DEC/JAN 2015 VOLUME 11 / NUMBER 6 TODAYSGENERALCOUNSEL.COM
DISCLOSURE AND NONDISCLOSURE
Protecting Trade Secrets
Privacy Class Actions
Reconsidering the Cease-and-Desist
Biotech Innovation at Risk?
Sued for “Credit Reports”
Don’t Be the Next Cybersecurity Target
E-Discovery and the Cloud
The Social Business Boom
Is E-Discovery Cooperation Possible?
A TGC Survey: Information Management
The Truth About Patent Damage Awards
Bogus Compliance Plans Bring Risk
$199 Subscription rate per year ISSN: 2326-5000 View our digital edition: digital.todaysgeneralcounsel.com
Editor’s Desk
Board governance has been a hot topic since the Enron and Arthur Andersen scandals spurred Congress to pass the Sarbanes-Oxley Act in 2002. As Michael Considine of Seward & Kissel and Christopher Favo of 3M Company point out in this issue of Today’s General Counsel, not only senior executives but board members can face personal liability for governance failures. Support for compliance programs isn’t lacking, in fact it’s universal, but according to the authors the tailored risk assessment that ought to precede a program’s adoption is often neglected in favor of a check-the-box approach. That can lead to the worst possible outcome, a program intended to reduce risk creates liability instead. Check out their article to see how your program stacks up. The information governance survey in this issue is complemented by several articles covering aspects of what will be an increasingly visible issue in 2015. Roxanna Prelo Friedrich of Nuix neatly defines what information governance is – a process to identify, value, store and dispose of data. Chris Salsberry of Huron Legal provides an overview of strategies and methods to approach information governance, so that a company can get its arms around problems that often seem nebulous and intractable. Jake M. Holdreith and David A. Prange of Robins, Kaplan, Miller & Ciresi observe that trade secret protection has become the alternative of choice for many legal departments, since patent protection has become less certain and more expensive, but that in the normal course of business trade secrets can be at risk. They advocate the use of nondisclosure agreements to establish contractual obligations of secrecy, and provide some tips on drafting them. Casting a critical eye on another recent trend in IP law, Peter Perkowski of Winston & Strawn proposes a reconsideration
of the much-despised cease-and-desist letter. He suggests making sure that the trademark at issue is actually being infringed and, if it is, giving due consideration to toning down the threats in favor of some polite suggestions. This could yield better results, he says, at a better price, and with some ancillary benefits. The trademark bully, he points out, is getting about as bad a name these days as the patent troll.
Bob Nienhouse, Editor-In-Chief bnienhouse@TodaysGC.com
Features
56 STRATEGIES FOR MINIMIZING RISKS OF PRIVACY CLASS ACTIONS
Rachael Meny and Jennifer Huber
Statutes drafted in another technological era can make a defense difficult.

60 COMPLIANCE PLANS SHOULD REDUCE RISK, NOT CREATE LIABILITY
Michael G. Considine
Don’t be ambushed by your own protocols.
COLUMNS
50 THE TRUTH ABOUT PATENT DAMAGE AWARDS
Brian Howard
The threat is overstated.

52 TAKE CONTROL OF THE M&A PROCESS
Jeffery M. Cross
Pre-merger antitrust pitfalls.
BOOK REVIEW
54 BUSINESS AND COMMERCIAL LITIGATION IN FEDERAL COURTS (THOMAS WEST, THIRD EDITION)
Susan L. Shin
Review of a treatise edited by Robert L. Haig, partner at Kelley Drye & Warren and a member of the Editorial Advisory Board of Today’s General Counsel.
Departments
2 Editor’s Desk
10 Executive Summaries

INTELLECTUAL PROPERTY

16 Reconsidering the Cease-and-Desist
Peter Perkowski
It’s an often misused tool. Don’t squander it.

18 Protecting Trade Secrets with a Solid Nondisclosure Agreement
Jake M. Holdreith and David A. Prange
The more specific, the better.

22 Shrinking Territory: Patent Eligibility of Biotechnological Inventions
Leslie Kushner and Robert S. Schwartz
Current uncertainty is having a measurable effect on innovation.

E-DISCOVERY

24 Bringing Sanity to E-Discovery in Five Steps
Roxanna Prelo Friedrich
Predictive coding is just one of many tools to consider.

26 Why Even Aggressive Lawyers Should Cooperate
Michele C. S. Lange and Brian Calla
Cooperation does not conflict with the client’s interest.

30 E-Discovery and the Cloud
Rory J. Radding and Danielle E. Gorman
The courts say you are in control, so know and understand your cloud vendor.

32 Social Business Boom Brings Legal Obligations
Kris Vann, Edwin Lee and James FitzGerald
Preservation is the rule, regardless of the medium.

CYBERSECURITY

36 Don’t Be the Next Cyberattack Target
Chris Salsberry
Bring cyberconsciousness to the business side.

LABOR & EMPLOYMENT

38 Beating a Non-Compete Disguised as a Non-Solicit
Todd R. Wulffson
A back door for noncompetes in California.

42 Texting and Using Personal Devices for Business
Usama Kahf and Brent Cossrow
Will data on employees’ personal devices be discoverable?

44 FCRA Compliance Moves Up the To-Do List
Rod M. Fliegel, Jennifer Mora and William Simmons
Background checks can open the door to lawsuits.

TGC SURVEYS

46 Data Protection a Spending Priority for 2015
Lack of urgency about emails.
Editor-in-Chief: Robert Nienhouse
Chief Operating Officer: Stephen Lincoln
Managing Editor: David Rubenstein
Executive Editor: Bruce Rubenstein
Senior Vice President & Managing Director, Today’s General Counsel Institute: Neil Signore
Art Direction & Photo Illustration: MPower Ideation, LLC
Law Firm Business Development Manager: Scott Ziegler
Database Manager: Matt Tortora

Contributing Editors and Writers
Michael Considine, Brent Cossrow, Jeffery M. Cross, James FitzGerald, Rod M. Fliegel, Roxanna Prelo Friedrich, Danielle E. Gorman, Jake M. Holdreith, Brian Howard, Jen Huber, Usama Kahf, Leslie Kushner, Michele C. S. Lange, Edwin Lee, Rachael Meny, Jennifer Mora, Peter Perkowski, David A. Prange, Rory J. Radding, Chris Salsberry, Robert Schwartz, Susan L. Shin, William Simmons, Kris Vann, Todd R. Wulffson

Subscription
Subscription rate per year: $199. For subscription requests, email subscriptions@todaysgc.com

Reprints
For reprint requests, email rhondab@fosterprinting.com (Rhonda Brown, Foster Printing)
Editorial Advisory Board
Dennis Block, GREENBERG TRAURIG, LLP
Dale Heist, BAKER HOSTETLER
Robert Profusek, JONES DAY
Thomas Brunner, WILEY REIN
Joel Henning, JOEL HENNING & ASSOCIATES
Art Rosenbloom, CHARLES RIVER ASSOCIATES
Peter Bulmer, JACKSON LEWIS
Sheila Hollis, DUANE MORRIS
George Ruttinger, CROWELL & MORING
Mark A. Carter, DINSMORE & SHOHL
David Katz, WACHTELL, LIPTON, ROSEN & KATZ
Jonathan S. Sack, MORVILLO, ABRAMOWITZ, GRAND, IASON, ANELLO & BOHRER, P.C.
James Christie, BLAKE CASSELS & GRAYDON
Adam Cohen, FTI CONSULTING
Steven Kittrell, MCGUIREWOODS
Jerome Libin, SUTHERLAND, ASBILL & BRENNAN
Jeffery Cross, FREEBORN & PETERS
Thomas Frederick, WINSTON & STRAWN
Jamie Gorelick, WILMERHALE
Robert Haig, KELLEY DRYE & WARREN
Jean Hanson, FRIED FRANK
Robert Heim, DECHERT
Timothy Malloy, McANDREWS, HELD & MALLOY
Jean McCreary, NIXON PEABODY
Steven Molo, MOLOLAMKEN
Thurston Moore, HUNTON & WILLIAMS
Victor Schwartz, SHOOK, HARDY & BACON
Jonathan Schiller, BOIES, SCHILLER & FLEXNER
Robert Townsend, CRAVATH, SWAINE & MOORE
David Wingfield, WEIRFOULDS
Robert Zahler, PILLSBURY WINTHROP SHAW PITTMAN
Ron Myrick, RONALD MYRICK & CO, LLC
All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information or retrieval system, without the written permission of the publisher. Articles published in Today’s General Counsel are not to be construed as legal or professional advice, nor unless otherwise stated are they necessarily the views of a writer’s firm or its clients. Today’s General Counsel (ISSN 2326-5000) is published six times per year by Nienhouse Media, Inc., 640 Park Avenue, Hinsdale, IL 60521-4644. Image source: iStockphoto | Printed by Quad Graphics | Copyright © 2014 Nienhouse Media, Inc. Email submissions to editor@todaysgc.com or go to our website www.todaysgeneralcounsel.com for more information. Postmaster: Send address changes to: Today’s General Counsel, 640 Park Avenue, Hinsdale, IL 60521-4644. Periodical postage paid at Hinsdale, Illinois and additional mailing offices.
Executive Summaries: INTELLECTUAL PROPERTY

PAGE 16
Reconsidering the Cease-and-Desist
By Peter Perkowski, Winston & Strawn

In the world of despised legal correspondence, few things beat cease-and-desist letters. They promise maximum, but unspecified, efforts to protect “valuable intellectual property rights” and subtly suggest that failure to comply will result in costly legal proceedings, if not steep damages. Nevertheless, they are both important and useful in many contexts, including policing trademarks. Before launching a cease-and-desist letter, consider whether the third party’s use is a “use in commerce,” or use in connection with sale or advertising of goods and services. If not, then there is no trademark infringement. Free expression use such as news reporting and fair use are not likely to confuse, and there is no infringement without likelihood of confusion. Relevant considerations for confusion are the mark’s strength, similarity with the alleged infringing mark, and relatedness of the goods and services. Thus, consumers are likely not confused by the use of REDLINE on both cosmetics and energy drinks. Analyzing these factors can provide a high degree of confidence that there is no infringement. But when there is, bridle the itchy trigger finger and reserve cease-and-desist letters for more serious cases. While not having quite the same level of negative connotation as “patent troll,” being labeled a “trademark bully” can still sting. In cases where a cease-and-desist letter is necessary, smart trademark policing calls for being polite, reasonable, and avoiding an overly adversarial tone. That fosters cooperation, probably yields better results, and could yield some positive publicity.

PAGE 18
Protecting Trade Secrets with a Solid Nondisclosure Agreement
By Jake M. Holdreith and David A. Prange, Robins, Kaplan, Miller & Ciresi

Trade secret protection of company information has become more popular as patent protection has become less certain and more expensive. A company must take “reasonable” steps to protect a trade secret in order to qualify for protection under the Uniform Trade Secrets Act. Recent case law suggests that “reasonable” means that contractual obligations of secrecy need to be established with those who use or receive trade secrets in order to protect them. This is best done with a nondisclosure agreement. Using a nondisclosure agreement is nothing new, but it must be drafted carefully to avoid pitfalls. Be specific in defining the confidential information. Often the disclosing party will define it very broadly, believing that will provide more flexibility to protect its rights. But broadly defined rights can lead to confusion about what information is actually protected. For greater certainty, be specific as to how long the information must be kept secret. The parties should agree to a period for protection based on how long it is actually needed. Greater specificity in a nondisclosure agreement leads to greater predictability in the parties’ relationship with regard to how information is handled, and in litigation if the relationship sours. The level of specificity necessarily is affected by the relative bargaining positions of the parties at the time they enter into a nondisclosure agreement, but in general more specificity allows parties to evaluate risk, a potential breach, and whether subsequent litigation is prudent.

PAGE 22
Shrinking Territory: Patent Eligibility of Biotechnological Inventions
By Leslie Kushner and Robert S. Schwartz, Fitzpatrick, Cella, Harper & Scinto

Two recent Supreme Court decisions have changed how the Patent Office will determine patentability of biological inventions. Mayo v. Prometheus held that methods for administering drugs are not patent eligible under Section 101. Association for Molecular Pathology v. Myriad held that isolated DNA is not patent eligible under Section 101. The reasoning was that the claims at issue merely recited laws of nature (Mayo) or claimed a natural product (Myriad). The Federal Circuit recently interpreted Myriad as applicable to natural products other than nucleic acids. The PTO Guidance similarly applies Myriad broadly to all natural products, instructing that a claim for a naturally occurring product is not patent eligible unless it recites something “significantly different” than the naturally occurring product. The PTO Guidance provides that a “significant difference” can be shown if the product claimed is “markedly different in structure” from naturally occurring products. The current uncertainty about criteria for patentability of biological inventions is having a measurable effect on biotechnological innovation, and it may in turn affect economic development in critical areas. The PTO has said it intended to revise its Guidance to clarify some of the issues raised with respect to eligibility. Biotechnological innovators are very interested in the revisions, but the new guidelines will not be binding on the courts, and it may be some time before the courts clarify the scope of patent eligibility under Section 101 in light of Mayo and Myriad.
Executive Summaries: E-DISCOVERY

PAGE 24
Bringing Sanity to E-Discovery in Five Steps
By Roxanna Prelo Friedrich, Nuix

E-discovery is becoming increasingly time consuming and expensive. Many in the legal profession think that technology can provide the solution, that by using technology to conduct a tedious and labor-intensive part of the process, predictive coding, they can eliminate a major component of discovery costs. But predictive coding is just one of many technology tools that should be considered, depending on the type of case, deadlines, cost structure, and types of data at issue. Begin by gathering the facts from key custodians and data sources. To make informed case strategy decisions, relevant data needs to be collected, culled and indexed, as a way to garner insights from various perspectives. At that point you can assess the costs and potential business disruption of litigation, the potential for the wrong kind of publicity, and the likelihood that sensitive information will be disclosed. With this knowledge, you can decide to file, settle or vigorously defend. To be litigation-ready, you need an information governance plan. Information governance is about developing a strategy and then implementing processes to identify, value, store and dispose of data. The speed and precision with which legal practitioners access information can have a huge impact. Technologies can provide insight into the content and value of data located in common repositories like file shares, hard drives, legacy email archive systems, cloud repositories, email servers and desktops. These technologies can help respond effectively to discovery and prevail in, or avoid, future litigation.

PAGE 26
Why Even Aggressive Lawyers Should Want to Cooperate
By Michele C.S. Lange, Kroll Ontrack, and Brian Calla, Eckert Seamans Cherin & Mellott LLC

In litigation, cooperation on e-discovery matters does not conflict with the advancement of clients’ interests. It enhances it. Meetings and conferences regarding e-discovery protocols are crucial. Clawback agreements regarding the inadvertent release of privileged documents, for example, should be reached in conference before they become necessary in the e-discovery process. Without such agreements, parties may have to make the difficult showing that they took “reasonable steps” to prevent disclosure in order to retrieve documents. When parties agree upon a jointly stipulated ESI protocol, courts disapprove when one party fails to remain within the guidelines. In Progressive Casualty Insurance Co. v. Delaney, the court refused to order predictive coding at plaintiff’s request after the parties had agreed to manual review. Even though the court wrote in favor of predictive coding, it concluded that ordering its use would only result in more disputes, stating that if “the parties had worked with their e-discovery consultants and agreed at the onset of this case to a predictive coding based ESI protocol, the court would not hesitate to approve a transparent mutually agreed upon ESI protocol. However, this is not what happened.” Litigation is by nature adversarial, but lawyers should understand the positive impact that collaboration can have on the budget and outcome of the matter. When it comes to e-discovery the case for cooperation is even more compelling, with intricate legal doctrines, complicated technical protocols, and multiple inside counsel, law firm and service provider roles intersecting.

PAGE 30
E-Discovery and the Cloud
By Rory J. Radding and Danielle E. Gorman, Edwards Wildman Palmer LLP

Over the years courts have ruled that ESI held by a third party on behalf of a litigant or its counsel remains within the litigant’s “control,” and is thus subject to production. Although few courts have commented specifically on discovery obligations within the context of cloud computing, the July 2014 decision in Brown v. Tellermate Holdings Ltd. confirms that courts are also likely to deem a cloud customer to be in control of data if the customer retains the right or ability to obtain the ESI. Accordingly, in-house attorneys or their outside counsel must be prepared to adequately respond to such requests. Privileged data may become problematic. If discovery inadvertently retrieves privileged data, it may lead to a waiver of privilege. A litigant also faces the liability of potentially waiving a third party’s privilege. If the litigant’s data is mingled with third-party cloud users’ data in a public cloud, production of that data may constitute waiver of a third party’s privilege. Inadvertently gaining access to a third party’s trade secret information stored in the cloud could destroy the legal protection of that trade secret. Proposed changes to Federal Rules 16, 26 and 37 may clarify some of a party’s obligations with respect to e-discovery, or at least force litigants to plan for e-discovery issues, including cloud-stored data, at an early stage of the case. The proposed rules provide for consideration of, and sanctions related to, the preservation of ESI.
Executive Summaries: E-DISCOVERY

PAGE 32
Social Business Boom Brings Legal Obligations
By Kris Vann, TRUSTe; Edwin Lee, Alvarez & Marsal; and James FitzGerald, Exterro

Workplace communication has been transformed over the past decade. Recently, the emergence of “social business” platforms has allowed organizations to improve business performance by engaging with customers, employees, partners and suppliers. The world of social business comprises dozens of evolving products and services. For example, organizations are using enterprise platforms with instant messaging (IM), such as Microsoft Lync and IBM Sametime, to promote easier communication among employees. At many companies these services replace conventional email. Companies must be prepared to preserve and collect potentially relevant electronically stored information (ESI) associated with legal and regulatory matters, regardless of the media from which it derives. For years, the primary source of discoverable ESI was email. As email is replaced with newer forms of communication, legal and IT teams must adapt to a far more complex data environment. Many of the emerging social business platforms are cloud-based, so legal and compliance professionals face new challenges meeting their obligations, particularly because data recovery protocols vary from one cloud provider to another. Organizations can take steps to mitigate the risks associated with the social business boom. A good policy starts with establishing parameters regarding which systems employees are permitted to use to disseminate company-related information. The policy should also delineate acceptable and unacceptable use of social business platforms. But a policy alone, even one that is well thought out, will not be effective if not properly enforced, regularly revisited and updated as necessary.

