As a teen, Donald Maurice helped with his family’s construction and land development company. Out in the hot sun, he’d spend hours pounding nails, sawing boards, as part of a team building houses. It was the perfect beginning for his legal career, in which he began as a land use attorney. But this was the mid-1980s, and the savings and loan crisis quickly transformed him into a financial services attorney. “I had a knack for understanding commercial property and the challenges that borrowers and lenders faced,” he says. When that crisis resolved, his career continued to evolve in this practice area. Now, he helps manage a 30 plus attorney law firm, Maurice Wutscher, with offices in 16 states. He’s a regular contributor to his firm’s blog, hosts webinars, and gives speeches throughout the country on consumer and commercial finance laws.

*     *     *

What inspired you to become a lawyer?

My family’s work was construction and land development, mostly commercial and residential land development. I would work with my family in the summer and when I had breaks from school. At a very young age I learned that the law impacted how we could develop properties and construct buildings. I found it very interesting, and when you’re outside in the hot heat of the summer sun, it seemed a lot better to be on that side of the business than on the labor side.

How did you come to specialize in consumer and commercial finance companies?

When I went to law school, which was in the mid-’80s, the S&L crisis began to unfold. When I graduated in 1988, my intent was to pursue a career in land use law, but at that time there weren’t many developments going on because of the crisis. In fact, commercial and residential developments were largely in default. The loans were not being paid and the lenders needed to begin to take back their properties. Some smaller New Jersey banks reached out to the law firm where I worked and wanted assistance in recovering these properties. I had a background in construction and development, so I understood the state of the properties and went from being a land use attorney to a financial services attorney just by virtue of the economy at the time.

What do you enjoy about it?

I had a knack for understanding commercial property and the challenges that borrowers and lenders faced. As the economy began to recover, there was less and less work like that. Commercial properties were thriving, and the development end of it was moving forward properly. A theory of law called lender liability began. It was interesting and new, and it involved borrowers accusing banks of wrongdoing. I began successfully defending against these cases.

Soon there was a new area of lending that was growing very rapidly and that was the consumer side. What banks began to see in the late ’80s and early ’90s was a growth in consumer-related litigation arising from financial products and services, particularly in the automobile finance area. The same banks that had hired my firm and myself to defend them in commercial matters began to send the consumer matters to me. I found them very similar to commercial matters. It fit very well into what I was doing, and I was very successful on that end of the work, as well as defending the financial services companies against those types of claims.

Later on, a group of plaintiffs’ attorneys representing consumers in the financial services transactions began to expand out from automobile loans to all types of consumer loans. So, we saw a lot of activity in credit cards and credit card disclosures and the alleged failure to make proper disclosures. In the late ’90s and turn of the century, we saw the growth of debt collection, particularly with the emergence of large companies that bought defaulted debt and then would collect on it. Unlike original creditors and creditors who extend credit, the debt-buying companies were often subject to other sets of federal and state regulations that allowed for civil claims to be brought against them that were not typically brought against creditors.

So I began to represent these debt-buying companies. There were not a lot of people 20 years ago doing this work, and I have been representing that industry for 20 years. I continued to grow that practice in New York, New Jersey, and Pennsylvania.

You now help to run a 30-plus attorney law firm with offices in 16 states. What do you most enjoy about heading up a firm?

Running a firm is the toughest thing an attorney can do. I don’t run it myself, I can assure you of that. We have partners who handle various aspects of it. What I like about having a firm like ours is that we can specialize primarily in consumer financial services. To have a group of attorneys who all are working on regulatory compliance and financial services litigation brings a great amount of knowledge and experience to the table. It allows us to provide our clients with superior services. We have, for example, myself and others here who have been practicing in this area for 30 years.

We have offices from California to Boston to South Florida. It gives us a very good overview of what is happening nationally. We are able to spot emerging trends and help our clients who primarily are engaged nationwide to address some of these emerging issues quickly. I also do a lot of work in state legislative affairs. You begin to see patterns in how states are regulating consumer financial services, and in my role, I get to assist in shaping those state laws through my legislative work.

What are the main challenges of running a firm?

My biggest challenge is to provide assistance to all the other attorneys whom I work with. The attorneys are coming to me with questions either on the law or strategy, and my role is to assist them in answering those legal questions and developing a strategy. That means I have to be familiar with all of their cases.

Do you have a systematic or technological solution to tracking cases?

We do employ a wide variety of technology solutions. We share a lot of information through that technology, and we have systems that allow us to track the cases. But in ligation you can’t replace the ability to strategize with technology. So it has to be a hands-on endeavor in each of the cases. We are constantly having meetings concerning each of the cases that we work on internally and with our clients. Technology can only assist you in the very fundamental aspects of tracking and monitoring cases.

Is there a lot of travel for you?

I travel very often. I’m licensed in Massachusetts, New York, New Jersey, and D.C., and I have about 30 federal admissions. In any coming week, it’s not unusual for me to be in Boston, New York, Chicago, or New Jersey. I also do a good bit of travel for my legislative work.

You also provide advice and counsel to attorneys in matters of professional responsibility and attorney ethics. What issues do you see rise most frequently?

In the consumer financial services space, there are attorneys engaged in consumer debt collection. Unfortunately, the practices of these attorneys have come under extraordinary scrutiny as a result of the application of the federal Fair Debt Collection Practices Act (FDCPA). This has created extraordinary difficulties that other attorneys do not regularly face. They are subject to lawsuits by consumers simply because the attorneys file lawsuits on behalf of their clients.

The FDCPA is sometimes utilized to sue these attorneys, alleging, for example, that because they lost a case, the lawyers did not have a basis to sue on the claim. Sometimes the lawyers are sued because it’s alleged that they did not spend enough time reviewing a file before they sent a letter. The federal Consumer Financial Protection Bureau has brought enforcement actions against lawyers and law firms based on that theory. There is no other attorney practice area that I know of that is subject to that great deal of risk. It has caused a significant number of problems for these attorneys.

What I have learned from representing these attorneys is that they probably spend far more than other types of practice groups on both professional compliance and compliance with the federal and state laws in the areas in which they practice. They do this not only because they want to do a very good job for their clients, but because of the personal risks that they now face.

You help write a blog, the Consumer Financial Services Blog. How valuable is the blog to the firm?

We started the blog about six years ago, and we did it because we love to write. My articles are typically analytical, but the blog also has a lot of case updates that our clients may find interesting. Certainly there is an element of the blog that is there to display the talent of our attorneys. Most, if not all, of our attorneys publish to the blog regularly. It provides the public with insights into the skill and expertise of our attorneys.

It also keeps our attorneys up to date on developments in law. Because we’re writing about what we believe are important developments impacting consumer and financial services, our attorneys are staying abreast of changes in the law, both in the decisional law and in the regulations and statutes.

How often is a new article posted on the blog?

Since May of 2015, we typically publish four articles a week. In all, there are nearly 550 articles published through the blog.

You recently spoke at the ABA Business Law Section about the case the Midland Funding v. Aleida Johnson case before the U.S. Supreme Court. What are your main views about this case?

The issue presented in Midland v. Johnson, whether a proof of claim for a debt subject to an expired limitation violates the FDCPA was one our firm successfully defended many years ago in the Eastern District of Pennsylvania bankruptcy court. I though the issue was resolved, but it re-emerged in the 11th Circuit Court of Appeals, in Crawford v. LVNV and again from the same court in Midland v. Johnson. We knew that that the decisions did not sit right under bankruptcy law. Claims under the bankruptcy code include debt subject to defenses. The fact that a debt is subject to the defense of an expired limitations period doesn’t mean that the creditor no longer has a claim under bankruptcy law.

We thought maybe the theory would remain in the 11th Circuit, which covers Georgia, Florida, and Alabama, and wouldn’t expand to other parts of the country, but sure enough it did. Soon after, we had a case in the Third Circuit, Torres v. Cavalry, a case in the Fourth Circuit, Dubois v. Atlas, and several trial court level cases in the Fifth and Seventh Circuits. All of them involved these Crawford claims.

We successfully argued for a dismissal in the Torres case. Dubois went to the Fourth Circuit Court of Appeals which, in August of 2016, affirmed the decision of the bankruptcy court dismissing the claim. And in the Seventh Circuit—several Illinois bankruptcy courts also dismissed the claim, one of which was affirmed by the U.S. District Court.

I’m outside counsel to the Receivables Management Association, which is a trade organization of companies that are engaged in the purchase and collection of accounts receivable. Some of these companies are debt buying companies, which were mostly the targets of each of these complaints. They had asked us to look at this issue because of the work that we had done and the cases I mentioned.

Our firm filed an amicus for RMA in Midland v. Johnson. We thought we could add to the excellent work that Midland’s attorneys had done by addressing the issue of due process—an issue we had explored in one of the Illinois cases. Essentially, in a Chapter 13 bankruptcy filing, due process can only be afforded to creditors holding claims is they are allowed to participate in the bankruptcy process by the filing of a proof of claim. I later had the pleasure of being at the Supreme Court to hear the oral argument.

You also give many webinars. What is the primary value of doing these?

Because I’m working across the country, we see a lot of trends. One of the early webinars we gave was on Crawford. We talked about Crawford soon after it came down and said that there’s a possibility this could spread throughout the United States. We offered insights so that others could defend these cases. Both plaintiffs and defense counsel participate in our webinars. It’s not a lecture, but rather a discussion of the issues.

I work a lot with the ABA and produce presentations and sometimes webinars, and various other organizations ask us to do the same.

You give many speeches. If you could pick any topic to talk about what would it be?

The one I enjoy the most is professional responsibility. Attorneys hold themselves to such a high standard of moral and professional responsibility. I don’t know of any other profession that goes as far as what is required of us. It lets the public know that attorneys strive not only do their best work for each of their clients, but also that our job is to protect the integrity of our legal system.

What advice would you give to a new attorney who’s just starting out?

Number one: spend your early years learning how the law developed. Learn procedure as well. Spend a lot of time not only reading the case law but understanding the how and why the common law, statutory law, and procedure developed.

In my first five years of practice, I spent an inordinate of amount of time learning not just what the law was but how the law got there. It’ll help you later on because as you continue in your career, it helps you understand the future development of the law.

Number two is to have peers and mentors. Certainly if you’re in a smaller firm you need to be part of the larger organizations. The ABA is prime example of that. When I first started out, my firm was small. Even our firm, though we have 30 attorneys, is still small compared to larger firms. The ABA’s Consumer Financial Services Committee is the preeminent spot for you to be. I’ve been a member since I began to practice, and so many of the leaders in that group, whether they realize it or not, were mentoring me. They were encouraging me to participate in presentations and in writing. The Consumer Financial Services Committee wants you to be involved. At the same time the people who go to the meetings are the people shaping consumer financial services law. You will not see that anywhere else. And it is also a unique setting, you have defense attorneys, plaintiff attorneys, general counsel, federal and state regulators, and enforcement attorneys all in one place.

I have personally benefited from these interactions. As a defense litigator, I often touch on so many areas of consumer financial services law, whether it be credit reporting, or debt collection or disclosures or privacy and now technology and payment systems. Because of this group, it allowed to me to explore the connections between the financial products and services from the creditors, regulators and consumer advocates perspectives, long before the products or services made their way to the public.

What do you do for fun?

I love to do things around the house. I do our yard work and landscaping and all of our handyman work. Anything that needs to be done around the house from plumbing to electrical to cutting the grass.

I’ve always loved taking pictures in different forms—sports photos, photos of the family, or our travels. Lately, I’ve been very interested in aerial photography. A lot of people call them drones but these drones have pretty sophisticated cameras attached to them. It enables you to get to locations that you typically wouldn’t or couldn’t go, and you can capture some beautiful landscapes. I also enjoy traveling with my wife and my two adult daughters.

Thank you so much!

Corporate lawyers rarely focus their practice on managing corporate records and the information, knowledge, and expertise that those records contain, but doing so can be enormously valuable to a corporate client. The question that corporate lawyers should be vitally interested in is why it matters to effectively manage corporate information, knowledge, and expertise. Lawyers who provide advice and counsel to corporate clients, even in specialty subjects such as security compliance, EEO, intellectual property, tax, or any other legal subject, should have some familiarity with the issues involved with that client’s records because they contain vital data, information, and knowledge that may be directly on point to their subject matter advice. The quality of that advice is directly dependent on the quality of the information, knowledge, and expertise in, or that should be in, the corporate records.

