy activities, or at least do far less than is allowed by their tax-exempt status, because of the fear and misunderstanding that exists around the restrictions imposed on section 501(c)(3) organizations. This article provides an overview of the most common advocacy activities charities conduct, and the issues with those activities that could endanger an organization’s federal tax-exempt status.

Background

Charities receive significant levels of public subsidy, both in the form of tax deductibility for gifts and in exemption from tax on most forms of income. As a result, charities are subject to significant restrictions on their activities to ensure that they exist to benefit public rather than private interests. Those restrictions include an absolute prohibition on engaging in campaign intervention activities for or against a candidate, a requirement that a public charity can conduct only insubstantial amounts of lobbying, and a prohibition on private foundations conducting any lobbying activities. By comparison, other types of organizations that do not receive the same level of tax benefits, such as section 501(c)(4) social welfare organizations or section 501(c)(6) chambers of commerce and professional associations, can conduct political activities so long as those activities are not their primary activity, and they can conduct unlimited amounts of lobbying supporting their exempt purpose(s). Organizations exempt under sections 501(c)(4) and 501(c)(6) are also likely to get more involved in lobbying and other activities during periods of political shifts, although because the restrictions on these organizations are less stringent, they are less likely to cause problems for an organization’s tax-exempt status. For those seeking to fund or fundraise for advocacy activities, section 501(c)(3) organizations are often more desirable vehicles than other types of tax-exempt organizations because their activities can be funded with tax-deductible contributions. In addition to the funding advantages charities provide, they arguably should also have an even stronger drive to engage in policy and advocacy activities because the constituencies charities serve are often some of the least likely to have a voice in the policy arena.

Lobbying Activities

One of the most common types of advocacy activities that charities conduct is legislative lobbying. Lobbying is understood to occur when an organization contacts, or urges the public to contact, legislators in order to propose, support, or oppose legislation or otherwise advocates the adoption or rejection of legislation. Legislation includes an act, bill, resolution, or similar proposal before Congress, a state legislature, local councils, or similar governing bodies (including legislative bodies in foreign countries), or before the public in a referendum, constitutional amendment, or similar procedure. As mentioned above, whether a charity can lobby depends on its foundation status. Public charities can lobby, but the amount of lobbying they can conduct depends in large part on which lobbying test they are under (see below). Private foundations cannot engage in any lobbying.

The default test that all charities are subject to unless they affirmatively elect otherwise is the no-substantial-part test. There is no clear definition of “substantial,” but it is generally understood that, if lobbying activities are anywhere from five percent to 20 percent of an organization’s total activities, it may be determined to be substantial. It should also be understood, however, that the no-substantial-part test is not a pure percentage or expenditure test of an organization’s lobbying activities. The no-substantial-part test looks at other factors, including time spent on lobbying activities, physical space devoted to lobbying activities, volunteer labor used for lobbying activities, and other factors that help understand the scope of lobbying activities as compared to the organization’s other activities. For some types of public charities, such as governmental units and churches and their related organizations, the no-substantial-part test is the only test of lobbying activities that applies. If a public charity governed by the no-substantial-part test is determined to have exceeded its lobbying limits, the penalty is revocation of its tax-exempt status. Public charities under the no-substantial-part test may use certain exceptions found in the private foundation regulations to exclude certain activities from the definition of lobbying. Those exceptions are discussed in further detail below.

Other public charities may elect to be governed by the expenditure test under sections 501(h) and 4911 (and the associated Treasury Regulations), which provide a specific calculation of the total amount of lobbying activities that may be conducted, capped at $1 million, and with a separate limitation on expenditures for reaching out to the general public to urge them to lobby their legislators (grassroots lobbying). The expenditure test provides additional definitions that are not available under the no-substantial-part test that help to exclude a much broader array of activities from the definition of lobbying. A 25-percent excise tax is imposed on organizations that exceed the total or grassroots lobbying amounts, but the organization’s exempt status is not subject to revocation unless they “normally” exceed the limits. “Normally” in this context is looked at over a four-year period and requires exceeding the lobbying limits by at least 150 percent during any given four-year period.

