As workforces shifted to remote work during the pandemic, trade secret information may have been subject to relaxed protective measures, inadvertent disclosures, or misappropriation. Employees, business partners, and vendors may have accessed information using unsecure personal devices, uploaded information to less secure cloud storage systems (intentionally or unintentionally), or printed sensitive documents on home printers, among other possibilities. As shuttered offices reopen, companies should develop a process to understand how employees, business partners, and vendors stored, transmitted, and otherwise used (or misused) trade secret information while working remotely and act to identify issues and resolve any problems identified.

Below is a five-step process companies can follow as employees, business partners, and vendors return to their workspaces. By taking these steps, a company can assess and address the impact of any relaxed protective measures, inadvertent disclosures, and misappropriation. This applies both to trade secrets owned by the company and those owned by a third party, entrusted to the company pursuant to an NDA or other protective measures. Moreover, should a misappropriation occur in the future, evidence that the company took these precautions will aid the company in proving it took “reasonable efforts” to maintain the information’s secrecy. For that reason, the company should document all efforts taken to preserve trade secret information as employees return to the office.

Step 1: Understand How Employees Used Information While Working Remotely

Companies should first take stock of how employees protected, used, or accessed trade secret information while working remotely. In secured office environments, employers enjoy a wealth of tools to safeguard proprietary information: access to rooms or entire floors can be restricted with keycards or biometrics; employees can be monitored to enforce personal device policies and ensure only secure devices are used; company devices can include multiple layers of protection and virus defense, and paper documents can be easily collected for secure destruction. That is not necessarily true or consistent of remote work, where employees may be tempted or required by necessity to access or store data on unsecure personal devices, transmit data through less secure systems (unable to use secure systems), and create and/or keep sensitive paper documents. Simply put, risks abound when employees work from home. The first step in protecting trade secrets is to identify those risks.

• Survey employees to identify all company property used offsite. In addition to big-ticket items like computers, confirm whether employees took home tablets, printers, peripheral devices, USB flash drives, hard drives, or any other digital storage device, as well as paper documents.
• Confirm whether employees accessed or stored business information on personal devices. Employees may have accessed company databases or downloaded and stored company information onto a personal computer, tablet, cell phone, external hard drive, or cloud-based system. Employees also may have printed information using a home printer. The risk with printers is threefold: in addition to creating a paper record of sensitive information, modern printers often feature memory storage (where the information may remain in digital form) as well as network or internet connectivity (potentially exposing that information to hackers or other third parties).
• Determine whether information was exposed to unapproved software or systems. If an employee sent or received information using a personal e-mail account or unapproved chat or collaboration tools, that information could remain stored on the software provider’s servers unless and until it is deleted. Even if the company has a confidentiality agreement in place with the service provider, that agreement may not apply if the employee uploaded information to a personal or consumer account not associated with the company. Pay special attention to employees’ use of cloud storage services and SaaS systems. Many such solutions automatically sync with personal devices. For example, a file downloaded to an employee’s smartphone may automatically upload to the employee’s personal cloud account, perhaps without the employee’s knowledge. Employers should ask whether employees have made use of cloud storage accounts or SaaS systems and, if so, confirm whether those accounts sync automatically with employees’ devices. 

Step 2: Ensure Information Is Returned, Deleted, or Destroyed 

After determining how employees used or accessed sensitive information, companies should take steps to ensure that information is returned to the company’s custody, deleted, or destroyed. The goal is to ensure that no proprietary information exists beyond the company’s control. In pursuing that goal, employers should take a nonaccusatory and collaborative approach with employees, keeping in mind that (1) the shelter-in-place/stay-at-home regimes were largely imposed with little notice or preparation time; (2) employee access to hardware, software, and related support may vary greatly within an organization; and (3) employee technical sophistication should be expected to vary. 

• Confirm company property was returned. Consider preparing a checklist for each employee listing all company property used offsite, including paper documents. Employers may obtain written confirmation from each employee that the list is complete, and all listed items have been returned to the company’s custody.
• Inspect company devices—and potentially personal devices—to identify security risks. While working from home, employees may have downloaded unapproved programs or software applications onto company devices (e.g., software to connect to home printers, music streaming software, and the like). Unapproved programs can be potential security risks in that they may expose the device or company systems to intrusion, such as spy-ware, or may send sensitive data to third-party servers for any number or reasons or purposes. Companies should accordingly consider inspecting each company device used in a home setting to ensure that no such software is present, or if it is, address it. Under some circumstances, employers may also consider performing a more comprehensive forensic analysis to verify whether an employee downloaded business information onto personal devices, such as a USB drive. A forensic analysis may be appropriate if the employee is known to have worked with trade secret information from home (such as a software engineer on a development team), gave evasive answers in response to the company’s property use survey, could not remember whether he or she transferred information to a personal device, or allowed others to use company devices for noncompany purposes, including children engaging in remote learning on a company device.
• Collect paper documents for proper destruction. If an employee took home paper documents or printed business information at home, require the employee to return the documents to the company (or the company’s vendor) for proper destruction unless the employee can confirm proper shredding at home. Make it easy for the employee to comply because some employees possessing voluminous paper records may be tempted to simply toss them in the trash. Consider sending a courier to pick up the documents, using a remote shredding company that will perform house calls, or supplying prepaid boxes to return paper documents by mail to the company.
• Consider inspecting personal devices to ensure no information remains. If the company has a device inspection policy granting it the right to examine personal devices, consider exercising that right and verifying that no business information remains on such devices. Consult legal counsel before inspecting personal devices to ensure the company does not violate privacy rights.
• Confirm information has been deleted from personal devices and software. Obtain each employee’s written confirmation that no company information remains stored on any personal device or in any personal software account, including personal e-mail or cloud storage accounts. Provide detailed information as to where data may reside and offer technical assistance to employees who may be unfamiliar with how to properly locate and/or delete data. Remind employees of any confidentiality obligations set out in their employment agreement or proprietary rights agreement with the company.

Step 3: Reinstate Relaxed or Suspended Policies and Security Protocols

In the rush to transition to remote work or based on technical necessity, companies may have relaxed or even suspended policies or protocols designed to preserve trade secret information. Now is the time to reinstate those policies and protocols and to determine whether any inadvertent disclosures occurred. For example, if the company temporarily lifted restrictions on the use of personal devices for company tasks, the restriction should be reinstated once employees have returned to their workspaces. Similarly, if the company loosened access to systems housing sensitive information (such as allowing remote access to certain records outside of a VPN), prior restrictions should be restored. To avoid confusion, the company should clearly communicate to employees which policies have been reinstated and provide training as needed.

Step 4: Confirm Business Partners and Vendors Are Protecting the Company’s Trade Secrets Following a Similar Process

Depending upon the scope of a company’s contract rights and its respective bargaining power with its business partners and vendors, especially technology vendors (e.g., contract manufacturers and designers), companies should take steps similar to those detailed above for returning employees to assess and address the impact of any relaxed protective measures, inadvertent disclosures, or misappropriation by their business partners and vendors stemming from remote working. Some contracts require that a party receiving a company’s trade secret or confidential information must invoke protective measures at least as strong as the receiving party applies to protecting its own trade secret or confidential materials. Some contracts require the receiving party to enact and follow specific, defined protective measures (such as government, regulatory, or industry standards) or measures at least as strong as the disclosing party follows. Moreover, as a verification or confirmation mechanism, many of these contracts provide the disclosing party audit rights or rights to request a certification that the required policies and protocols are in place and followed. Companies should carefully review their contracts on these points with legal counsel.

It is especially important for companies that derive great value from their trade secrets (including competitive advantages and differentiation), and that disclose those materials to business partners and/or vendors subject to NDAs or other protective measures, to follow these steps or similar steps and not limit the investigation to their own internal employees. This is because under state and federal law, trade secret information may lose its trade secret status if inadvertently disclosed or otherwise not reasonably protected, regardless of who is to blame for the inadvertent disclosure or for the failure to follow reasonable protective measures. In other words, a failure by a company’s business partner or vendor to maintain the secrecy of the company’s information could invalidate the trade secret. As a result, trade secret owners must remain vigilant and not blindly relinquish stewardship of their trade secret information to their business partners and vendors. Companies should consult with legal counsel and review applicable agreements before reaching out to business partners and vendors.

Step 5: Be Particularly Vigilant With Employees, Business Partners, and Vendors With Whom the Company Separated During the Pandemic

The pandemic and associated stay-at-home orders forced many companies to furlough and lay off employees, including senior engineers and executives with access to important trade secret information. Similarly, the resulting changes to the economy have forced companies to curtail supply relationships, suspend new product lines, exit or shut down joint ventures, and cancel contracts. Whether justified or not, these actions can result in hurt feelings and worse. Under these circumstances, former employees, business partners, and vendors may be inclined to take or retain a company’s critical business information on the way out the door, including passwords, source code, customer lists, personal and technical data, business plans, financial information, and more. In some cases, the departing employee, business partner, or vendor intends to use the information to establish operations elsewhere. In other cases, the intent is more nefarious and meant to harm the company.

In any event, as return to work occurs, it is critical to use whatever tools may be at hand to review what may have been kept or taken by departed colleagues and partners, and to use legal tools to get the information back. Companies should carefully review the termination clauses in their employment agreements, joint venture agreements, and other contracts with legal counsel and affirmatively exercise their legal rights to obtain or destroy information that might otherwise leave the company inadvertently. If information is missing that includes personal identifiers, it may be necessary to evaluate the company’s obligations under U.S. and international privacy laws as well.