Managing corporate records might seem to the uninitiated to be a simple, straightforward matter, often the responsibility of file clerks who pay little or no attention to the content of those records. Managing the data, information, and knowledge in corporate records is by far a quite complicated subject that must be the responsibility of critically thinking individuals who are familiar enough with corporate operations and the applicable law to be able to evaluate the quality and appropriateness of that data, information, and knowledge.

Corporate lawyers and those in private practice should be able to quickly and accurately answer such questions as “What is a corporate record?” and “How long must a particular corporate record be maintained in corporate files?” These are just two of the most fundamental questions with which corporate lawyers serving as professional record managers must be familiar and comfortable with answering because those answers absolutely govern the fate and longevity of the data, information, and knowledge the records contain. Fundamentally, the question is whether the quality of the information, knowledge, and expertise is as high as it possibly could be in terms of its accuracy, completeness, timeliness, and at least a dozen more factors that measure its quality.

Complicating the practice of corporate records management is the fact that today’s records no longer are pieces of paper in a physical file somewhere in the corporate facilities. For several decades now, many, if not most, corporate records involve technical electronic systems for their creation, transmission, storage, and maintenance. These technical electronic systems not only speed the creation and communication of corporate data, information, and knowledge, but also often frustrate their being quickly located, identified, and used for the purposes that corporate lawyers need to make of them. For these and many other reasons, attorneys who represent corporate clients and those in private practice must have enough familiarity with corporate records-management practices to be able to retrieve the data, information, and knowledge they need to ensure that their practices are providing the best legal advice possible. Furthermore, many lawyers might not realize that practicing corporate records management and providing legal services in this field can be a lucrative practice area.

Mismanagement of data, information, and knowledge can cause enormous legal liabilities, as recent corporate disasters have shown, and the Sarbanes-Oxley Act has tried to rectify some of these situations and prevent them happening in the future. Given the myriad of laws, regulations, and other requirements, corporate compliance is a tremendous legal challenge, but corporate counsel must go beyond mere compliance to understand how they might anticipate legal problems before they occur to avoid potential liabilities. Effective management of corporate information, knowledge, and expertise by experienced counsel will go a long way toward preventing legal and other corporate disasters that have taken so many companies to their graves.

As professionals responsible for managing the content of corporate records, attorneys must achieve various levels of understanding about the content of those records in order to be extraordinarily capable in their field. Attorneys must have the ability to:

• access the quality of the information, knowledge, and expertise in those records;
• know how to classify, i.e., determine the type of information, knowledge, and expertise that is in the record content;
• organize the records so that their information, knowledge, and expertise can be quickly found when needed;
• detect problems in the content and context of the information, knowledge, and expertise;
• develop solutions for the problems found in the information, knowledge, and expertise content or context;
• implement solutions to the problems found in the information, knowledge, and expertise content or context;
• assure that problems found in the information, knowledge, and expertise content or context do not reoccur; and
• educate firm members throughout the company so that problems found in record content or context are not repeated.

(Excerpted from the Preface to Designing an Effective Corporate Information, Knowledge Management, and Records Retention Compliance Program, 2016 Edition (Thomson Reuters 2016).)

In summary, lawyers serving both inside a corporation and in private practice with corporate clients should pay significantly more attention to the quality of the corporation’s information, knowledge, and expertise and should develop a program to systematically capture as much of the tacit information, knowledge, and expertise that should be in its records, but that walks out the company’s doors in the minds of its employees every night. Simply put, this article advocates that corporate counsel adopt a more inclusive strategic mindset to their corporate practices. To do this they should operate using an innovative strategy rather than a traditional one. The business universe, including the business of law practice, consists of two distinct types of operating space and strategies: traditional and innovative, with the latter devoting significant resources to corporate law practice that, to date, has not received the attention it deserves, which is managing the quality of its information, knowledge, and expertise:

To apply an innovative strategy: (1) never use the competition as a benchmark, but create a leap in value for both one’s practice and one’s clients; and (2) reduce the firm’s costs while also offering clients more value. Operating with an innovative strategy focusing on corporate information, knowledge, and expertise is an underserved and mostly ignored area in which lawyers can build a profitable practice with plenty of room to grow and, most critically, serve as an important leader to corporate clients.

The bottom line for attorneys responsible for managing the content of corporate records is that they must have a comprehensive understanding and appreciation for: (1) all the business operations and functions of the company; and (2) all the applicable and relevant laws and regulations that apply to his or her company. That is why those serving as counsel to corporate clients are uniquely qualified to take on this responsibility of managing corporate information, knowledge, and expertise and why attention to this subject must be included in those lawyers’ responsibilities.

In 2017, The Business Lawyer published a landmark report titled “Defining Key Competencies for Business Lawyers,” which was prepared by a task force that the ABA Business Law Section’s Business Law Education Committee created in 2013. The task force, drawing on the framework of the MacCrate Report, but with a focus on business lawyer competencies, directed the report toward faculty and students in law schools and business law practitioners. Barbara Wagner deserves special praise for serving as the primary author of this report, which provides valuable guidance for law school curriculum committees and for practitioners tasked with creating training and development opportunities.

The task force, recognizing that the list of competencies might be modified in the future, invited comments on the report. One aspect of the report that the task force might want to address is the minimal discussion of competencies relating to the leadership role played by business lawyers. The report does include specific skills relating to leadership that are inherent in a business lawyer’s work, such as problem solving, critical thinking, and communication, and in a section that extends beyond the MacCrate framework, the report lists people skills and other behavioral competencies of business lawyers.

However, the report is quiescent when discussing broader leadership competencies. These competencies include thinking strategically about how a lawyer’s risk-management skills relate to the value-creation focus of business strategy, motivating others in an organization, leading change management, developing a leadership vision, building social capital, and building a team.

When covering the business knowledge that a lawyer should possess, the report discusses topics such as finance, accounting, supply chain, marketing, and a “facility with numbers.” Although this business knowledge certainly is useful, there is little mention of broader leadership competencies. In its over 26,000 words, the report (according to my keyboard’s “Find” function) includes the word “strategy” in only four sentences—two dealing with transactional strategy and two dealing with factual investigations. The word “team” is mentioned only once, and the words “leader,” “leadership,” and “vision” do not appear in the report. Concepts relating to motivating others within an organization, change management, and social capital are also missing. Although the report does discuss the important competency of adding value to a deal, it ignores the lawyer’s broader role in developing value-creating business strategies.

These omissions are unfortunate from both practitioner and academic perspectives. From a practitioner perspective, the percentage of lawyers in CEO positions has declined over the past century. A 2016 article titled “Who Let the Lawyers Out” in the University of Pennsylvania Journal of Business Law notes that, prior to 1930, over 75 percent of American CEOs had a legal education; by 2012 this figure had dropped to nine percent according to U.S. News & World Report.

The tide might be turning. A 2013 ACC/Georgetown study concludes that the value of strategic input from general counsel will increase in the future. This is an important shift from the traditional management assumption that law is merely a cost center. When the Directors Roundtable honored Lori Schechter in 2016 for her work as general counsel of McKesson Corporation, her remarks reflect this new direction. In her words, the way to “get a seat at the table” is “a combination of not just being the naysayer or the person looking at the risk issues, but also being the person that’s helping to create the value.”

From an academic perspective, the opening lines of an article in the Winter 2017 issue of the Journal of Law, Business & Ethics note the lack of leadership education in law schools: “In the recent experience of this recent law school graduate, I observe a lack of appreciation that leadership, in legal education or the profession, is vital to wellbeing. There is utility in educating law students about leadership as an essential or core competency for ethical engagement and success as a lawyer.”

Law schools have abundant opportunities to include leadership education and strategic thinking in the curriculum. For example, the required course on contracts could cover strategies to increase the value-creating function of a contract as a business tool as well as a legal document. The required course on torts could explore value-creating aspects of tort law, such as the use of product liability prevention processes to identify new product opportunities. In addition, a third-year capstone course on, say, “law and leadership” could aggregate learning from the required law school courses using the lens of value-creating legal strategies, just as final-semester capstone business strategy courses in business schools combine elements from business school core courses on finance, marketing, operations, and management.

This article focuses on a key aspect of a business lawyer’s leadership role—the ability to provide strategic input into management decisions. The Harvard Business School’s required course on leadership provides a useful framework for academics and practitioners interested in this element of leadership. The course utilizes a three-part model—based on the intersection of economics, law, and ethics—that can be used to conceptualize a lawyer’s leadership role in the development and implementation of business strategy.

The following sections, adapted from Chapter 1 of The Three Pillar Model for Business Decisions: Strategy, Law & Ethics (Van Rye Publishing, 2016), apply the Harvard model to the work of a business lawyer. The first section covers the triadic framework used in the course. The second section recommends an expansion of the model by replacing economics with strategy. The third section identifies a key challenge in using the model—the gap between the value-creation orientation of strategy and the risk-management focus of law. The fourth section suggests an approach for closing the gap. The article concludes with practical examples that illustrate the important role that law can play in value creation.

The Harvard Leadership Course

Academics Timothy Fort of Indiana University, Archie Carroll of the University of Georgia, and Mark Schwartz of York University have developed theoretical models of business decision making based on economics, law, and ethics. The clearest practical application of these models originated at Harvard Business School (HBS). I first encountered this application in 1998 when I was a visiting professor of business administration at Harvard and served on the teaching committee for a module called “Leadership, Values and Decision Making” that was taught to all MBA students. This module later morphed into the current required HBS leadership course, “Leadership and Corporate Accountability” (LCA). Professor Lynn Sharp Paine, former senior associate dean at HBS, described the practical nature of the course in Datar et al., Rethinking the MBA: “We are training future practitioners. . . . We focus not on rare events or abstract issues in moral philosophy, but on decisions that students will have to make in their careers.”

LCA focuses on the three key elements that form the foundation for decision-making in business—economics, law, and ethics. The 2011 online version of the course syllabus describes the three categories of a business leader’s responsibilities as: “. . . economic, legal, and ethical. Economic responsibilities relate to resource allocation and wealth creation; legal responsibilities flow from formal laws and regulations; and ethical responsibilities have to do with basic principles and standards of conduct.”

The course is especially challenging and important because it takes future leaders into what the syllabus calls the “grey areas” of business. The analytical perspectives of the economics, law, and ethics triad, a staple of everyday business decision making, shape these real-world challenges. The following diagram from a course overview that students receive at the beginning of LCA depicts the overlap of the three perspectives. As the course overview notes, “The basic idea is that outstanding managers develop plans of action that fall in the ‘sweet spot’ at the intersection of their economic, legal, and ethical responsibilities.”

The course guide for instructors elaborates on this sweet spot, which is also described as the “zone of sustainability”:

Actions and strategies that fall inside this zone tend to be acceptable to the firm’s constituencies and thus repeatable over time, while those that lie outside typically invite negative repercussions from injured, wronged, or otherwise disappointed parties. Actions outside the zone may even lead to the firm’s failure, especially if pursued at length.

The three dimensions of the Harvard model are also depicted in the form of the following decision tree, adapted from a diagram developed by Constance Bagley (a senior research scholar at Yale Law School). The original diagram appeared in a 2003 Harvard Business Review article titled “The Ethical Leader’s Decision Tree.”

The ideal decision-making path would follow the “Legal,” “Creates Value,” and “Ethical” branches, although in some cases another path might be justified. For example, business leaders might decide to take an action that benefits society even if it does not create economic value for shareholders.

Expanding the Harvard Model

The Harvard model provides a practical framework for making business decisions. However, expanding the economics perspective makes the model even more useful in business and other settings.

Candidates for this expansion include the seven core functions that are critical to business success: accounting, finance, legal, marketing, operations, human resources, and strategy. Of these functions, strategy is the most likely replacement for economics. Defined broadly, strategy involves establishing and achieving goals. In a business setting, strategy focuses on the goal of value creation for shareholders, which brings into play all functions and disciplines, including economics.

Strategy is also an attractive candidate because it is important in all organizations (including nonprofits that are not concerned with creating shareholder value) and in the political realm. On a personal level, the strategic ability to establish and achieve goals is also key to success. By replacing economics with strategy, the three dimensions of decision-making—the “three pillars” that are described in The Three Pillar Model for Business Decisions: Strategy, Law & Ethics—provide a framework that is appropriate for all forms of business, leadership, and personal decision-making.

In a business setting the key questions that decision makers should address are:

• Strategy Pillar: What is our value-creation goal and how do we intend to achieve it?
• Law Pillar: How can we manage the legal risks associated with our strategy?
• Ethics Pillar: Is our proposed strategic decision ethical?