Executive Summaries: CYBERSECURITY

PAGE 36
Don’t Be The Next Cyberattack Target
By Chris Salsberry, Huron Legal

This is a good time to reassess cyber programs, determine how to limit the data that could be compromised, and minimize potential fallout from a breach. The National Institute of Standards and Technology released its Framework for improving critical infrastructure in February 2014. Sparked by this development, a number of government agencies subsequently issued guidance that puts organizations from many industries on alert that cybersecurity should be a top priority, and they must formulate a strategy that addresses the most common and hazardous risks. Cybersecurity affects all aspects of a business, not just IT. Therefore, organizations must create a culture of cyberconsciousness that encourages buy-in among all business units. To craft strategies to combat potential threats, organizations must understand what their information assets are and where they are located. They need to inventory their physical devices and systems, as well as their software platforms and applications. They should also catalog and evaluate all external connections to their network. Along with external risks, cybersecurity programs must contemplate the risks from employees, those who can access, share, and possibly destroy proprietary digital assets. All cybersecurity programs should identify who has access to which types of data and devise a method for searching for, and flagging, unorthodox data access and transfers. Successful cybersecurity requires monitoring, testing and tweaking to account for internal developments and emerging threats, as well as an organizational culture where vigilance against cyber risks is part of every employee’s job.

Executive Summaries: LABOR & EMPLOYMENT

PAGE 38
Beating a Non-Compete Disguised as a Non-Solicit
By Todd R. Wulffson, Carothers DiSante & Freudenberger LLP

Even in areas where California is decidedly pro-employer, such as limiting the enforcement of non-competition and non-solicitation agreements, the result can be litigation so expensive and time-consuming that it creates the same restrictions that law and the courts have tried to prevent. The company Stearns Lending Inc. recently experienced this dilemma. It prevailed before an Orange County jury in an expensive case that never should have been brought. Stearns was sued by competitor Prospect Mortgage, for allegedly “aiding and abetting” former Prospect employees in violating agreements that they would not solicit or recruit a former co-worker. Prospect asked the jury for more than $10 million plus punitive damages because several former loan officers left Prospect to work for Stearns. The jury found for Stearns. The takeaways from this case are:
• Reliance on the decisive Edwards decision may ultimately protect a business from liability, but it provides no immunity from expensive litigation.
• Putting the onus on employees to disclose their restrictive covenants is important, but providing an avenue for them to present any problems quickly is even more so.
• The general counsel must be proactive in leading management to respond quickly and effectively to any perceived threat of litigation.
• Diligently researching the plaintiff and any similar cases it has brought can be a cost-effective way to learn valuable information.
A non-competition case disguised as one of non-solicitation can be beaten, but it requires diligence, planning and significant resolve by the defendant.
Executive Summaries: LABOR & EMPLOYMENT

PAGE 42
Texting and Using Personal Devices for Business
By Usama Kahf and Brent Cossrow, Fisher & Phillips LLP

Employee use of personal electronic devices to communicate, and generate what it may be argued are business records, raises interesting issues for businesses, particularly in the face of threatened or pending litigation. Various policies, ranging from encouraging “bring-your-own-device” (BYOD) to outright banning it, have advantages and risks. A court recently sanctioned defendants $931,500 for failing to preserve and produce employees’ text messages on company-issued and personal phones. The court noted that a company that issues a litigation hold to its employees must include text messages within its scope, so as to include work-related text messages on employee-owned personal cell phones. In another case, the court imposed an adverse inference jury instruction because the Blackberries issued to defendants’ employees were wiped of e-mails, text messages, calendar items, contacts and attachments at a time when defendants had a legal duty to preserve evidence relevant to the litigation. The court noted that the absence of any text messages or e-mails on employees’ mobile devices should be a red flag for defendants during discovery. Preserving employee text messages may be a logistical challenge, but in many cases the evidence preserved can be helpful. If the reality of your business is that employees will be using their personal cell phones for work, then it may be in your best interest to implement policies and procedures that provide the right to access, and if needed the ability to preserve, work-related information on employees’ personal devices.

PAGE 44
FCRA Compliance Moves up the To-Do List
By Rod M. Fliegel, Jennifer Mora and William Simmons, Littler Mendelson

The Fair Credit Reporting Act (FCRA) is the federal law that regulates the exchange of credit reports between credit bureaus and lenders, but it also regulates the informational exchange between employers and “consumer reporting agencies” (CRAs) that provide consumer reports. The obligations that the FCRA imposes on employers are triggered not only when an employer orders a credit report, but also when they order virtually any type of report from a CRA. For decades, lawsuits under the FCRA primarily targeted credit reporting agencies and lawsuits against employers were rare, but since early 2014 approximately 30 FCRA class-action lawsuits have targeted employers. These actions cut across all industries, including retailers, restaurant chains, theater chains, manufacturers and transportation companies. Solo practitioners and non-profit groups with experience in the FCRA’s requirements routinely team with well-known wage-and-hour class-action firms to file these lawsuits. The FCRA allows an applicant or an employee to sue an employer for “negligently” or “willfully” failing to comply with the FCRA, with a two-year statute of limitations that may be extended up to a maximum of five years. Corporate counsel should educate key stakeholders to escalate issues involving potential adverse actions for background-check related reasons. They should also consider arranging for a privileged review of background check forms and procedures, establishing written background check policies and implementing procedures to help ensure that adverse action notices are not sent to applicants or employees before a certain waiting period (e.g., five business days).

Executive Summaries: TGC SURVEYS

PAGE 46
Data Protection a Spending Priority for 2015
Strategic planning for information governance