The unprecedented impact of COVID-19 on the American economy has forced many businesses of all sizes and in all industries to seek some form of financial relief. Perhaps the most prominent source is the Coronavirus Aid, Relief, and Economic Security Act (commonly known as the CARES Act), which provides over $2 trillion in assistance through the largest economic stimulus package in U.S. history. A common example of funding under the CARES Act is through the Paycheck Protection Program (PPP) in the form of loans to certain businesses. The CARES Act allocates funds through numerous provisions, the two largest of which are dedicated to corporate and small business loans. Many businesses that receive federal funds will also seek recovery from a second, hotly debated source: insurance. Whether companies are pursuing payment for business interruption, event cancellation, or some other loss, the coming years will bring litigation over coverage and a critical question: Are insurance companies entitled to an offset for any relief that a business receives from the CARES Act (or are losses reduced by any of the ancillary payments for other reasons)? As is often the answer in the legal world, it depends.   

While insurers may insist that any CARES Act payment must reduce what is owed under a policy, the analysis begins (and may sometimes end) with the policy itself. The right to an offset is just that—a right that must be grounded in the insurance contract. Many insurance policies contain clauses that specifically address how recoveries from other sources will impact the insurance payout. This frequently takes the form of a “Salvage and Recoveries” provision, “Collection from Others” provision, or some type of subrogation clause. If a policy is devoid of any such language, this should end the inquiry. While different states may have common law doctrines that could affect the outcome, an insurer has no contractual basis to complain. It could have addressed this risk in its policy and failed to do so. As is the case in many jurisdictions, the coverage must be construed broadly and the benefit of the doubt goes to the party that suffered the loss—not the insurance company.

Even when an insurer does address other-source recoveries in its policy, an offset is not necessarily required. Just as before, the policy language and law are key. Generally speaking, one kind of policy provision addressing offset is intended to reduce the carrier’s obligation to pay for the same losses that a policyholder has already recovered from another source. As courts have explained, this requires consideration of the intent behind the “other” funds received by the policyholder. If the statute’s intent is to compensate the company for something other than its losses, courts have held that such a recovery does not entitle the insurer to an offset. That is because the insurance company is obligated to pay for one thing, and the collateral payment may be used to compensate for something different.

This issue was considered in Northrop Gruman Corp. v. Factory Mut. Ins. Co.,[1] where Northrop made an insurance claim for lost earnings from property damage caused by Hurricane Katrina. The federal court in California rejected the insurer’s argument that it was entitled to an offset for federal income tax relief that Northrop received under the Katrina Emergency Tax Relief Act of 2005. Because the Tax Relief Act “was conceived as an incentive to retain employees rather than compensation for a loss,” the court found that the credit received by Northrop was “not a ‘recovery’ or ‘collection for such loss from others’ under the policy language.”

Subrogation clauses are another type of provision on which insurers may rely to claim entitlement to an offset. Such a clause typically provides that “if any person or organization to or for whom we make a payment under this Coverage Part has rights to recover damages from another, those rights are transferred to us to the extent of our payment.” Addressing an offset claim under this language, a Louisiana federal court held that the insurer, RSUI, needed to establish that the policyholder had a “right to recover damages” from the other source.

In Cameron Parish Sch. Bd. v. RSUI Indem. Co.,[2] CPSB was entitled to recovery under its flood insurance policy and received assistance from the Federal Emergency Management Agency policy (“FEMA”) in the wake of Hurricane Rita. RSUI argued that it was entitled to an offset because CPSB was attempting to “re-characterize and ‘double recover’ alleged losses . . . that [were] already [] allotted or promised from FEMA.” The court rejected this argument, holding that “RSUI has not demonstrated that CPSB has a ‘right to recover damages’ from FEMA, and as such, RSUI is not entitled to receive an offset for FEMA funds.” The insurer failed to present evidence of FEMA payments or cite any authority where an insurer was entitled to receive an offset from FEMA payments.

Determining whether CARES Act payments create offset rights for insurers can be impacted by the section under which payment is made and how the recipient ultimately spends the money. For example, one of the most popular sections of the Act is the Small Business Paycheck Protection Program, which is generally open to small businesses with 500 or fewer employees. Funds are provided in the form of loans that will be fully forgiven when used for payroll costs, interest on mortgages, rent, and utilities. At least 75% of the forgiven amount, however, must have been used for payroll. None of these elements are expressly intended to compensate businesses for lost income due to the COVID-19 pandemic. But this is where the policy language becomes key. Business interruption policies may address some of these elements, potentially creating room for debate as to whether an offset is appropriate. Other policies, however, provide coverage entirely unrelated to the compensation that a business might receive under the CARES Act. The greater the distinction between the coverage and the statutory payment, the less likely it is that an offset is due.

Regardless of the type of policy provision at issue, the burden of proving entitlement to an offset will almost uniformly fall to the insurance company. And, as is the case in most jurisdictions, any uncertainty will be interpreted in favor of the policyholder and broader coverage. This was precisely the case in Yorktowne Shopping Ctr., LLC v. Nat’l Sur. Corp.,[3] where the court ruled in the insured’s favor after the insurer failed to demonstrate which portions of a separate recovery entitled the carrier to an offset. Policyholders are placed at an advantage from the outset, as the evidentiary burden and the benefit of the doubt are both in the insured’s favor.

Though insurance companies may seek to deduct any CARES Act recoveries from their insurance payouts, the inquiry is more nuanced than simple arithmetic. Carriers will be quick to point the accusatory “double recovery” finger at policyholders to ensure that they pay out as little as possible. But the “double recovery” accusation assumes the answer. Policyholders, in turn, must be prepared to show that a setoff is not warranted. Ultimately, courts will have to carefully consider whether there is overlap between the statutory payment and the insurance coverage at issue and if there is a basis in the insurance policy to allow the insurer to an offset or to otherwise reduce the loss it is obligated to pay. As with many other aspects of COVID-19 and its ramifications, it is too early to tell how all of the different insurance angles will play out.

[1] Northrop Grumman Corp. v. Factory Mut. Ins. Co., No. CV 05-08444 DDP PLAX, 2013 WL 3946103 (C.D. Cal. Jul. 31, 2013).

[2] Cameron Parish Sch. Bd. v. RSUI Indem. Co., No. 2:06 CV 1970, 2008 WL 4622328 (W.D. La. Oct. 16, 2008).

[3] Yorktowne Shopping Ctr., LLC v. Nat’l Sur. Corp., No. 1:10-CV-1333, 2011 WL 4829933 (E.D. Va. Oct. 11, 2011) (noting that the party who asserts an offset must prove its claim, and that the insurer failed to offer sufficient evidence to show which portions of a separate judgment and security deposit required an offset under its policy).

Throughout the 20th and 21st centuries, every national crisis in the United States has left a long wake of investigations in its trail at all levels of government. Those governmental investigations and enforcement actions have followed a familiar pattern when arising out of a public crisis.

First, investigative and regulatory bodies at both the federal and state levels target the obvious scammers. In the context of the COVID-19 crisis, this includes obvious frauds such as selling snake oil as a panacea to COVID-19; selling fake tests to consumers and to states; and promising to deliver medical supplies to hospitals, receiving payment from the government, and then disappearing before ever delivering the goods. This “first wave” of enforcement actions generally takes priority among regulators because the conduct at issue directly impacts public safety. Indeed, the Office of the Inspector General (OIG) announced a “strategic plan” outlining the following four goals relating to the enforcement and protection of the Department of Health & Human Services’ (HHS) COVID-19 response and recovery efforts: (1) protect people, (2) protect funds, (3) protect infrastructure, and (4) promote effectiveness of HHS programs—now and into the future.[1] Unsurprisingly, COVID-19’s first wave has already begun.[2]

Once the first wave is well underway, the government shifts focus to its next target: the more reputable companies and businesses operating in a potentially “grey” area. Typically, the targets of these cases believe they complied with the law but have a genuine disagreement with the government about how a law, regulation, or contractual condition should apply or be interpreted. Although these cases are more resource-intensive, they correspondingly present an opportunity for the government to recover larger amounts of money and generate bigger headlines. These cases constitute the “second wave” of enforcement; notably, most investigative and regulatory bodies follow this two-wave paradigm, whether it be the U.S. Department of Justice (DOJ), the state attorneys general, the Federal Trade Commission, the Consumer Financial Protection Bureau, or the most recent player, local governments.

In the context of the COVID-19 crisis, the second wave is coming, and when it hits, it will be a tsunami.

1. What the COVID-19 Tsunami Will Look Like

The second wave of the COVID-19 crisis is likely to be more extreme and long-lasting than ever before. The factors leading up to the second wave are unprecedented in our history—the federal government has disbursed trillions of dollars to the private sector with minimal federal oversight—and those factors create an environment that is ripe for downstream allegations of fraud. The federal government will have a groundswell of public support to exact retribution against those companies and individuals who took advantage of the public trust during the crisis. In parallel, state and local governments are starving for revenue as a result of severe budget shortfalls caused by COVID-19. As such, the need for funding will usher in an unparalleled era of state and local enforcement action, where states, led by state attorneys general, and localities will rely on lawsuits and investigations as a means of recapturing lost revenue for both consumers and the governmental entities more so than ever before.

A. The Federal Government’s Disbursement of Funds

Whenever the federal government disburses funds to private actors, especially at alarming rates, an environment exists for fraud to flourish because those funds are typically disbursed with numerous conditions tied to them. Such conditions can take the form of details in the statute, regulations promulgated by agencies, or even less formal regulatory guidance. Yet, the risk that many companies accepting those funds run is the failure to comply, even inadvertently, with the “fine print,” thus exposing them to claims of having wronged the government.

In such times, the federal government will turn to a familiar and favorite tool in its box: the Federal False Claims Act (FCA), 31 U.S.C. § 3729–3733. The FCA is no stranger to the healthcare, medical device, or pharmaceutical industries in that the DOJ has used it extensively for decades to successfully combat fraudulent claims for reimbursement submitted to Medicare, Medicaid, TRICARE, and other governmental payors, and to recover tens of billions of dollars in the process. The FCA is a particularly potent tool because it enables the federal government to recover not only treble damages, but also statutory penalties of $5,500 to $11,000 per violation. The crippling exposure that the FCA often generates, sometimes in the billions, is enough to strongarm most companies into lucrative settlements, even where those companies have highly meritorious defenses.