The following diagram depicts the expanded version of the Harvard model in which economics is replaced by strategy:

The Gap between the Strategy Pillar and the Law Pillar

This revised model—with its sweet spot in the middle illustrating an overlap among the three pillars—might be more aspirational than descriptive. True, the overlap between the strategy pillar and the ethics pillar has increased in recent years, especially as more companies embrace corporate social responsibility. For example, the previously mentioned “Who Let the Lawyers Out” article notes that former Johnson & Johnson CEO Ralph Larson was asked whether he wanted the company “to maximize shareholder value or be a good corporate citizen.” He answered, “Yes.”

Law and ethics are even more intertwined than strategy and ethics. Legal doctrines such as fraud, unconscionability, good faith, and fiduciary duty provide solid guidelines for ethical conduct. Furthermore, company “codes of conduct” frequently blend law and ethics. Of course, when lawyers provide ethical leadership, their advice might extend beyond the law. In a talk at the Directors Roundtable, former Senior Vice President and General Counsel of General Electric Company Ben W. Heineman discussed the role of a lawyer-statesman:

It’s pretty simple. The first question is, “Is it legal?” And the last question [is], “Is it right?” Your job inside the corporation is to ask that “Is it right?” question insistently and to move way beyond legal issues to all the political, economic, and social impacts of what the corporation is doing. There are basically three roles for a lawyer: expert, counselor and leader. In basically asking that “Is it right?” question as a lawyer-statesman, you are acting in all three roles.

Although there is overlap between the other pillars, a gap often exists between the strategy pillar and the law pillar. For example, with the exception of a PESTLE analysis (that examines Political, Economic, Social, Technological, Legal, and Environmental factors), the multitude of strategy concepts and frameworks that have developed over the years generally overlook the importance of law. As a result, in reality the model looks more like this.

The gap between strategy and law results in large part from the key role business lawyers play in managing risk, a role that often bridles a business decision-maker’s enthusiasm for certain value-creation strategies. As the task force report explains, lawyers analyzing a proposed transaction must put themselves “in the shoes of someone attacking the plan.” Business lawyers often need what the ACC/Georgetown study calls “managerial courage” when providing the independent professional advice this risk-management role requires: “Managerial courage is about the willingness and ability to speak up and represent the organization and act in its best interest, even when it feels uncomfortable or may reflect poorly on colleagues.”

This risk-management role is increasingly important, given that surveys indicate that law has emerged as the most important category of business risk. For example, the 2015 Travelers Business Risk Index was developed from a survey of more than 1,200 business risk managers representing 10 industries. The survey questioned managers about their greatest risk concerns among several categories, including financial, operational, and legal risk. Only two categories—“Legal Liability” and “Medical Cost Inflation”—were included in the top ten risks for every industry. The top ten lists for nine of the 10 industries included another category of legal risk, “Complying with Laws.”

Closing the Gap between Strategy and Law

The gap between the strategy pillar and the law pillar is reminiscent of the “mind the gap” recording that warns travelers boarding London trains to be careful of the gap between the train and the platform. Although minding the gap—that is, understanding that the gap exists—is important, deciding what action to take after recognizing the gap is essential.

Companies that are successful in closing the gap have an opportunity to create competitive advantage over their rivals. Robert Bird, writing in the Connecticut Law Review (November 2011), notes that, when this happens, the competitive advantage can be sustainable. In other words, the sweet spot in decision-making that Harvard calls the zone of sustainability might more accurately be called the zone of sustainable competitive advantage.

Bird based his conclusion on a legal analysis using a resource-attribute framework that strategy professor Jay Barney developed. One takeaway from this analysis is that law’s complexity can create resources that, in Barney’s terminology, are imperfectly imitable by competitors. In other words, managers who are able to work with legal counsel to penetrate the veil of complexity that surrounds the law have an opportunity to create a sustainable competitive advantage.

Bird and coauthor David Orozco describe various pathways of corporate legal strategy in an article in the MIT Sloan Management Review (Fall 2014). They emphasize the need for “a fundamental change from managing risk to creating business opportunities” that requires business leaders to “regard the law as a key enabler of value creation.” The challenge for business leaders and their legal advisors in achieving this fundamental change is that the strategy pillar and the law pillar often operate as separate silos where key business questions are framed in terms of either shareholder value or risk management, either reward or risk.

At best, this parallel play is unfortunate as businesses miss opportunities to create value through synergies between strategy and law. At worst, the silo mentality is destructive when it creates a conflict between the strategy pillar and the law pillar—e.g., when a risk-averse approach results in an overly legalistic contract that hinders a business opportunity. In the previously-mentioned “Who Let the Lawyers Out” article, PepsiCo CEO Indra Nooyi commented on the combination of a perfect contract with a flawed business deal: “We cannot afford this separation of church and state.”

This silo mentality might result in what decision researchers call frame blindness. Mental frames often are useful because they enable us to simplify the complexity in our lives so that we can make rational decisions. However, simplification can come at a cost. When we view the world through a particular window (from the perspective of either the strategy pillar or the law pillar, for example), we see only part of the landscape. As noted in the 1990 book Decision Traps, narrowing the scope of our vision causes us to become susceptible to frame blindness—much like the blind spot on the side-view mirrors of a car. By failing to consider the big picture, we might miss the best options when making decisions.

For example, I assign an exercise in which graduate students and executives (including lawyers) play the role of a C-suite executive considering the advice of legal counsel in deciding whether to accept a settlement offer from the opposing side in a lawsuit. Almost everyone exhibits frame blindness by concentrating on the legal issues raised in the case. In so doing, they overlook fundamental financial and strategic concerns, such as the net present value of a victory in court, opportunity costs, and the possibility of creating a joint venture with the other side.

To close the gap between strategy and law, business leaders and legal counsel should attempt to reduce frame blindness by reframing the shareholder value orientation that characterizes the strategy pillar of decision making and the risk-management orientation that dominates the law pillar. A big-picture mindset can be useful in the reframing process. In his 1993 negotiation book, Getting Past No, William Ury uses the phrase “going to the balcony” as a metaphor to describe the mental detachment that often is necessary to create this mindset. From their balcony vantage point, business leaders and legal counsel have an opportunity to gain a broad perspective that allows them to see the entire playing field without the blind spots that hinder sound decision making when they operate within their separate silos.

When observing the playing field, they should take special note of the key stakeholders (in addition to shareholders) who impact business success. Which stakeholders have the greatest effect on a company’s economic value? A 2011 McKinsey survey that posed this question produced responses from 1,396 executives worldwide. Respondents were allowed to select multiple responses from a list of stakeholders. Three-quarters of the executives felt that customers had the greatest effect on economic value. The other main categories were government/regulators (53 percent), employees (49 percent), and investors (28 percent).

Just as the most successful negotiators have the ability to look at deals from the opposing side’s perspective, business leaders and legal counsel should take into account the interests of all stakeholders affected by their decisions, not just shareholder interests. What are these stakeholder interests? How can these interests be linked to company interests to create mutual gains that benefit all parties?

By addressing these questions, decision makers can move beyond the frame blindness of the strategy and law silos toward a joint stakeholder interest mindset. This new mindset can create an intersection between the strategy pillar and the law pillar that has the potential to create competitive advantage while also benefitting stakeholders, as illustrated by the examples below.

Moving beyond frame blindness is consistent with the Proactive Law Movement in Europe. Under the leadership of Helena Haapio, an international contract counsel for Lexpert, Ltd., this movement focuses on using the law not only to manage risk, but also to create value and strengthen relationships. The Proactive Law Movement emphasizes collaboration between lawyers and various business functions.

Michael Porter and Mark Kramer, in “Creating Shareholde Value” published in the Harvard Business Review in 2011, also advocate, in part, a management philosophy similar to a stakeholder interest mindset. They redefine the purpose of the corporation as “creating shared value, not just profit per se.” However, their shared-value philosophy focuses primarily on one stakeholder—society. In their words, the principle of shared value “involves creating economic value in a way that also creates value for society by addressing its needs and challenges.” A stakeholder interest mindset of the type advocated here, in contrast, searches for value-creating opportunities for all stakeholders identified in the McKinsey survey—customers, the government, employees, and investors.

Conclusion

To summarize, the three pillars provide a framework for making business decisions. The gap between the strategy pillar and the law pillar represents a major challenge in using this framework. By closing this gap, business decision makers can create a sweet spot at the intersection of the three pillars—a zone of sustainable competitive advantage.

Business leaders and legal counsel should ascend the balcony to reframe decisions relating to creating shareholder value (the strategy pillar) and managing risk (the law pillar). During the reframing process, they should identify and consider all stakeholder interests when developing opportunities for value creation.

The Three Pillar Model for Business Decisions: Strategy, Law & Ethics provides many practical illustrations of the benefits that arise from closing the gap between the strategy pillar and the law pillar. Here are some examples relating to specific stakeholders:

• Customers: Use product liability prevention processes as a source of new product development to meet customer needs.
• Employees: Use employment law to attract and retain the best business talent.
• Government: Use government regulation to develop new business models through disruptive innovation and a regulatory gap strategy.
• Investors: Use an intellectual property management plan to create shareholder value.
• A variety of stakeholders: Use lean contracting and contract visualization to develop contracts that are useful business tools and use dispute-resolution processes for value creation.

Closing the gap also enables lawyers to meet their ethical leadership responsibilities. Through the stakeholder-interest mindset, they can encourage management to make decisions that are aligned with the codex developed by Professor Paine and others—a list of eight, key ethical principles based on legal requirements and codes of conduct used by the world’s largest companies.

A legal director at Royal Dutch Shell told this story during a Law Society speech in London:

Two young fish swim along and happen to meet an older fish swimming the other way, who nods at them and says, “Morning, boys. How’s the water?” The two young fish swim on for a bit until, eventually, one of them looks over at the other and [says], “What the hell is water?” Like water, law is around us—everywhere. It affects everything a company does. But somehow you can’t see it, at least not on the surface.

Business leaders often do not understand how and why law, like the water that surrounds a fish, touches all company activities. By closing the gap between the strategy pillar and the law pillar, lawyers can show these leaders that, in addition to its traditional risk-management function, law is an important factor in the creation of value that will result in sustainable competitive advantage.

The Shareholder Agreement—Overlooked, Underestimated

It’s an exciting time for a client when a venture capital investor (VC) comes onto the scene. Company founders work hard to find financing. When big money and an attractive valuation are proposed, it’s hard for them not to get caught up in the moment. But financing always comes with strings attached. Clients need to be aware. Show me the money! (But give me a reasonable shareholder agreement too.)

“Investor Rights Agreement,” “Right of First Refusal and Co-Sale Agreement,” the simple “Side Letter” are all different varieties of shareholder agreements. Whatever the shape and size, a shareholder agreement can contain a broad variety of potential tricks and traps.

Term sheets for VC investments usually outline all of the major terms that will be contained in the investment documents, including the shareholder agreement. In a perfect world, where clients consult their attorneys before making big decisions (and listen to the offered advice, and send holiday candies…), lawyers get a copy of the term sheet in advance and have a chance to walk their clients through all of the provisions and implications. In the real world, clients often review the $X investment amount on line one, the $Y valuation amount on line two, and the signature block on page ten, and then send the executed copy to their lawyer. Condition your client in advance! When you catch the slightest whiff of a financing in the air, be relentless in making the point: no signature on the term sheet until we understand the shareholder agreement!

The ultimate purpose of a shareholder agreement is to provide a VC with rights above and beyond what it would have simply by virtue of its overall percentage ownership of the company. The main issues addressed in a shareholder agreement are: (1) ownership (restrictions on share transfers); (2) conduct of business (board composition and consent rights); and (3) exit (drag-along rights).

Steering Clear of “That Guy”

VCs want to know who they are getting in bed with (who wouldn’t!) and be sure that company ownership cannot substantially change without their consent. Founders and other key shareholders almost always have to accept some restrictions on transfer. The questions are, how tight are the restrictions and to whom do they apply?

Carve-outs permitting transfers to trusts and estate-planning vehicles are common and, if important to a founder, should be demanded. Who should be restricted is complicated, and sometimes contentious. Restrictions can take the form of outright prohibitions on transfer, right of first offer/right of first refusal provisions that permit transfers, but only after the VCs or other shareholders are first given the right to buy the shares, or both. There is an inherent tension between, on the one hand, founders and the company (who collectively want tight control in anticipation of a financing) and, on the other hand, common shareholders who are not founders, but may hold some substantial portion of shares (who often feel like they should not be subject to transfer restrictions). Not anticipating these dynamics in advance of a financing can result in giving inadvertent leverage to individual shareholders at the very moment when having a united front is most important. Internal shareholder relations are in the same category as corporate housekeeping matters and general skeletons in the closet—things that need to be tidied up and addressed proactively in advance, not ignored until VCs start asking their inevitable due diligence questions.