Private foundations are prohibited from lobbying unless the activity falls under one of the specific exceptions provided in section 4945 and its associated regulations: nonpartisan analysis, study, or research provided to the public or legislative officials; examinations and discussion of broad social, economic, and similar problems; requests for technical advice or assistance to a requesting legislative body; and self-defense lobbying communications. Currently, the exception for self-defense communications has been relied upon by many of the private foundations involved in opposing any repeal or change to the prohibition against political activities by section 501(c)(3) organizations (commonly referred to as the Johnson Amendment). If a private foundation engages in lobbying activities, it has engaged in a taxable expenditure under the private foundation rules, which subjects it to excise taxes and a requirement to correct the taxable expenditure. In some circumstances, organization managers may also be subject to an excise tax. If the amount of the taxable expenditure is not corrected within a given time period, the private foundation may be subject to a second-tier tax, and it may have its private foundation status terminated.

Political Activities

Both public charities and private foundations are subject to an absolute prohibition on political campaign activities, which is enforced through excise taxes and the revocation of an organization’s tax-exempt status. The definition of “political campaign activities” (also frequently referred to as campaign intervention or electioneering) is much broader than the election law/campaign finance law definition of “political activities.” Unfortunately, despite recent efforts to clarify this arena, there is no clear statutory or regulatory definition of what qualifies as campaign intervention. The IRS will look at all of the facts and circumstances to determine whether the charity is signaling or implying support for a candidate or party through its communications and activities. This context-driven identification of prohibited political campaign activities often causes organizations to be overly cautious. Many activities not intended to result in campaign intervention could be viewed that way by the IRS. For example, campaign intervention can very easily arise, particularly in an election year, as a result of an organization’s lobbying and issue advocacy. However, it can also be found as a result of business transactions the organization enters into, such as selling advertising, or even via its website and social media communications. Given that the context of the communications or the activities controls the analysis, many activities of an organization not directly connected to its advocacy programs could still result in a finding that the organization engaged in impermissible campaign activities.

Concerns regarding this issue are significant for many organizations this year because Donald Trump filed a notice in early 2017 with the Federal Election Commission that his campaign committee had raised enough money for the 2020 election such that it was required to file. He has also already filed a trademark registration for his 2020 campaign: “Keep America Great!” Those filings have resulted in fear by organizations, fueled in part by misinformation in the media and blogosphere, that charities are now prohibited from criticizing Donald Trump’s acts and statements as president because he is already taking actions as Trump the candidate for 2020. In fact, such communications and actions by the charitable sector are analyzed in the same way they always are, which is with regard to all of the facts and circumstances surrounding the activity or communication. There are no factors that are determinative, and organizations are advised to obtain advice from qualified counsel on the subject. Some of the relevant factors specifically referenced by the IRS in guidance include (not an exhaustive list): whether the statement identifies a candidate by name (or any other identifier that clearly indicates it is referencing the candidate); whether it is delivered close in time to the election (clearly a factor that currently weighs in favor of an organization); whether the timing of the communication or action is related to specific legislation or policies; whether the communication or action is addressing the individual as an officeholder or a candidate; whether it is an issue the organization historically has worked on; and whether it relates to the organization’s mission. A communication or action that encourages voters not to re-elect Trump would likely be regarded as campaign intervention. In contrast, an action that is issue-focused in response to current legislative action, and does not reference Trump the candidate, would likely not be campaign intervention. However, there is enough gray area that can result between (and even potentially including) those examples that, depending on the facts and circumstances surrounding the criticism (or praise), an analysis of the actual planned action or communication is often required.