This tool is likely to be front and center in the investigations and enforcement space over the next five to ten years. In the first three months of the COVID-19 crisis, the federal government disbursed trillions of dollars to stimulate the economy to save small businesses and to facilitate the transfer of personal protective equipment (PPE), ventilators, testing, swabs, prescription drugs, and other medical supplies to states and localities. In an effort to contribute during the national crisis, numerous companies have answered the call to provide the necessary medical supplies that states and the nation required to save lives, accepting federal government dollars as payment for those services.

To the extent those companies did not fully comply with all of the terms and conditions of taking those funds, however, they face the very real risk of allegations of fraud or other impropriety by employee whistleblowers or the federal government. That risk is heightened by the speed at which these contracts were executed and funds received, where there often was insufficient time for a thorough review of the associated obligations by outside counsel or even in-house legal departments in some cases.

For these reasons, a spike in FCA investigations and lawsuits is likely coming. Indeed, the OIG has already stated its intentions to audit fund recipients in connection with its goal of protecting HHS funds.[3] Although no industry is immune, the healthcare, pharmaceutical, biotech, and medical supply industries are especially at risk; similarly, companies that participate in the manufacturing, distribution, and brokerage of medical equipment are likely to be hard hit. In the same vein, hospitals, long-term care facilities, testing labs, and nursing homes must be on high alert.

B. The State Response and the Role of State Attorneys General

States, meanwhile, are in dire straits as a result of budget shortfalls caused by COVID-19. The impact will likely continue to plague states for at least the next three to five years. The stay-at-home orders across the country have decreased sales tax revenue, delayed deadlines for filing state income tax returns and paying state income taxes due, and vastly reduced the use of public transportation and toll roads. At the same time, the federal government has largely required the states to assume the responsibility for procuring PPE, tests, ventilators, and other medical supplies at their own expense. Neither the CARES Act nor other federal legislation disbursing federal funds provided significant relief to the states in this regard.

Making matters worse, many states claim to be victims of fraud and contractual breaches at the hands of the private sector. The governor of Massachusetts, for example, claimed that “millions of pieces of [medical] gear evaporate[d] in front of us” after confirmed orders with private vendors. Likewise, Maryland canceled a $12.5 million contract for PPE with a firm that allegedly failed to deliver masks and ventilators as promised. That matter has already been referred to Maryland’s attorney general for review.

States, though, have more ability than ever to combat these two problems simultaneously. Most states have noticed the potency of the federal FCA and enacted state analogs to that statute over the past three decades; however, only recently have states started enforcing them aggressively. That trend is likely to intensify because the state false claims acts empower states to recover treble damages and statutory penalties of approximately $5,500 to $12,000 dollars per violation against actors who defraud the state—a windfall in this era where states are desperate for dollars. Even some large localities, like Miami-Dade and Philadelphia, have tagged along and implemented analogous ordinances, and like their federal counterpart, the exposure generated by these state and local false claims acts often force companies to the settlement table, even where they have worthwhile legal defenses. Such settlements, even at the state or local level, are rarely cheap. Consequently, states and localities will have incentive to file claims under these statutes to pursue revenue windfalls that can help offset their budgetary gaps.

In addition, state attorneys general have ratcheted up enforcement actions in recent years. In addition to prosecuting cases under the state false claims acts, state attorneys general also have power to bring actions against companies that are reported for violations that harm consumers under state consumer protection acts. In light of the public harm that COVID-19 has inflicted, consumer protection act cases are likely to skyrocket in coming months. For these reasons, companies must look not only at the activity of DOJ and federal regulatory bodies, but also at enforcement trends and activity commencing at the state and local level.

Together, the forthcoming investigation and enforcement actions by the federal, state, and local governments will create a tsunami, the likes of which the private sector has never seen.

2. How Companies Can Prepare

There are several steps companies can take to reduce the risk of, and defend against, regulatory inquiries:

• Prioritize compliance programs and involve both the compliance department and in-house legal department in all aspects of decision-making during the COVID-19 crisis, including the decision to accept federal funds. Document in detail decisions that were made and the reasons for doing so.
• Carefully consider all aspects of accepting federal funds, including the statutory, regulatory, and contractual terms implicated by that acceptance. Closely scrutinize any submission to a government actor that could be construed as a misrepresentation or material omission.
• Ensure complete transparency when interacting with federal, state, and local government actors when a government contract or public funds are involved.
• Carefully think through the ethical or moral implications of decisions involving governmental funds or contracts. Dilemmas raising ethical or moral considerations are the type to generate media coverage and public interest when a company makes a controversial decision and are also the type that can catch the attention of regulators.
• Seek the outside advice of someone with expertise in this area of the law when confronting novel or thorny issues that implicate the federal, state, or local government.
• Monitor settlements and enforcement actions because they will provide visibility into ongoing regulatory trends.

[1] See OIG Strategic Plan: Oversight of COVID-19 Response and Recovery (May 2020), at 2.

[2] See, e.g., United States v. Purity Health & Wellness Ctrs., Inc., No. 3:20-cv-00985-L (N.D. Tex. filed Apr. 22, 2020) (seeking injunctive relief of alleged scheme to defraud where defendants purportedly sold “ozone therapy” as a preventative and cure to COVID-19); DOJ Press Releases, Georgia Man Arrested for Orchestrating Scheme to Defraud Health Care Benefit Programs Related to COVID-19 and Genetic Cancer Testing (Mar. 30, 2020) (defendant allegedly conspired to be paid kickbacks on a per-test basis for COVID-19 tests bundled with more expensive respiratory tests incapable of diagnosing and treating COVID-19); Georgia Woman Arrested for Role in Scheme to Defraud Health Care Benefit Programs Related to Cancer Genetic Testing and COVID-19 Testing (May 15, 2020) (defendant allegedly sought to pay and receive illegal kickbacks in exchange for referring Medicare beneficiaries for COVID-19 tests); New Jersey Man Arrested For $45 Million Scheme to Defraud and Price Gouge New York City During COVID-19 Pandemic (May 26, 2020) (alleging used-car salesman lied about his authority to sell large quantities of PPE to New York City at grossly inflated prices).

[3] See OIG Strategic Plan: Oversight of COVID-19 Response and Recovery (May 2020), at 3.

Among the interesting data points highlighted in a new report on M&A appraisal litigation in Delaware is the steep decline in both appraisal petitions and cases since 2016.[1] That year, the Delaware Court of Chancery saw its highest-ever number of petitions (76) and cases (47), but over the past two years, those numbers have declined significantly. There were only 26 petitions in 2018, the lowest number since 2012; likewise, cases decreased to their 2012 levels as well. What explains this multiyear decline?

The Delaware Supreme Court’s reversal in DFC Global Corporation v. Muirfield Value Partners L.P.,[2] an appraisal decision on the 2014 acquisition of DFC Global Corporation, occurred in August 2017, and it is likely no mere coincidence that the trend line for appraisal petitions entered its swoon shortly thereafter. In DFC, the Chancery Court gave less weight to the deal price in favor of a “blend of three imperfect techniques”—including deal price, company valuation, and discounted cash flow (DCF) valuation, each equally weighted—and then proceeded to reach a deal price of $10.30 per share, an 8.4 percent premium over the deal price of $9.50 per share.

On appeal, the Delaware Supreme Court reversed and remanded. Chief Judge Leo Strine stopped short of embracing a full-scale presumption in the accuracy and reliability of deal price, but did make clear that under the prevailing circumstances, deal price should receive greater weight. He reasoned that “[m]arket prices are typically viewed superior to other valuation techniques because, unlike [for example], a single person’s discounted cash flow model, the market price should distill the collective judgment of the many based on all the publicly available information about a given company and the value of its shares.”

Furthermore, because the “Court of Chancery found that the sales process was robust and conflict-free,” the Supreme Court found no reason to justify giving the deal price merely one-third weight. The Supreme Court concluded its decision by rejecting the Chancery Court’s argument that the nature of the buyer—in this case, a private equity firm—reduced the fairness of the deal price because a private equity firm’s willingness to pay a certain price does not necessarily equate with an unfair value.

The Delaware Supreme Court’s stance on the primacy of deal price in DFC was further clarified shortly thereafter when the court weighed-in once more in Dell, Inc. v. Magnetar Global Event Driven Master Fund Ltd.,[3] again reversing the Chancery Court’s decision and reaffirming its view of deal price as a useful metric, yet again stopping short of endorsing it as the sole and decisive metric. Ignoring both the company’s pre-deal announcement stock price and the deal price in reaching its fair value determination of $17.62—a 28.1-percent premium over the deal price of $13.75—the Chancery Court relied instead on its own DCF analysis. The Supreme Court reversed, holding that the record “suggested that the deal price deserved heavy, if not dispositive, weight.” As in DFC, however, the Supreme Court in Dell refrained from giving full weight to the deal price, stating that creating a presumption in favor of deal price runs afoul of the Delaware appraisal statute’s guidance to “consider all relevant factors.” Nevertheless, the Supreme Court cautioned that in particular cases, one factor—such as the deal price—may rise above others in terms of importance, depending on the evidence supported by the record. The Supreme Court also criticized the Chancery Court’s decision to award a fair value that is higher than what the market was willing to pay for Dell’s stock, taking a position that both courts would later endorse.

These two reversals form the backdrop against which we have seen the rapid decrease in appraisal litigation in Delaware. For those who might have hoped for a signal from the Delaware Supreme Court that it is backtracking on its embrace of deal price, the court’s April 2019 en banc opinion in Verition Partners Master Fund Ltd. v. Aruba Networks, Inc.[4] provides very little reason to believe the court is growing more skeptical of the primacy of deal price. Although the Aruba decision sheds light on the Supreme Court’s existing precedent, it leaves some related questions unanswered, particularly regarding target valuation in the take-private context.