Hey Man, We’re Trying to Run a Business Here!

VCs always require some level of control over the company, even when they hold less than a majority of shares. Control comes in the form of the right to appoint board members and the right to veto certain specified actions. The balance to be struck in the shareholder agreement is for the VC to have enough control to protect its investment while not stifling the company’s agility in an ever-changing business environment. When founders and VCs see eye-to-eye (typically at the moment of funding), everything is great. But when visions start to diverge (usually when business is not growing as planned) the specific wording in the dusty, long-forgotten shareholder agreement becomes front and center. Founders should negotiate these provisions with the worst case scenario in mind, and be confident that they could effectively run the business if the VC exercised every veto right possible, and the VC director opposed every suggested initiative.

Running for the Exits

Drag-along rights allow a VC to force other shareholders to sell their stock when the VC finds a buyer. The critical component of a drag-along right is the threshold price above which a shareholder must sell. While the interests of shareholders of all classes are usually aligned when the sale price is high, interests start to diverge when the sale price is lower (when it becomes more likely that, after paying the preference on the VC’s preferred shares, little or nothing will be left over for the common shareholders). Here again, founders need to assume a gloomy scenario when agreeing to terms. Nobody reads a shareholder agreement during a blockbuster sale. But they revisit every page when the deal is not so good.

Pay Attention; Read the Shareholder Agreement

There is more to a VC investment than money and valuation! Shareholder agreements give VCs extensive rights, far beyond the economics reflected in a company’s charter. Lawyers should, in their usual buzzkill lawyerly way, force their clients to slow down and think about how restrictive shareholder agreement covenants will feel during the lean times, even when the lush times (the funding wire transfer!) are close at hand. Reading the fine print, and understanding the nuances and dynamics, is critical. Recite these mantras until your clients know them cold: don’t sign a term sheet without counsel; read the shareholder agreement slowly; read it to the end; read it again. Negotiate a solid shareholder agreement on behalf of your client. If everything goes well, you’ll never read it again. And if not, you’ll be glad you did.

Introduction

“The loss of industrial information and intellectual property through cyber espionage constitutes the ‘greatest transfer of wealth in history,’” said Gen. Keith Alexander—at the time, the nation’s top cyber warrior.

In recent years, the problem of countries, companies, and individuals misappropriating the trade secrets of U.S. companies has only become bigger, more insidious, and more expensive to address, and lawyers and business executives have no choice but to deal with this increasingly complex problem. According to the U.S. Department of Commerce, intellectual property (IP) accounted for $5.06 trillion in value added, or 34.8 percent of U.S. GDP in 2010. IP alone accounts for over 40 million U.S. jobs and over 60 percent of all U.S. exports. U.S. companies have a lot to lose.

Economic espionage (sometimes called industrial espionage) is a major drain on competitive advantage, unique IP, and market share. Not only are U.S. companies directly hurt by the theft of their IP, but they may end up competing against their own technology advanced by the IP thief. Susan Brewer & Anthony Crescenzi, State-Sponsored Crime: The Futility of the Economic Espionage Act, Hous. J. of Int’l L. (Summer 2016). For example, “American oil and gas firms are frequently targeted and subject to theft of trade secret, business plans, exploration bids and geological data.” Blake Clayton & Adam Segal, Addressing Cyber Threats to Oil and Gas Suppliers, Council on Foreign Relations (June 2013).

Economic espionage is not new. What is new is the way IP is stolen. Cyber attacks are the most used method that other nations, companies, and criminals employ to root out and steal your IP and other valuable or sensitive information. It is our increased dependency on IT systems and networks that creates vulnerabilities, even though there are such obvious benefits and uses to them.

In May 2013, the Commission on the Theft of American Intellectual Property released a report that concluded that the scale of international theft of American intellectual property is . . . roughly $300 billion per year and 2.1 million additional jobs now in our economy. While China is not the only actor targeting U.S. IP and technology, it is the only nation that considers acquiring foreign science and technology a national growth strategy.

U.S. Congressional Committee on Energy and Commerce Hearing, Cyber Espionage and the Theft of U.S. Intellectual Property and Technology (July 3, 2013). So, depending on how you calculate the impact of economic espionage to U.S. businesses, it can mean a loss of roughly a billion dollars a day or more.

Did the September Agreement between China and the United States Address the Problem?

By some accounts, U.S. cyber espionage concerns subsided on September 25, 2015, when China unexpectedly agreed with the United States (and, later, other countries) to refrain from cyber economic espionage. It remains to be seen whether China ceases its governmental involvement in cyber economic espionage, although there is good reason to be skeptical. The “understanding” did not cover other forms of economic espionage, only the cyber variety. According to Reuters:

There were clear limits to Friday’s deal. A White House statement said the two leaders agreed that neither government would knowingly support cyber theft of corporate secrets or business information. But the agreement stopped short of any promise to refrain from traditional government-to-government cyber spying for intelligence purposes. That could include the massive hack of the federal government’s personnel office this year that compromised the data of more than 20 million people. U.S. officials have traced that back to China, but have not said whether they believe the government was responsible.

Given the increasing complexity of the way cyber attacks are carried out and the challenges of attribution or “pinning” an information heist on one person or organization, perhaps the Chinese merely were placating the United States. In other words, the Chinese can say they will cease cyber economic espionage because verification of the true identity of the thief is nearly impossible. Thus, it is difficult to know exactly whether anything really has changed.

Furthermore, as reported by the FBI in April of 2016, the “FBI’s number of investigations into possible economic espionage on U.S. businesses has increased by 53% within the past year.” Although the list of Justice Department cases do not differentiate between cyber and in-person theft, the list of active criminal cases involving trade secret theft is sizable.

Going Public May Be the Law, but It Does Not Look Good

Sizing up the problem is further compounded by the fact that, although reporting requirements mandate the disclosure of events that have a material impact to a publicly traded company, there are strong disincentives to disclose a successful IP theft. Not only does such a theft raise questions about management not doing its job or IT leadership failing to keep the bad guys out, but it also tells other bad guys that your company has inadequate security and could invite further cyber attacks.

On December 18, 2015, the Cyber Information Sharing Act became law. The law was designed to create a voluntary cybersecurity information sharing process to encourage public and private entities to share cyber threat information while protecting classified information, intelligence sources, privacy, and more.

It remains to be seen whether the law will address the reluctance of companies to come forward.

The Law Cannot Really Solve the Problem

In-house lawyers play several roles that can help mitigate the effect of economic espionage on their individual company. From negotiating better security software agreements, to legally protecting IT, to aggressively going after IP thieves, lawyers increasingly play an important role. For the most part, however, lawmakers have been hamstrung in finding an effective legal solution to the theft of company trade secrets.

In this regard, it is important to differentiate between cyber economic espionage and in-person theft. In the case of cyber economic espionage, the “theft” is almost always done remotely and outside the United States by operators that go to great lengths to obfuscate their identity and whereabouts.

The issue is so great that new laws are needed to stem the flow of U.S. ingenuity. For example, the Cyber Economic Espionage Accountability Act was proposed to take aim at foreigners present in the United States and stealing IP.

Although the Economic Espionage Act of 1996 (EEA), 18 U.S.C. § 1832, is the major criminal law on which perpetrators of economic espionage are prosecuted, it may be ripe for reworking. David P. Fidler, Economic Cyber Espionage and International Law: Controversies Involving Government Acquisition of Trade Secrets Through Cyber Technologies, 17 ASIL Insights 10 (Mar. 20, 2013). In U.S. v. Hanjuan Jin, the defendant was convicted of trade-secret theft, but was acquitted of charges under the EEA because there was insufficient evidence of the China connection.

Economic Espionage Act

The Economic Espionage Act details the legal framework for theft of trade secrets:

(a) Whoever, with intent to convert a trade secret, that is related to a product or service used in or intended for use in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will, injure any owner of that trade secret, knowingly—

(1) steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains such information;
(2) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys such information;
(3) receives, buys, or possesses such information, knowing the same to have been stolen or appropriated, obtained, or converted without authorization;
(4) attempts to commit any offense described in paragraphs (1) through (3); or
(5) conspires with one or more other persons to commit any offense described in paragraphs (1) through (3), and one or more of such persons do any act to effect the object of the conspiracy, shall, except as provided in subsection (b), be fined under this title or imprisoned not more than 10 years, or both.

(b) Any organization that commits any offense described in subsection (a) shall be fined not more than the greater of $5,000,000 or 3 times the value of the stolen trade secret to the organization, including expenses for research and design and other costs of reproducing the trade secret that the organization has thereby avoided.

There have been several convictions under the EEA, but the true effectiveness of the law as a deterrent is questionable. The EEA has already been amended to increase penalties from a conviction, but still it seems like a drop in the bucket given the volume of IP theft. The EEA may be more effective if amended to allow for a private right of action, letting companies sue for the harm caused from theft of their IP.

On the international stage, agreements, treaties, and organizations exist but may be of limited usefulness in addressing IP theft. For some countries, economic espionage is no different than regular espionage and is considered “fair game.” With few laws to convict the criminals and many practical limitations, understanding how trade-secret crimes are perpetrated today may make more sense to preempt or mitigate harm or to protect your company’s information crown jewels before the theft has transpired than expecting real economic redress through any legal channels.

10 Shocking Ways They Are Stealing Your IP and Corporate Mojo

The world of economic espionage has become rather sophisticated, and in-person theft is very different than cyber theft. When your corporate value may be in jeopardy, it is prudent to assess the risk and attempt to mitigate the issues that create the greatest risk. For example, if your organization needs engineers and hires from abroad, conducting deep background checks, and even hiring judiciously from countries that pose the greatest risk, are prudent courses of action.

If the cyber assault on your IT infrastructure suggests that the bad actors are state entities trying to exploit a weak perimeter, different fixes are needed. In that regard, IT security, although good, will never keep out all the bad actors all of the time. No matter how much money and effort you exert to solve the problem, if they want it badly enough, the cyber thieves will find a way.

What follows are the things that your company is doing wrong and the frankly shocking and brazen nature of how your people and systems are assaulted

1. The Internet of Things (IoT) Is Awesome and Scary

The IoT involves smart devices (i.e., devices embedded with software and sensors such as copiers, medical devices, refrigerators, sports monitors, TVs, cars, music devices, etc.) that are connected to the Internet and collect and transmit information, sometimes without your knowledge. They continue to make everything interconnected and accessible, but often have limited security, making your information even more vulnerable to cyber attacks, and making it harder to calculate risk.

The prediction is an explosion of IoT and smarter and more connected devices over the next decade, which does not bode well for stemming the tide of theft of trade secrets. In other words, the IoT may be a way your trade secrets are exposed, exploited, and exfiltrated.

2. Economic Espionage as a Service

You can buy almost anything on the “dark web” that you cannot buy on the mainstream web, such as stolen credit-card numbers, stolen IP, and even IP thieves themselves. “Economic espionage attacks can be aided by espionage-as-a-service offerings that are readily available in cybercriminal underground forums and markets and the Deep Web. Attackers can easily buy the tools they need to spy on and exfiltrate highly confidential corporate data or “company crown jewels” from rivals. They can even hire hackers to do the actual spying for them,” according to Trend Micro.

In addition to state actors, IP theft is now increasingly perpetrated by sophisticated cyber mercenaries. Lawyers can help address the new threats by ensuring that heightened security functionality is part of new technology purchases when negotiating contracts on behalf of their company, mandating that company information is stored only in hyper-secure, compliance-driven Clouds, and that policy dictates that information is encrypted when “inflight” or “at rest.”

3. Beware of the Never-Ending Assault of Malware

Malware is malicious software that seeks to get in and grab data, spy, lie in wait to do something nefarious in the future, disrupt IT, and more. Although there are sophisticated attacks on IT security systems, many cyber attacks are successful because they bombard organizations with thousands, or even millions, of cyber assaults just to find a way into company computers. There are endless examples of hacks on U.S. companies that have caused major harm. Persistence combined with greater sophistication means cyber attacks will continue seemingly unabated.