Spending on information governance will increase in 2015, according to a TGC survey of in-house practitioners taken in October 2014. Judging from the priorities the respondents identified, increased spending will focus on enhanced data protection systems, staff training, improving compliance and upgrading technology. Over half of respondents reported that their organization’s highest priority for 2015 is to enhance their data protection systems. Relatively few said that adding email and social media to governance planning was a priority. Respondents were asked to rate their company’s overall approach to information governance – planning, policies, and procedures. Twelve percent rated their organization as “excellent,” the same percentage that rated it as “not very good.” Most respondents said “fairly good” or “just average.” There were no clear trends by department or organization size. Asked for reasons why they graded as they did, respondents who rated their organization as being excellent emphasized the longevity of their approach to information governance or the people in charge of it. One respondent wrote that his/her organization had a “long history of litigation that drove the focus on our information governance policy.” Those who described their organization as rating a grade of “not very good” mentioned what was lacking – “devotion of thought to the process,” “experience or apprehension,” “money for infrastructure.” Several noted a lack of centralization for data repositories, data governance, and managing information.
Executive Summaries FEATURES
Strategies for Minimizing Risk of Privacy Class Actions
By Rachael Meny and Jennifer Huber, Keker & Van Nest
Businesses are increasingly facing class action lawsuits alleging that they have violated someone’s privacy, under state or U.S. laws. Privacy statutes exist in most states, including California with its Invasion of Privacy Act, or “CIPA,” which provides criminal and civil liability for violations like recording communications without consent. Federal privacy statutes include the Electronic Communications Privacy Act (ECPA), which provides criminal and civil liability for intercepting “electronic communications” or permitting access to electronically-stored information. Businesses should take steps to protect themselves from such claims before they are filed and lay the groundwork for a defense if they are filed. Being aware of potential key defenses and thinking strategically before a lawsuit is filed can often lead to early dismissal. If your business records, collects or uses consumer data, you should regularly review your disclosures about these practices to confirm they are accurate and satisfy current law. If you are sued for privacy violations, keep in mind that many privacy statutes were enacted before the development of the Internet and with other kinds of activities in mind. Thus, a key defense may be that the alleged privacy violation simply does not fit the statute. Differing state laws may enable an argument that one state’s laws do not reach those who live outside the state. An alleged data privacy violation rarely leads to actual or quantifiable damages, and especially in federal court the absence of injury can be grounds for obtaining dismissal.
Compliance Plans Should Reduce Risk, Not Create Liability
By Michael G. Considine, Seward & Kissel LLP, and Christopher M. Favo, 3M Company
Calls for improved corporate compliance are coming from boards of directors, shareholders and government. Board members are now exposed to personal liability for failing to ensure an adequate program. Outside and in-house counsel constantly remind upper management that legal developments around the globe demand focus on compliance. Given these developments, there is little corporate resistance to the concept of implementing a compliance program. But once there is a commitment to crafting a program, it may be patched together with insufficient planning. Personnel may have the compliance function thrust upon them without adequate training, or they may be given a copy of a program from an established competitor and encouraged to use it to fashion a new plan. That may enable management to “check the box” and report that compliance is a priority, but it’s an approach that can prove lethal. When plans are adapted without careful analysis, poorly crafted documents emerge. Some provisions may then be ignored because they are too impractical to implement, and reporting and auditing provisions may be deemed too burdensome to follow. Assessing risk requires a comprehensive review of the business lines, including the federal statutes implicated in the operations of the business, the countries involved and their reputations for corruption. Vendor relationships should be reviewed, as should any particular practices closely scrutinized by the government. Lawsuits and regulatory probes should be reviewed. Consideration should be given to conducting these kinds of activities in a privileged context.
Intellectual Property
Reconsidering the Cease-and-Desist
Smarter Trademark Policing
By Peter Perkowski
In the world of despised legal correspondence, few things beat cease-and-desist letters. Laden with legalese, they arrive unannounced, unexpected, accusingly listing inventories of culpable improprieties. They promise maximum, but unspecified, efforts to protect “valuable intellectual property rights” and subtly suggest that failure to comply will result in costly legal proceedings, if not also steep damages. Thus described, the cease-and-desist letter is an often-misused tool. Let’s face it: When unwarranted and unnecessarily aggressive, as they often are, cease-and-desist letters do no favors for lawyers, or the clients they represent, and give non-lawyers another reason to ridicule an already disdained profession. Even more significant, when misused the cease-and-desist letter can backfire, causing recipients to dig in their heels and fight, and even bringing unwanted attention on the sender’s brand. Which is not to say that the tool should remain in the toolbox. Cease-and-desist letters are both important and useful in many contexts, including policing trademarks. But there is a better, smarter approach.
POLICING AND ENFORCEMENT
Obtaining trademark rights requires use in commerce. Keeping such rights requires diligence. Lack of diligence could result in the loss of rights. Here’s why: Trademark protection depends, in part, on distinctiveness. The more distinctive the mark – that is, the better it serves to identify particular goods and services and distinguish them from others – the more deserving it is of protection. Words that lack all distinctiveness are “generic” and are incapable of being trademarks. Generic words are seen by consumers as equivalent to the goods and services they label, like MILK for a liquid dairy product, and such words cannot obtain protection. But two things can cause a mark to lose distinctiveness and become weaker. The first is casual misuse of the trademark to refer to a category of goods and services, rather than particular goods and services. An example of this is using BAND-AID to refer generally to adhesive bandages. The second is unbridled infringement, as when third parties use the same or confusingly similar marks on related products. Left unchecked, infringing uses can cause marks to lose their association with particular goods and services. Over time, these processes can wear down a mark’s distinctiveness to the point that it no longer functions as an identifier. This is known as “genericide.” There are many examples of former brand-name trademarks losing distinctiveness to the point of becoming generic, among them THERMOS for a vacuum flask; CELLOPHANE for a thin, transparent sheet of cellulose; ESCALATOR for a set of moving stairs; and PILATES for a method of exercise.
OVER-POLICING
Preventing genericide, and less severe erosion of distinctiveness, requires diligent monitoring and enforcement, both internally and against third parties. Part of it is smart marketing, including self-policing by the trademark owner. To prevent consumers from associating BAND-AID with all adhesive bandages, for example, Johnson & Johnson changed the words of its “I am stuck on Band-Aid” ad jingle to “I am stuck on Band-Aid brand.”
Similarly, Kimberly-Clark Corporation’s advertisements use the phrase “Kleenex tissues,” not simply “Kleenex.” In this way, proper internal use and marketing reinforcement also send a brand-differentiating message to consumers, averting loss of distinctiveness.
Monitoring improper uses by others is another matter, however. While the threat of genericide is real, many overestimate the risk and believe that guarding against it requires a hyper-aggressive approach. This leads to overenforcement – the use of legal process to thwart third-party trademark uses that are privileged, protected by the First Amendment or not infringements at all. A new, highly charged phrase was even created to describe this behavior: “trademark bullying.” Prominent examples of entities tagged as so-called trademark bullies include the Lance Armstrong Foundation, which owns LIVESTRONG, and Toho Co. Ltd., which owns GODZILLA. By opposing registrations that included “strong” as part of the mark, the Foundation seemed to claim ownership to that word and sought to exclude just about anyone, especially other non-profits, from using it. The charity fought the registration of marks such as Prostrong, Getstrong, Eatstrong, Agestrong, Swim Strong, Christ Strong, Live the Beauty of Being Strong, and even a law firm’s tagline “HenderLaw. Hender Strong.” For its part, Toho wears its aggressive reputation proudly. Toho reportedly takes enforcement action against marks that include “-zilla,” especially when combined with all or part of a lizard image. Those who have been on the receiving end of a cease-and-desist letter or lawsuit from Toho include a brewing company selling a beer called MechaHopzilla, the makers of a red wine named Cabzilla, a health food company making GreenZilla energy drink, a humorist with a blog called Davezilla, and the rock band Asshole Godzilla. Many of these enforcement efforts resulted in settlements. The GreenZilla label now features a leaf rather than a lizard’s tail, for example. But it is in large part because of Toho’s aggressive strategy that many who receive a cease-and-desist letter from them decline to fight the so-called bully.
A BETTER APPROACH
While not quite having the same level of negative connotation as “patent troll,” being labeled a “trademark bully” can still sting. Unless you’re aiming to embrace the label, like Toho, here are some tips on how to avoid it. As important as cease-and-desist letters are to trademark protection, the first step to smarter policing is not sending them at all. As the U.S. District Court said in Engineered Mechanical Services, Inc. v. Applied Mech. Tech., Inc., not every instance of possible infringement requires a hostile deployment of lawyers. “The owner of a mark,” the court said, “is not required to constantly monitor every nook and cranny of the entire nation and to fire both barrels of his shotgun instantly upon spotting a possible infringer. Lawyers and lawsuits come high and a financial decision must be made in every case as to whether the gain of prosecution is worth the candle.” In short: hold your fire. Unloading the legal magazine should be reserved for the cases where failing to act truly carries the risk that the trademark will be weakened by actual infringement,
(continued on page 21)
Protecting Trade Secrets with a Solid Nondisclosure Agreement
By Jake M. Holdreith and David A. Prange
Trade secret protection of company information has seen a popular resurgence, as patent protection has become less certain and patent enforcement more expensive. Courts are struggling to define what qualifies for patent protection, particularly in technologies such as computer software, biologics and biosimilars, and business methods. The uncertainty and additional investment that a company must make to secure and protect its patent rights may mean it is simpler and safer to protect its technology by keeping it secret. A company must take “reasonable” steps to protect a trade secret in order to qualify for protection under the Uniform Trade Secret Act (UTSA), which is adopted in some form by almost all states. Recent case law suggests that reasonableness for a sophisticated company may require it to establish contractual obligations of secrecy with those who use or receive its trade secrets. For example, in a 2012 Seventh Circuit case, Fail Safe, LLC v. A.O. Smith Corporation, the court suggested that sophisticated businesses should, at a minimum, use written disclosures to identify communicated trade secrets. According to the court, absent a written agreement and identification, a sophisticated business should not have an expectation that shared trade secrets will remain secret. This development reinforces the importance of a specific written nondisclosure agreement if a company is disclosing its trade secrets or confidential information to others outside the company. Using a nondisclosure agreement is nothing new, but there are pitfalls, and the balance of this article provides suggestions for drafting to provide more certain protection.
Greater certainty leads to more predictability in the relationship. It also may lead to more effective enforcement should the relationship sour. These suggestions are malleable, and how they can be applied depends on the relative bargaining positions of the parties, including their size and desire to share or receive confidential information. In general, for greater certainty be more specific in defining the confidential information. Many times a party disclosing confidential information will define the scope broadly, believing that will provide more flexibility to protect its rights. But broadly defined rights may lead to confusion about what information is actually protected. This confusion may lead to a misstep in using that information. Instead, a company should consider a more narrow and specific definition, so people using the information understand what is protected. The good reasons for specificity must be balanced against any difficulty in identifying each trade secret with particularity, especially when the agreement concerns information that may be in development and may change and
grow over time. A best practice will attempt to define the protected information comprehensively, by category, and will also itemize specific known trade secrets to the extent practicable. People providing and receiving confidential information are more likely to comply with an obligation to protect that information if they understand the obligation. A specific definition allows people to determine permissible uses for received information, and it gives a judge or jury comfort in imposing sanctions when it is clear that an actor should have known what was prohibited. By contrast, a broad definition may sweep in public information and can lead to confusion regarding what is and is not confidential information. This can be problematic when enforcing a breached obligation. This confusion can also lead to accidentally disclosing confidential information without appropriate protection. Using a specific definition to identify confidential information allows all involved to recognize and use that information with greater certainty. Parties who are forthcoming in their treatment of information have a relationship that is not plagued by confidentiality questions. Clarity minimizes disputes. If a dispute arises, a court (and a jury) is more likely to recognize and enforce confidentiality rights if those rights are specific. A broad definition invites an argument that the contract is unenforceable. Under the UTSA, as modified by the states, information may be a trade secret only if that information is not generally known (in other words, not public). There may be an argument that a broad term does not clearly identify the trade secret because it also captures public information. A court faced with a broad term that overreaches on a party’s statutory right
of protection may find the contract unenforceable because it is too vague or ambiguous. In addition, a company may have greater difficulty convincing a jury that it has a protectable trade secret if the definition is overly broad. A broad definition of confidential information coupled with over-designation on the part of the disclosing company can, in the hands of good opposing counsel, be used to instill doubt that the asserted confidential information should be protected. A defendant can argue that the company seeking enforcement is trying to take from the public what should be rightfully available to all market participants. A defendant could also argue that it did not and could not have understood the obligations. Such arguments may appeal to a jury and create greater skepticism regarding whether any trade secret or confidentiality exists. A lawsuit premised on a contract with a specific definition can also help to contain litigation costs when a company turns to enforce its rights. Several jurisdictions now require a plaintiff asserting trade secret claims to identify its asserted trade secrets early in the case. In California, for example, a plaintiff must identify its trade secrets with specificity before other discovery can commence. Early disclosure requirements are easier to enforce and comply with, and may result in fewer discovery disputes, if a party can rely on a specific definition based on the written agreement. A consistent identification of the trade secret or confidential information, from written agreement to litigation, can also protect a plaintiff from unnecessary discovery. For greater certainty, also be specific about how long the information must be kept secret. The parties should agree to a period for protection based on how long it is actually needed, and that will depend on the industry and technology involved. 
For example, technology that advances rapidly may dictate a shorter nondisclosure period, while technology that relates to national security may require a longer period. Having a fixed period provides certainty to both parties.
The disclosing party knows how long it has to keep track of its information that is in the hands of another party, and the receiving party knows how long it must be careful with the information that it has received. The nondisclosure agreement should also address how information that a party considers confidential is identified as confidential. A first method for doing that is by category. A second is by labeling information exchanged as confidential with a brand or other legend. Both methods have a related problem. Defining confidential information by categories can lead to a disagreement about whether a document’s content is within one of the categories, and branding exchanged information is problematic because verbally conveyed information is hard to label, and compliance is not always perfect. A better practice is to identify protected information by category and a specific label. An agreement should include designated categories of information protected as confidential before the parties exchange documents or have discussions covered by the agreement. In addition, parties should consider including a labeling clause covering documents and communications. Documents, and each page of multiple-page documents, should be branded in some form (e.g. “Confidential information of [Party]”). Parties should discuss the applicability of any nondisclosure agreement at the beginning of any meeting, and after the meeting the disclosing party should consider providing a written identification of the confidential information disclosed during the meeting. This additional notice may eliminate ambiguity about whether discussions are confidential. A company enforcing a nondisclosure agreement also will benefit in litigation by following the agreement’s marking provisions. 
A defending party may challenge a claim that the plaintiff intended for the information to be confidential at the time of conveyance, and this claim is more easily rebutted if the conveying party labeled the information as confidential.
For greater certainty, include statements regarding the purpose for exchanging information, how the information may be used, or limits on who may review it. Including these terms provides guidance for a receiving company on how to maintain confidentiality. Identifying who may review confidential information, for example, allows a receiving company to establish barriers that prevent employees who have received confidential information from sharing it with other employees, thus potentially avoiding a claim that a person who received confidential information later used it improperly. In summary, improving specificity in a nondisclosure agreement leads to greater predictability in the parties’ relationship with regard to how information is handled, and in litigation if the relationship sours. The level of specificity necessarily is affected by the relative bargaining positions of the parties at the time they enter into a nondisclosure agreement, but in general more specificity allows parties to evaluate risk, a potential breach and whether subsequent litigation is prudent. ■
Jake Holdreith is a partner at Robins, Kaplan, Miller & Ciresi LLP. He counsels clients and tries complex lawsuits in areas including intellectual property, regulatory matters and constitutional issues. He handles cases in the United States, Europe and Asia. jmholdreith@rkmc.com
David Prange is a trial lawyer and registered patent attorney at Robins, Kaplan, Miller & Ciresi LLP. He focuses on complex business litigation with an emphasis on intellectual property, including patents, trademarks, and trade secrets. daprange@rkmc.com
Cease-and-Desist (continued from page 17)
and where defending against that risk is worth the cost. Before launching a cease-and-desist letter, therefore, a few things should be considered. First, is the third party’s use a “use in commerce,” or relatedly a use in connection with the sale or advertising of goods and services? If not, then there is no trademark infringement. This is likely the case when the use is purely for one of several First Amendment purposes. For example, the Ninth Circuit and other courts have held that a “gripe site” devoted to critical commentary is not a use in connection with goods and services, so long as there are no ads or links to commercial websites. Similarly, when the third party is commenting on the mark (or its associated goods and services) or expressing an opinion on its validity or status, those uses are not “in commerce” either, according to the Ninth Circuit. When these concepts apply, a cease-and-desist letter is neither necessary nor warranted. Second, is the third party’s use likely to cause consumer confusion, mistake, or deception? Even when they are “commercial,” free expression uses – such as news reporting and commentary, parody, and fair use – are not likely to confuse, though these categories do not always have clear boundaries. Nevertheless, there is no infringement without likelihood of confusion. Relevant considerations in this analysis are known as the Sleekcraft factors in the Ninth Circuit. The three most important are the mark’s strength, its similarity with the alleged infringing mark, and the relatedness of the goods and services. Thus, consumers are likely not confused by the use of REDLINE on both cosmetics and energy drinks, or by LEXUS on automobiles and LEXIS on database services, but CHLORIT when used on bleach is likely to be confused with CLOROX. Often, the “confusion” question isn’t even asked, though. Rather, the knee-jerk impulse is to quash any and every third-party use of the mark.
But in many cases, analyzing these factors can provide reassurance, with a high degree of confidence, that there is no infringement. When it does, bridle the itchy trigger finger and reserve cease-and-desist letters for more serious cases. When a cease-and-desist letter is clearly called for, though, the second step to smarter trademark policing calls for ditching the nastygram. Being polite, reasonable, and avoiding an overly adversarial tone fosters cooperation, and probably yields better results. It could also produce positive publicity. A recent example illustrates the point. Two years ago, a lawyer for Jack Daniel’s Properties, Inc., owner of JACK DANIEL’S trademarks, took the high road in a cease-and-desist letter to the author and publisher of a book entitled Broken Piano for President. The issue? According to the distiller, the book’s cover “closely mimics the style and distinctive elements” of Jack Daniel’s trademarks, specifically, the label of a bottle of Jack Daniel’s Tennessee Sour Mash Whiskey. Leaving aside whether the cover of a literary work of fiction is likely to cause consumer confusion with a
brand of alcoholic spirits, Jack Daniel’s took a friendly, almost apologetic tone in its cease-and-desist letter. On behalf of the company, the attorney professed to be flattered by the book author’s “affection for the brand,” but explained in plain terms that allowing the use would risk weakening the trademark – a result that the attorney was sure the book author, “as a fan of the brand,” neither intended nor would want to see happen. Rather than demand something unreasonable, such as that unsold copies of the book be recalled, Jack Daniel’s asked that future editions and re-prints use a different cover design. And if the publisher was willing to change the cover immediately, Jack Daniel’s even offered to pay part of the costs of doing so. Even the recipient called the letter “perhaps the most polite cease-and-desist letter ever written.” They complied with the request, proving the old adage that you get more bees with honey than with vinegar. Trademark policing is important, even critical. But hyper-vigilance often leads to over-enforcement, in an effort to avoid potentially severe consequences of failing to act. Rather than an approach that targets true infringement, trademark owners deploy a shotgun strategy, attacking even harmless use. All too often, unnecessary and belligerent cease-and-desist letters are a part of this strategy. There is a better approach: send fewer, more targeted cease-and-desist letters, and make them more polite and reasonable. Everybody wins. ■
Peter Perkowski is a partner in Winston & Strawn’s Los Angeles office. He focuses his practice on intellectual property, sports and entertainment litigation. pperkowski@winston.com
Shrinking Territory: Patent Eligibility of Biotechnological Inventions
By Leslie Kushner and Robert S. Schwartz
We have entered an era of change in determining patentability of biological inventions. It began with two recent landmark Supreme Court decisions, Mayo Collaborative Services et al. v. Prometheus Laboratories, Inc. (Mayo) and Association for Molecular Pathology et al. v. Myriad Genetics, Inc., et al. (Myriad). Mayo held that methods for administering drugs are not patent eligible under 35 U.S.C. § 101 (“Section 101”), and Myriad held that isolated DNA is not patent eligible under Section 101. The reasoning was
the claims at issue merely recited laws of nature (Mayo) or claimed a natural product (Myriad). Recognizing that Mayo and Myriad were game changers, the U.S. Patent and Trademark Office issued a March 2014 Guidance for Patent Examiners, which implemented a new procedure for determining patentability under Section 101 in light of those cases. The PTO Guidance expanded patent ineligibility beyond isolated DNA and methods of administering drugs. Given these new guidelines, the question is not whether the scope of
patent ineligibility will be expanded, but rather by how much. This article will explore the potential, perhaps unintended, consequences of a broad interpretation of Mayo and Myriad on patent eligibility of biotechnology and life sciences inventions under Section 101, and the effect of those consequences on biotechnological innovation.
INNOVATION AT RISK
The current uncertainty about criteria for patentability of biological inventions is already having a measurable effect on biotechnological innovation, and it may in turn affect economic development in critical areas. About 40 percent of biotechnology patent applications pending at the time of the PTO Guidance had claims rejected as unpatentable, with the examiner citing Mayo or Myriad in the rejection, according to a recent Biotechnology Industry Organization study (reported by Matthew B. McFarlane and Tara Sharp of Robins, Kaplan, Miller & Ciresi and John T. Aquino of Bloomberg BNA). According to the Georgetown University DNA Patent Database, as of 2012 the PTO had issued more than 63,000 nucleic acid related patents, and more than 15,000 patents claiming isolated nucleic acids with naturally occurring sequences were granted between 1981 and 2010. In addition, 19 percent of FDA-approved new drug compounds are isolated and purified natural products or bio-technologically produced peptides or proteins, according to a study by Newman and Cragg. Many of the patents for these inventions and therapeutic compounds may now be at risk of invalidation. In the biopharmaceutical industry alone, over $50B was invested in drug discovery and development in 2013, and close to 8,000 United States companies used biotechnology to produce goods or services, or perform research and development in 2010, according to the Pharmaceutical Research and Manufacturers of America. The Organization for Economic Cooperation and Development (OECD) predicts that by 2030, biotechnological innovation could contribute to up to 80 percent of pharmaceutical and diagnostic production, 50 percent of agricultural production, and 35 percent of chemical and other industrial production worldwide. The Mayo and Myriad-driven change in patent eligibility under Section 101 could significantly affect innovation in those critical areas.
PATENT ELIGIBILITY AFTER MAYO AND MYRIAD
Under Section 101, “[w]hoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor … .” Nonetheless, laws of nature, natural phenomena, and abstract ideas have long been held by United States courts not to constitute patentable subject matter. In the seminal 1980 Chakrabarty case (Diamond v. Chakrabarty), concerning the patent eligibility of genetically-modified living organisms under Section 101, the Supreme Court upheld the patentability of claims for “man-made” bacteria useful for digesting oil in oil spills, reasoning that “anything under the sun that is made by man” is patent eligible under Section 101, because it is “the product of human ingenuity.” Twenty years later, the Supreme Court again addressed patent eligibility under Section 101, in the 2010 In re Bilski case, holding that claims addressing business methods for managing commodity risk are not patent eligible where they cover substantially all uses of a natural principle, thus preempting the use of the natural principle by others. Importantly, in his concurrence, Justice Stevens stated that the “anything under the sun” language in Chakrabarty did not mean that patent eligibility under Section 101 “has no limits or that it embraces every discovery.” Mayo, decided in 2012, provided a two-step analysis for determining whether a method claim recites patent eligible subject matter under Section