Like DFC and Dell, which were decided while the Aruba appeal was still pending, Aruba involved a Delaware statutory appraisal claim by the shareholders of Aruba Networks, Inc. following its acquisition by Hewlett-Packard. Notwithstanding the precedent established in DFC and Dell, the Chancery Court ultimately relied solely on the unaffected trading price of the seller leading up to the transaction—that is, the average trading price of Aruba Networks’ shares during the 30 days prior to when the news of the merger with HP emerged. The Chancery Court considered two other valuation methods, including the parties’ competing DCF analyses and the merger price less synergies, but dismissed both as unreliable measures of fair value.

The Supreme Court once again reversed in an unusually combative opinion. Rejecting the Chancery Court’s reliance on Aruba Networks’ market price, the court reiterated the position it expressed in Dell that market prices “can be a proxy for fair value” and that “the price a stock trades in an efficient market is an important indicator of its economic value that should be given weight.” The Delaware Supreme Court concluded that Vice Chancellor Laster erred in finding “that an informationally efficient market price invariably reflects the company’s fair value in an appraisal.” Conversely, the Supreme Court reiterated that an efficient market price “further informed by the efforts of arm’s-length buyers” to find a fair deal price based on a diligence-driven analysis “is even more likely to be indicative of so-called fundamental value.” In other words, “after a process in which interested buyers all had a fair and viable opportunity to bid, the deal price is a strong indicator of fair value, as a matter of economic reality and theory.” The court made clear that its decisions in DFC and Dell did not compel “rote reliance” on market price when calculating fair value, but clearly held the conclusion that deal price less synergies is the best method to assess Aruba’s going concern value, where “synergies” is defined as “other value the Buyer expects from changes it plans to make to a company’s ‘going-concern’ business plan.” The valuation of such synergies is a matter of fact to be assessed based on the record.

Among its many noteworthy takeaways, Aruba strengthens the focus on deal price in an arm’s-length transaction and goes a step further than DFC and Dell by deducting the synergies from the deal price in order to get to the fair value price. Though critical of the Chancery Court’s opinion, the Delaware Supreme Court sides with the Chancery Court’s position—and reinforces recent Delaware jurisprudence—by holding that the deal price should act as a ceiling for a valuation, a result that will likely reinforce the trend in place since 2016 toward decreasing numbers of appraisal petitions. For example, the Supreme Court’s fair value appraisal in Aruba resulted in a 22.6-percent reduction from the deal price, an outcome that would remind petitioners not to overly rely on the statutory appraisal right, especially if there is no clear and convincing basis for such an appraisal claim.

However, Aruba did backtrack in one notable instance. In a clear change of positions, the Supreme Court in Aruba agreed with past Chancery Court arguments, noting that the type of buyer—such as a private equity firm versus public company—might impact the fair value determination because the synergies to be deducted from the deal price could be different based on the new owner. Unlike the case of a public company buyer with characteristically broad stock ownership, ownership of companies in the private equity setting tends to be far more concentrated, which can create efficiency and reduce agency costs. This circumstance can lead to a potentially different calculation for the cost of synergies to be deducted from the deal price. How this precedent will be applied to the valuation of targets in take-private transactions is not entirely clear from the recent jurisprudence, but we see no reason to believe that a return to 2016 levels of appraisal litigation is in the offing.

Chauncey M. Lane is a partner in the Dallas office of Reed Smith LLP. He regularly advises domestic and international clients on buy- and sell-side mergers, divestitures, asset acquisitions, going-private transactions, debt and equity offerings, and corporate governance. He also counsels fund sponsors on all aspects of fund formation, capital raises, and investment adviser compliance, often serving as outside general counsel.

George Khoukaz is an associate in the Kansas City office of Husch Blackwell LLP and a member of the firm’s Corporate and Securities practice group. He regularly advises domestic and international clients on complex commercial and capital market transactions.

This article has been published in PLI Current: The Journal of PLI Press, Vol. 4, No. 1 (2020).

[1] Cornerstone Research, Appraisal Litigation in Delaware: Trends in Petitions and Opinions 2006-2018 (2019).

[2] DFC Glob. Corp. v. Muirfield Value Partners L.P., 172 A.3d 346 (Del. 2017).

[3] Dell, Inc. v. Magnetar Glob. Event Driven Master Fund Ltd., 177 A.3d 1 (Del. 2017).

[4] Verition Partners Master Fund Ltd. v. Aruba Networks, Inc., No. 368, 2018 (Apr. 16, 2019) (per curiam).

The COVID-19 pandemic has had a disparate effect on privacy regulators, with varying levels of enforcement advocated by different government entities. The California Attorney General, the U.S. Department of Health and Human Services (HHS), European data protection authorities, and other regulators have taken different, often contradictory, approaches to dealing with the competing interests of a struggling economy and the threat of increased privacy and cybersecurity violations. These contradictions are likely to persist, as competing privacy legislation was recently introduced in Congress to regulate the collection and use of personal information during the COVID-19 pandemic.

Businesses struggling with the virus’s economic impact are striving to allocate resources for maximum financial benefit; simultaneously, risks to personal information and privacy rights have increased in a remote global workforce where phishing, malware, and other cyberattacks proliferate and the political pressure to collect and track medical information regarding COVID-19 infections mounts. With the seemingly competing interests of protecting the bottom line and addressing a heightened threat to privacy, some privacy regulators are responding to these new realities by relaxing enforcement efforts, while others decline to do so in recognition of the current risk to privacy and information security.

Below is an update on how different regulators have responded regarding enforcement since the COVID-19 national emergency was declared.

The California Attorney General Remains Steadfast on the California Consumer Privacy Act

The California Attorney General has declared that despite the pandemic, it will not delay enforcement of the California Consumer Privacy Act (CCPA), which is set to begin on July 1.

In late March, as the extent of the COVID-19 pandemic was becoming clear, a joint industry letter by advertising and adtech trade associations asked the Attorney General’s office to delay enforcement of the CCPA until 2021. The letter highlighted that “[t]he public health crisis brought on by COVID-19 juxtaposed with the quickly approaching enforcement date for the CCPA places business leaders in a difficult position. They are forced to consider trade-offs between decisions that are best for their employees and the world at-large and decisions that may help the organizations they lead avoid costly and resource intensive enforcement actions.”

In an email to Forbes magazine, an advisor to the Attorney General responded, “Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first … We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.”

On June 2, 2020, the Office of the Attorney General announced that it had submitted the Final Text of the Proposed Regulations to the California Office of Administrative Law (OAL) for approval. The Office of the Attorney General requested an expedited review period of thirty (30) business days which, if approved, means the Final Text of the Proposed Regulations could become effective in mid-July. With less than 30 days until the planned enforcement date, businesses subject to the CCPA should ensure that their CCPA compliance efforts remain on track. As a further incentive to ensure your compliance framework is in place, the California Privacy Rights Act (CPRA), commonly referred to as CCPA 2.0, has garnered enough signatures to appear on the November 2020 ballot in the state of California. Among other measures, the CPRA would create a new enforcement agency (the California Privacy Protection Agency), expand data breach liability, and impose additional obligations on service providers, third parties, and contractors. In a nod to the business community, the CPRA would extent the current moratoriums on certain employee and business-to-business data from 2021 to 2023.

European Regulators Signal Flexibility

The European Data Protection Board (EDPB), an agency created under the General Data Protection Regulation, issued a statement on the processing of personal data in the context of COVID-19. The EDPB stated that even during this pandemic, data controllers and processors must ensure the lawful processing of personal data, but it also noted that an “emergency” might legitimize “the restriction of freedoms provided these restrictions are proportionate and limited to the emergency period.”

The EDPB provided clarification on how public health authorities and employers can process personal data in the context of a pandemic, pointing to legal bases such as processing pursuant to a legal mandate of a public authority and compliance with health and safety obligations that are in the public interest.

The EDPB also issued two new guidelines: (1) “Guidelines 03/2020” on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak and (2) “Guidelines 04/2020“on the use of location data and contact tracing tools in the context of the COVID-19 outbreak. “Guidelines 03/2020” allows health data to be processed for the purpose of scientific research with the consent of the data subject, as long as there is not a significant power imbalance, or without consent for the purpose of complying with national legislation. “Guidelines 04/2020” discusses the use and collection of location data to map the spread of the virus and contact tracing for notification purposes. The guidelines provide that contact tracing applications should be voluntary, rely on proximity information regarding users rather than tracing individual movements, and grant preference to processing anonymized data where possible. The EDPB emphasized in its guidance that response to the crisis and protection of the right to privacy are not mutually exclusive.

Data protection authorities in nearly all EU member states and the United Kingdom have issued similar guidance on the processing and sharing of personal data related to COVID-19. Organizations should continue to monitor guidance issued by the EDPB, the United Kingdom, and national data protection authorities in the countries in which organizations have a presence.

Department of Health and Human Services Relaxes Enforcement of the Health Insurance Portability and Accountability Act

Perhaps the most critical response to the COVID-19 pandemic has been from the Office of Civil Rights in HHS, which is charged with the enforcement of the Health Insurance Portability and Accountability Act (HIPAA). Compounding the conflict between the conservation of resources to protect the bottom line and heightened privacy concerns in the crisis is a third element in play under HIPAA: the critical role of protecting the privacy and security of personal medical and health information as the crisis escalated.

While covered health care entities must continue to comply with the privacy and security rules under HIPAA, HHS has issued guidance and relied on its discretion to relax enforcement and waive penalties for community-based testing sites, public health and health oversight activities conducted by business associates, disclosures made to law enforcement and first responders, and telehealth service providers. With the proliferation of telehealth services during the pandemic, it remains to be seen whether HHS will extend its policy of relaxed enforcement after the emergency has subsided.