What lawyers can do is help IT professionals combat persistence with compliance. Compliance methodology must be applied to IT and information-security policies and practices. Compliance methodology tends to institutional vigilance and “good” corporate behavior, which helps employees get it right and helps insulate the company if all else fails, as the built-in rigor manifests reasonableness. In other words, the company cares and tries, and institutionalized caring matters to shareholders, markets, the court of public opinion, courts, regulators, and the bottom line. Randolph Kahn, Information Nation: Seven Keys to Information Management Compliance Second Edition (Wiley Press, 2009).

4. Grabbing Treasure Troves Undetected Has Become Easier

More and more data fits in smaller storage devices, which makes stealing more and more valuable data that much easier. Further, sending the information outside the firewall via e-mail and the IoT has been effective as well. The CIA and NSA hacks are just recent examples. Organizations are not “risk profiling” their information so that they can apply the necessary protections. The fact is that not all information is equal in value, and organizations are woefully negligent at managing to that reality. The problem is that, as information volumes increase (and they are already massive for most big companies), being vigilant about everything is impractical.

Most companies have policies that require encryption of company trade-secret information and protection of any confidential information sent outside the protected firewall. Too often, however, information travels freely without any protection or encryption outside the company. In other words, policies are not followed, which leads to exposed IP.

However, the place to start to address the issue is knowing which information deserves protection. Large companies usually have information-security classification regimes that are underutilized or improperly utilized by employees, and technology that can apply the rules “automatically” too often is not harnessed either. To protect information and IP, it must be classified as a trade secret. In any event, the law requires that reasonable steps be taken to protect IP if you want to be able to assert your legal rights, and that begins with classification as well.

Lawyers can help reinvigorate classification regimes, simplify and redraft existing classification policies, and insist on the use of encryption technology. Once again, compliance methodology can help institutionalize vigilance.

5. Demanding Code and Information and Exploiting Legally Mandated “Backdoors”

One way some countries are gaining access to U.S. IP is by requiring the transfer of your company’s information (i.e., trade secrets), including computer code, to be allowed to do business in their country. Indeed, some countries even legislate the result, according to the World Economic Forum, which stated that “China, for instance, has joined Russia in tightening the requirements placed on foreign companies to store information within national borders.”

Another way IP is extracted is by providing access to IP and computer code through “backdoors” to encryption technology. In other words, the locked door protecting your trade secrets is now unlocked. From the hearing before the U.S.-China Economic and Security Review Commission: “Recently the government in Beijing has proposed a series of regulatory provisions that would require U.S. tech companies and their foreign customers, especially financial institutions and banks, to turn over source code and encryption software, effectively creating backdoor entry points into otherwise secure networks, all being done, of course, under the guise of cybersecurity.”

Before sharing a company’s secret sauce, its lawyers must advise their clients on how to proceed, if at all, with maximum protections in place.

6. Cyber Thieves Are Successfully Exploiting Laziness and the Lack of Understanding

The Office of Personnel Management (OPM) hack and so many others were successful because proper authentication to gain access is not effectuated. Many cyber hackers are successful because IT security is unimpressive at best. That is the reality, in part because there is a misunderstanding of how to keep cyber hackers away from your data, as well as a lack of vigilance in doing it. One easy solution to secure important information is to use better authentication techniques.

Two-factor authentication is the very least your company should be using. Passwords alone are not sufficient, as real hackers have technology that will crack your password in no time. Good passwords today are about concepts or ideas, not words. So instead of using “Fluffy123,” the better password is “MyLastDogAte5Shoes.” Still, that is only the first layer and not enough by itself. Every archive containing company “trade secrets” needs at least two-factor authentication, and there is confusion about what two- and three-factor authentication is, so the following is provided to clear it up:

• one-factor authentication is a unique something the employee knows, such as a strong password;
• two-factor authentication is the first factor plus something the employee possesses, such as a company ID card and security code, a security fob that generates a unique code, etc.;
• three-factor authentication adds to the above something the employee is, such as a voice scan, fingerprint, eye scan, etc.

Lawyers must revisit these information-security company policies and gather audit and compliance groups to focus greater scrutiny on how databases and repositories are managed. It may have prevented 20 million Americans from having their personal information stolen.

7. New Techniques and Never-Ending Attacks of Spear Phishing, Ransomware, and Zero-Day Malware Will Catch Someone Off-Guard

Cyber thieves are using more sophisticated ways to breach company security, including spear- phishing, ransomware, and zero-day malware attacks. Unlike phishing, which uses an e-mail and a malicious code attached from an organization with which you were not expecting to communicate, spear phishing is a communication from a trusted individual or organization and one with whom you are likely to engage. This far more targeted and sophisticated approach scams even technically sophisticated people. According to Trend Micro:

Using the intel gathered during reconnaissance, the attackers typically send contextually relevant malware-laden spear-phishing emails to the chosen high-ranking corporate official. This helps ensure they get the credentials with the highest level of access required to infiltrate systems where company crown jewels are stored. Network command and control (C&C) is then established aided by backdoors, remote access Trojans (RATs), or other malware. Attackers then move laterally across the network to seek out top-secret data. The data is then exfiltrated to a site that only the attackers have access to for selling to the highest bidders or delivery to the individual or company that hired them.

Ransomware is even more malicious. It is a special type of malware that secretly installs on a computer and then either holds data hostage, or is a sophisticated leakware that threatens to publish the data. It works by locking the system or even encrypting the files until a ransom is paid.

Finally, unlike in years past, organized entities are now seeking to harvest information or company trade secrets using zero-day malware that got its name because it is so new that no commercial anti-virus software exists yet to eradicate the harm.

8. Exploiting the Slow-Reacting Security Team

The hack of OPM, which has been linked to China, is a perfect example of breaching security and trolling for information. In that case, the bad guys made off with the most extensive collection of personal information about U.S. government employees, past and present, ever.

Shockingly, the OPM IT security team had watched and monitored the bad guys moving throughout their IT systems for months before the information was extracted. Had the IT staff reacted in a timely manner, they likely would have been able to protect the trove of information that ultimately was stolen.

Assuming the bad guys will get in from time to time, it is worthwhile walling off data and setting up “honey pots” in your archives. Honey pots are information troves marked “M&A targets,” “products specs,” or other valuable targets to attract the criminals to a specific location. That misinformation sends the bad guys in the wrong direction.

Lawyers can help customize the honey pots to deal with the various possible assaults on select pools of data depending upon the target country of the thieves, given that certain countries are after money and pricing information, while others are after M&A targets and product designs.

9. Exploiting Your Relationships and Joint Ventures

During negotiations between Westinghouse Electric and a Chinese state-owned nuclear power company, the companies began to cooperate more closely, and the Chinese partner “stole from Westinghouse’s computers, among other things, proprietary and confidential technical and design specifications for pipes, pipe supports, and pipe routing within the nuclear power plants that Westinghouse was contracted to build, as well as internal Westinghouse communications concerning the company’s strategy for doing business,” according to the Wang Dong Indictment.

For all relationships with partners doing business outside the United States, local lawyers will be essential to guide the transaction. Equally as important is limiting access to trade secrets and IP not part of the transactions. That may mean limiting access to facilities and systems where such information is housed, and having strict rules ironed out about who gets access to what information. If cloud-based collaboration tools are used to work on the partnership, more strict rules about what can and cannot be stored and shared in such environments is essential.

Make sure that your IP stays in the United States if possible. If you must bring your IP, make sure there are agreements in place for every eventuality, understanding that such measures still may not be enough protection. Perhaps more importantly is the need to control access to your information and to limit the number of people that have access.

There have been many cases where a “partner” is manufacturing in China and uses the U.S. company’s molds or designs. If there is no agreement governing the molds or designs, and what happens when the relationship ends, then it is quite possible that the Chinese partner will retain the molds or designs and use the same for their own benefit. Even if you have an agreement governing what happens when the relationship is over, they may still steal your molds and designs to work against you.

10. They Are Getting Information from Your Workforce or Your Recruiter

IP is being stolen by competitors or foreign entities hiring operatives who may work at your business for years or even decades. Monitoring and auditing information transmissions and extreme vetting must be utilized to mitigate this risk.

Even more troubling is the recent revelation that the Chinese have begun U.S.-based recruitment and headhunting firms that appear perfectly legitimate, but really are placing “operatives” at U.S. businesses that have IP deemed strategically important to China. Further, according to the FBI, job advertisements are posted online by those intent on stealing IP to attract employees.

Conclusion

Economic espionage from abroad is a significant and growing concern. Cyber attacks are becoming more challenging to combat and, in conjunction with traditional physical stealing of trade secrets, poses a large existential threat to American businesses, the economy, and security.

In the United States, officials are pursuing an enhanced and comprehensive strategy to attempt to counter economic espionage and IP theft in general. Many agencies, including law enforcement, are focused on the problem, and it is a top priority for the FBI. In the end, however, self-help likely is U.S. companies most prudent avenue. In that regard, lawyers play a unique and important role: negotiator, risk manager, creative drafter, and hopefully not litigator. At about a billion dollars a day of U.S. IP theft, however, U.S. companies have much to lose, and they are continuing to lose.

Predispute consumer arbitration has sparked energetic debate and sharp divides over the utility of the class action versus the utility of individual arbitration. Thus far, the U.S. Supreme Court’s jurisprudence has given a “thumbs up” approach to predispute consumer arbitration waivers, which almost always include a class waiver agreement. In AT&T Mobility LLC v. Concepcion, 563 U. S. 333, 347–48 (2011), the Supreme Court implicitly approved predispute class-action waivers, when it held that the Federal Arbitration Act (FAA) preempted California state law, which tended to hold such agreements unconscionable in consumer cases. Then in American Express Company v. Italian Colors Restaurant, 133 S. Ct. 2304, 2309 (2013), the Court rejected the argument that aggregate, or class litigation, is necessary to preserve the opportunity to vindicate low-value, statutory claims. Congress showed little interest in amending the FAA, even for consumer cases. It seemed that consumer arbitration was the “wild west” of the law, in that it was largely unregulated and could direct claims to the black hole of private dispute resolution.

The CFPB Proposes an Arbitration Prohibition

But then entered the Consumer Financial Protection Bureau (CFPB). In May 2016, the CFPB issued a proposed rule prohibiting predispute arbitration agreements in providing consumer financial services products. This rule would prohibit mandatory predispute arbitration agreements in consumer agreements for items such as checking or savings accounts, credit cards, student loans, payday loans, automobile leases, debt management services, some payment processing services, other types of consumer loans, prepaid cards, and consumer debt collection. The rule would also prohibit predispute arbitration agreements in connection with providing a consumer report or credit score to a consumer or referring applicants to creditors to whom requests for credit may be made.

Ironically, the CFPB chose to exclude the federal government, its affiliates, and state governments when providing consumer financial products or services, permitting the government to enter into private arbitration class waivers, whereas private industry cannot. The rule includes other exclusions, such as for brokers under the Securities and Exchange Commission (SEC).

The proposed rule prohibits covered providers from “rely[ing] in any way on a predispute arbitration agreement” in connection with “any aspect of a class action that is related to any of the consumer financial services or products” covered by the rule after the final rule’s effective date. The prohibition does not apply if the presiding court has ruled that the case may not proceed as a class action and the time for interlocutory appellate review has passed.

For consumer arbitration agreements entered into after the effective date, the proposed rule requires the following arbitration agreement language: “We agree that neither we nor anyone else will use this agreement to stop you from being part of a class action case in court. You may file a class action in court or you may be a member of a class action even if you do not file it.”

The effective compliance date will be 211 days after publication of the final rule in the Federal Register. The Dodd-Frank Act requires that any proposed rule apply only to agreements entered into 180 days after the rule’s effective date, which is proposed as 30 days.

The proposed rule also provides for certain reporting requirements of arbitration results to the CFPB for any consumer arbitration that does occur, presumably when the consumer elects to choose arbitration over class actions. The provider must report the initial claim and counterclaim, the arbitration agreement, the judgment or award, if any, and any communication received from an arbitrator or arbitral service regarding a provider’s failure to pay required fees or a finding that the arbitration agreement is out of compliance with the arbitral service’s fairness principles or due process rules.

In support of the rule, CFPB Director Cordray touted the benefits of the class action for consumers, claiming that consumer financial services “group lawsuits delivered, on average, about $220 million in payments to 6.8 million consumers per year.” But the CFPB’s decision to require class resolution as superior dispute resolution vehicle to individual arbitration is not necessarily supported by the findings of the CFPB’s empirical arbitration study. Why are the study results so important? The Dodd-Frank Act delegates rule-making authority on arbitration in consumer financial products and services to the CFPB, but any rules promulgated “must be consistent with the [arbitration] study.” 12 U.S.C. § 5518(b) (emphasis added).