101. One, does the claim apply a “law of nature”? And, two, does the claim add an “inventive concept”? Under Mayo, the correlation between a drug dose administered to a patient and the concentration of the drug’s metabolite in the patient’s blood is a “law of nature,” and therefore not patentable. Since the claim at issue recited techniques well-known by medical practitioners, no “inventive concept” was included that might have transformed the “law of nature” into a patent-eligible invention. In June of 2014, the Supreme Court applied the Mayo two-step analysis in Alice Corporation Pty, Ltd. v. CLS Bank International et al. (Alice) to find a business method patent ineligible. In response, the PTO issued revised patent examination instructions which clarified that the Mayo analysis for patent eligibility will be applied to both product and process claims, regardless of technological field. In 2013 the Supreme Court decided Myriad, holding that a nucleic acid with a sequence identical to that found in nature is not patent eligible under Section 101 because it is not “markedly different” from the natural nucleic acid sequence, and isolating the genomic sequence does not confer patentability. Distinguishing the claims at issue from those found patentable in Chakrabarty, the Myriad Court explained that the man-made bacteria in Chakrabarty had “markedly different characteristics” from bacteria found in nature. In contrast, the isolated genomic DNA segment claimed in Myriad was identical in sequence to naturally-occurring genomic DNA and, therefore, not patent eligible, even though it was isolated. The Federal Circuit may soon decide whether DNA primers covered by the Myriad patent claims are patent eligible, thereby clarifying the boundaries of patent-eligible DNA, having heard oral arguments in In re BRCA1- and BRCA2-based Hereditary Cancer Test Patent Litigation on October 6, 2014. 
The Federal Circuit recently interpreted Myriad as applicable to natural continued on page 29
E-Discovery
Bringing Sanity to E-Discovery in Five Steps
By Roxanna Prelo Friedrich
No one will be shocked to hear that e-discovery is becoming increasingly complex, time consuming and expensive, and that the primary cause is unruly data. Or to hear about the alarming rate at which our multi-device, internet-connected world generates data: The volume of data we create is increasing at more than 40 percent annually, almost doubling every two years. Making things worse, organizations retain this unstructured data wholesale, often without thinking about why they keep it or for how long. All this digital clutter means that it’s now virtually impossible to complete e-discovery within a reasonable time frame and budget. Many in the legal profession think that if technology created the problem, technology can provide the solution. In particular, people have paid a lot of attention to predictive coding. The theory is that by using technology rather than people to conduct a tedious and labor-intensive part of the process, predictive coding can eliminate a major component of discovery costs. But predictive coding alone will barely make a dent. Why? Many legal practitioners are still uncomfortable handing important decisions over to computers and algorithms. This is especially the case for “black box” predictive coding solutions that do not clearly explain how their engines classify documents. If lawyers can’t understand how the technology works, how can they explain it to a judge?
Also, depending on the volume and type of data, and the vendor’s pricing structure, the cost of using predictive coding can itself be prohibitive. And, finally, the predictive coding process itself has become controversial and therefore another source of complexity, time and expense. This means that predictive coding is just one of many technology tools you should consider, depending on the type of case, discovery deadlines, cost structure, and types of data at issue. Reducing costs requires a multifaceted approach that combines different technologies across the Electronic Discovery Reference Model (EDRM) process. In this way, legal teams can develop a clear and detailed picture of the case, enable informed decisions, save time and reduce costs. Here are five steps for carrying out this approach.
1) Plan the entire process with the end goal in mind.
Start by gathering the facts from key custodians and data sources. This requires a rigorous investigative plan.
• To identify data sources that might be relevant to the case, interview key custodians, and other custodians who might have relevant information.
• Implement a legal hold process, and make sure you update it regularly as your understanding of the case develops.
• Talk to your IT department, understand the data sources identified and develop an in-depth understanding of their content, including the time frame and file types that will be relevant.
• Before collecting data, conduct a light metadata scan of potential target data to analyze data sources, custodians, document types and date ranges that are most likely to be relevant, and to ensure that you preserve all potentially relevant evidence.
• Perform targeted data collection based on interviews and the light metadata scan.
• Fully index and analyze all collected data, using search, clustering and visualization tools to examine the relationships between custodians and evidence.
• If this analysis identifies information gaps or additional people who may have been involved, repeat the fact-gathering process with these new custodians or lines of inquiry as part of it.
• Once you are satisfied that you have made a reasonable effort to preserve all the relevant information, use techniques such as de-duplication and predictive coding to cull it down to a small number of critical documents for the legal review team to use as it begins setting strategy.
Speed is essential in all government inquiries and in most litigation, so at every stage of the process, avoid bottlenecks such as technologies that cannot quickly map, collect and analyze data.
2) Set a strategy.
To make informed decisions about case strategy, you need to collect relevant data, cull it down and index it, so you are able to slice and dice it, and achieve insights from various perspectives. At that point you can assess the costs and potential business disruption of litigation, the potential for the wrong kind of publicity, and the likelihood that sensitive information will be disclosed. With this knowledge, you can decide to file, settle or vigorously defend. Once you have made the decision to progress to discovery, this knowledge is critical to developing your e-discovery plan and for negotiating at the meet-and-confer conference. Having rapid access to the full corpus of evidence and powerful investigative search capabilities can help you maintain a strategic lead over the opposition throughout discovery.
As the case progresses, the advantages of having indexed and investigated the evidence sources become clear. As witnesses or documents emerge, the legal team will be able to quickly search and analyze evidence, and if new evidence sources come to light, these can be added to the corpus, indexed and analyzed.
3) Reduce review costs with multiple techniques.
Predictive coding can help identify relevant data prior to the review process, but it is far from the only useful technology. There are many automated techniques that can be employed to identify responsive, privileged or irrelevant documents. In addition to predictive coding, there is near-deduplication, clustering, advanced searching and data analysis. Using multiple techniques and comparing the results can be a form of quality assurance. A final run of predictive coding and other analytical techniques over production sets can provide a safeguard against revealing privileged information.
4) Apply analytics technologies.
With advanced technology, you can also thoroughly investigate the other side’s disclosures in order to reveal information gaps. Analytics technologies, such as clustering, can show differences between the two sides’ document sets. This can quickly reveal what one side knows that the other does not, or it may point to critical evidence the opposition has failed to disclose. Cases that involve native format production provide an opportunity to forensically investigate an opponent’s disclosures. This can often uncover
secrets they are trying to conceal, for example through “track changes” markups in documents or hidden files.
5) Implement information governance before you need it.
To be litigation ready, you need an information governance plan. Information governance is about developing a strategy and then implementing processes to identify, value, store and dispose of data. It’s gradual and proactive, as opposed to the frantic reactive scramble that typically happens after a trigger event leads to litigation or government investigation, and it will save your organization big dollars in the long run. There’s no question, organizations that face frequent litigation or regulatory action have a clear business imperative to put information governance plans in place and apply appropriate technology. The speed and precision with which legal practitioners can access information can have a huge impact on a business. Today, sophisticated technologies can provide greater insight into the content and value of data located in common repositories like file shares, hard drives, SharePoint, legacy email archive systems, cloud repositories, email servers, and desktops. These technologies can help an organization both respond more effectively to discovery and prevail in – or avoid – future litigation. ■
Roxanna Prelo Friedrich is Director of Client Services at Nuix, supporting and managing sales and post-sales engagements for clients and partners. She was previously Managing Director of Client Advisory Services at Merrill Corporation, where she advised corporations and law firms on complex discovery issues in large litigations and on information governance projects. She previously worked at Applied Discovery as an e-discovery consultant for Fortune 100 corporations, and for 10 years as a litigator and trial court judge in Albuquerque, New Mexico. Roxanna.Friedrich@nuix.com
Why Even Aggressive Lawyers Should Want to Cooperate
By Michele C.S. Lange and Brian Calla
The word “cooperation” appears in e-discovery opinions touching almost every subject. It’s easily dismissed because it usually serves as a friendly reminder, or precedes the occasional slap on the wrist. But lawyers shouldn’t view cooperation as a hindrance. It can be a way to better represent clients. Cooperation is almost always better than crying foul over e-discovery procedural disputes. According to the e-discovery “Cooperation Proclamation” developed by The Sedona Conference think tank, lawyers have a duty to “strive in the best interests of their clients to achieve the best results at a reasonable cost, with integrity and candor as officers of the court. Cooperation does not conflict with the advancement of their clients’ interests, it enhances it.” With that in mind, consider these five important elements of cooperation in e-discovery issues.
1) Hammer out and approve a clawback agreement.
Judge David Waxse, Magistrate Judge for the District of Kansas, has spoken at length about the importance of clawback agreements regarding the inadvertent release of privileged documents, and even hinted (outside the courtroom) that failing to enter into a clawback could be grounds for attorney malpractice. Just as man and machine will probably never be able to perfectly separate what’s relevant from what’s not, the same holds true for identifying and isolating privileged information. Mistakes happen in document review and production. This underlines the importance of carving out an escape plan, such as a clawback agreement.
Without such an agreement, parties must show that they took “reasonable steps” to prevent disclosure in order to recoup mistakenly produced privileged documents. However, parties can modify these requirements, or eliminate them altogether, if they arrive at a properly worded Fed. R. Evid. 502 clawback agreement before discovery begins.
2) Avoid being squelched with respect to search protocol when disputes arise.
When one party fails to meet and confer regarding e-discovery protocols despite the mandates of Fed. R. Civ. P. 26(f)(3), courts have frequently ruled against future discovery requests raised by that party. In the context of search, if a producing party solicits the requesting party for input over its tentative search protocol (whatever form or forms of technology assisted review it might involve), the requesting party has an incentive to speak up or forever hold its peace. For example, in In re National Association of Music Merchants, Musical Instruments and Equipment Antitrust Litigation, the plaintiffs failed to suggest any search terms to be used in the defendants’ search when prompted in an early attempt to meet
and confer. When the plaintiffs later argued that the defendants’ unilaterally chosen search terms had failed to capture all responsive electronically stored information because they didn’t accommodate for acronyms and abbreviations appearing in the data set, the court was quick to deny the motion asking the defendants to re-search ESI with keywords which included these terms. If there is such a thing as “cooperation” case law, perhaps the general rule is that requesting parties get one bite of the apple for offering search input to producing parties, who are afforded deference over their search methodology and bear the burden of certifying a complete production under Rule 26(g). As shown by this illustrative case, when requesting parties don’t chime in after being engaged by a producing party attempting to meet and confer, the entire apple may be left for the opposition.
3) Stick to the stipulated ESI protocol.
When parties agree upon a jointly stipulated ESI protocol, the court does not appreciate when one party fails to remain within the approved guidelines. Case in point? Progressive Casualty Insurance Co. v. Delaney, where the court refused to order predictive coding. In this case, the plaintiff used keyword search to cull a set of 1.8 million documents into a set of 565,000 potentially responsive documents. However, after beginning a manual review of those documents, the plaintiff decided that manual review would be too costly and time-consuming. The plaintiff then asked the court to modify the stipulated ESI protocol to allow the use of predictive coding. The defendant opposed this request, and argued that it would further complicate the litigation, and
if predictive coding were to be used, it should have been done against the full set of documents, not just the culled data. Even though the court wrote directly in favor of predictive coding and technology assisted review, it was hesitant to stray from the ESI protocol that the parties had agreed upon. The court concluded that ordering the use of predictive coding would only result in more disputes and further delay of discovery, stating that if “the parties had worked with their e-discovery consultants and agreed at the onset of this case to a predictive coding based ESI protocol, the court would not hesitate to approve a transparent mutually agreed upon ESI protocol. However, this is not what happened.” This case points to the importance of cooperation throughout the course of litigation.
4) Avoid discovery about discovery.
In Ruiz-Bueno v. Scott, the court had to decide whether it would force defendants to answer interrogatories regarding how they conducted e-discovery. The plaintiffs were asking the court to order the defendants to answer “what procedures or methods were used” for search, a topic that should have been discussed in a meet-and-confer that never happened. The court awarded the sought after “discovery about discovery” after calling it exactly that. In an ideal world, these types of disputes would never be presented to the court because counsel would have recognized the potential for disagreement about proper search protocols, and would have actively sought to avoid them through cooperation. That concept appears in Fed. R. Civ. P. 26(f), which requires the parties to meet and confer early in the case to discuss “any issues about disclosure or discovery of electronically stored information, including the form or forms in which it should be produced….” In this case, that effort would have required defendants’ counsel to state explicitly how the search was constructed or organized. Plaintiffs’ counsel would then have been given the chance to provide suggestions about making the search more thorough. That does not mean that all of plaintiffs’ suggestions would have to be followed, but it would change the nature of dispute from one about whether plaintiffs are entitled to find out how defendants went about retrieving information to one about whether those efforts were reasonable. The main lesson: Failure to cooperate is costly.
5) Avoid being nudged by the court.
An opinion in the In re Biomet case saw the court address the plaintiff Steering Committee’s request for Biomet to produce “the discoverable documents used in the training of the ‘predictive coding’ algorithm” to help them “intelligently propose more search terms.” Biomet only stated that the discoverable documents used in the seed set had already been disclosed, and argued that it was not required to further identify the seed set. The court confirmed that compliance was not required, but did indicate that it was troubled by Biomet’s position. Biomet suggested “no way in which telling the Steering Committee which of the documents already produced were in the seed set would harm it.” In addition, the court found that Biomet’s cooperation fell below the standards of what the Sedona Conference endorsed, stating that an “unexplained lack of cooperation in discovery can lead a court to question why the uncooperative party is hiding something, and such questions can affect the exercise of discretion.” While the court did not compel disclosure in this case, it did urge Biomet to “rethink its refusal.”
Litigation by its very nature is adversarial. However, even the most cutthroat lawyers understand the impact that collaboration can have on the case budget and the overall outcome of the matter. When it comes to e-discovery the case for cooperation is even more compelling, with intricate legal doctrines, complicated technical protocols and multiple inside counsel, law firm and service provider roles intersecting. Cooperation between litigating parties may be counter-intuitive, but when it comes to e-discovery it is essential. ■
Michele Lange is a Director of Legal Technologies Marketing and Thought Leadership for Kroll Ontrack. She co-authored the American Bar Association book Electronic Evidence and Discovery: What Every Lawyer Should Know. mlange@krollontrack.com
Brian Calla is a member at Eckert Seamans Cherin & Mellott, LLC. He concentrates his practice in the area of general civil litigation, with a particular emphasis on electronic discovery, mass tort litigation and product liability. He serves on an Electronic Discovery Special Masters panel for the U.S. District Court for the Western District of Pennsylvania. bcalla@eckertseamans.com
Intellectual Property Shrinking Territory continued from page 23
products other than nucleic acids. In In re Roslin Institute (decided May 2014), the Federal Circuit held that the cloned sheep Dolly was an “exact genetic replica” of the natural (“donor”) sheep and did not possess any “markedly different” characteristics from natural sheep. The Court said that the differences between the clones and the donor which the Roslin Institute had relied upon to argue in favor of patentability – such as differences in mitochondrial DNA – were not recited in the claims, nor did the patent application identify how those differences rendered the claimed clones “markedly different” from the donor animals. The PTO Guidance similarly applies Myriad broadly to all natural products, instructing that a claim for a naturally occurring product is not patent eligible unless it recites something “significantly different” than the naturally occurring product. The PTO Guidance provides that a “significant difference” can be shown if the product claimed is “markedly different in structure” from naturally occurring products. The question arises: Do Mayo and Myriad apply to both process and product claims? Analysis of patent eligibility under Mayo and Myriad differs in that under Mayo a method claim must recite an “inventive concept,” while under Myriad a product claim must recite a “marked difference” from a natural product to be patent eligible under Section 101. The “inventive concept” requires that the claimed process involve more than known, routine steps and that the claimed process provide a meaningful limitation, such that all uses of the natural law recited in the claim are not preempted. The PTO Guidance interpreted the “marked difference,” referred to in Myriad, as requiring a structural difference between the claimed and natural product. Yet, Myriad suggested that a “marked difference” may also allow for a functional difference. While Myriad acknowledged that isolated genomic DNA was chemically distinct from a
naturally occurring gene, it also held that this structural difference did not confer any “new and useful” functional property and, therefore, the claimed nucleic acid was not patent eligible. Similarly, the Federal Circuit Roslin decision acknowledged that while the mitochondrial DNA of a cloned mammal may be different than that of a natural mammal, such a structural difference does not confer “markedly different” characteristics upon the clone, and therefore does not remove the clone from patent ineligibility under Section 101. Recent court decisions support the application of separate analytical frameworks for determining patent eligibility for product claims under Myriad and process claims under Mayo. For example, in Ariosa Diagnostics, Inc. v. Sequenom, Inc., the District Court of the Northern District of California found the claimed methods of detecting cell-free fetal DNA in maternal plasma to be patent-ineligible under Mayo. It also found the product of the claimed method – cell-free fetal DNA – was not claimed, and therefore that Myriad did not apply. And the District Court of New Jersey, in Shire LLC v. Amneal Pharmaceuticals, refused to find the product claims patent-ineligible under Mayo because “Mayo does not alter the patent-eligibility test for composition claims.”
PLANNED PTO GUIDANCE REVISION
The PTO reported at a Biotechnology, Chemical and Pharmaceutical Customer Partnership meeting, in September, that it intended to revise the PTO Guidance in late 2014 to clarify some of the issues raised in the over 80 public comments received from various intellectual property and pharmaceutical organizations, academic institutions, law firms, and practitioners. Four changes were expected: (1) patent eligibility analysis will focus on claims directed to, rather than merely involving or reciting, a law of nature, natural product, or abstract idea, (2) “markedly different” will include functional as well as structural differences, (3)
“significantly different” will disappear as a standard used to determine patent eligibility, and (4) the patentability analysis will be simplified, dispensing with the 12-step approach. Importantly, the PTO noted that in its revised PTO Guidance natural products would not be confined to DNA. In any case, while biotechnological innovators anxiously awaited the revision of the PTO Guidance to establish clear rules for patent eligibility, those new guidelines will not be binding on the courts, and it may be some time before the courts clarify the scope of patent eligibility under Section 101 in light of Mayo and Myriad. ■
Leslie Kushner, Ph.D., is an associate at Fitzpatrick, Cella, Harper & Scinto, where her practice is focused on biotechnology and pharmaceutical patent litigation. Prior to becoming an attorney, she was an Associate Member of the Feinstein Institute and Director of Urological Research at the North Shore-Long Island Jewish Health System, Manhasset, NY, where she was a Principal Investigator of biomedical research on urologic disease. lkushner@fchs.com
Robert S. Schwartz, Ph.D., is a partner at Fitzpatrick, Cella, Harper & Scinto. He focuses his practice on biotechnology and pharmaceutical patent litigation, technical advising, and patentability and non-infringement opinions. His primary work is in biotechnology, particularly protein biochemistry, cell biology, molecular biology, genomics, proteomics, vitamin and nutritional supplements and the chemical arts. rschwartz@fchs.com
E-Discovery and the Cloud
By Rory J. Radding and Danielle E. Gorman
We all hear about the wonders of the cloud. It may be less costly and more efficient than data stored on local servers or computers, and it’s easily accessible. The belief is that using it will save corporations millions of dollars by eliminating captive storage systems. But the cloud is not a panacea when it comes to litigation. Corporate counsel whose companies store, manage or process data in the cloud must be mindful of the legal ambiguities that creates, especially when the company finds itself in litigation. Although cloud computing affords many advantages, it may also create unintended obligations or liabilities if your company is asked to produce electronically stored information that has been stored in this amorphous space. One of many legal uncertainties that arises with cloud e-discovery involves determining who is in “custody, possession, or control” of the ESI for purposes of production. If your company’s data is stored off-site with a cloud vendor, under what circumstances will that data still be deemed within the company’s “control,” such that the company is obligated to respond to ESI discovery requests? Over the years a number of courts have ruled that ESI held by a third party on behalf of a litigant or its counsel remains within the litigant’s control, and is thus subject to production if the litigant has the practical ability or legal right to obtain it on demand, or has retained the right or ability to direct the third party that holds the ESI. Although few courts have commented specifically on discovery obligations in the context of cloud computing, the July 2014 decision in Brown v. Tellermate Holdings Ltd. confirms that courts are likely to deem a cloud customer to be in control of the data maintained by a third-party cloud service provider for production purposes, if the customer retains the legal right or ability to obtain it.
In Brown, the defendants stated that they did not have “control,” but the United States District Court for the Southern District of Ohio unequivocally found that ESI maintained by a cloud provider “belonged” to the defendant companies. Even though the ESI was stored on the provider’s database, any of the defendant employees with a login name and password could access that information at any time. In light of the defendants’ failure to preserve and collect that ESI, the court awarded plaintiffs legal fees and precluded defendants from relying upon certain evidence. Thus, because a cloud service customer will most likely be deemed to be in control of the ESI at issue for purposes of production, a party to litigation or a governmental entity may seek ESI by a request to the cloud customer in addition to, or instead of, a subpoena directed to the cloud service provider. The opposing party may indeed prefer to request the information from the cloud customer because, in some limited circumstances, a cloud service provider may be protected against compelled disclosures under The Stored Communications Act. Accordingly, you or your outside counsel must be prepared to adequately respond to such requests. Keep the following in mind to improve the efficiency or adequacy of your responses:
• Know your vendor. Since the cloud customer often remains accountable for the production of cloud-stored data, it remains the customer’s responsibility to carefully vet vendors and to secure one competent at handling discovery requests. Many cloud customers simply use vendors to store data in the cloud for general purposes, with no special provisions or considerations about e-discovery. However, different types of cloud vendors may specialize in or provide e-discovery tools or software, use of which may facilitate the discovery process and increase a cloud customer’s compliance with production requests.
• “Location, location, location.” Understand exactly where your company’s data resides. This includes knowing whether the cloud service provider uses subcontractors or stores its data outside of the United States. In either of these instances, it may take longer for the cloud provider to collect the data, possibly subjecting your company to sanctions for untimely response.
• Read the fine print. Understand your company’s cloud service agreement, including any provisions that specify whether or not the customer data remains the property of the customer. They are rare, but if there are in fact service contract provisions that restrict customer access to the data, courts will be far more receptive to an inaccessibility argument.
PRIVILEGE
Discovery of ESI in the cloud also poses certain risks if the customer or provider is unskilled at the technical production process. If the discovery process inadvertently retrieves privileged data, its production may lead to a waiver of privilege. In Hernandez v. Esso Standard Oil Co., for example, the United States District Court for the District of Puerto Rico held that the defendant’s inadvertent production of approximately 1,500 privileged documents due to an “errant mouse click” resulted in a waiver of the privilege. A litigant also faces the liability of potentially waiving a third party’s privilege. Specifically, if the litigant’s data is commingled with a third-party cloud user’s data in a public cloud, production of that mixed data may constitute waiver of a third party’s privilege. Further-
continued on page 35
E-Discovery
Social Business Boom Brings Legal Obligations By Kris Vann, Edwin Lee and James FitzGerald
The workplace communication landscape has been radically transformed over the past decade. Today, clients and colleagues use a multitude of platforms to stay connected. Though the term social media is often associated with prominent websites, like Facebook and Twitter, that empower mass communication, the emergence of “social business” now allows organizations to leverage community platforms to improve business performance by way of
engagement with customers, employees, partners, and suppliers. The world of social business comprises dozens of evolving products and services. For example, organizations are using enterprise platforms with instant messaging, such as Microsoft Lync and IBM Sametime, to promote easier communication among employees. In many cases this involves group chat among several workers at once. Many companies are seeing these services replace conventional email, because they offer a more immediate and efficient means of communication.
Companies also utilize social business platforms to connect with customers and prospects. Facebook and LinkedIn company pages now serve as valuable locations to promote products and services. Indeed, many companies have adopted social business-based advertising strategies. Customer service professionals often troubleshoot issues virtually via screen sharing and other services that allow users to work on projects collaboratively despite being hundreds of miles apart. Every business
function is being transformed in one way or another by the prevalence of social business.