Federal Trade Commission Warns of Increasing Threat

On May 19, the Federal Trade Commission (FTC) issued a public warning regarding scammers posing as contact tracers hired by state governments to obtain personal information such as Social Security Numbers from unsuspecting individuals. A few days later, in coordination with the Federal Communications Commission, the FTC instructed service providers that enable robocalling to terminate services to any customers exploiting the pandemic to obtain sensitive information from individuals, threatening such providers with “serious consequences” for failure to comply. These recent statements by the FTC follow warnings of surging complaints since the beginning of the year (upward of 18,000 as of mid-April) related to the coronavirus and signals of increased enforcement activity by the agency.

Congress Proposes Competing COVID-19 Privacy Legislation

Reflecting the larger clash of interests, conflicting privacy legislation is currently pending in both houses of Congress. The COVID-19 Consumer Data Protection Act, introduced by Republican senators in May, seeks to regulate the collection and processing of personal health information, geolocation data, identifiers, and other data during the health emergency. Shortly thereafter, Democratic members of the House proposed the Public Health Emergency Privacy Act, which would broadly regulate “data linked or reasonably linkable to an individual or device, including data inferred or derived about an individual or device.” Most notably, the House bill includes a private right of action (a right not included in the Senate bill). Then, on June 1, 2020, Senators from both sides of the aisle introduced another Senate bill called the Exposure Notification Privacy Act (ENPA), which would regulate contact tracing and exposure-notification apps. Among other obligations, the ENPA would require affirmative express consent to collect data from an individual including COVID-19 status and geolocation, and includes restrictions on how such data may be used. Despite their differences, the speed at which these three bills were introduced underscores the urgency in Congress to address contact tracing technologies and holding government and businesses accountable for how collected personal information is used. Congress has not yet succeeded in passing national privacy legislation. Nonetheless, given the current exigent circumstances, if any one of the proposed bills is passed, it could form the basis for a future, more expansive general privacy legislation at the federal level.

What You Need to Know

• The CCPA is set to become enforceable on July 1. If your business is regulated by the CCPA, you have a limited window to comply.
• Government authorities have pursued different, frequently contradictory, approaches to enforcing data privacy and cybersecurity regulations during the COVID-19 pandemic.
• It is imperative that you understand the data privacy and cybersecurity regulations applicable to your business and develop creative compliance programs that respect the integrity and security of personal information and maximize its value to your business.
• If the potential for new federal privacy legislation is realized, additional regulations will be forthcoming, including regulation of contact tracing programs to combat the COVID-19 pandemic.

As the world grapples with the continued spread of COVID-19, along with the unsettling public health and economic concerns, there are a number of uncertainties surrounding data security and privacy.* Efforts to contain the virus differ from country to country, as do the strategies surrounding the collection of data to aid in “contact tracing” that will surely be the subject of debate for years to come, with legal experts defining—or redefining—just how far governments and tech companies can go.

In order to counter the threat of the virus, countries have been adopting drastic measures, such as utilizing geolocation data and social contact history, leading to a number of complex privacy questions for both public and private entities involved in the process. This has created a substantial need for clarity from legal professionals and data protection authorities (DPAs) across the globe, many of whom are publishing guidance on best practices for collecting and processing personal data related to COVID-19 in order to stay in line with obligations under privacy and data security laws.

Most discussed in the public eye currently is Google and Apple’s recent announcement about their extensive coronavirus partnership. In the next few months, they will unveil updates to their operating systems to enable contact tracing to help identify carriers of the virus so they can be isolated from the public. It works by tracking with whom one comes into contact by recording where one’s Bluetooth connects with other nearby devices. Once approved, government health agencies will be able to utilize the app to track physical proximity among phones. The system is Bluetooth-only, fully opt-in, and collects no location data from users.

It all sounds good in theory; however, security experts are pointing to potential flaws in the system, including techniques that could reveal the identities of COVID-19-positive users and help advertisers track them, or invent false positives from users with malicious intent.

Most countries affected by COVID-19 are adopting their own version of contact tracing, and nearly all are going digital and leveraging the power of smartphones through Bluetooth or geolocation data. The Google and Apple announcement has propelled public attention and concern on the topic of privacy laws.

Governments Consider Surveillance Methods That Push Limits

In China, telecommunications organizations helped the government track and contact those who had traveled through Hubei province in the early days of the virus. Location data was then channeled to China’s Health Commission, which allowed them to trace the steps of those infected.

In Israel, the government passed an emergency law to use mobile phone data to track those who test positive for COVID-19 as well as identify others with whom they have come into contact and may have infected. This method has typically been reserved to counter-terrorism operations, but it is now being used to track infected patients and their phone contacts. If someone found to be positive for COVID-19—or someone who was in close contact with one—disobeys quarantine, they receive a text message or call ordering them to return home. If they don’t, the police are called.

Since the start of the pandemic, countries to the west have been paying close attention to how countries like China and Israel have used data collection and apps as part of their public health response. Many critics have raised concerns about privacy and potential illegal use of data, especially as the virus has spread through Europe and the United States.

The European Union and a “Pan-European” Approach

In the European Union, contact tracing must be compliant with the EU’s privacy law, the General Data Protection Regulation (GDPR), as well as separate laws specific to the given EU country. Still, EU nations can make their own exceptions to the rules temporarily for emergencies. For example, Italy adopted a decree to address the intersection between the GDPR and COVID-19, the need for processing special categories of personal data, and how some data-protection rights could be halted to combat the coronavirus.

GDPR Article 6 provides that processing personal data without consent is lawful where it is necessary for compliance with a legal obligation to protect the public interest or to protect an individual. In fact, it provides specific language on not needing consent for monitoring epidemics, pandemics, and their spread, or in situation of humanitarian emergencies.

Earlier this month, Human Rights Watch and more than 100 other organizations issued a joint call for legal protections on how government can use digital surveillance, including mobile phone location data, to fight the pandemic. Europe is under intense scrutiny by these groups as the European Commission scrambles to develop coronavirus tracking apps, seeking an “EU approach” to contain the disease. As a result, hundreds of researchers from eight countries in Europe have been working on the Pan-European Privacy Preserving Proximity Tracing Project (PEPP-PT) to develop a single app that any county can use and that is compliant with EU privacy laws.

U.S. Law

Although there is no main data-protection law at the federal level in the United States like the GDPR, there are several federal and state laws that offer privacy protection to certain types of data, like health information, employment, and location data.

As the United States continues to control the spread of the virus and develop plans to potentially reopen the economy, government agencies have put into place—or contemplated—a variety of tracking and surveillance technology that examines the limits of personal privacy—everything from geolocation tracking that oversees the location of people through their mobile devices, to facial-recognition programs that analyze pictures to determine who may have come into contact with those who later test positive for the coronavirus. In fact, we know that data-mining firm Palantir Inc. has worked with the Centers for Disease Control and Prevention (CDC) to model the virus and its outbreak and continues to do so.

This is leading to a struggle among those in the tech industry and among government officials to find a balance between the deployment of technology and safeguarding patients’ data, specifically medical information. At the same time, privacy advocates worry that little has been announced about what has already been implemented or about to be deployed as governors across the country determine when and how to reopen their states.

Healthcare and Location Data Biggest Concern in United States

Just like in the European Union, the United States has issued guidance on privacy and data security relating to COVID-19. The Department of Health and Human Services (HHS) has waived sanctions and penalties against covered hospitals for certain provisions under HIPAA. The waiver includes the requirement to obtain a patient’s consent before speaking with friends or family members about care, the requirement to distribute a notice of privacy practices, the patient’s right to request privacy limitations, and the patient’s right to request confidential communications.

As the crisis continues in the United States, much-needed additional guidance is being issued by local, state, and federal agencies.

The United States does have The Health Insurance Portability and Accountability Act Privacy Rule, which protects the privacy of a patient’s health information, although its protections are not unconditional. Just this past February, HHS released a bulletin outlining when disclosure of health data is permitted, which includes for public health reasons and “to prevent an imminent threat.”

The U.S. Constitution, specifically the Fourth Amendment, also protects certain expectations of privacy, including one’s physical location. Reference Carpenter vs. U.S., for example, in which the U.S. Supreme Court looked at how to apply the Fourth Amendment to cell phone records, particularly cell-site location information (that looks at a person’s past movements). The government had obtained the records as part of a criminal investigation and argued Carpenter should not have an expectation of privacy in them because he voluntarily provided it to third parties (cell phone carriers). However, the Supreme Court ultimately ruled that the government invaded Carpenter’s reasonable expectation of privacy when it accessed cell-site location information from wireless carriers.

It is likely that as COVID-19 cases continue to exist, creating the need for contact tracing, there will be more discussion in the United States on privacy interests like those discussed in the Carpenter case. As such, the need to quickly address it because of this public health issue seems likely as well.

Main Takeaways

It is evident that contact tracing and testing technology will very much play a role in forming a sound, strong recovery strategy. Understanding what our privacy laws require in specific situations, like pandemics or public emergencies, as well as how they are applied are going to be crucial to continue managing COVID-19 and reopening our economies.

By tapping into people’s phones and medical records, researchers and public health authorities are hoping to quickly identify potentially infected patients and curb the pandemic. In fact, the federal agency in the United States in charge of policing data breaches already announced it will back off enforcement of some privacy rules to make it easier for healthcare facilities and their vendors to share patient records with public health officials.

Scaling back of these health privacy rules—and justifying them during a crisis—raises the question of what happens when the pandemic ends. Will life return to normal, or will we redefine what we historically knew as our right to privacy? Will we have another version of the Patriot Act in the United States? Will we have countries around the world tracing their citizens movements freely under the excuse of this pandemic?