The CFPB Ban on Class Arbitration Waivers—What’s Happening Now

As noted above, the CFPB published the proposed rule banning the use of class arbitration waivers in May 2016. The notice-and-comment period ended August 22, 2016. The CFPB was flooded with nearly 13,000 comments on the proposed rule, both in favor of the rule and against it. A number of consumer financial services representatives stated that the CFPB’s rule will effectively end the viability of consumer arbitration. Put simply, without the “carrot” of a class arbitration waiver, a company has no incentive to offer, much less to cover the costs of, individual consumer arbitration.

Prior to the presidential election, most folks thought the CFPB would publish the proposed rule rather quickly. Even after the election, many predicted that the CFPB would publish the final rule banning class waivers in consumer arbitration agreements before President Trump’s inauguration. As of the date of this article, the CFPB’s fall 2016 regulatory agenda identifies February 2017 as the target date for publication of the final arbitration rule. But surprisingly, the CFPB has not published a final rule yet.

There are a number of reasons the CFPB may delay publishing the final rule. First, one might expect any rule so blatantly antibusiness to draw the attention of President Trump, which could cause a flutter of tweets or other social media ire.

Second, the CFPB’s previously impervious structure is now in question. In October 2016, the U.S. Court of Appeals for the District of Columbia in PHH Corp. v. Consumer Financial Protection Bureau, 839 F.3d 1, 8–9 (D.C. Cir. Oct. 11, 2016), declared the directorship of the CFPB, set up to be unaccountable to the executive, unconstitutional. The D.C. Circuit analyzed the enormous power this single–director structure gave the CFPB:

The CFPB’s concentration of enormous executive power in a single, unaccountable, unchecked Director not only departs from settled historical practice, but also poses a far greater risk of arbitrary decision-making and abuse of power, and a far greater threat to individual liberty, than does a multi-member independent agency.

. . . 

This new agency, the CFPB, lacks that critical check and structural constitutional protection, yet wields vast power over the U.S. economy. So “this wolf comes as a wolf.”

Id. at *4 (quoting Morrison v. Olson, 487 U.S. 654, 699 (1988) (Scalia, J. dissenting)). The D.C. Circuit chose to remedy the CFPB’s structural flaw not by shutting down the CFPB, but by electing the narrower remedy of severing the “for-cause” director removal provision, making the CFPB director removable at the will of the president. The ramifications of this decision certainly affect the CFPB’s unwieldy power, but the extent of that weakening remains to be seen.

The D.C. Circuit granted the CFPB’s petition for rehearing en banc and vacated the panel’s opinion on February 16, 2017. The en banc court hearing will be held on May 24, 2017. This opinion will likely have a large effect on the scope of the CFPB, and current Director Cordray’s authority under this new administration. Even if the CFPB goes forward with the final rule, it is likely that it will face a slew of litigation from industry advocates who support consumer arbitration, which may deteriorate the effectiveness of the rule.

In the interim, to the extent the CFPB is reconsidering the effectiveness of this watershed anti-arbitration rule, it could revise the rule to still permit consumer arbitration to develop, but under a regulatory regime that is more pro-consumer. The CFPB arbitration study shows some defects in consumer arbitration in its current form, but it also highlights some major deficits in consumer class actions.

The CFPB Arbitration Study: What is Working In Consumer Arbitration, What is Not

In 2015, the CFPB finished its multiyear study of consumer financial arbitration before the American Arbitration Association (AAA) and of class actions based on consumer financial services. Although the CFPB states that the study shows “that class actions provide a more effective means for consumers to challenge problematic practices” by financial services companies, the results are not quite so conclusive. The Arbitration Report showed:

• Over the three-year period of 2010–2012, consumers filed an average of 411 claims for arbitration in consumer financial services products. This is abysmally low.
• Of the 1,060 arbitration filings studied, about 60 percent settled or ended in a manner consistent with settlement. Only 32 percent were resolved on the merits. This settlement figure suggests that some sort of resolution is being achieved prior to a merits decision in consumer arbitration.
• Consumers had access to attorneys. Counsel represented consumers in nearly 60 percent of the cases. Companies, of course, nearly always had counsel.
• It appears that attorneys with arbitration experience are representing these consumers. Repeat player attorneys represented consumers in 50 percent of filings across all consumer financial services product markets. Forty-five percent of those filings were by “heavy” consumer repeat players, meaning the attorney appeared in four of more arbitration disputes in the three-year study period. For student loan disputes, heavy repeat player law firms represented 93 percent of consumers.
• Dispute resolution is not a primary concern for consumer choice. When asked about factors that are important in selecting a credit card, no consumer raised dispute resolution. When asked, in a telephone survey, what one would do if a credit card company charged an improper fee, most respondents commonsensically answered he or she would cancel the credit card. Less than 2 percent mentioned seeking legal advice or suing, but 10 percent said they would refer the issue to a governmental agency.

What does this information tell us about consumer arbitration? Well, first it tells us that consumers are not pursuing consumer arbitration at all, which is troubling. Are consumers scared of arbitration? Unwary of the procedure? Cynical of recovery? Or are the arbitration fees still too high to make it worth pursuing? The AAA currently caps a consumer’s fees in consumer arbitration at $200. The business portion of a consumer arbitration, regardless of who initiates it, is $1,700, plus an additional $750 arbitrator compensation fee. Some businesses agree to fully pay the costs of consumer arbitration in the arbitration agreement, and some “consumer-friendly” agreements even offer to pay a premium and/or attorneys’ fees if the consumer receives an arbitral award that is greater than the business’s last settlement offer. The Arbitration Study did not report on how often an arbitrator awards such “incentivizing premiums,” but one would think their very presence encourages settlements.

The Arbitration Study also tells us that for the few consumer cases being pursued, consumers have access to attorney representation. The attorneys who tend to represent consumers in this dispute have developed a cottage niche, no doubt because they are familiar with the AAA Consumer Arbitration Rules and procedure. Finally, the settlement figures tell us that something useful is occurring in consumer arbitration. In some way, perhaps due to the business-side costs of consumer arbitration or incentivizing premiums, parties are likely reaching a settlement resolution prior to a merits decision.

The study also reported “win” rates for affirmative consumer claims and for business claims. Remember that only 32 percent of the cases filed resulted in an arbitrator decision on the merits, thus the sample size is very low. For claims brought by consumers that resulted in a decision on the merits, consumers “won” some kind of relief in about 20 percent of the cases (32/158). Businesses “won” relief in over 90 percent of the business-brought cases (227/244) that went to a merits decision, although some of the decisions were similar to a default judgment.

But one cannot make an assessment of arbitration by simply comparing consumer win rates to business win rates. As stated above, the sample size of merits decision was very small. More importantly, the study shows that most arbitration disputes resolved in a manner consistent with settlement. Additionally, differing incentives to assert claims can explain some of the difference in outcomes. If a business funds all or most of the dispute resolution process, consumers are incentivized to bring claims of questionable merit. Yet for the business which must pay all or most of the upfront costs ($1,700 per consumer claim under AAA rules), the incentive is to not bring (1) low value claims or (2) claims of questionable merit. Any comparative “win” rate of consumers to businesses would need to be compared to how consumers fare in litigation, not just how consumers fare compared to businesses, a point the Arbitration Study made.

The CFPB Arbitration Study: What It Tells Us About Individual Consumer Recovery in Class Actions

The CFPB Consumer Arbitration Study also examined class action recovery in consumer financial class actions. Although the CFPB concluded, in proposing its arbitration class-waiver ban, that consumers are better off preserving the class action than waiving it, the study results do not support this conclusion. For example, the CFPB Arbitration Study found that approximately 60 percent of the consumer financial products class actions filed ended in a non-class settlement or potential non-class settlement (i.e., withdrawal or dismissal by the plaintiff). Only 12 percent (69 cases) reached an approved class-action settlement. This means that only a very small portion of class actions filed resulted in any damages to the class-member consumer. Yet those class actions filed do result in a societal drain on judicial resources and corporate class action defense costs (which we would assume are passed on in one form or other to the consumer). Attorneys’ fees awarded to counsel in class action settlements during the relevant time frame were $424 million, which is estimated at about 24 percent of total class payments and 16 percent of gross relief (proposed cash relief and in kind relief).

Second, the average claims rate (claims made as a percentage of eligible class members) was low, 21 percent, with an 8 percent median. Thus, even when consumers obtain a settlement through the class device, they usually do not take the administrative steps to obtain the payout. Finally, the CFPB study did not attempt to provide data on the average class member recovery for those 69 cases that reached class settlement or the difficulty of obtaining settlement proceeds. But even taking Directory Cordray’s slogan of an average of “about $220 million in payments to 6.8 million consumers per year in consumer financial services cases,” one could estimate this results in about $32.35 in recovery to the individual per year, that is, if he or she takes the time to read and fill out the cumbersome forms required for claims-made recovery. These statistics cause one to at least question the effectiveness of the class action for providing individual relief to the class members.

The CFPB Could Take a More Moderate Approach to Facilitate Transparent and Free Consumer Arbitration

What should we make of the data provided above? First, it is premature to conclude that the class action is a more effective dispute resolution platform than individual arbitration. When only 12 percent of cases filed results in any class settlement, it suggests that there is a significant waste in the system. Second, we know arbitration is chilling consumer activity. The CFPB could confront this by providing more consumer education on arbitration and requiring more transparency. The CFPB could implement data-reporting requirements (similar, but more extensive than, those in the proposed rule for essentially post-dispute arbitration) that require reporting of the types of claims made, demand amounts, counterclaims and amounts, case resolutions, product types, and information about consumer representation.

The CFPB should require any consumer arbitration to be fully business-funded at no cost to the consumer. When a business faces transaction costs of nearly $2,000 per arbitration filed, repeat consumer filings will attract its attention. In addition, the CFPB could consider requiring that any consumer arbitration which results in a favorable consumer award on the merits should be awarded treble damages and attorneys’ fees. This provision would include a sort of “built in” incentivizing provision. The goal of this provision is to encourage organically what we already see occurring, increased settlement of consumer disputes. Still further, the CFPB should require that any consumer arbitration award must result in a written statement of decision, which permits other consumers to know how the arbitrator applied the law to the facts of that case. This will facilitate consumer knowledge of potential corporate overreach (and encourage more recovery), and will also help aid the consumer in arbitrator selection. The CFPB has a number of measures it could take to regulate consumer arbitration to the benefit of the consumer, short of removing a potentially viable dispute resolution platform that could benefit the individual consumer.

Conclusion

The CFPB’s proposed anti-arbitration rule will have a wide effect on consumer financial services, and even potentially on other consumer arbitration agreements. But the CFPB’s arbitration class-waiver ban is essentially an election of the class action to the expense of individual arbitration. This policy choice is premature and is not yet supported by the data. The abysmally low number of consumer arbitration filings is too low to make generic assessments regarding the efficacy of consumer arbitration. But it tells us consumers need to know more and have confidence to pursue their own low-value claims, or be aware that attorney assistance may be available. Even still, the image the Arbitration Study paints of class actions show that this vehicle is not providing satisfactory recovery to the individual class members. But requiring businesses to fully fund and incentivize consumer arbitration in a fair and transparent way could provide a vehicle for individualized low-cost consumer relief. Will there still be some de minimis claims that are not pursued on the individual level? Yes. But this tradeoff may be rational in the eyes of the consumer to preserve an essentially free dispute resolution platform for economically rational claims. The CFPB should take the time pending issuance of its final rule, under a new Executive Branch, to issue regulations that will make consumer arbitration more susceptible to empirical study, more transparent, and cost free for the consumer.

Introduction

There seemingly are lots of new ways to make payments today. New apps for smart phones, new peer-to-peer payment networks, new currencies, and new ledger systems offer to meet the needs of U.S. consumers and businesses in ways that legacy payment methods do not. Many of these new ways to pay have improved end-user experience by providing more convenient or intuitive ways to initiate payments through legacy systems (such as the ability to accept card payments through a device that connects to a phone). In other cases, the underlying payment system through which payments are made is new (such as the ability to pay someone instantly with virtual currency through a distributed ledger system).

It does matter how you pay; however, the part that matters—from a legal perspective—is not the means of initiation (i.e., payment via mobile app) or infrastructure (i.e., blockchain), but rather who is providing the payment service to the payor and payee and the characteristics of the payment service.