LEGAL OBLIGATIONS
While the workplace communication landscape has seen immense change in recent years, many organizations aren’t aware that there has been a commensurate increase in the obligation to accurately preserve social business content. This obligation is already crucial in regulated industries such as banking, insurance, pharmaceuticals and healthcare. Those requirements are migrating to other industries quickly. Companies must be prepared to preserve and collect potentially relevant electronically stored information (ESI) associated with legal and regulatory matters regardless of the media from which it derives.

For many years, the primary source of discoverable ESI was email. As email is replaced with newer forms of communication, legal and IT teams must adapt to a much more complex data environment. Since many of the emerging social business platforms are cloud-based, legal and compliance professionals face challenges meeting their obligations, particularly because data recovery protocols vary significantly from one cloud provider to another. Standard service-level agreements with cloud providers rarely address e-discovery requirements, and provisions surrounding user access to data are often vague. This was underscored in a recent case, Brown v. Tellermate Holdings, Ltd., in which a party was sanctioned for neglecting to adequately investigate how one of its cloud providers maintained historical data and backup information.

Compounding matters, litigants are increasingly pressing adversaries to look under every rock for relevant ESI, and that means lawyers have to account for new forms of data that weren’t previously on the legal team’s radar screen.

TECHNICAL COMPLEXITIES
Besides navigating the legal and compliance requirements, the technical complexities surrounding preserving and collecting social business content (or “social data”) can prove challenging.
Because of the collaborative nature of social business platforms, these systems structure data very differently from more familiar data sources, like email. For example, Microsoft SharePoint permits multiple users to access and modify the same files and collaborate on shared “discussion boards,” creating an extensive and complex web of metadata that is often difficult to comprehend when crudely copied out of context. These archived discussion threads are of little historical concern to the native users of the system. But for a legal or compliance team tasked to track back actions to specific custodians and incidents, these complexities impose enormous burdens and make piecing together a coherent “story line” across multiple systems very difficult.

Some organizations attempt to log social data using off-the-shelf email archiving applications. What they typically end up with is large volumes of data shorn of context that must be laboriously pieced together manually. Errors and omissions are common with this method.

Another preservation approach is to capture social data by exporting the raw code from web pages. While cheap to initially perform, this method isn’t very effective when it comes to analysis and review. It has two primary shortcomings. Simply being able to interpret the raw data requires significant technical expertise and often necessitates bringing in specialists from outside the organization, and raw data is static, meaning it can only offer a snapshot of content at a given time. Depending on how often the organization is capturing the data, spoliation still remains a major risk.

OPPORTUNITIES FOR MISUSE
The open nature of social business platforms, coupled with weak enforcement of usage policies at most organizations, creates many opportunities for misuse. In one notable example, a manufacturing company discovered that a single employee permitted a media contractor to modify an existing contract via an instant message conversation of less than 15 exchanged words. In a subsequent lawsuit, a judge found that even though the exchange between the employee and contractor occurred over instant message, it was a legitimate conversation between client and customer authorizing the contract change. The company ended up losing more than a million dollars as a result of the incident. (See CX Digital Media, Inc. v. Smoking Everywhere, Inc.)

While that example may seem extreme, studies show companies are grappling with similar issues at an escalating rate. According to the recent Proskauer 2014 Social Media in the Workplace Around the World survey, 70 percent of respondents reported taking disciplinary action for employee misuse of social media. Examples of misuse include employee harassment, misuse of confidential information and misrepresenting the company. These are the types of issues that often trigger internal investigations, compliance violations or legal conflicts, all of which spark preservation obligations.

CREATING A POLICY
There are steps organizations can take to mitigate the risks associated with the social business boom. A good policy starts with establishing some broad parameters regarding what systems employees are permitted to use to disseminate company-related information.
That way, legal and compliance teams can stay abreast of sources of potentially responsive ESI that may be implicated in future matters. The policy should also clearly delineate acceptable and unacceptable use of social business platforms. Going back to the previous instant messaging case example, a policy prohibiting any discussion of existing contracts over instant message may have prevented the employee from even broaching the topic in the first place. A policy alone, even one that is well thought out, will do little good if it’s not enforced, regularly revisited and updated. Many companies create a
policy around social media or social business platform use only to have most workers forget it exists. Another thing to keep in mind is that an overly restrictive policy can be difficult to enforce, and can engender a negative response from employees. This often results in an unintended uptick in clandestine social communications, which is the stuff of legal and compliance team nightmares.

If creating a social business policy represents the first line of defense, leveraging technologies specially designed to deal with social business content is the second, and a crucial component of a strategy. There are advanced social data repositories that can capture content in high-fidelity context, so the real story isn’t lost. In the case of a shared discussion board, this can take the form of a conversation thread, so that reviewers can easily see which communications connect with which others. Another advantage of utilizing specialized repositories is their ability to capture key metadata, including date and time stamps of all changes, which is often required for legal and compliance purposes.

The ability to capture deleted or revised information is another key capability. While users frequently erase social communications, the data itself is often recoverable. Advanced technologies can track and store deleted content in the event that legal and compliance teams need to access it. In highly regulated industries, such as finance, organizations are occasionally called upon to perform this level of data recovery. Having tools on hand that can perform this function can save organizations money that would otherwise go to outside specialists.

Another technology consideration when dealing with social business content is integrating existing e-discovery and compliance applications with social data repositories. Among the key benefits of integrating systems is the ability to quickly and easily preserve, collect and ingest social data into a centralized repository where it can be joined by other ESI, such as email, and be collectively processed and searched. Enterprise-level e-discovery applications also have robust documentation capabilities, including automated activity logs and audit trails. These can capture actions around social communications in the context of other e-discovery activities when systems are integrated and relaying information back and forth.

Social business is everywhere. While it began as a personal communication phenomenon, social communications have invaded most workplaces with remarkable speed. The benefits of the social business boom are undeniable,
but many organizations underestimate the legal and compliance risks that come along with a more connected, collaborative workforce. By recognizing these risks, creating enforceable policies and investing in the right technologies, legal and compliance teams will be well prepared to navigate this transformed communications landscape. ■
Kris Vann is the lawyer in residence for TRUSTe. A former litigator with more than 20 years of experience in compliance and legal technology, she is a frequent speaker on the topic of risk mitigation in the use of 3.0 communication platforms. kris.vann@yahoo.com

Edwin Lee is the managing director of Alvarez & Marsal’s global forensic and dispute services. He helps legal counsel and companies control the costs and mitigate the risks of e-discovery. He is a member of the State Bar of Texas and a participant in The Sedona Conference Working Group 1 on Electronic Document Retention and Production. elee@alvarezandmarsal.com
James FitzGerald serves as the senior director of information governance at Exterro. He has more than 20 years of experience in strategic management for complex software solution providers. He publishes regularly on the topic of legal technology and e-discovery process management. james.fitzgerald@exterro.com
E-Discovery and the Cloud continued from page 31
more, inadvertently gaining access to a third party’s trade secret information stored in the cloud could destroy the legal protection of that trade secret. Also, because the data at issue is being maintained by a third-party host, steps must be taken to ensure that the company’s data is not being commingled or accessed by unauthorized third parties. Corporate counsel or those in charge of vetting and selecting cloud vendors should keep these guidelines in mind:

• Know thy neighbor. Ask potential vendors who else is storing in the cloud, and whether tenancy is shared or if separate processors or storage devices are used for each client.

• Get it in writing. Seek to include provisions in the cloud service agreement that require the provider to compartmentalize your company’s data and keep it separate from the data of other cloud customers. Take reasonable care to prevent accidental or unlawful loss, access or disclosure of your company’s data.

• Plan for the worst. Contemplate the possibility of third-party claims due to inadvertent access or disclosure of third-party ESI, and understand under what circumstances your company may be held liable for such errors.

PRESERVATION
The duty to preserve relevant information may arise as soon as it is reasonably foreseeable that an issue will become the subject of litigation. However, when your company has placed the relevant ESI in the cloud, fulfilling the duty to preserve that data is complicated. Typically, a cloud customer will not be able to access the cloud’s operating server to implement preservation commands. Nonetheless, the customer bears the responsibility of ensuring that its service provider preserves any relevant ESI. If it’s lost, altered or destroyed, the cloud customer may be punished with sanctions, preclusion of evidence, adverse inferences or awards of costs or fees.
The most efficient way to prevent inadvertent destruction or loss is to put a litigation hold in place quickly and issue it to the cloud service provider. In fact, failure to issue a litigation hold to an external cloud vendor may subject a litigant to sanctions. In the 2013 case Sekisui Am. Corp. v. Hart, the U.S. District Court for the Southern District of New York ruled that the plaintiffs’ conduct, including a six-month delay in notifying their cloud service provider of a litigation hold, constituted gross negligence. The court accordingly granted the defendants’ request for an adverse jury instruction.

In cloud computing, issuing a litigation hold is necessarily more complicated. It is more difficult to pinpoint data associated with a specific individual or topic in the cloud than it is to identify, say, a local network drive in the traditional computing environment. Moreover, once a hold is issued, the cloud service provider may choose to ignore the hold if it is unable to separate the litigant’s data from other clients’ data and/or does not wish to disrupt other clients’ use of the cloud. Some providers may also be unwilling to suspend their routine deletion of data because the data retention would place an undue strain on the server. Even if the cloud provider is cooperative, it may simply lack the necessary e-discovery tools, and the cloud customer may thus be helpless to prevent loss or destruction of data. In any of these cases, sanctions would likely fall on the cloud customer.

There are two important measures you can take to avoid sanctions for data spoliation. First, treat information stored in the cloud the same way you would if it were stored on the company’s own internal system. That means cloud providers should immediately be served with a litigation hold when a cloud customer is notified of a claim or if litigation is anticipated. Second, be sure to address preservation issues in your service agreement. Get in writing the measures the service provider will undertake to preserve data, and what degree of access you as user will have to collect and export ESI so as to fulfill discovery obligations and avoid sanctions for spoliation.
Proposed changes to Federal Rules 16, 26, and 37, now pending approval by the Supreme Court, may soon help clarify a party’s obligations with respect to e-discovery, or at least force litigants to realize and plan for e-discovery issues, including cloud-stored data, at an early stage of the case. These rules provide for consideration of, and sanctions related to, the preservation of ESI, separate and apart from the production of ESI. At the very least, these proposals suggest that in the interim courts will increasingly hold cloud customers responsible for the preservation of relevant ESI and will be less likely to condone inadvertent deletion or general technological incompetence. Corporate counsel must understand the risks and obligations that arise when their company’s discoverable data is being stored in the cloud and prepare for possible litigation when use of the cloud service commences. Early preparation will make e-discovery a less cumbersome, less intrusive, and less time and cost-consuming process, while minimizing the prospect of sanctions. ■
Rory Radding is a partner in the Intellectual Property Group at Edwards Wildman Palmer LLP. He has litigated diverse intellectual property and information technology cases in the federal courts and the United States International Trade Commission. rradding@edwardswildman.com
Danielle Gorman is an associate in the Intellectual Property Group at Edwards Wildman Palmer LLP, concentrating on trademark portfolio management, enforcement and anticounterfeiting matters. degorman@edwardswildman.com
Cybersecurity
Don’t be the Next Cyberattack Target By Chris Salsberry
By late last year many organizations had become complacent about the likelihood of a cyberattack. Then, after some high-profile incidents and renewed emphasis from U.S. regulatory agencies, organizations became aware of not only the financial losses they could suffer due to a cybercatastrophe, but also the potential for damage to their reputation and potential liabilities. Now, the current business and legal climate makes this the ideal time to reassess cyber programs, take steps to limit the amount of data that could be compromised and minimize potential fallout from a breach.

A key development on the regulation front occurred in February of 2013, when President Obama issued an Executive Order calling for the development of a voluntary, risk-based cybersecurity framework for the nation’s critical infrastructure. A year later, in February 2014, The National Institute of Standards and Technology released its framework. Sparked by this development, a number of government agencies subsequently issued guidance that puts organizations from many industries on alert that cybersecurity should also be their top priority:

• In June 2013, the Food and Drug Administration released draft guidance on cybersecurity in medical devices, directing manufacturers to identify and assess potential threats and vulnerabilities to the security of their devices and their software and to develop suitable mitigation strategies.

• On January 2, 2014, the Financial Industry Regulatory Authority included cybersecurity among its priorities for the year, explaining it would focus on the “integrity of firms’ policies, procedures, and controls to protect sensitive customer data.”

• On February 26, 2014, the Commodity Futures Trading Commission issued Gramm-Leach-Bliley Act Security Safeguards that outline data security practices that firms and third-party contractors should follow. Specifically, firms are to appoint an employee to oversee the firm’s privacy and security management, identify all “reasonably foreseeable” internal and external security risks, establish protocols to control those risks, ensure the encryption of data, implement controls to detect and respond to unauthorized access, and arrange for independent testing and monitoring of security policies and procedures.

• On March 7, 2014, the Federal Energy Regulatory Commission directed the North American Electric Reliability Corporation, a nonprofit charged with setting standards for bulk power suppliers, to issue standards that address physical security risks and vulnerabilities related to the bulk-power system, including threat assessments and the safeguarding of confidential information.

• On April 15, 2014, the SEC announced that its Office of Compliance Inspections and Examinations (OCIE) would audit cybersecurity preparedness in the securities industry. The OCIE planned to examine more than 50 registered broker-dealers and investment advisors, and collect documents in order to study their “cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.”

These agency initiatives, among others, should encourage organizations to get past any “wait-and-see” attitude, immediately begin to reconsider their approach to cybersecurity, and take proactive steps to ensure their cyber programs comply with developing regulatory initiatives and are able to handle threats.
BEST PRACTICES
Recent cybersecurity attacks on prominent retailers, government agencies, and medical device manufacturers make it clear that no one is immune from the threat of cyberattacks. Given the volume of data they create and the variety of locations where they store it, including in the cloud and with third parties, it is no longer a matter of whether, but rather when, organizations will be the victim of a breach. So now is the time to formulate a strategy that addresses the most common and hazardous risks. Although there is no one-size-fits-all approach, there are some general best practices:

1) Realize that cybersecurity is not just an IT issue. It involves all aspects of a business. Organizations must therefore create a culture that encourages buy-in among all business units. Employees should be trained on all cybersecurity policies, with special emphasis on the importance of looking for and reporting any potential incidents. A single individual, or a committee, should be appointed to manage information security. The managing party or parties should document the organization’s cybersecurity practices, policies, and procedures.

2) Understand the organization’s data assets. To craft strategies to combat potential threats, organizations must understand what their information assets consist of and where they are located. An inventory should be taken of the physical devices and systems, as well as their software platforms and applications. All external connections to their network should be cataloged and evaluated. Organizations must also contemplate possible new risks of compromise, destruction or theft, as they adopt new mobile technologies, move their data assets to the cloud and other offsite storage facilities, and become more collaborative. It may also be a good idea to have a plan for tracking data movement across various networks.

continued on page 41
Labor & Employment
Beating a Non-Compete Disguised as a Non-solicit By Todd R. Wulffson
Except for the weather, most businesses have little incentive to set up shop in California. The reason is the perceived anti-business attitude of California’s legislature and judiciary. Unfortunately, even in cases where California is decidedly pro-employer, such as limiting the enforcement of non-competition and non-solicitation agreements, the result can be litigation so expensive and time-consuming that it creates the same restrictions that law and the courts have tried to prevent.

A company called Stearns Lending, Inc. recently experienced this dilemma. It prevailed before a jury on June 20, 2014 in a very expensive case that by all accounts never should have been brought (Orange County Superior Court, Prospect Mortgage, LLC vs. Jeremy DeRosa and Stearns Lending, Inc.). In April 2012, Stearns, one of the nation’s largest private residential mortgage lenders, was sued by competitor Prospect Mortgage, for allegedly “aiding and abetting” former Prospect employees in violating agreements (required as a condition of employment) that they would not solicit or recruit a former co-worker for 18 months after leaving. After two years of litigation, more than a dozen depositions and more than a million pages of documents produced by both sides, Prospect asked the jury for more than $10 million plus punitive damages because several former loan officers left Prospect to work for Stearns. Thankfully for Stearns, the jury was unconvinced by Prospect’s theories of liability, but the case highlighted the issue of whether Stearns could have done anything to avoid the substantial drain of resources and time that went into the trial.
Stearns, by all accounts, did everything a prudent employer in California should do. As part of its hiring process, all employees are required to sign an agreement stating they are not violating any restrictive covenant from a former employer and are not in possession of, or using, any confidential information in the performance of their duties. All employees are told that if they receive any threatening communication from a former employer, they must immediately contact their manager or the general counsel. Finally, Stearns takes a proactive approach to any threats of litigation, communicating with competitors to reach informal resolution of any real or perceived grievances. Silence can be perceived as a tacit admission of wrongdoing, and Stearns is diligent in making sure all known communications receive a detailed response.

GENERAL COUNSEL’S ROLE
The simple act of counseling and training employees to bring issues to the general counsel’s attention was perhaps the most important thing Stearns did that ultimately led to its victory in this case. When the first letter from Prospect came in “reminding” the new Stearns employee of his continuing obligations, the employee brought it immediately to the general counsel. She was then able to take steps that proved to be the most effective in avoiding liability, based on the poll of the jurors following the trial. The general counsel instructed not just the employee who received the letter, but all former Prospect employees, to be extremely careful not to be perceived as soliciting or recruiting. They were asked to keep a log and
copies of emails and correspondence from former colleagues to show that any communication was either innocuous and/or initiated by the former colleague. If the friend or former co-worker was seeking potential employment with Stearns, the employee knew to respond by stating that he or she could not discuss employment because of his/her non-solicitation agreement with Prospect. Seeing these emails to and from the alleged violators of the non-solicitation agreements during the trial was very convincing to the jury.

Similarly, the general counsel took steps internally to ensure that no former Prospect employee earned any bonus or commission related to the hiring of a former colleague. All of these emails and instructions were intentionally written and distributed by Human Resources, placed in personnel files, and were not privileged, which appeared to come as both a surprise and a disappointment to Prospect during discovery. They were also very helpful to the jury in understanding the chronology of the events and the transparency of Stearns’ claims that it had taken steps to ensure that the employees complied with their obligations.

THE EDWARDS LOOPHOLE
Unfortunately for Stearns, it became apparent that the lawsuit against it was one of many filed by Prospect with nearly identical allegations against former Prospect employees and/or their new employers. Putting aside any possible in terrorem or cost/benefit analysis, Prospect’s numerous lawsuits are perfectly legal, taking advantage of a loophole known as footnote four in the case of Edwards v. Arthur Andersen LLP (2008).
In 2008, the California Supreme Court acknowledged the state’s long-standing public policy favoring employee mobility and confirmed that employee non-competition agreements are unenforceable in California. California Business and Professions Code Section 16600 states that a contract that restrains anyone “from engaging in a lawful profession, trade, or business of any kind” is void. The court further stated that 16600 “protects the important legal right of persons to engage in business and occupations of their choosing.” For that reason, “this court generally condemns non-competition agreements.”

Despite the broad language of the Edwards opinion, a key question remained: What about a clause, such as Prospect’s, that bars an ex-employee from soliciting fellow employees to leave and join a competitor? The Edwards court specifically avoided deciding this issue, and stated that: “[W]e do not here address the applicability of the so-called trade secret exception to section 16600 as Edwards does not dispute that portion of his agreement or contend that the provision of the non-competition agreement prohibiting him from recruiting Andersen’s employees violated section 16600.”

Therefore, in reliance on this footnote, businesses such as Prospect can sue to enforce non-solicitation clauses to protect trade secrets and prevent a departing employee from inducing fellow employees to leave. If several of these lawsuits are brought, and word gets out that if one leaves the company one is likely to be sued, it may encourage employees to stay, to shun long-term friends after they leave, or simply to depart the industry altogether.