On a more positive note, how will countries across the globe learn from one another to develop best practices for tracking diseases that, hopefully, respect our privacy?

*John Neocleous is the founder and managing partner of NCI Law Group, a multinational law practice in the United States, United Kingdom, and Switzerland.

The healthcare industry remains a significant portion of the U.S. economy and will be so for the foreseeable future.* The U.S. Centers for Medicare and Medicaid Services (CMS) reported that in 2018, the overall share of U.S. gross domestic product (GDP) related to healthcare spending was 17.7 percent. Moreover, national health expenditures are projected to grow at an average annual rate of 5.4 percent for 2019–28 and to represent 19.7 percent of GDP by the end of the period. A large portion of that spending is related to payment for the provision of healthcare services. As such a large portion of the economy, both activity and interest in acquisitions of healthcare services companies has been incredibly robust for at least the last 25 years. There does not seem to be any indication of a significant slow-down any time soon. In middle-market private equity transactions alone, valuation of healthcare services companies continues to rise to unprecedented levels.

Given the large portion of the economy that healthcare represents and the market interest in acquisition activity, an understanding of the major, material healthcare regulatory risks that an acquirer might face is important to an effective and meaningful acquisition. That understanding can assist an acquirer in either eliminating risk or at least mitigating it appropriately. This article will provide a summary of those major, material health regulatory risks, some basic diligence requests to address in pretransaction diligence, and thoughts on representation and warranty issues in transaction documents.

Before discussing risks, a definition of “healthcare services” is important to understanding the types of businesses that face these risks in ways that can be material to the business. For purposes of this article, healthcare services includes businesses that provide professional/clinical healthcare services to patients; brick-and-mortar, in-patient and out-patient healthcare providers; and businesses that provide ancillary healthcare services. To be specific, these healthcare services businesses include, but are not limited to: hospitals and health systems, nursing homes, behavioral health providers, physicians and healthcare professional groups, home health and hospice providers, outpatient clinics, ambulatory surgery centers, out-patient rehabilitation, substance use disorder services, senior housing and services, and continuing-care retirement communities.

Most if not all of the aforementioned healthcare services businesses face a majority of certain material health regulatory risks. These material risks fall within five categories that include government reimbursement, fraud and abuse, licensure, excluded parties, and healthcare privacy-related issues. A summary discussion of each of these risks is contained in the sections that follow.

Category 1: Government Reimbursement

CMS, the administrator of the Medicare and Medicaid programs, is the single largest payer for healthcare services in the United States. The dollars it spends on healthcare services far exceed any other payer, including commercial payers. CMS administers the Medicare program (Parts A, B, and D) through its administrative contractors as well as through managed care plans (Part C). CMS partners with states, which partially fund Medicaid programs, to administer the Medicaid programs. In order to participate in either Medicare or state Medicaid programs, healthcare services businesses agree to comply with a significant regulatory framework mostly in the form of conditions or requirements for participation (a Regulatory Condition) as well as specific requirements relating to the submission of claims for services or supplies provided (a Claim Submission Requirement).

Material liability risks for healthcare services businesses can arise from a significant failure to meet a Regulatory Condition or a Claim Submission Requirement. Random or targeted government inspections and complaints from patients or clients can result in a citation for a failure to meet a Regulatory Condition. Those citations can culminate in civil fines that in some cases may carry per-day penalties. They can also result in potential termination from the Medicare or Medicaid program. Civil penalties can range from minor amounts to major material liabilities for the business. In that respect, understanding what, if any, (i) inspections/citations a healthcare services business has been subject to historically; and (ii) what may be currently outstanding is important to assessing risk in a possible acquisition. Failures to pay civil fines may also result in termination of participation in Medicare or Medicaid.

Complying with Claim Submission Requirements is likely one of the most important issues for healthcare services businesses that participate in government payment programs. Failures to comply can result in demands for recoupment or allegations of overpayments. In some cases, what a business may see as a simple error, the government or its contracted agents view as an intentional act to defraud. A missing provider signature or a failure to document a patient’s vital signs can result in a failure to meet a Claims Submission Requirement. These failures can be minor or they can be significant and carry millions of dollars in repayment liability.

Reimbursement diligence. In order to assess these types of risks with a potential target, acquirers should at the very least examine:

• documents relating to investigations, audits, surveys, site visits, and inquiries by governmental agencies and contractors
• documents relating to corrective action plans imposed on the business or implemented by the business
• documents relating to unpaid civil monetary penalties or administrative penalties and civil settlements
• documents relating to any self-disclosures or voluntary disclosures made to any governmental authority
• documents relating to internal audit reports of billing and coding reviews or audits
• documents relating to any third-party reports and related deliverables from consultants engaged to billing and coding audits or reviews

In addition to conducting appropriate diligence, the material transaction document should contain representations and warranties from the seller that broadly address: (i) general compliance with healthcare laws; (ii) compliance with government programs and claims filing obligations; (iii) the absence of any material overpayment or claims filing repayment obligations; and (iv) no affirmative inappropriate or illegal conduct.

Category 2: Fraud and Abuse

Fraud and abuse in the healthcare system has been a concern of federal and state regulators almost since the inception of organized health care and certainly became a significant issue with the passage of legislation creating the Medicare and Medicaid programs. Major fraud and abuse laws include the Federal Anti-Kickback Statute (AKS), 42 U.S.C. §1320a-7b(b), the Physician Self-Referral Prohibition (the Stark Law), 42 U.S.C. §1395nn, and the Criminal and Civil False Claims Acts, 18 U.S.C. §287 and 31 U.S.C. § 3729. These laws prohibit certain business practices as well as provide for penalties relating to fraudulent claims to government payment programs.

Fraud and abuse liability can come in many forms and can result in both civil and criminal liability depending on the conduct and issues at hand. Moreover, fraud and abuse liability is rarely immaterial to a transaction unless the target involved is a large business facing a civil liability, and given the size of the target, the liability will not be material to its business operations. Even in those circumstances, however, the acquirer will likely not want to inherit the liability.

Fraud and abuse diligence. In order to assess these types of risks with a potential target, acquirers should at the very least examine:

• contracts between the target and other healthcare businesses or vendors
• documents or memos analyzing any arrangement the target feels fits into a safe harbor to the AKS or exception to the Stark Law
• business relationships with physicians and other healthcare professionals whether via ownership or compensation
• business relationships with any individual or entity in a position to refer business paid for by governmental programs to the target business
• marketing activities of the target
• bonus and compensation plans
• documents relating to governmental actions and other issues mentioned in the section on Claim Submission Requirements above

In addition to representations and warranties from the seller mentioned above in relation to government reimbursement, the material transaction document should contain representations and warranties with respect to fraud and abuse matters that address: (i) specific compliance with major federal and state fraud and abuse prohibitions; (ii) the absence of adverse criminal or civil settlements or civil monetary penalties; and (iii) the absence of any threatened or current civil or criminal litigation relating to fraud and abuse matters.

Category 3: Licensure

As one of the most regulated industries in the United States, an acquirer can expect that most, if not all, of the target companies they are looking to acquire have some type of license or permit to do what they do in health care. Ensuring that a target business has the correct licenses, has complied with all of the regulatory requirements relating to retention of those licenses, and has not been subject to any type of adverse finding by a licensure authority are integral to assessing any material risk in a potential transaction.

It is important to recognize that there are simple risks relating to licensure that might result in immaterial fines. However, multiple instances of immaterial fines might add up to revocation of a license that is necessary to operate the business. As a result, understanding the target’s regulatory compliance history through appropriate diligence is important to assessing risk.

Licensure diligence. In order to assess this type of risk with a potential target, acquirers should at the very least examine:

• all current regulatory permits, licenses, certifications, accreditations, certificates of need, and other required approvals that the target may have relating to its business
• documents relating to investigations, audits, surveys, site visits, and inquiries by governmental agencies and contractors
• documents relating to corrective action plans imposed on the business or implemented by the business
• documents relating to unpaid civil monetary penalties or administrative penalties and civil settlements
• documents relating to any suspension, termination, or revocation of a license
• documents relating to any refusal to approve a license

Relative to licensure, seller’s should also provide, via the material transaction document, representations and warranties to the buyer that: (i) affirmatively state the seller has all of its required licenses; (ii) none of those required licenses have been subject to suspension, revocation, or termination; and (iii) there is no current action to suspend, revoke, or terminate a required license.

Category 4: Excluded Parties

Generally, excluded parties in the healthcare context are persons or entities (i.e., businesses) that have either been excluded from participation in federal healthcare programs or excluded from participation in federal contracts. The U.S. Department of Health and Human Services’ Office of the Inspector General (OIG) has the authority to exclude individuals and entities from participating in federal healthcare programs, which include Medicare, Medicaid, and any other healthcare program funded directly or indirectly by the federal government. Exclusion in its most basic sense means that no payment can be made for any items or services furnished, ordered, or prescribed by an excluded individual or entity. The OIG maintains a searchable list of excluded individuals and entities on its website.

In addition to OIG exclusions, the U.S. General Services Administration (GSA) maintains a comprehensive list of individuals and entities that have been excluded from participation in federal contracts. The GSA’s excluded parties list system contains a list of persons and entities that have been excluded by federal government agencies from receiving federal contracts or federally approved subcontracts, and from certain types of federal financial and nonfinancial assistance and benefits.

A target company that has in the past or is currently employing an excluded individual or has had, or has, a contract with an excluded party can have material risks associated with it. If the excluded individual or contractor “touched” (i.e., was associated with) significant federal dollars, the target entity could face material liability. Beyond simply a repayment of those associated dollars, there are also potential civil penalties that can be assessed. The civil penalties can become significant. As a result, there is a general expectation that healthcare services companies will have checked the appropriate databases periodically to screen for ineligible individuals and entities and steer clear of them.