This article’s focus is how payment-system and consumer-protection laws apply (or do not apply) to some of the new ways to pay. It should be noted that there are other important legal and regulatory frameworks that apply to payments, such as financial privacy, cyber and information security, Bank Secrecy Act/anti-money laundering, and economic sanctions, all of which are beyond the scope of this article.

The Legal Framework for Payments

One’s legal rights and responsibilities as a payor or payee for noncash payments are determined by payment-system laws—statutory, regulatory, and contractual. For example, if a payor instructs payment for $100, but through error or fraud the payee is instead paid $1,000, payment-system laws will determine who among the various parties to the payment takes the loss for the extra $900 received by the payee. When consumers are a payor or payee, certain statutory and regulatory consumer-protection laws may also apply to the payment.

Payment-System Laws

With respect to payment-system laws, it should come as no surprise that different laws apply to different types of payments. At the state level, the Uniform Commercial Code (UCC) Articles 3 and 4 serve as the foundational laws for checks, and UCC Article 4A establishes the laws for wholesale wire transfers. These state laws generally may be supplemented or varied by agreement of the parties involved, or by clearinghouse or funds transfer system rule. For example, banks and image clearinghouses generally adopt the Electronic Check Clearing House Organization Rules (ECCHO Rules) to modify and supplement rights and responsibilities under the UCC to address issues unique to the interbank exchange of check images. Note, however, that the ability to vary the UCC by agreement or by clearinghouse or funds transfer system rule is not unlimited. For one thing, the UCC obligation to act in good faith may not be waived.

There is no statutory framework that serves as the basis for exchange of electronic debits through the Automated Clearing House (ACH) system, although commercial credits fall under UCC 4A. Banks rely on the Operating Rules of the National Automated Clearing House Association (NACHA), as adopted into ACH operator rules, both to establish the framework for the debits and to supplement the UCC 4A framework for commercial credits.

It is important to note that the scope of the laws and rules governing traditional noncash payment mechanisms—funds transfers, ACH, and checks—includes bank customers and banks, but does not necessarily contemplate or apply to nonbanks that serve as intermediaries to payors and payees or payments that are made through nonbank networks. Thus, the funds transfer process, under article 4A and the Federal Reserve’s Regulation J, begins with an instruction by an originator to its bank to pay or to cause another bank to pay a beneficiary, and the funds transfer ends when a bank for the beneficiary accepts an instruction to pay its customer. Likewise, the check collection process under article 4 and the Federal Reserve’s Regulations J and CC begins when an item is deposited with a depository bank, and typically ends when the payor bank pays the item. Similarly, under NACHA’s rules, an ACH payment begins with an authorization provided by a customer of a bank, is initiated to an ACH operator by a sending bank, and ends when the receiving bank has received and settled for the payment.

As further discussed below, this means that payment-system laws will not completely address—or may not address at all—issues that may arise for payors and payees whose payments do not begin and end at a bank.

Consumer-Protection Laws

With respect to consumer-protection laws, the primary federal laws in the payments area are: (i) the Electronic Fund Transfer Act (EFTA) and its implementing regulation, Regulation E, for consumer payments made via debit cards, ACH, payroll cards, prepaid accounts, and other consumer electronic funds transfers (discussed further below); and (ii) the Truth in Lending Act (TILA) and its implementing regulation, Regulation Z, for consumer payments via credit cards. These federal laws and regulations establish certain baseline consumer protections, such as disclosures, periodic statements, and most relevant to this article, limitation of liability for unauthorized payments and error-resolution requirements. These consumer protections generally cannot be varied by agreement.

Historically, the payments laws and consumer-protection laws described above provide mutually exclusive legal frameworks governing consumer funds transfers. In particular, the scope of article 4A by its own terms (Section 4A-108) generally excludes from its coverage funds transfers, any part of which is governed by EFTA. In turn, EFTA and Regulation E govern consumer funds transfers—specifically, “electronic fund transfers,” which include essentially any electronic transfer of funds to or from a consumer account, but excludes funds transfers sent by a financial institution on behalf of a consumer through a wholesale payment system (that is, a funds transfer system that is not designed primarily to transfer funds on behalf of consumers), such as a wire transfer system—as a result, those transfers would be covered by article 4A. In recent years, however, most state legislatures have taken steps to amend article 4A to permit some overlap with EFTA with respect to certain remittance transfers that became covered by EFTA and Regulation E as a result of the Dodd Frank Act.

In addition, federal consumer-protection laws historically were tied to payments made to or from consumer accounts held at banks. However, Regulation E’s remittance-transfer provisions apply to remittance-transfer providers that are both banks and nonbanks. Similarly, the Consumer Financial Protection Bureau (CFPB) finalized a new rule in early October that applies Regulation E’s disclosure, periodic statement, limitation of liability, and error-resolution requirements to prepaid accounts, regardless of whether the prepaid account is held by a bank or a nonbank. Specifically, the revised regulation defines a prepaid account to include a variety of payment products, including general purpose prepaid cards and nonbank payment services, such as digital wallets and payment networks, that involve an account that is either issued on a prepaid basis or capable of holding consumer funds. The new provisions become effective April 1, 2018 (although the CFPB also recently announced its decision to revisit certain substantive issues in the rule), and will cover many, but not all, nonbank payment services. Among the payment services that will fall outside the rule are those that only facilitate payments, but do not require consumers to have accounts with the service provider.

For payment services provided by nonbanks that fall outside the CFPB’s prepaid rule and remittance transfer rule, a consumer’s rights and responsibilities as a payor or payee primarily will be determined by the contractual terms that apply to the payment service. However, the consumer may have Regulation E protections for parts of a nonbank payment if the nonbank payment involves funds transfers to or from the consumer’s bank or prepaid account.

Some Examples

The scenarios below illustrate how a payor’s legal rights and responsibilities may vary depending upon whose payment service the payor uses.

Hypothetical 1: Person-to-Person Payment

CoolPay is a nonbank payment service that provides CoolPay accounts to its users and enables them to send funds to each other through its service. CoolPay makes payments in two ways. If a payor-user has funds in his or her CoolPay account, CoolPay will pay the payee through a book transfer: i.e., a debit entry to the payor’s CoolPay account and a credit entry to the payee’s Cool-Pay account. If a payor-user does not have funds in his or her account, CoolPay will initiate an ACH debit to the payor-user’s bank account and then credit the payee-user’s CoolPay account once CoolPay’s bank account is credited for the ACH debit it sent to the payor-user’s bank account.

Jane and George are CoolPay users. Jane uses CoolPay to send George $100 for his birthday. Although Jane is a CoolPay user, she does not keep funds in her CoolPay account. Hence, to effectuate the payment, CoolPay instructs its bank, Bank A, to send an ACH debit for $100 to Jane’s bank, Bank B. Once Bank A receives settlement from Bank B for the ACH debit, it credits CoolPay’s bank account. CoolPay then credits George’s CoolPay account for $100. What if CoolPay makes a mistake and credits Ted’s CoolPay account rather than George’s?

Given that CoolPay provides a payment service that enables consumers to hold funds in CoolPay accounts, CoolPay will be subject to the new prepaid account requirements of Regulation E, including its disclosure and error-resolution requirements, when it goes into effect. The rule will require CoolPay to: (i) disclose to Jane that she has error-resolution rights; and (ii) investigate the error upon timely notice from Jane that her bank account has been debited, but that George has not received his birthday money. CoolPay generally will be required to investigate and determine whether an error occurred within 10 days of Jane’s notice. If CoolPay determines that an error occurred, it must correct the error within one business day of such determination.

Note that, until the CFPB’s prepaid rule is effective, Jane’s ability to seek redress from CoolPay will be determined by the terms and conditions governing Jane’s use of the CoolPay service or possibly her state’s money transmission laws. It should further be noted that, due to the fact that the debit to Jane’s bank account was in the correct amount, it is unlikely that Jane could have sought redress from her bank for CoolPay’s error because the debit was authorized, in the correct amount, and her bank made no error is transmitting the funds to CoolPay’s account with Bank A.

It is also the case that, if CoolPay acted as only a payment facilitator and did not hold consumer funds in CoolPay accounts, the CFPB’s prepaid rule will not be applicable to Jane’s payment. She would again look to the terms and conditions of CoolPay’s service and her state’s money transmission laws for redress.

Hypothetical 2: Business-to-Business Payment

Company A and Company B are CoolPay users. Company A instructs CoolPay to pay Company B $10,000 via transfer from Company A’s CoolPay account to Company B’s CoolPay account. Company A has sufficient funds credited to its CoolPay account to pay for the transfer without the need to debit Company A’s bank account. Hence, CoolPay debits Company A’s CoolPay account for $10,000. However, CoolPay erroneously credits Company C’s CoolPay account rather than Company B’s CoolPay account.

If CoolPay were a bank, this type of error would be an error in execution. Under article 4A, if Company A’s bank paid a party other than the beneficiary Company A identified in its payment instruction, Company A would be entitled to a refund under article 4A’s money-back guarantee provisions for the amount of the payment. Company A’s bank could seek to recover the amount from Company C, but it would be required to refund Company A regardless of whether it does so. Under article 4A, the bank would not be permitted to vary its obligation to refund Company A by agreement.

In the absence of article 4A, the rights of Company A and CoolPay will be governed by the terms and conditions of CoolPay’s service, other agreements among the parties, and common law. In addition, if CoolPay’s terms are not favorable to Company A, it may find itself in court arguing by analogy to article 4A that CoolPay must provide a refund. If Company A is unable to recover from CoolPay, it may also be able to recover from Company C under CoolPay’s terms or common-law theories, but Company C, its jurisdiction, and a number of other factors will be completely unknown to Company A.

Hypothetical 3: Business-to-Business Payment with Distributed Ledger

Let us add a variation to the previous two examples where CoolPay provided payment services to the payor and payee: What if instead it is simply banks providing those services? Does it matter if those banks, in turn, choose to use a fundamentally new infrastructure, such as blockchain, to settle with each other?

Suppose Company A wishes to pay Company B $10,000 for products that it purchased. Company A has an account with Bank A, and Company B has an account with Bank B. Company A opts to make that $10,000 payment by a funds transfer from its account at Bank A to Company B’s account at Bank B. The funds transfer begins with a debit to Company A’s account on Bank A’s books (funds are withdrawn from the payor’s account), and ends with a credit to Company B’s account on Bank B’s books (funds are deposited into the payee’s account).

Suppose, however, that Bank A and Bank B do not have a direct relationship with each other that enables Bank A to credit an account it holds for Bank B, or for Bank B to debit an account it holds for Bank A. Instead, they choose to use blockchain technology—CoolChain—to clear and settle payment from Bank A to Bank B in real time on their own books. A detailed description of how the banks may use blockchain technology in this way is provided in a March 2016 article by Jessie Cheng and Benjamin Geva. In essence, blockchain technology allows banks with no direct relationship to establish trust and coordinate their actions to settle with each other.

Does the fact that the banks in the funds transfer opt to use CoolChain, rather than a traditional funds transfer system like CHIPS or Fedwire, to transact with each other in this way mean that the payment is outside the scope of article 4A? Not necessarily. Article 4A focuses on the type of entities involved, not the means by which they transact with each other. The primary focus of article 4A is the “funds transfer,” the transfer of bank credit from the payor to the payee. The hypothetical above—where Company A transmits an instruction to its bank, Bank A, to pay or cause another bank to pay Company B—falls within article 4A’s definition of “funds transfer” in section 4A-104. This remains so even where Bank A and Bank B happen to choose to use CoolChain or any other blockchain technology to settle with each other. That transfer is still a series of transactions, beginning with Company A’s payment order (Company A’s instructions to Bank A to pay or cause another bank, like Bank B, to pay a fixed amount of money to Company B) made for the purpose of making payment to Company B, the beneficiary of the order. Thus, Bank A’s and Bank B’s choice to use CoolChain to settle with each other would not remove the transfer from the ambit of article 4A.

Although article 4A can be read to apply to a funds transfer involving blockchain rails as a general matter, the application of the technology varies from blockchain to blockchain, and each implementation must be analyzed to determine whether or precisely how certain of its concepts map onto an article 4A framework. Thus, might the legacy article 4A concepts of “funds transfer system” apply to a network of banks that all use CoolChain and together agree to a certain set of payment rules governing their interbank rights and obligations? As described above, one could interpret section 4A-105(a)(5)’s definition of “funds transfer system” and its official commentary to say “yes,” even though the official commentary has not been updated to specifically recognize emerging systems that fundamentally differ from legacy payment rails. The same may not be true of another blockchain rail.