If a company is willing to commit resources to enough “footnote four” lawsuits that it creates a palpable fear among existing and former employees, what can a targeted competitor do? One of the most helpful things can be to gather “frenemies” (as in, “the enemy of mine enemy is my friend”).
Even competitors are likely to share information regarding a common litigation adversary.
This is an excellent way to reduce discovery costs and bring some leverage against an opponent that may have spread itself thin prosecuting cases in multiple jurisdictions. It is also an excellent way to gather intelligence on why a company may be so worried about its employees leaving. That intelligence can lead to evidence that may convince a jury that employees wanted to leave of their own accord and did not need to be recruited at all.

In the Stearns case, coordination of activity and sharing of resources was very helpful. Prospect devoted seven lawyers to the litigation, and clearly had substantial experience with the subject matter and relevant case law because of numerous similar lawsuits. Learning that there were strong similarities between all the complaints provided peace of mind to Stearns in knowing that it had not been singled out, but was just one of many who had hired former Prospect employees.

Businesses confronted with the same quandary as Stearns can find solace in the fact that California case law is very much against blanket enforcement of non-solicitation agreements (absent identifiable trade secrets). In fact, one of the most effective cases for Stearns was a pre-Edwards case, Loral Corp. v. Moyes, (1985), that supported the following jury instruction: “Under California law, a person can always legally receive and consider job applications and inquiries from former coworkers, regardless of any contract or circumstance restricting him or her from recruiting or soliciting the former coworkers.” This instruction was crucial for the jury to understand that merely receiving an email or application from a former co-worker is not impermissible, provided it was unsolicited. It also works well when the employees are instructed to keep track of all such unsolicited contacts, as the employees in Stearns were.

The takeaways from the Prospect v. Stearns case are:

• Reliance on the Edwards decision may ultimately protect a business from liability, but it provides no immunity from expensive litigation.

• Putting the onus on employees to disclose their restrictive covenants is important, but providing an avenue for them to present any problems quickly is even more important.

• The general counsel must be proactive in leading management to respond quickly and effectively to any perceived threat of litigation.

• Diligently researching the plaintiff and any similar cases it has brought can be a cost-effective way to learn valuable information.