Excluded parties diligence. In order to assess this type of risk with a potential target, acquirers should at the very least examine:

• whether the company has a process in place that screens for excluded parties
• whether the company has ever had exposure to an excluded party and how that exposure was handled

In addition to the previously described representations and warranties, the material transaction document should contain one specific to exclusions that provides that the seller has not hired an excluded party and periodically checks to ensure it is not associating with excluded parties.

Category 5: Healthcare Privacy Issues

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). HIPAA establishes national privacy standards to protect individuals’ medical records and other personal health information (PHI). It also establishes physical and electronic security standards for PHI. HIPAA applies to “Covered Entities,” which include healthcare providers, insurers, and other stakeholders that may use or disclose PHI. HIPAA requires Covered Entities to develop and follow procedures that ensure privacy and security of PHI and sets limits and conditions on the use and disclosure of PHI without patient authorization. Compliance with HIPAA is not only for Covered Entities, but also for their business associates (e.g., claims processors and bill collectors). Covered Entities that must share PHI with a business associate should have a written Business Associate Agreement (BAA) in place that requires the third party to comply with HIPAA requirements.

HIPAA violations can result in civil or criminal liability depending on the nature and extent of the violation. The civil penalties can end up being quite costly, ranging anywhere from $100 to $50,000 per violation. Additionally, Covered Entities must provide notification of a privacy breach to affected individuals, the Secretary of HHS, and in some circumstances, the media. Thus, acquirers should focus diligence efforts on existing HIPAA compliance processes and any prior or ongoing privacy-related investigations to assess not only the potential financial implications, but also the reputational implications.

Healthcare privacy diligence. In order to assess this type of risk with a potential target, acquirers should at the very least examine:

• the company’s HIPAA compliance policies and procedures covering at least the last three years
• any HIPAA training materials and information on how personnel received HIPAA training
• all BAAs in place over the last three years
• documents relating to HIPAA compliance tracking and assessment
• documents relating to any security breaches or incidents, follow-up response, and disclosure of the breaches/incidents to individuals or third parties
• list of complaints or allegations of privacy/security breaches involving the company

Given the increased scrutiny on privacy compliance, the material transaction document should contain targeted representations and warranties from the seller that address HIPAA privacy and security compliance as well as the absence of any privacy or security breaches.

An Additional Note on Regulatory Compliance Programs

Regulatory compliance programs have become an increasingly important part of the healthcare industry. Despite there not being a significant regulatory requirement to have a compliance program, healthcare service providers are strongly encouraged to make them a priority. Additionally, as providers often became subject to federal False Claims Act allegations in particular, they became more aware of the U.S. Federal Sentencing Guidelines for Organizations and the process by which the guidelines can provide some mitigation in sentencing for organizations with effective compliance and ethics programs. Moreover, the OIG embarked on a campaign to encourage healthcare services providers to voluntarily develop and implement programs through its compliance program guidance.

The purpose of compliance programs is to help healthcare services providers develop controls for adherence to applicable healthcare law. Regulatory compliance programs are designed to monitor compliance and correct compliance issues before they become a significant problem. Most importantly, well-developed and effective compliance programs have become the yard stick by which buyers can measure a target company’s “culture of compliance.” Essentially, if a buyer finds that a company has a well-developed and effective program, they can get some comfort with respect to the company’s overall regulatory compliance. As a result, most if not all buyers conduct some form of diligence relating to a seller’s regulatory compliance program.

Regulatory compliance diligence. In order to assess this type of risk with a potential target, acquirers should at the very least examine:

• whether the company has an established compliance committee and officer
• documents relating to regulatory compliance policies, procedures, and training materials
• documents relating to corporate compliance tracking, assessment, and response
• meeting minutes from the company’s compliance committee, if applicable

Although not a must-have, buyers should include in the material transaction document a targeted representation and warranty from the seller that specifically addresses the sellers implementation of a regulatory compliance program that meets OIG guidance, the federal sentencing guidelines, or both.

As transactions involving healthcare services providers increase, an understanding of the major areas of material risk discussed in this article will be an important tool for any business lawyer involved in such a transaction. This summary provides an outline for practitioners to help them ensure that important pretransaction regulatory diligence is conducted and the material transaction document allocates risk appropriately through representations and warranties.

*Ari J. Markenson, J.D., M.P.H., is a partner and co-chair of the Health Care and Life Sciences Industry Group at Winston & Strawn, LLP. Cynthia Suarez, Esq., is an associate in the Health Care and Life Sciences Industry Group at Winston & Strawn, LLP.

On May 4, 2020, U.S. Securities and Exchange Commission (“SEC”) Chairman Jay Clayton (“Chairman”) and SEC Director of the Office of Municipal Securities Rebecca Olsen (“Director”) recommending that municipal securities issuers and obligors (each of these, herein, “issuer(s)”) provide robust, timely, and accurate disclosures regarding the impact of and uncertainties caused by the COVID-19 health crisis. This statement issued on April 8 by the Chairman and the Director of the Division of Corporation Finance William Hinman concerning disclosures by public companies in light of COVID-19. Both statements urge current and, to the extent feasible, forward-looking disclosure, as outlined in the corporate issuer disclosure statement.

Most issuers in the municipal market file only (i) annual financial disclosure reports and (ii) notices of listed events listed under SEC Rule 15c2-12. The impacts of COVID-19 would generally not fall within the scope of the Rule 15c2-12 notice events, absent a severe impact such as an issuer’s rating downgrade or a missed debt service payment. In the municipal disclosure statement, the SEC urges issuers to make supplemental “voluntary, unaudited and non-routine disclosures regarding [their] current financial status and operating conditions,” and the SEC encourages issuers to make available to investors “as much information about their current financial and operating condition as is reasonably practicable.” The SEC stresses the “need for timely financial information” and observes that, due to the unpredictable nature of the pandemic and its effects on current market conditions, the practice of providing historical financial information in an annual filing may not adequately enable investors to assess an issuer’s current and projected financial state in order to make an informed investment decision.

Recognizing the higher risk of liability that might result from issuers’ enhanced required and/or voluntary disclosures, the SEC notes that such disclosures may be accompanied by “meaningful cautionary language—including, for example: (1) a description of relevant facts or assumptions affecting the reasonableness of reliance on and the materiality of the information provided, (2) a description of how certain important information may be incomplete or unknown, and (3) the process or methodology (audited vs. unaudited) used by the municipal issuer to produce the information—[which] will not only improve the quality of the disclosure but also will reduce legal and other risks.” According to the statement, the Chairman and the Director “would not expect good faith attempts to provide appropriately framed current and/or forward-looking information to be second guessed by the SEC.”

To date, issuers have filed several thousand disclosures concerning the effects of COVID-19 on the Electronic Municipal Market Access (“EMMA”) system operated by the Municipal Securities Rulemaking Board (“MSRB”), which serves as the official source for municipal securities disclosures and related market data. Following the municipal disclosure statement, we expect that issuers planning to bring bond issues to market, or that are filing annual or quarterly reports, or that are filing Rule 15c2-12 event notices, will disclose the impact of COVID-19 on their financial and operating condition in the same offering documents or required filings. Issuers who do not anticipate issuing bonds or making required disclosures in the near future should consider (i) providing voluntary disclosure on the current and reasonably anticipated future impact of COVID-19 on their financial condition and operating results, and (ii) the risks associated with providing such voluntary disclosure.

On May 22, 2020, the SEC announced that its conference entitled “Spotlight on Transparency: A Discussion of Secondary Market Municipal Securities Disclosure Practices” has been rescheduled for June 16, 2020. The conference is open to the public via live webcast from 1 p.m. to 4 p.m. ET at www.sec.gov, and will be archived on the Office of Municipal Securities webpage for later viewing. The conference will bring together a variety of municipal securities market participants, including issuers and investors, to discuss the state of secondary market disclosure in the municipal securities market, including COVID-19-related disclosure.

Certain literary or graphic characters may, in some cases, enjoy copyright protection. Think James Bond—or Batman, and even his Batmobile. Recently, the Ninth Circuit was called upon to determine whether the Moodsters, “anthropomorphized characters representing human emotions,” are subject to the same copyright protection as Batman. Sadly, the Ninth Circuit concluded they do not.

The Moodsters were created by an expert on children’s emotional intelligence and development, Denise Daniels. She created the Moodsters to “help children cope with strong emotions like loss and trauma.” In 2005, Ms. Daniels and her team released an initial product called The Moodsters Bible. The Moodsters Bible told the story of five characters who were “color-coded anthropomorphic emotions,” each representing a different emotion: pink forlove, yellow for happiness, blue for –sadness, red for anger, and green for fear. Two years later, Ms. Daniels and her team released a 30-minute television pilot featuring the Moodsters called, “The Amoodsment Mixup.” In 2015, Ms. Daniels and her team had developed a line of toys and books featuring the Moodsters that were sold at Target and other retailers.

Ms. Daniels claimed that she pitched the Moodsters concept to several entertainment companies, including the Walt Disney Company and its affiliate, Pixar, between 2005 and 2009. She claimed she had contact with Thomas Staggs, the CFO of the Walt Disney Company, and that he had informed her that he would share information about the Moodsters with Roy E. Disney, the son of Disney’s founder. Ms. Daniels also claimed that at some point she spoke with film director Pete Docter about the Moodsters.

In 2010, Disney began development of its movie Inside Out, which was released in 2015. Inside Out focuses on five anthropomorphized emotions “that live inside the mind of an 11-year-old girl named Riley.” The emotions represented are joy, fear, sadness, disgust, and anger. The film was directed by Peter Docter, who also co-wrote the screenplay. He claimed that he got the idea for the film by “the manner with which his 11-year-old daughter dealt with new emotions as she matured.”