Conclusion

The robust competition for payment services in the United States offers consumers and businesses many ways to pay. However, the legal framework that applies to payments, and that ultimately determines the rights and responsibilities of consumers and businesses when they make and receive payments, is dependent upon a combination of whether the payments begin and end at a bank and, for consumers, the characteristics of the payment service.

In an April 2016 article in Business Law Today, we provided a primer on foreign investment regulation in Canada, an important issue in Canadian cross-border M&A transactions. Foreign investment primarily is regulated through the Investment Canada Act (ICA) and its regulations (although some sectors like banking have separate rules, and other statutes regulating foreign investment may also apply). In the ensuing year, a number of significant changes have occurred or have been announced by the Canadian federal government and are addressed below. It should be noted that this article discusses the ICA and its regulations generally and does not discuss a number of exceptions and nuances affecting its application, including the regime applicable to investments by foreign state-owned enterprises. All currency conversions in this article are made as of March 28, 2017.

Review Thresholds

As explained in the April 2016 article, under the ICA, the acquisition of control of a Canadian business by a non‐Canadian triggers either a (usually pre-closing) review or a (usually post-closing) notification process. The review process generally is triggered if the value of the Canadian business exceeds an applicable threshold, which can vary on a number of factors.

As part of its 2016 Fall Economic Statement, other than for investments by foreign state-owned (or influenced) enterprises (SOEs), the Canadian government committed to increasing the threshold applicable to a direct acquisition of a Canadian business by nationals of World Trade Organization (WTO) member states, which would include a U.S. company ultimately controlled by U.S. nationals. This threshold for review has changed significantly over the last few years, shifting even more transactions into the notification process and thereby reducing ICA compliance costs. In March 2015, this threshold was changed, from one based on the book value of assets of the Canadian business, to a threshold based on the “enterprise value” of the Canadian business, and a planned increase schedule was set out. In its 2016 Fall Economic Statement and again in its 2017 budget, the Canadian government committed to increasing this threshold even more quickly than originally planned, as shown in the table below.

1. Upon enactment of budget implementation legislation, anticipated in the spring or fall of 2017.
2. On a date to be determined (likely January 1, 2019).

The Canadian government also is in the process of implementing the recently negotiated Canada and European Union (EU) Comprehensive Economic and Trade Agreement (CETA), which will increase the threshold for nationals of EU member states. Once in force, CETA will increase the enterprise threshold for nationals of EU member states to C$1.5 billion (approximately US$1.12 billion). A number of countries, including the United States and Mexico, have trade agreements with Canada that contain most-favored-nation protection, with the result that nationals of these countries will also benefit from this substantially increased enterprise value threshold. The legislation in Canada to implement the CETA currently is expected to be in force as early as late June 2017.

An indirect acquisition of a Canadian business (i.e., through the acquisition of its foreign corporate parent) by nationals of WTO-member states, including the United States, with limited exceptions, are exempt from review.

An important exception to these rules on direct and indirect acquisitions remains where the Canadian business is engaged, even if only partially, in the activities of a “cultural business.” A direct acquisition of a cultural business continues to be subject to review where the book value of the Canadian business’ assets exceeds C$5 million (approximately US$3.7 million), and an indirect acquisition of a cultural business continues to be subject to review where the book value of such assets exceeds C$50 million (approximately US$37 million), although in the case of the latter, the review may be done post-transaction and therefore is not an impediment to closing.

Some Clarity on National Security Review

As explained in the April 2016 article, the national security review process allows the Canadian government to review investments where it has “reasonable grounds to believe” that the investment “could be injurious to national security.” Any investment in Canada by a non-Canadian investor can trigger this process regardless of: (i) whether it is reviewable or notifiable according to the rules above; (ii) whether by a U.S. or other investor; (iii) whether it is for the establishment of a new Canadian business, the acquisition of control of a Canadian business, or the acquisition of a minority interest in a Canadian business; and (iv) the dollar value of the transaction. This means that a minority investment in a Canadian business, regardless of its size, could trigger a national security review. This process is, to a certain extent, the Canadian equivalent to the Committee on Foreign Investment in the United States (CFIUS) regulations.

The concept of “could be injurious to national security” is not defined in the ICA or its regulations and, until recently, the Canadian government did not provide any guidance on what it considered “could be injurious to national security” (other than certain statistics on the frequency and outcomes of national security reviews). On December 19, 2016, the Canadian government delivered on a promise, made in the previously noted 2016 Fall Economic Statement, to make the national security review process more transparent by publishing Guidelines on the National Security Review of Investments (the Guidelines), which identify the following nine, nonexhaustive factors that will be taken into account in determining whether foreign investments could be injurious to national security: (i) the potential effects of the investment on Canada’s defense capabilities and interests; (ii) the potential effects of the investment on the transfer of sensitive technology or know-how outside of Canada; (iii) the involvement in the research, manufacture, or sale of goods/technology relating to certain controlled goods noted in the Defence Production Act, including firearms, military training equipment, certain types of aircraft, weaponry and defense systems, etc.; (iv) the potential impact of the investment on the security of Canada’s critical infrastructure, meaning the processes, systems, facilities, technologies, networks, assets, and services essential to the health, safety, security, or economic well-being of Canadians and the effective functioning of government; (v) the potential impact of the investment on the supply of critical goods and services to Canadians, or the supply of goods and services to the Canadian government; (vi) the potential of the investment to enable foreign surveillance or espionage; (vii) the potential of the investment to hinder current or future intelligence or law enforcement operations; (viii) the potential impact of the investment on Canada’s international interests, including foreign relationships; and (ix) the potential of the investment to involve or facilitate the activities of illicit actors, such as terrorists, terrorist organizations, or organized crime.

The Canadian government’s 2017 budget also announced an intention to require the publication of an annual report on the administration of the ICA’s national security.

The Guidelines also provide recommendations for dealing with national security. For example, the ICA contains no formal preclearance mechanism, which is a significant distinction between the Canadian national security regime and the CFIUS regime. To address this issue, the Guidelines recommend that foreign investors file their ICA notifications “early” and prior to the deadlines set out by statute, even though this is not required by law, particularly in cases where the assessment factors described above may be present. By doing such a filing on a preclosing basis and waiting for 45 days to elapse following the filing of such notification, if no action is taken, the investor can proceed with closing knowing that the period within which a national security review could be ordered has expired. Note, however, that this “early filing option” is not available unless an investment triggers a notification (or economic review) requirement. Where no notification (or review) is required (for example, the acquisition of minority interest in a Canadian business where there is no acquisition of control by the non-Canadian investor within the meaning of the ICA), the 45-day period for triggering the national review process runs from implementation of the investment, which precludes the early filing option for obtaining comfort. Nevertheless, early engagement with the government may still be beneficial in securing meaningful comfort from the government. Such engagement allows the government an opportunity to examine the investment and to ask questions of the investor, which, even absent explicit pronouncement from the government, may allow the investor to make meaningful inferences about the government’s assessment of whether the investment would be injurious to national security.

Conclusion

The proposed change to the ICA’s enterprise value thresholds will result in fewer transactions subject to review, and the Guidelines provide additional clarity on national security review. Understanding the ICA’s regulation of foreign investment is important because sanctions can include fines and even a reversal of the transaction (although the authors are not aware of this remedy ever having been used by the Canadian government). It is also important to consult with a Canadian legal advisor, given that many other federal and provincial laws can affect the implementation of an M&A transaction.

Until the 1930s, securities purchasers looked solely to state securities laws—so-called Blue Sky Laws—for protection against securities fraud. That all changed after the Crash of 1929, when the federal securities laws were enacted and came to dominate the field in the ensuing decades. But state securities laws have made a bit of comeback in recent years, and an April 2017 decision out of a California federal court may continue to fuel their rise. Colman v. Theranos, Inc. The Theranos court found that indirect purchasers of securities—those who invest in a fund that in turn purchases securities from a company—can sue that company. The decision raises a number of important questions for both issuers of securities—especially large private companies—and the many funds that buy directly into them.

A brief review of the facts will set the stage. Theranos is a privately held life sciences company recently thrust into the national spotlight over questions about the legitimacy of its business. Plaintiffs in the case had invested money in two different private funds expressly formed to invest in the company. One fund acquired stock directly from Theranos; the other acquired its stock on the secondary market. Plaintiffs’ purchases came amid a publicity campaign about Theranos that, allegedly, was designed to raise capital from private investors, including plaintiffs. After news broke questioning the viability of Theranos’s technology, the indirect purchaser plaintiffs sued the company for fraud, asserting securities claims under various provisions of California law.

Ruling on Theranos’s motion to dismiss, Magistrate Judge Nathanael Cousins of the Northern District of California held that the indirect purchasers had standing to sue under California law. In pertinent part, the California provisions at issue make it unlawful for “a broker-dealer or other person selling or offering” a security to willfully make, “directly or indirectly,” a false or misleading statement “for the purpose of inducing the purchase or sale of such security.” Unlike most of the federal securities laws, notably Section 10(b), this statute does not require a plaintiff to prove actual reliance; rather, a plaintiff need only prove that defendant intended the plaintiff to rely on his statement. And, now, if the Theranos court’s ruling is accepted by other courts, the statute also will not require “privity,” or a buy-sell relationship, between indirect purchasers and the issuing company. Defendants unsuccessfully pressed the court to impose such a requirement, but the court disagreed, noting the statute “focuses on the actions of the seller of the securities, not the relationship between seller and buyer.”

So, did the court get it right? The answer is both yes and no, with a bit of history explaining why. The California statute at issue was modeled after and closely resembles Section 9 of the Securities Act of 1934, which was specifically aimed at prohibiting the manipulative market conduct prevalent in the 1920s. As numerous state and federal courts have noted, including those in California, “market manipulation” is a term of art that covers some artifice or scheme where a defendant enters the market and alters the natural forces of supply and demand. Some of that fraudulent conduct—such as a “wash sale,” where the defendant buys and sells from himself to create the appearance of demand, or a “matched order,” where he buys and sells to co-conspirators for similar purposes—involves trading that occurs solely between one or more co-conspirators. The court is thus right that privity is not universally required; if it were, a defendant trading solely with himself or his scheming confederates could never be liable.

But the court’s analysis failed to see the full picture. Like Section 9, the California statute at issue was never intended to reach false or misleading oral or written statements like those Theranos made to the market. Rather, it is focused on specific schemes, in the market, that artificially alter the natural forces of supply and demand. Nowhere is Theranos alleged to have engaged in any such conduct. The result, then, is to allow an indirect purchaser to repackage a traditional misstatements case—which does require privity under California law—into a manipulative conduct case that does not. Courts have rejected this strategy for years.

The consequences of this approach are potentially far reaching for private companies and the funds that invest in them. For private companies, the decision poses concerns about raising money from institutional investors and publicly traded companies, which have become a significant source of financing. The court’s ruling could give disappointed investors in those entities standing to sue the private companies in which they invest. Since the universe of those investors under the reasoning of Theranos is much broader than those who participate in private offerings—and since those investors may only be able to rely on general statements in the public domain—the court’s ruling raises the possibility that retail investors could sue private companies without ever having directly invested in them.

For private funds that invest in private companies, the decision also raises a number of serious questions, especially as to who controls claims that belong to the fund. For instance, what recourse, if any, does a fund and its other investors have if they believe a lawsuit is frivolous or would distract management and thereby harm their investment? Without an express waiver of the indirect purchasers’ claims, it would seem very little. And would an investor further down the investment chain, say in a fund-of-funds, also have standing to bring a claim against the private company? The court seemed to take comfort that the universe of potential plaintiffs was limited to those the company “intended” to defraud. But drawing the line based on something so subjective provides little comfort to companies and the funds that invest in them.

It is worth emphasizing that there are ways to read the court’s ruling as limited to its unique set of facts. The funds at issue were set up for the express purpose of investing in Theranos stock, not to invest in multiple securities. What’s more, Theranos has been accused of misrepresenting the viability of its business as a whole, something different in kind and degree from an allegedly misleading statement about a discrete event or fact. Nor is it clear that the indirect purchasers had been provided any documents upon which to base their indirect investment in Theranos.

If limited to these facts, the court’s decision could be understood. But if future courts look beyond the facts to the general proposition for which Theranos stands—that indirect purchasers may sue a private company for plain vanilla securities fraud without having to prove privity—the prominence of state securities laws like those in California may only grow.