A non-competition case disguised as one of non-solicitation can be beaten, but it requires diligence, planning and significant resolve by the defendant. ■
Todd R. Wulffson is a partner at Carothers DiSante & Freudenberger LLP. He has more than 24 years of experience counseling and defending businesses in labor and employment issues, and on issues related to human resources and the implementation of measures to reduce risk and cost. twulffson@cdflaborlaw
Cybersecurity
Cyberattack Target continued from page 37
Organizations need to be aware of the types of data they store, and have an especially clear grasp of their critical or sensitive data. They should pinpoint where those assets are kept and keep them isolated.
3) Evaluate internal threats. An organization’s technology and protocols are only as strong as their weakest link, and numerous studies find the weakest link to be insider threats. The actions of employees, both intentional and inadvertent, are a rising source of cyber-theft. Therefore, along with external threats, organizations must also contemplate the possible risk from employees who access, share, and destroy proprietary digital assets. All cybersecurity programs should identify who has access to which types of data and devise a method of searching for and flagging unorthodox data access and transfers. One technique to deter employees from making unauthorized use of data is to regularly audit access and publish the results as a means of reaffirming the organization’s commitment to its security policies. In addition, human resources staff should partner with legal and IT teams to ensure that user accounts for departing employees are disabled as soon as practicable, to prevent the copying and transport of sensitive data.
4) Consider risks associated with third parties and their access to information. As the well-publicized theft of login credentials from Target’s heating and air conditioning contractor made clear, third parties should have access only to the data required for them to carry out their function. Organizations should monitor all third-party network access and immediately investigate any deviations from normal traffic. Retailers that use point-of-sale systems should limit their use to sale activities only, and prohibit any use of the web, email, or social media on these systems. Furthermore, organizations should regularly audit their vendors’ compliance with their cyber policies, including by assessing their cybersecurity risk and training protocols. This is particularly important for business associates of entities covered by the Health Insurance Portability and Accountability Act (HIPAA). These third parties are responsible for protecting and encrypting covered entities’ protected health information. But regardless of industry, all third parties should be contractually required to provide prompt notice when any breach of their systems has occurred.
5) Secure and encrypt data on devices. Particularly for organizations whose employees use laptops and other mobile devices, encryption can limit embarrassment and potential liability from loss or theft. Organizations should periodically update and confirm that their encryption is active. Before disposing of or selling any computers, other digital devices, or information, the IT department should intervene to ensure all sensitive data is properly transferred, stored, or disposed of. Some industries are especially vulnerable to malware and similar threats. Medical device manufacturers, for example, must consider whether their devices contain systems that could be subject to breaches, and take steps to address these hazards, including limiting unauthorized access. Similarly, health-care providers must take steps to ensure their networks are protected with adequate firewalls and antivirus software, and to restrict access to the devices.
6) Communicate with industry peers and organizations. Cybersecurity programs benefit from collaboration and information-sharing among industry peers, security groups and networks. Shared knowledge of specific indicators, signatures and intelligence helps organizations defend their networks, as well as locate and manage undetected threats and prevent unauthorized access. Both informal and formal intelligence-sharing initiatives strengthen the capacity to be forewarned of potential attacks, address new threats, learn from the mistakes of others and create successful strategies for combating developing threats.
7) Focus on continuous improvement. Organizations are not static, and neither is their data. Through mergers, acquisitions and other major shifts in the corporate landscape, new security risks arise, and organizations may need to readjust their data priorities. Moreover, as organizations modernize their infrastructure to make it more efficient and as they change from manual to digitized processes, greater security may be required. Oil and gas companies, for example, are increasingly susceptible to security breaches as they shift to electronic systems.
Accordingly, organizations should appoint a cybersecurity committee that regularly meets to review organizational changes, evaluate new data sources, assess stakeholder needs, and analyze developing threats. As organizations grow and evolve, the committee should integrate disparate compliance policies governing data and data security, and ensure that new stakeholders support the cybersecurity program. Finally, the committee should compare its cybersecurity policies and programs with developing protocols and industry best practices, in an effort to identify opportunities to improve. The relentless increase in the volume of data, the proliferation of data types, the development of new storage devices and systems, along with the ingenuity of cyber criminals, leave organizations vulnerable to cyber attacks from many directions. Successful cybersecurity requires ongoing monitoring, testing, and tweaking, to address both internal developments and emerging threats. It also requires an organizational culture where vigilance against cyber risks is part of every employee’s job. ■
Chris Salsberry, Senior Director at Huron Legal, has more than 20 years experience leading complex criminal, computer forensic, electronic discovery, and cyber-investigations. He has managed large technology projects relating to the forensic recovery and electronic discovery process of data demanded by subpoena, and has led complex network intrusion investigations for both government and corporate clients. csalsberry@huronconsultinggroup.com
Labor & Employment
Texting and Using Personal Devices For Business
By Usama Kahf and Brent Cossrow
One of the realities of the workplace is that employees use cell phones, smart phones and tablets, for work-related purposes and to communicate with other employees. The use of personal electronic devices to communicate, and generate what some may argue are business records, raises interesting issues for businesses, particularly in the face of threatened or pending litigation. Should your company formally authorize employees to use personal devices for work and adopt a Bring Your Own Device (BYOD) policy? Or should it do the opposite and prohibit employees from using their personal devices for work-related purposes? Or something in between? What
is the impact of a workplace policy or employment agreement provision that requires employees to return company property and documents that reside on an employee’s smart phone? A decision on any of these issues may, under certain circumstances, give rise to a legal duty to preserve information on your employees’ personal devices that is relevant to pending or reasonably anticipated litigation. Several courts across the country have recently grappled with the issue of whether data on employees’ personal devices is within the custody, possession or control of the employer. The answer, as you would typically expect from your attorney, is “it depends.”
The court in one recent case found that the defendant-employer did not have possession, custody or control of computers and electronic devices personally owned by defendant’s members, employees and staff, in part because plaintiff failed to show that employees used their personal devices for defendant’s business. Similarly, another court found that a major warehouse retailer did not have possession, custody or control of text messages stored on employees’ personal cell phones where the phones were not being used for work-related purposes. Generally, when senior managers, officers, directors or owners of a company regularly use their personal cell phones for business, and the company knows or
should know that such use is standard practice, the court may find that these cell phones are within the custody, possession and/or control of the company. This means the company would have a legal duty to preserve the data on these cell phones, whether it is in the form of text messages or other information, and failure to preserve may have serious negative consequences in litigation. For example, in a case involving a telecommunications employer, the defendant company had a duty to preserve relevant emails from the personal email accounts of its former officers because it “presumably knew” that the officers used their personal email accounts to engage in company business. Absent a BYOD policy that permits (and in some cases expects) employees to use personal cell phones for work, employers are unlikely to have possession, custody or control (for purposes of discovery) of the personal cell phones of rank-and-file employees. But even without a BYOD policy, an employer’s knowledge and approval of employee use of personal devices for business, or any other facts that show that the employer has created and communicated an expectation that employees should be using personal devices for business, may give teeth to the argument that the employer behaved in a way consistent with undertaking a legal duty to preserve. In other words, if you behave as though you had control over an employee’s device, you risk being considered to have assumed control, which gives rise to a preservation duty. It is therefore critical and prudent for companies to regularly assess what level of control they have over their employees’ use of personal cell phones to send work-related text messages to other employees, managers, company clients, customers, vendors and other third parties. Companies should not wait until a judge decides whether they had at some point in the past a duty to preserve such text messages. By then the damage might be done.
An employer that fails to preserve relevant text messages after a duty to preserve has been triggered, and then fails to produce responsive text messages in discovery, may be sanctioned
for spoliation. Federal courts have broad discretion to determine the severity of the sanction imposed. Although each case is fact-specific, recent court decisions have articulated parties’ obligations when it comes to text messages. For example, in In re Pradaxa (Dabigatran Etexilate) Products Liability Litigation, the court sanctioned defendants $931,500 for, among other things, failing to preserve and produce employees’ text messages on company-issued and personal phones. The court noted that a company that issues a litigation hold to its employees must include text messages within the scope of data to preserve, including work-related text messages on employee-owned personal cell phones. Because text messages appeared to have not even been considered or covered in the litigation hold, the court found that failure to stop the automatic deletion of employee text messages justified imposition of sanctions on defendants. Additionally, the court stated that defendants should have questioned why none of their employees produced any text messages in the litigation. In a recent lawsuit by the U.S. Department of Labor, accusing a shipping industry employer of Fair Labor Standards Act violations, a federal judge sanctioned the employer for failing to adequately preserve electronically stored information, including text messages. The district court noted that, during the deposition of a key employee – the dispatcher whose job involved communicating daily with the company’s truck drivers about who will be picking up which loads – the dispatcher testified that he exchanged work-related text messages with drivers on a daily basis on their mobile phones, including group messages. He also testified that his practice was to delete all of his text messages daily, and that no one ever instructed him to preserve any text messages. The court also noted that the use of text messaging was too widespread for the employer to claim (as it did) that it was unaware of the practice.
Texting appeared to have been the dispatcher’s primary method of communication with the company’s drivers. Yet, for nearly six months prior to the dispatcher’s deposition and after receiving a discovery request expressly seeking text messages, the employer failed to even ask any of its employees whether they engaged in texting for work. In another case, the court issued an adverse inference jury instruction because the Blackberries issued to defendants’ employees were wiped of e-mails, text messages, calendar items, contacts and attachments at a time when defendants had a legal duty to preserve evidence relevant to the litigation. The court noted that the absence of any text messages or e-mails on employees’ mobile devices should be a red flag for defendants during discovery. Preserving employees’ text messages may be a logistical challenge, but in many cases the evidence preserved can be helpful to the company. If the reality of your business is that employees will be using their personal cell phones for work, then it may be in the company’s best interest to implement policies and procedures that provide the company the right to access and, if needed, the ability to preserve work-related information on employees’ personal devices. ■
Usama Kahf is an associate at the Irvine, California, office of Fisher & Phillips LLP. He represents and counsels employers on employment law matters. He is a member of the firm’s Electronic Discovery Committee, and he is co-author of a book on federal e-discovery practice. ukahf@laborlawyers.com
Brent Cossrow is a partner in the Philadelphia, Penn. office of Fisher & Phillips LLP. He represents and counsels employers in a range of employment issues, and he is the Chairman of the firm’s Electronic Discovery Committee. bcossrow@laborlawyers.com
Labor & Employment
FCRA Compliance Moves up the To-Do List By Rod M. Fliegel, Jennifer Mora and William Simmons
For decades, lawsuits against employers under the Fair Credit Reporting Act (FCRA) were rare. Most claims instead targeted the nationwide credit bureaus. Times have changed, and now employers are in the cross-hairs. Indeed, since early 2014 there have been approximately 30 FCRA class-action lawsuits against employers. These lawsuits cut across all industries, including retail, restaurant chains, theater chains, manufacturers and transportation companies. These no-harm-to-anyone lawsuits can be frustrating because typically they allege hyper-technical FCRA non-compliance (e.g., paperwork defects). It is a tried and true recipe, most recently seen in wage-and-hour class and collective actions: Pick a law that employers believe they have been following for decades, discern areas of ambiguity or potential technical noncompliance, find a disgruntled plaintiff, and file a class-action lawsuit where potentially devastating liability makes settlement seem like the only option. By prioritizing FCRA compliance on the “to-do” list, however, corporate counsel can take steps to armor their internal clients against this rising tide of class actions.
FCRA AND EMPLOYERS
Enacted more than 40 years ago, the FCRA is widely-known as the federal law that regulates the exchange of credit reports between credit bureaus and lenders. But it also regulates the information exchange between employers and “consumer reporting agencies” (CRAs) that provide consumer reports (i.e., background reports). Furthermore, the obligations that the FCRA imposes on employers are triggered not only when an employer orders a credit report, but also when they order virtually any type of report from a CRA. Broadly speaking, the FCRA imposes requirements that employers must follow before they obtain a consumer
report from a CRA, and requirements that employers must follow if they take “adverse action” against an individual based even in part on information contained in the consumer report. Before an employer may obtain a consumer report, typically it must make a “clear and conspicuous” written disclosure to the consumer that a consumer report may be obtained, in a document that consists solely of the disclosure. The consumer also must provide authorization, and the employer must certify to the CRA that it has a “permissible purpose” for the report, and that it will comply with relevant FCRA provisions and with state and federal equal opportunity laws. If the employer procures an “investigative consumer report,” a special type of consumer report whereby the CRA obtains information through personal interviews (e.g., an in-depth reference check), additional disclosures are necessary. After the employer obtains the report, it must follow additional procedures if it intends to take adverse action against the individual based even in part on the report’s contents. An adverse action broadly includes “a denial of employment or any other decision for employment purposes that adversely affects any current or prospective employee.” First, before the employer implements the adverse action, it must provide a “pre-adverse action” notice to the individual, along with a copy of the consumer report and the statutory Summary of Rights. Then, if the employer takes adverse action against the applicant or employee, it must provide a second adverse action notice. The adverse action notice must include specific text. The FCRA does not dictate the minimum amount of time an employer must wait between delivering the pre-adverse action documents and adverse action notice. Courts have generally held, though, that employers who wait at least five business days satisfied the obligation.
CLASS ACTIONS BASED ON THE FCRA
Increasingly, solo practitioners and non-profit groups with experience in the FCRA’s requirements team with well-known wage-and-hour class action firms to file these lawsuits. There are two significant reasons for the increase in FCRA class-action filings: The plaintiff’s bar likely views the FCRA remedial provisions as class-action friendly, at a time when the U.S. Supreme Court has demonstrated hostility towards class actions, and there has been wide-spread publication of several significant seven-figure class-action settlements. The FCRA allows an applicant or an employee to sue an employer for “negligently” or “willfully” failing to comply with the FCRA, with a two-year statute of limitations that may be extended up to a maximum of five years total. Class actions under the FCRA typically allege “willful” non-compliance, likely because plaintiffs can pursue statutory damages (ranging from $100 to $1,000) for each aggrieved individual for “willful” violations. Negligent violations do not give rise to statutory damages, but rather only to “actual damages.” The U.S. Supreme Court held in 2013 that individualized damages issues may preclude class certification in appropriate cases. Plaintiffs’ class-action lawyers may believe that statutory damages under the FCRA makes class certification easier to obtain because they argue that individualized damages assessments are unnecessary. The FCRA also allows prevailing plaintiffs to recover their attorneys’ fees. Noteworthy settlements have also brought attention to the FCRA. Recently, several multi-million dollar settlements were reached. These settlements are continued on page 49
TGC Surveys
Data Protection a Spending Priority for 2015
Spending on information governance will increase in 2015, according to a TGC survey of in-house practitioners taken in October 2014. The survey sought to capture information about trends in information governance, especially with respect to what respondents’ organizations were planning for the coming year.
Several respondents replied to an optional follow-up question: If the budget will increase, how much will it increase? “Unclear, several hundred thousand at a minimum,” said one. “The Budget won’t change, however, the actual dollars spent will increase as we work towards implementation,” said another. Judging from the priorities the respondents identified, increased spending will focus on enhanced data protection systems, staff training, improving compliance and upgrading technology. More than half reported that their organization’s highest priority for 2015 is to enhance their data protection systems.
In 2015, how will spending on information governance be affected in your organization?
It will decrease: 2%
It will remain the same: 44%
It will increase: 54%
Only about one-fifth said that adding email to information governance planning was a key priority for 2015.
What are your organization’s highest priorities in 2015? (% who said it was the Number 1 or 2 priority)
1. Enhance data protection systems: 55%
2. Improve compliance monitoring: 51%
3. Improve staff training and education: 51%
4. Review our retention policies: 48%
5. Upgrade technology: 48%
6. Delete electronic records that no longer need to be retained: 41%
7. Improve electronic records storage capabilities: 40%
8. Reduce the volume of paper records stored: 39%
9. Exploit information resources: 38%
10. Improve auto-classification systems: 33%
11. Add staff to help with information management: 30%
12. Review classification systems: 28%
13. Find appropriate outsourcers for records management: 26%
14. Add email and social media to our information governance planning: 22%
“That may reflect a sense that email is already being addressed by investing in archiving, or limited retention of mailbox content,” says Brad Harris, Vice President of Products at Zapproved, Inc. “In practice, I do find that many companies lack adequate email governance.” According to Harris, often an email retention policy is applied at the server, but employees circumvent the intent by retaining email in a local PST file. Or an email archive is implemented with the intent to apply retention policies, but expiration is never enabled. “Clearly, from an e-discovery risk perspective, gaining true control over email retention and deletion is the right place to focus attention,” he says. Several survey respondents commented that it was difficult to get business people to take information governance seriously. “Business people care about information governance in the same way an elevator passenger cares about elevator maintenance,” says Julie Colgan, Head of Information Governance Solutions at Nuix. “They know it is valuable, but it isn’t their job.”
Colgan suggests that rather than asking business people to perform information management tasks, the conversation should be about how information governance can help them do their jobs better, and deliver higher value to the company. “Talk with them about how you want to ensure data integrity so decisions are made on good data,” she says. “Tell them how you want to help get the right information to the right person at the right time to achieve business objectives. They’ll listen to that.” One respondent noted that in a selling organization such as his, stifling communication means stifling sales. He was wary of clamping down on communication in the name of information management. Harris, of Zapproved, Inc., agrees, with some reservations. “Companies are wise to look for opportunities to leverage innovations like messaging, chats, social media and cloud storage, but they need to understand the risks. That means planning how information governance should apply to those channels, and how ESI can be preserved and collected if required, to comply with legal obligations.”
Respondents were asked to rate their company’s overall approach to information governance - planning, policies, and procedures. Twelve percent rated their organization as “excellent,” the same percentage that rated it as “not very good.” Most respondents said “fairly good” or “just average.” There were no clear trends by department or organization size. Asked to write their reasons for assigning grades, respondents who rated their organization as being excellent emphasized the experience and longevity of their approach to information governance or the people in charge of it. One respondent wrote that his/her organization had a “long history of litigation that drove the focus on our information governance policy.” Those who described their organization as rating a grade of “not very good,” mentioned what was lacking - “devotion of thought to the process,” “experience or apprehension,” “money for infrastructure.” Several noted a lack of centralization for data repositories, data governance, and managing information. ■
Rate your organization’s overall approach to information governance planning, policies, procedures. (Scale of 1 to 5)
Excellent: 12%
Fairly Good: 35%
Just Average: 41%
Not Very Good: 12%
Non-existent: 0%
Comments from Respondents
Respondents were given the opportunity to comment, without attribution, about any issues addressed in the survey.
“A particular challenge relates to the massive volume of information that we have stored in email. The challenge has three components: (1) what authors are including in internal email exchanges may not be appropriate or desirable if it later becomes the subject of discovery; (2) whether email is stored or deleted, and how stored email is organized – or not – varies widely from user to user and from group to group; and (3) we have no enforced policy for how long email is to be preserved, or any procedure to ensure it is deleted thereafter.”
“Business people don’t understand need for robust data governance structure.”
“Seemingly constant data breaches scream for something to be done, yet it seems easier and cheaper to ignore the problem.”
“We are looking to implement an integrated approach that combines corporate governance with data security.”
“One man’s “information” is another man’s “communication.” If you are a selling organization, as we are, stifling communication means stifling sales. So you need to view the broader picture before you begin clamping down on communication in the name of information management.”
“We have found that “technology” is not a great solution in itself without good policy and training first.” ■
Labor & Employment FCRA Compliance continued from page 45
dwarfed by a number of high-profile settlements in cases brought against CRAs, which have run into the tens of millions of dollars, but they have galvanized the interest of the plaintiffs’ bar in pursuing class FCRA claims against employers. Although employee-friendly California has seen the biggest share of FCRA class-action filings, the trend is nationwide. There have been filings in Florida, Georgia, Maryland, Missouri, New Jersey, New York, Oregon, Pennsylvania, Tennessee and Virginia. The most popular claims are that the employer’s background check disclosure form contains language that is “extraneous,” and that the employer fails to provide any pre-adverse action notice, or if notice has been provided, that the employer fails to wait an appropriate amount of time before taking final adverse action against an individual (holding the job open in the meantime). The class-action suits challenging the employer’s background check disclosures tend to target those that are included within the employer’s job application or, if separate from the job application, include allegedly impermissible text, such as a release of liability. At least two district courts have upheld these theories, one in a certified class action. However, courts have reached conflicting conclusions, and for good reason. The exact phrasing that would satisfy the statute arguably is uncertain. No specific language, and no model form, specifies the phrasing that is required. The FCRA is also unclear as to what language, if any, can be combined with the required disclosure. For instance, even though the text of the FCRA states in one place that the disclosure document must consist “solely of the disclosure,” it goes on to state that an “authorization” may be in the same document. The term “authorization” is also undefined. 
Although the potential ambiguity should favor employers arguing that they could not have “willfully” violated an unclear statute, it also breeds theories as to why disclosure or authorization forms many employers thought
were compliant violate the FCRA.
RISK-MITIGATING MEASURES
Here are five steps corporate counsel can take to reduce the risk of FCRA class-actions:
• Educate key stakeholders, like hiring managers, to escalate issues involving potential adverse actions for background-check related reasons. Counsel or the designated non-attorney stakeholder versed in FCRA can then help ensure that the FCRA requirements have been satisfied.
• Consider arranging for a privileged review of background check forms and procedures. If this review has been planned but is languishing on the “to-do” list, it is time to give it high priority. To help ensure consistency, another consideration is whether background check related language is included in other personnel documents, such as job applications.
• Consider implementing procedures to ensure that adverse action notices are not sent to applicants or employees before a certain waiting period (e.g., five business days).
• Consider how best to record personnel decisions such that, if necessary, the employer can establish that the reason an applicant was rejected was something other than the background report.
• Consider having written background-check policies that document, among other things, the purposes of background checks and their proper handling, including confidential destruction.
A rarely cited, decade-old amendment to the FCRA provides that if a communication from a CRA is made to an employer in connection with an investigation of either “suspected misconduct” or compliance with “Federal, State, or local laws and regulations, the rules of a self-regulatory organization, or any preexisting written policies of the employer,” then the communication is not a “consumer report.” The upshot of this is an argument, at least, that the other “technical” requirements of the FCRA may not apply because the amendment removes the communication from the definition of “consumer report” and
may relieve an employer from some of the FCRA’s more onerous requirements. To address these issues and develop a compliant policy, corporate counsel should consider convening a working group of internal subject matter experts, including representatives from human resources, operations, IT, security or loss prevention, procurement and legal. Taking these steps can help prevent an employer from becoming the next target of a FCRA class action. ■
Rod Fliegel is a shareholder and co-chair of Littler Mendelson’s Hiring and Background Checks Practice Group in San Francisco. He has broad subject matter experience and expertise in class action defense and the intersection of the federal and state background check laws, such as Title VII and the Fair Credit Reporting Act, and their state law equivalents. rfliegel@littler.com
Jennifer Mora is a shareholder in Littler Mendelson’s L.A.-Century City office. She advises employers and consumer reporting agencies on the intersection of federal and state background check laws, including Title VII, the Fair Credit Reporting Act and their state law equivalents. jmora@littler.com
William Simmons is an associate in Littler Mendelson’s Philadelphia office. He has represented employers in a wide variety of labor and employment matters. wsimmons@littler.com
The Truth About Patent Damage Awards
Column
by Brian Howard
Patent litigation has become notorious in the last few years for jury verdicts with astronomical awards of damages. However, data from Lex Machina’s Patent Litigation Damages Report, released earlier this year, reveals that very few patent infringement cases result in damages, and those that do usually result in much lower numbers than a reading of the headlines would suggest. Understanding this report and its conclusions can be valuable to both counsel and parties involved in patent litigation. The report covers more than 36,000 patent infringement cases filed in U.S. district courts between 2000 and 2013, and finds the vast majority settled. Only 13.9 percent – 5,098 cases – were adjudicated on the merits. Damages, costs or fees were awarded in even fewer cases, 1,392. That’s 3.8 percent of terminated cases. And plaintiffs won compensatory damages for infringement in only 708 of the terminated cases, or just 1.9 percent of the cases filed.
Brian Howard is a legal data scientist at Lex Machina and co-author of the Patent Litigation Damages Report. He came to Lex Machina in September 2013 after working as a patent litigator at Durie Tangri, and earlier for Quinn Emanuel Urquhart & Sullivan. As a litigator, his focus was on defense against high tech and software patents in forums including the Eastern District of Texas, the Northern District of California and the U.S. International Trade Commission. bhoward@lexmachina.com
The Lex Machina report also shows that, while these 708 cases represent over $13 billion in cumulative damages, the sum is distributed very unevenly. The top three damages awards compensating plaintiffs were all more than $1 billion, and the top ten all more than $300 million, but these large awards were few in number. The median compensatory damages award per case (meaning that as many cases resulted in a larger figure as a lesser figure) was only $372,000. The overwhelming number of cases result in far smaller damages. Seventy-five percent ended with compensatory awards of less than $5 million, and 90 percent less than $25.4 million. Moreover, many of the parties winning the largest awards litigated other cases to less successful outcomes. For these parties, the big payday must be viewed against the larger number of cases and their attendant costs. These statistics can be used in practice to great effect, as litigators and litigants alike can better understand the cost/benefit of patent suits. What we see is that the rarity of damages awards and their low median value contrasts sharply with the cost of several million to litigate even a small patent case through completion.