In 2017, Daniels sued Disney for breach of implied in fact contract in connection with Inside Out. She then filed an amended complaint, which joined her company, The Moodsters Company, and sued for copyright infringement “of both the individual Moodsters characters and the ensemble as a whole.” Disney moved to dismiss, which was granted by the district court on the grounds that “The Moodsters are not protectable by copyright.” Daniels appealed that ruling to the Ninth Circuit. (This article does not address Ms. Daniels’s implied contract claim.)

The Ninth Circuit began by recognizing that, “[a]lthough characters are not an enumerated copyrightable subject matter under the Copyright Act, … there is a long history of extending copyright protection to graphically depicted characters.” For instance, the Ninth Circuit cited to its prior decision in DC Comics v. Towle, 802 F.3d 1012 (9^th Cir. 2015), in which it held that the Batmobile was entitled to copyright protection. In the Towle case, the Ninth Circuit adopted a three-pronged test for determining whether a character is entitled to copyright protection: (1) the character has “physical as well as conceptual qualities;” (2) the character is “sufficiently delineated to be recognizable as the same character whenever it appears” and “display(s) consistent identifiable character traits and attributes;” and (3) the character is “especially distinctive” and “contain[s] some unique elements of expression.” The Ninth Circuit examined whether The Moodsters satisfied this three-pronged test.

The Court recognized that Disney did not contest the first prong—that each of the individual Moodsters had physical as well as conceptual qualities. Given that they had physical qualities, “[t]he Moodsters are not mere literary characters.” 

However, it was the second prong that proved to be the biggest hurdle for Ms. Daniels and her Moodsters. The Ninth Circuit reasoned that “a character that lacks a core set of consistent and identifiable character traits and attributes is not protectable, because that character is not immediately recognizable as the same character whenever it appears.” The Ninth Circuit contrasted The Moodsters with recognizable characters like Godzilla or James Bond who, though their physical characteristics could change over time, maintain “consistent and identifiable character traits and attributes across various productions and adaptations.”

The Ninth Circuit continued by noting that the use of “a color to represent a mood or emotion is an idea that does not fall within the protection of copyright.” In fact, it noted that “the idea of color psychology is involved in everything from decorating books to marketing and color therapy,” and that “color and emotion are also frequent themes in children’s books, such as Dr. Seuss’s classic, My Many Colored Days.” The Ninth Circuit also noted that “colors themselves are not generally copyrightable” nor “is the `idea’ of an emotion copyrightable.”  Thus, the Ninth Circuit concluded that Daniels could not “copyright the idea of colors or emotions, nor [could] she copyright the idea of using colors to represent emotions where those ideas are embodied in a character without sufficient delineation or distinctiveness.”

It was this last issue, “sufficiently delineated,” that especially troubled the Ninth Circuit. First, the Court noted that the physical appearances of the Moodsters had “changed significantly over time.” When they first appeared in the 2005 Bible, they had an insect-like appearance. By the time they appeared in retail stores in 2015, they looked “like small loveable bears” with “a detective’s hat and small cape.” While the Moodsters’ representation of the five human emotions had not changed over time, the descriptions of each character had. For instance, the 2005 Bible described each character with a few short paragraphs; however, these descriptions were no longer mentioned in the 2007 television pilot. Furthermore, in every iteration of the Moodsters, they had different individual names. Finally, while initially each character related to its emotion in its own way (for instance, the “anger” Moodster would become angry), the Moodsters were “mood detectives” by 2015, trying to help a young child discover his emotions.

The Ninth Circuit then contrasted the ever-changing Moodsters with that of the Batmobile that it considered in Towle. The Court noted that over a 25-year period, “the Batmobile had numerous identifiable and consistent character traits and attributes,” and that it was always referred to as “a crime fighting car” and it had jet engines and modern weaponry; it could “navigate through landscapes impassible for an ordinary vehicle.”

Finally, even if the Ninth Circuit concluded that the Moodsters could satisfy the second prong, they would also fail the third prong in that they were not “especially distinctive.” The Ninth Circuit compared the Batmobile, which consistently had the same name over time, with the Moodsters, who had at least three entirely different sets of names over time. Therefore, they were not “especially distinctive” and could not meet the third prong of the Towle test either. 

The Ninth Circuit did disagree with the lower court, however, in its conclusion that the Towle test was the only possible analysis for determining whether a character was entitled to copyright protection. The Ninth Circuit recognized that it had decided nearly 60 years ago in Warner Bros. Pictures v. Columbia Broadcast System, 216 F.2d 945 (1954), that a character could be entitled to copyright protection if it constituted “the story being told” in a particular work. However, “a character is not copyrightable under this test where `the character is only the chessman in the game of telling the story’.” The Ninth Circuit noted that this is a “high bar since few characters so dominate the story such that it becomes essentially a character study.”

The Ninth Circuit concluded, however, that even under the Warner Bros. test, the Moodsters were not entitled to copyright protection. Given that the Moodsters were introduced in the 2005 Bible with short descriptions, “these pithy descriptions do not constitute the story being told” as required by the Warner Bros. test. By the time of the 2007 television pilot, there was even less character development such that, “The Moodsters are mere chessmen in the game of telling the story.” Thus, even under the alternative Warner Bros. test, the Moodsters were not copyrightable.

Finally, Ms. Daniels argued that even if the individual Moodsters were not copyrightable, then the ensemble of the five Moodsters should be entitled to copyright protection. The Ninth Circuit rejected this claim on the ground that whether you described the Moodsters individually or as an ensemble, it did not change the analysis as to their “distinctiveness” or the “degree of delineation.”

The Ninth Circuit’s decision in the Daniels case makes clear that it is extremely rare that a particular character will be entitled to copyright protection. Only those characters which are or have a consistent level of distinctiveness or degree of delineation could possibly qualify for copyright protection.

Clawbacks are provisions that assure a former equity owner receives fair, full consideration when it sells its equity. Such provisions enable the former owner to participate in the consideration received in a subsequent sale of the business by the remaining owner or owners.

Whether a buy-sell agreement was previously in place among equity owners or not, a departing business partner wants to be assured that at the time of sale it receives full value for its interest. In many cases, there is concern that shortly after the sale of its interest, the remaining owners will sell their interest for a significantly higher price.

Although federal and state securities laws may protect a departing owner from the remaining owners not disclosing an imminent sale, or that a higher offer has been made for the business, it is prudent for counsel for the departing owner to consider inclusion of a clawback provision in the sale agreement.

A departed shareholder may feel that his or her business efforts, or the critical capital provided, greatly contributed to the company’s growth and that dividends from those efforts will continue for at time after his or her departure. A clawback provision allows a departed owner to share in the proceeds of a later sale as if its shares were not previously sold.

From the remaining owner’s perspective, a clawback may be the final negotiated piece that convinced the departing partner to sell and that does not have an economic cost if there is no subsequent sale. If there is a subsequent sale, the clawback amount is paid by the buyer. Although the funds may come from proceeds otherwise payable to the remaining owner, hopefully the funds actually received from such sale will be sufficient to more than satisfy the owner.

Moreover, whether the sale price was fixed by prior contract or negotiated at the time of the sale, the value received by the departed owner may have been based primarily, if not exclusively, on the value of the business as a going concern with no consideration based on a potential sale. This is a common occurrence when the remaining owner states that he or she desires to continue to run the operation as a family business for the indefinite future and not with the purpose of selling to a competitor or other third party.

If there was a buy-sell provision included from the beginning of the partnership, the remaining equity owners will argue that the absence of a clawback provision in such instrument should be determinative that there should not be one added at a later time. This is not always a persuasive argument if there is no requirement to sell.

Once the decision is made to include a clawback provision in the sale document, there are many factors that should be considered in crafting such a provision.

• Whether the decision to separate the partners, causing the business to divert funds from operations to the buyout, is made by the remaining partner or the departing partner often influences the sale price, as well as determining whether a clawback is appropriate.
• Whether the departing partner was active in management or a passive investor. In the first instance, the departing owner claims his or her efforts contributed to the growth of the business and that the value of the contribution continues for a period post-sale. A passive investor may not be able to make a similar claim.
• Clawbacks may also be useful in the termination of contingent payments that form a part of many pay-out provisions. A future buyer may not want to continue contingent payments to former owners, particularly if such payments can’t be quantified or the terms of which may impact the buyer’s ability to change procedures in the acquired business. A clawback benefits the future buyer by allowing it to end the contingent payments for a fixed amount. The departed equity owner benefits by getting an earlier fixed payment, and the remaining owners have one less difficult issue to negotiate.
• Clawback provisions may last one year after the sale or for several years. I have utilized provisions that last up to 10 years, although ranges of three to five years are more common. An active partner involved for many years in a mature business (i.e., bakery or funeral home) with slow, steady growth will claim the clawback should continue for a longer period than a young, fast-growing business where the future efforts of active managers contribute to the future growth. There is a point where the claim of residual value expenses negates the rationale for a clawback to continue.
• Recognizing that the departed partners’ influence will diminish over time, it is not uncommon for the clawback percentage to decline over time. For example, if the second sale occurs within the first 12 months after the sale of the departed shareholder’s interest, such shareholder will receive the value for its equity as if no original sale had occurred. The percentage may decline to 50 percent of the value in the second and third years after the original sale and only 25 percent in years four and five. To illustrate, if a 30-percent owner of a business received $3 million to sell his or her interest in 2020 (representing a $10 million enterprise value), but less than a year later the business is sold for $15 million, then the former owner would receive an additional $1.5 million, representing 30 percent of the subsequent sale price less the $3 million already received. If the sale occurred in 2024, the former owner would receive only $375,000, or 25 percent of the differential.

By recognizing the value of clawbacks and drafting provisions that fit the unique facts of the situation, attorneys can ensure that fair value has been provided to the departed equity owner and that no additional funds will be expended by the remaining owners if no future sale occurs.