Illegal Activities

It is generally understood that a charitable organization that promotes violations of the law or public policy in order to achieve its charitable purposes cannot be operated in compliance with the requirements of section 501(c)(3). This restriction comes from the law regarding charitable trusts and has arisen for charitable organizations in a variety of circumstances, including: Medicare and Medicaid fraud; sponsoring nonviolent protest demonstrations as a primary activity at which members are encouraged to commit acts of civil disobedience; activities intended to support the cultivation and distribution of medical marijuana in a state in which such activities are legal; and university prohibition against interracial dating and marriage. Charitable organizations can, however, conduct activities such as strikes, economic boycotts, picketing, mass demonstrations, etc. as a means of furthering educational or charitable purposes so long as the activities are not illegal or contrary to clearly defined public policy.

Litigation as a Charitable Activity

Organizations may be able to conduct litigation as a means of advocacy and in furtherance of their charitable purpose without jeopardizing their tax-exempt status. Most commonly seen are organizations that litigate to enforce environmental legislation, consumer protection, and to defend human and civil rights secured by law. Therefore, it is not uncommon to see significant litigation during periods of political unrest and significant changes in public policy. In order to qualify as charitable, litigation must be conducted for a public, rather than a private, purpose. This does not mean that a nonprofit cannot represent individual plaintiffs; however, the litigation should be expected to have a significant impact beyond the interests of the specific plaintiffs represented by the nonprofit. Although well-recognized as a means to exemption, organizations seeking to operate as a public interest law firm are advised to review the IRS’s detailed guidance and restrictions regarding the firm’s operations, which are intended to ensure that that the operations further charitable purposes and are distinguishable from the operations of a for-profit law firm.

Attribution Issues

Charitable organizations must take precautions to prevent activities that could jeopardize exemption from being attributed to the charity as the result of the actions of individual staff or directors, members, or organizations with which the charity is affiliated or works in coalition. Individuals associated with charitable organizations do not lose their free speech rights when they are speaking outside of official organization functions and publications. However, attribution from staff member or director’s actions can occur when it could be inferred that speech from the individual is made under the authority of the organization or the action is ratified by the organization. Individuals associated with charities, particularly individuals who are generally viewed as speaking on behalf of an organization, should take care to clarify when they are speaking in their individual capacity. That care should be taken not just in more traditional modes of public communication such as speeches, op-eds, interviews, etc., but also in the individual’s social media communications (particularly if they use personal social media accounts to engage in organization-related or organization-endorsed speech).

Charities that organize their membership and supporters to engage in protests and other public demonstrations are not generally going to be held accountable for the unauthorized activities of individuals who engage in illegal activities as a part of a march or demonstration sponsored by the charity. However, if the organization encourages, authorizes, or otherwise ratifies the illegal activities of the individual members, such action may jeopardize the organization’s charitable status.

Similarly, organizations that work in coalition with other groups that are not 501(c)(3)s, including organizations that the charity may be closely affiliated with, must take care to ensure that activities of the coalition members that the charity cannot conduct itself are not attributed back to it. For example, if a 501(c)(3) has an affiliated 501(c)(4) or 501(c)(6), it must avoid the appearance of subsidizing the political campaign activities of the affiliated entity that the charity cannot itself conduct. In other situations, 501(c)(3) organizations may be working in coalition with a variety of organizations to advocate for an issue that is important to all involved groups. The charities involved in the coalition must take steps to ensure that activities that may be conducted by some coalition members, such as political campaign activity or excessive lobbying, are not attributed to the charity.

Conclusion

There are many ways, in addition to those discussed above, for charities to advocate for policies and positions that advance their charitable purposes and benefit their charitable constituency. All organizations engaging in advocacy activities should understand the compliance issues inherent in each type of activity, but particularly organizations that are newly engaging in a certain type of advocacy in response to political and public-policy changes. It is often necessary for charities to involve themselves in policy to ensure that communities lacking a voice (or a loud enough voice) in the political process are able to have their voices amplified and heard, particularly in these political times.