For plaintiff-side firms, this data may assist in counseling clients on what to expect from potential litigation, in terms of time, reward and cost. Understanding the likelihood of a big win, and seeing the data on the few cases that were big wins, may help temper the expectations of inventors and be useful when advising clients in licensing negotiations or considering litigation. Especially for those firms working on contingency, this data underscores that great care is needed to sift the rare high-value wheat from the bulk of low-value or non-meritorious chaff. As a former defense-side litigator, I found data like this to represent valuable bargaining leverage, both in licensing negotiations and later during litigation. As a backdrop to a more specific legal analysis of the patent and product, such statistics were helpful in counseling clients on their litigation exposure, and in persuading component and service suppliers that indemnity is worthwhile. And for those with smaller clients, for whom even a lesser award might be fatal, understanding the tail-off of the distribution shown in the report allows for better advice. Other data published in the Lex Machina report, regarding enhanced damages, was not available when I was practicing, and it would have been immensely useful. These much-feared additional damages for willful infringement have been awarded in only 160 cases (that is 0.6 percent of terminated cases), and the median award was $474,996 per case. A litigator with this information would be well-armed in countering and deflating outrageous demand figures from patent monetization entities claiming willfulness. This data also provides insight for attorneys working in-house at companies, whether first-time players or regulars. For example, knowing that high damages are relatively rare outside a few industries may help in budgeting future potential litigation.
For those with more immediate concerns, the report may help formulate better expectations of budget, based on the judges and districts of their cases. This kind of data may also enter into the decision regarding which and how many patents to file in the first place. Of particular interest to in-house counsel are attorneys’ fees. Although the recent Supreme Court rulings in Octane Fitness v. Icon Health and Highmark v. Allcare will affect the willingness of courts to award attorneys’ fees in the future, courts have not in the past been particularly willing or generous. In the 342 cases in which attorney’s fees were awarded, the median award per case was only $43,183, a paltry amount compared to the costs of litigating. Even though the chance of winning fees is greater under the new standards, the median is instructive regarding the amount the courts consider “reasonable” and something that counsel looking at the cost of the motion practice would be well advised to consider. The report also sheds light on long-term trends of interest to litigants, some of which might not otherwise be easily discernible. I was surprised, for example, that the lost-profits theory underlies far more of the recent damages (by amount) than the reasonable royalty theory, which is considered the floor amount under patent law and easier to prove than lost profits. And despite an increase in the background volume of litigation, both awards of enhanced damages and awards of attorneys’ fees have generally declined over the last ten years. As more cases filed in the last few years reach their final stage, accurate data on damages will become increasingly important. How rare damages awards are, and the fact that the distribution of compensatory damages skews towards a number far less than the cost of litigating – these are things that all participants or potential participants in patent litigation should understand. ■
TAKE CONTROL OF THE M&A PROCESS
COLUMN
by JEFFERY M. CROSS
In a merger or acquisition, one of the first recommendations that I make to clients is to take control of the pre-closing process. Failure to do so could lead to antitrust liability. Clearly a firm contemplating a merger must consider the potential anticompetitive effects of the deal. However, in addition to the question of whether the transaction is likely to violate the antitrust laws, the firm must be concerned with whether the merger process itself could result in antitrust liability. There are three aspects of the process that create antitrust risk. First, the acquiring firms could engage in improper pre-closing control of the acquired firm. Second, the acquiring and acquired firms could engage in improper pre-closing coordination. (These first two are often referred to as “gun-jumping.”) Third, the exchange of confidential information during the due diligence process could create antitrust risks. To avoid these risks, I recommend that counsel proactively manage this process. Gun-jumping could be a violation of the Sherman Act, Section 1, which prohibits agreements among competitors to unreasonably restrain trade. Improper control prior to closing by one competitor over the other, or improper coordination of the two competitors, could be deemed an agreement to unreasonably restrain trade.
Jeffery Cross, a member of the Editorial Advisory Board of Today’s General Counsel, is a partner in the Litigation Practice Group at Freeborn & Peters LLP, and a member of the firm’s Antitrust and Trade Regulation Group. jcross@freeborn.com
Gun-jumping could also be a violation of the Hart Scott Rodino Act. The HSR Act requires the parties to notify antitrust agencies of the transaction and then wait a prescribed period before closing. Gun-jumping can amount to the transfer of beneficial ownership, and effectively a merger, before the termination of the required waiting period. The fines for either a violation of Section 1 of the Sherman Act or the HSR Act can be substantial. In addition to fines, the agencies have obtained injunctions that prohibit certain conduct with respect to future deals and may impose compliance programs or monitoring. Even if the transaction is not reportable under the HSR Act, a violation of Section 1 may be charged. A violation can also exist even though the government has completed its merger analysis and terminated its investigation. In addition, liability could be found even
if the merger is blocked or the transaction partners decide to terminate the deal because the remedies imposed by the agencies are too onerous.
Management of the process begins with drafting the purchase agreement. The purchaser clearly has an interest in including provisions that prevent the to-be-acquired entity from taking actions that could seriously impair the value of what the acquiring firm had agreed to buy. These are standard and customary provisions that are recognized as appropriate. They include provisions that require the company to carry on its business in the ordinary course and in substantially the same manner as it was conducted in the past. Although these provisions limit the to-be-acquired company’s ability to make business decisions without the acquiring company’s consent, they are deemed reasonable and necessary to protect the value of the transaction and do not constitute a violation of the antitrust laws. Provisions in the purchase agreement may go beyond such customary restrictions, and create a situation where the acquiring company is exerting such control over the company that it amounts to collusion and/or an improper transfer of beneficial control. For example, in one litigated deal, the merger agreement prohibited the to-be-acquired company, without approval of the acquiring company, from entering into any agreement which would provide services to its customers for more than 30 days at a fixed or capped price, entering into agreements at discounts in excess of 20 percent, or entering into agreements with non-standard terms. The court deemed such provisions to have crossed over the line into impermissible collusion and transfer of beneficial control.
The second aspect of the pre-closing process that creates antitrust risk is improper coordination. The agencies and the courts recognize that a certain amount of pre-closing planning is necessary for a successful merger. This includes early planning for the integration of human and physical assets, early pursuit of cost savings, and coordinated announcements to customers, vendors, and employees. But certain pre-closing coordination can cross the line. For example, in one transaction in which I was involved, the investment bankers set up a meeting between competing plant and sales managers to discuss the merits of planned upgrades to one of the plants. Fortunately, the general counsel was in control of the process and contacted me. We canceled the meeting.
Such pre-closing planning can be necessary and salutary. How can it be accomplished without creating antitrust risks? In the above example, we did it by establishing a “clean team” of executives and employees not involved in the production and marketing process.
This team interviewed the plant and sales managers from each company separately and assembled the appropriate analysis for the board without revealing confidential and proprietary data from either company. In this way, the combined company was ready to implement the plans as soon as the closing occurred.
The third aspect of the process that raises potential antitrust risks is the exchange of confidential information. This often occurs during the due diligence process. The exchange of such information may be viewed as facilitating collusive behavior. For example, if the sales managers of each company know the cost and margin structure for customer-specific business, they can more easily collude. To deal with this risk, counsel should insist on an agreement that limits access to confidential information to employees who are essential to evaluating the transaction and excludes those involved in competition between the two companies. For example, it may be appropriate for the chief financial officer of the acquiring company to have access to customer margin data, but not the vice-president of sales. I advise my clients to consider whether they would want their competitor to have access to the data if the deal fell apart.
Parties involved in a merger or acquisition often focus only on the competitive effects of the consummated deal and forget the potential risks for antitrust liability in the process of doing the deal itself. Counsel can avoid such risks by aggressively and proactively managing the process. ■
Reviewed by Susan L. Shin
Book Review
Business and Commercial Litigation in Federal Courts (Thomas West, Third Edition), edited by Robert L. Haig
Susan L. Shin is a partner in the New York office of Arnold & Porter LLP, practicing complex business litigation on behalf of financial institutions and corporate clients in state and federal courts and arbitrations. She also defends institutions and individuals in investigations and enforcement proceedings conducted by state and federal agencies. She serves on the board of directors of the Asian American Bar Association of New York. Susan.Shin@aporter.com
By the time I started practicing in 2001, all my legal research was done electronically. Yet I did not hesitate in agreeing to review Robert L. Haig’s treatise, Business and Commercial Litigation in Federal Courts (Thomas West, Third Edition), having found its prior digital editions useful in the course of conducting electronic research on various topics over years of litigation practice. But then an enormous box arrived one afternoon, and I panicked a little, recognizing the contents to be a twelve-volume set of hard-cover books with gold embossing, the kind we were halfheartedly taught to use in law school. How would I find the time to read these volumes in the next six months while keeping up with my caseload? To my surprise, however, I have reached for this treatise at least twice a week since it arrived. It has quickly become my time-saving, trusty advisor. And the sections I have found most useful are not the ones I would have thought to research on Lexis or Westlaw. This publication is far from a clunky academic treatise laying out the Federal Rules of Civil Procedure and referencing interpretive cases and authority. Rather, it is a practical compilation of the experiences and insights of 251 of the country’s most distinguished practitioners and judges, who provide 130 chapters of step-by-step guidance, on not only procedure, substantive law and trial advocacy, but also on strategic and tactical considerations for both plaintiff and defense counsel. Despite its numerous and varied topics, the compilation is stylistically and substantively cohesive and logically organized, an impressive achievement by a gifted editor. First and foremost, the treatise is practical and user-friendly. Each chapter includes a section on scope and in-depth strategy considerations and analyses, a detailed table of contents for easy reference, and extensive citations to authority and cross-references. Each chapter also includes practice aids, such as checklists for allegations, defenses, sources of proof and internal investigations, as well as time-saving litigation forms and pattern jury instructions. Second, the treatise is refreshingly modern. It provides cutting-edge guidance on substantive issues that plague
today’s commercial litigator. Even basic litigation topics such as pleadings, discovery, motion practice and trials come alive with varying perspectives from some of the most seasoned litigators and judges. In the last six months, many issues have arisen in my practice that led me to refer to the treatise again and again. Strategic considerations in Chapter 10 (Comparison with Commercial Litigation in State Courts) and Chapter 11 (Removal), for example, were particularly enlightening and helpful in deciding whether it made sense to remove a case from a state court judge in the New York Supreme Court, Queens County, who seemed unsympathetic to my adversary’s case. Third, it provides clear, measured guidance on some of the most difficult issues faced by litigators. The chapters on discovery are particularly well-done. For instance, Chapter 23 provides practical instruction on every aspect of deposition procedure and conduct, including the many challenges of preparing and defending witnesses under Fed. R. Civ. P. 30(b)(6), and the effective use of deposition testimony down the road at trial.
Chapter 25, which discusses ESI Discovery and is co-authored by the trailblazer in the field of e-discovery, Judge Shira Scheindlin, includes commentary on the current doctrine, duties to preserve, claims of spoliation, and practical guidance and considerations. Chapters 26 and 27, which discuss interrogatories and requests to admit, provide refreshing insights on how to maximize the benefit of these potentially powerful discovery tools that too often are only an additional burden on the process with little yield. Chapter 28 has an extensive and helpful discussion on expert discovery, including finding, selecting and managing experts, reports and depositions of experts, and pre-trial Daubert considerations. Finally, I would be remiss in not praising the treatise’s thoughtful and pragmatic attention to law practice issues that have little to do with federal procedure, substantive law or
the courtroom. For example, Chapter 47 (Alternative Dispute Resolution), authored by the late Judge Harold Baer, reviews the practice of mediation and arbitration. Likewise, Chapter 33 (Settlements) contains practical discussions on dealing with insurance carriers, conducting litigation risk assessments at the outset of the representation, timing of settlements, and techniques for achieving a favorable outcome outside the courtroom. This treatise recognizes that a growing number of litigators practice in-house, hired by corporations to manage litigation. With this in mind, Chapter 58 is devoted to litigation avoidance and prevention, while Chapter 60 covers techniques for expediting and streamlining litigation. Also excellent are Chapters 62 and 63, “Litigation Management by Law Firms” and “Litigation Management by Corporations,” respectively, which
explore the realities of and approaches to budgeting and managing ever-increasing litigation costs. Litigators at all levels of experience will find this compilation invaluable in its readability, practicality and usefulness. For those who are still intimidated by the hefty physical volumes, the complete treatise is available online through Westlaw. But from one practitioner to another, I’d say nothing replicates the experience of having the full twelve-volume set of wisdom, experience and authority at your literal fingertips. Buy “the book” – the investment is worth every penny. ■
Reprinted with permission from the Fall 2014, Volume XVI, Issue III of AABANY Advocate (c) 2014 Asian American Bar Association of New York. All rights reserved. Further duplication without prior written permission is prohibited. For information, contact AABANY at (718) 228-7206 or e-mail main@aabany.org.
STRATEGIES FOR MINIMIZING RISK OF PRIVACY CLASS ACTIONS
BY RACHAEL MENY AND JEN HUBER
Businesses are increasingly facing class action lawsuits alleging they have violated someone’s privacy under state or U.S. laws. Most states have privacy statutes, including California with its Invasion of Privacy Act (CIPA), which provides criminal and civil liability for violations like recording communications without consent. Federal privacy statutes include the Electronic Communications Privacy Act (ECPA), which provides criminal and civil liability for intercepting “electronic communications” or permitting access to electronically-stored information. Criminal provisions of these statutes are rarely invoked, but businesses increasingly are seeing civil class action lawsuits under these statutes. One reason that lawsuits alleging privacy violations are proliferating is that privacy statutes allow plaintiffs to recover both statutory damages and attorneys’ fees, such as the $5000 “per violation” award set forth in CIPA. This combination of statutory damages and attorneys’ fees encourages plaintiffs’ lawyers to file lawsuits based on theoretical privacy injuries, regardless of whether anyone has suffered actual damages. Defending such claims can be tricky and costly, especially considering that many of these statutes were drafted long ago and do not clearly address modern business practices. Plaintiff lawyers try to exploit these ambiguities, and they are broadening their use of privacy claims to look beyond traditional defendants like telemarketers. A wide range of businesses have been targeted in the past few years, including social-networking companies, Internet companies, App providers and content-streaming companies. These lawsuits have alleged a diverse set of privacy violations for practices such as gathering personal information via a website, App or cookie; using customer data for practices like advertising; and transmitting customer data to third parties, including advertisers.
With these privacy lawsuits proliferating, businesses should take steps now to protect themselves from claims before they are filed, and lay the groundwork for a defense in case they are filed.
PREVENTION STRATEGIES
If your business records, collects or uses consumer data, periodically review your disclosures about these practices to confirm they are accurate and satisfy current law. Good disclosures can include standard and unvarying statements, such as Terms of Service (TOS) and/or Privacy Policies, which describe how information is recorded, used or transmitted. Having good disclosures can help dissuade plaintiff lawyers or help defeat a lawsuit by making clear that consumers know how their information is being used.
Consider whether your TOS or user/customer contracts should include a mandatory arbitration clause or a class action waiver. Businesses that have such clauses should pay attention to the fact that legal requirements vary among states and change over time. Thus user/customer contracts should also be periodically reviewed for legal compliance.
If your business interacts with users/customers, occasionally consult outside counsel about whether your business practices implicate any privacy issues or require privacy-related precautions.
POTENTIAL DEFENSES
Sometimes even the best strategies cannot prevent a lawsuit. If your business is sued for privacy violations, consider the following questions to determine which defenses may apply.
Does the Statute Fit the Alleged Conduct?
Many privacy statutes were enacted before the development of technology like the Internet, and with other kinds of activities in mind. Thus, a viable defense may be that the alleged privacy violation simply does not fit the statute. For example, the ECPA (enacted during the 1980s to prohibit hacking or eavesdropping) authorizes civil claims for the disclosure of the content of an intercepted communication, but not other communication-related information. Thus, privacy claims involving the interception of information revealing an author’s identity or geo-location are not actionable. See In re iPhone Application Litig., from the Northern District of California. Similarly, sometimes the technology at issue is not addressed by the statute. Claims for unauthorized access under the federal Stored Communications Act, for example, apply only to material in “electronic storage.” This law’s narrow definition of storage excludes, for example, claims that electronic information like cookies were accessed from a user’s computer.
Differing state laws may also enable an argument that one state’s laws do not reach those who live outside the state. For example, although CIPA requires all parties to consent to call recording, many other states require just one party’s consent. One court dismissed a class action brought by non-California residents under CIPA, finding that the interests of the plaintiff’s state of residence would be significantly impaired if California law was applied. See Jonczyk v. First National Capital Corp., from the Central District of California.
Rachael Meny is a partner at the San Francisco law firm Keker & Van Nest. She handles complex civil litigation and white collar cases, including class actions, privacy cases, securities issues, and trade secret and employee mobility disputes. She has litigated cases in state and federal courts throughout California and the United States. rmeny@kvn.com
Do Plaintiffs Have an Actual Injury or Standing?
An alleged data privacy violation rarely leads to actual or quantifiable damages, and especially in federal court the absence of injury can be grounds for obtaining dismissal. To establish standing in federal court, a plaintiff must suffer an “injury in fact” that is “concrete and particularized,” and there must be “a causal connection between the injury and the [alleged] conduct.” Given these requirements, a number of privacy class actions have been dismissed for lack of standing because the plaintiff suffered no injury in fact. Similarly, a plaintiff may not have standing if a third party (e.g., a hacker) intervened to cause the alleged privacy violation. Unfortunately, defendants in the Ninth Circuit may be less likely to win dismissal on standing grounds because, in some instances, a statutory violation alone can establish standing. The Ninth Circuit has held that a plaintiff could sue a title insurer under one federal law, regardless of whether she was overcharged, because the statute did not require monetary damages. But standing is still an important defense to assert and preserve, because the law remains unsettled. Even the Ninth Circuit has never recognized standing on the sole basis of an alleged violation of a state statute, such as CIPA. Moreover, there are differing circuit decisions on this issue, and the Supreme Court has not weighed in.
Jennifer Huber is a partner at the San Francisco law firm Keker & Van Nest. She handles white collar matters and complex civil litigation, including privacy class actions, securities matters, and trade secret, contract and employee mobility disputes. She has litigated cases before state and federal courts throughout California and the United States. jhuber@kvn.com
Did Plaintiffs Consent to the Alleged Practice?
Under many privacy statutes, a consumer’s “consent” to a business action is a defense. Thus, even if your disclosure and consent procedures do not dissuade a plaintiff from filing a lawsuit, the fact of “consent” can still be grounds for dismissal. See a California Supreme Court decision, Kearney v. Salomon Smith Barney, Inc. However, the question of what constitutes consent varies from one statute to the next, and sometimes within a given statute. For example, although many states allow calls to be recorded if one party consents, some states require that all parties do so. Similarly, CIPA’s numerous provisions require different types of consent, including “consent,” “authority or consent” or “express written consent.” Thus, your business cannot necessarily assume that obtaining a given type of consent is sufficient to prevent or defend against a privacy class action. Instead, for each business practice that may implicate a privacy issue, you should determine what laws potentially apply and what type of consent is required. If the applicable TOS and/or Privacy Policies provide clear notice and appropriate consent was obtained, there is precedent in a number of district
courts for early dismissal. Keep in mind, however, that some courts, including the Northern District of California, in Cohen v. Facebook, have refused to grant early dismissal if there were questions regarding the sufficiency of disclosure or consent. Lastly, because consent can be a critical defense, businesses should consider maintaining documentation of their TOS or Privacy Policies as they change over time, and/or maintaining records confirming customer consent. These practices may make it easier to obtain early dismissal.
Did Plaintiffs Have a Reasonable Expectation of Privacy?
Privacy statutes often require that plaintiffs have an objectively reasonable expectation of privacy, so it is worth considering whether the communication at issue can support such an expectation. The Ninth Circuit recently upheld dismissal of a CIPA class action in which the plaintiff had called the defendant, his home security provider, to dispute a charge, holding that the nature of this call did not establish an objectively reasonable expectation of confidentiality. Moreover, as discussed below, if individualized allegations are necessary to establish expectations of confidentiality, this can pose a hurdle to class certification.
Are There Fact-Based Defenses to Class Certification?
Under federal law, numerous requirements must be satisfied before a class can be certified, including number of class members, commonality of issues, typicality of the plaintiff claims or defenses, whether there is an ascertainable class, and the predominance of common questions. Numerous factual issues can create a basis for disputing privacy class action certification. The fact that a company’s TOS has changed over time, for example, may defeat commonality. At least some courts have refused to certify a class when potential class members likely received different information, or had different expectations about a business practice, necessitating individual assessment of notice and consent.
Similarly, if there is not an easy way to track or identify the instances in which alleged privacy violations have occurred, then certification may be denied because the class is unascertainable. (See In re Hulu Privacy Litigation in the Northern District of California.) Even in the current climate, with the proliferation of privacy class actions, implementing best practices can help your business minimize risk and lay the groundwork for defense. Thinking strategically before a lawsuit is filed and being aware of potential key defenses can often lead to early dismissal. ■
DEC/JAN 2015 TODAY’S GENERAL COUNSEL
COMPLIANCE PLANS SHOULD REDUCE RISK NOT CREATE LIABILITY
By Michael G. Considine and Christopher M. Favo
Calls for improved corporate compliance are coming from boards of directors, shareholders and the government. The media regularly reports on prominent compliance failures. Much of this has to do with whistleblower provisions that are part of the Dodd-Frank legislation, and qui tam provisions under the False Claims Act. Both reward employees for reporting corporate misconduct. Board members are now exposed to personal liability for failing to ensure that compliance measures are deployed. Outside and in-house counsel constantly remind upper management that legal developments around the globe demand focus on compliance. They refer, for example, to the UK Bribery Act, which includes provisions enabling companies to avoid criminal liability for unlawful employee conduct if a valid compliance program exists. They recount recent Department of Justice initiatives, and the prospect that in coming years similar provisions will surface across the globe.
Given these developments, there is little corporate resistance to the concept of implementing a compliance program. Nevertheless, given cost and other pressures, after committing to crafting a compliance program, companies may patch one together with insufficient planning. They may deputize personnel with little compliance experience, and no reporting lines to the board, to spearhead the compliance initiative, and then add that task to their normal business functions. Those “compliance officers” may get a limited budget and inexperienced staff. They may have the compliance function thrust upon them without adequate training, and they may be given a copy of the compliance program of an established competitor and encouraged to use it to fashion a new plan.
Such steps may enable management to “check the box” and report to important constituencies that compliance is a priority and that a formal plan is in the works. That approach may prove lethal. While the competitor’s company may be similar in some respects, it likely has substantially different risks, and replication of its compliance plan is probably misguided. For example, the risk profile of a company that delivers products to the Middle East cannot be compared to one that ships only to the United States and Canada. Nor can a company in the food industry be analyzed with respect to a similarly sized operation in the oil industry. When such comparisons are made, poorly crafted compliance plans emerge, and various provisions of the plans are ignored because they are too impractical to implement. Additionally, reporting and auditing provisions may be deemed too burdensome to follow. All of this may occur because the templates used to craft the plans were off the mark.
Even provisions that are neither impractical nor burdensome may be deliberately ignored for other reasons. For example, provisions regarding the imposition of disciplinary measures following the discovery of misconduct may sound authoritative when crafted, but are subject to being side-stepped when the behavior of important business leaders is scrutinized. The rationale for bypassing provisions of a compliance plan may appear justifiable at the time. But once the plan is analyzed, typically after misconduct occurs, its weaknesses will be apparent, and these weaknesses are precisely what government investigators and plaintiffs’ counsel can easily exploit. For example, the failure to conduct annual anti-bribery training mandated by a compliance plan will be hard to explain when seeking to resolve a DOJ investigation of employees who bribed foreign officials. And the failure to conduct due diligence on a third-party vendor as required under a plan will prove problematic if products shipped to an unrestricted country suddenly appear in sanctioned countries. On the civil litigation front, a company’s failure to discipline a valued supervisor for serious misconduct involving subordinates might effectively arm plaintiffs’ counsel in a subsequent discrimination lawsuit. In addition to the risk that government regulators and plaintiffs’ counsel can exploit these weaknesses, there is a risk that internal erosion will occur if a poorly crafted plan is implemented. Compliance officers will lose credibility if they seek to enforce unworkable provisions. Rank-and-file employees, in turn, will view the company’s overall compliance efforts as hollow. Given such consequences, if a company doesn’t ensure that a compliance plan addresses the real risks the company confronts, and that employees can follow it in practice, one might ask whether the company is better off with no plan at all.
Developing a truly effective compliance plan can enable companies to stop improper conduct early and reduce the likelihood or impact of civil lawsuits and government probes. There are times when the benefits of such a plan may be demonstrable, as a major financial institution learned after enduring an extensive DOJ bribery investigation into its problematic Asian business operations. After analyzing the robust application of the company’s well-designed compliance program, the government opted to prosecute the individual employee but not the company, given the latter’s extensive compliance efforts. In so doing, DOJ observed: “After considering all the available facts and circumstances, including that [the financial institution] constructed and maintained a system of internal controls, which provided reasonable assurances that its employees were not bribing government officials, the [DOJ] declined to bring any enforcement action against [the company] related to [the employee’s] conduct …” DOJ maintains that similar decisions have been made in other cases, though the details cannot be publicized.
It’s true the benefits of an effective plan may not always be so easily discernable. Obviously it is challenging to identify misconduct that would have occurred but for the existence of a plan. Moreover, an effective plan will not necessarily halt all improper conduct. Even in the best of companies, the formation of effective auditing processes does not eliminate embezzlement, and the creation of environmental, health and safety departments does not halt all illegal dumping.
But a compliance plan can and should be effective. Its implementation should be undertaken with the same kind of rigor that’s employed when contemplating the launch of a new business line, or expansion into a new region. It requires, among other things, appointing compliance officers with stature and experience; equipping them with adequate resources; and providing them with a direct reporting line to the board or upper management. It requires developing a corporate culture of compliance, from the top down, and establishing procedures and processes that are workable.
It’s important to focus substantial efforts on areas posing the most risk. Assessing risk requires a comprehensive review of the business lines, the federal statutes implicated in the business operations, the countries involved and their reputations for corruption. Vendor relationships should be reviewed, as should particular practices closely scrutinized by the government. Existing, threatened and potential lawsuits and regulatory probes should be reviewed, and consideration should be given to conducting such planning in a privileged context.
After establishing a plan that addresses the identified risks, an experienced internal team should be tasked with responding to complaints that surface, and an outside legal team should help fashion appropriate responses to questioned behavior – not make problems worse. Formation of the plan should not end the process. It must be regularly reviewed. Staffing and budgets must be carefully monitored to ensure compliance remains a priority. The plan should be audited, and changes should be made as the business and the risks evolve. By taking these steps, the resulting plan will more likely be deemed effective, both on paper and in practice, and will reduce risk, not increase it. ■
Michael G. Considine is co-head of the Government Enforcement and Internal Investigations Practice Group at Seward & Kissel LLP in New York City. He is a former supervisory federal prosecutor in New York. considine@sewkis.com
Christopher M. Favo is Senior Counsel, Compliance and Business Conduct, at 3M Company in St. Paul, Minnesota, and former Supervisory Special Agent in the FBI’s Office of Integrity and Compliance.