APR/ MAY 2015 VOLUME 1 2 / NUMBER 2 TODAYSGENER A LCOUNSEL.COM
THE ELEPHANT IN THE ROOM
The FTC’s Elusive Security Standards Protecting Against the Malicious Insider Six Steps to Reduce Cyber-Risk Privacy Risk in Anti-Bribery and Corruption Programs The Long Reach of Europe’s “Right to be Forgotten” Ruling
Discoverable Data on Mobile Phones Predictive Coding in Context Legal Issues with Generics Unitary Patent Coming to Europe Judges Surveyed on E-Discovery Outsourcing Employees Know Your State’s Unemployment Laws Shareholder Activism vs Cooperation Strategic Management in the Law Department In-House Client Feedback WORKPLACE ISSUES EEOC’s Aggressive Pursuit of Discrimination Cases THE ANTITRUST LITIGATOR: Narrow Your Client’s Deposition
$199 Subscription rate per year ISSN: 2326-5000 View our digital edition: digital.todaysgeneralcounsel.com
L AW FIRM EVENT A LERT
A MON T HLY OPP OR T UNI T Y T O SHOWC A SE YOUR F IR M’S E V EN T PR OGR A MS F OR T ODAY ’S GENER A L C OUNSE L’S 60,000+ C OR P OR AT E L E GA L DEPA R T MEN T A ND C- L E V E L R E A DER SHIP. Give your firm its best chance to make sure that important events and programs are well attended by the right people. FOR ONLY $250 PER LISTING, take advantage of this opportunity to drive awareness and attendance to the many services you provide to existing clients and can offer to new ones. This is all we need: • Select date of Alert • Headline • 35 Words Event Description • URL • Logo • Date and Time
F O R M O R E I N F O R M AT I O N P L E A S E C O N TA C T
SCOTT ZIEGLER sziegler@todaysgc.com (774) 414-1498
En garde. We know how crucial your company’s trademarks are. From trademark prosecution and portfolio management to litigation, our approach is the same – aggressive. We guard your trademarks as if your business depends on it. Because often enough, it does.
Uncommon Value
ATLANTA
CHICAGO
DELAWARE
INDIANA
LOS ANGELES
MICHIGAN
btlaw.com
MINNEAPOLIS
OHIO WASHINGTON, D.C.
apr/ may 2015 toDay’s gEnEr al counsEl
Editor’s Desk
The right to privacy has gradually become enshrined in our legal system over the objections of many jurists, including some Supreme Court Justices, who argue that it is not expressly granted in the U.S. Constitution. Now a new iteration of that right is nudging its way into law, and according to an article by Francoise Gilbert in this issue of Today’s General Counsel, American companies that operate large databases should start to consider how it will affect their business in the near future. She writes that the 2014 Costeja v. Google opinion from the Court of Justice of the European Union gives Europeans the “right to be forgotten,” meaning that they can demand that a search engine expunge certain information about them, irrespective of its accuracy. How our courts will deal with this has yet to be seen, but the usual conservative-liberal split may not be operative when the topic is considered. When a company’s right to privacy is violated, a likely culprit is a “malicious insider,” and Lisa J. Berry-Tayman lists steps companies can take to protect themselves from this form of cyber-attack. Cybersecurity is also the topic in Guido van Drunen and Tabitha Gaustad’s article about problems endemic to the kind anti-bribery and corruption programs many corporations have instituted to protect themselves against Foreign Corrupt Practices Act violations. Regulators expect that companies understand the risk presented by their third parties, they write, and tailor their anti-bribery and corruption compliance programs accordingly, but the due diligence required to do so risks running afoul of data privacy laws. Judith A. Archer and Jami Mills Vibbert note that the Federal Trade Commission has gone after more than fifty companies
2
on data security issues, alleging failure to take reasonable steps to secure data or safeguard consumer information, but it has not publicized any rules prescribing what “reasonable” safeguards are. The authors describe some measures companies can take that can reasonably be described as reasonable. In this issue of Todays General Counsel we begin featuring a new column, Workplace Issues, about the major employment law problems impacting general counsel, while Jeffery Cross continues advising readers on M&A issues in The Antitrust Litigator.
Bob Nienhouse, Editor-In-Chief bnienhouse@TodaysGC.com
More
for your buck . Inside Counsel reports that many companies are looking to increase their use of regional firms for their high-quality legal work, prioritized personal service, and a “faster on their feet” approach. Consistently ranked in Canadian Lawyer’s Top 10 Regional Firms, WeirFoulds is ready to hear from you.
Follow us on:
Protect your future. Gain a competitive advantage. WeirFoulds llp.
416.365.1110 www.weirfoulds.com
apr / May 2015 today’s gener al counsel
Features
4
50
ACTIVISTS HAVE CHANGED, THEIR TARGETS SHOULD TOO
52
DEPARTMENTS WITH COMPREHENSIVE MANAGEMENT PROGRAMS THRIVE
56
THE LONG REACH OF EUROPE’S RIGHT TO BE FORGOTTEN
60
CLIENT FEEDBACK VITAL FOR LAW DEPARTMENTS
Christopher J. Hewitt Olive Garden learned the hard way.
Bret Baccus Five years of surveys confirms their value.
Francoise Gilbert This may be the future of the Internet.
Merry Neitlich Working is not the same as communicating.
COLUMNS
46
WORKPLACE ISSUES EEOC Pursuing Discrimination Cases Aggressively Barry A. Hartstein More settlements for less money.
48
THE ANTITRUST LITIGATOR Narrow the Scope of the Client Representative’s Deposition Jefferey M. Cross Widely misunderstood rule can trip up defendants.
Page 60
Society, Commerce and Dispute Resolution: Goals for Justice and Trade FORDHAM UNIVERSITY SCHOOL OF LAW, NEW YORK, NY MAY 8, 2015
The Board of Directors of the American Arbitration Association® and Fordham Law School invite you to join us as we bring together some of the world’s leaders on resolving conflicts that result from commerce and trade. These experts will discuss the extent that real access to justice exists to resolve those conflicts. Global commerce drives economic development for both developed and underdeveloped countries. Yet, this same commerce and trade can result in significant conflicts. To complicate matters, courts in some countries struggle for legitimacy. Even in countries where courts are recognized as competent, they operate with limited resources and with some parties being denied access to justice. This program will address the role that governments, corporations and individuals can play to encourage economic development and improve the way disputes are resolved. AGENDA AT A GLANCE:
• Keynote, Framing the Access to Justice Problem – Steps New York Courts Have Taken • Global Corporations and Organizations – Impact on Trade and Access to Justice ❒ BP, GM, Penn State and other Large Claims Programs ❒ Mass Torts ❒ Chevron / Ecuador Litigations and Arbitrations • Individuals – Impact on Trade and Access to Justice ❒ ADR in Post-Conflict Society ❒ Online Dispute Resolution and Access to Justice and Arbitrations ❒ Peacemaker Courts – Learning from Cultural Legacies ❒ Pro Se Issues in Judicial and Arbitral Proceedings • Keynote, Access to Justice – Efforts to Provide Representation, the Civil Gideon Movement and Future Solutions ❒ Claims of Corruption in the Arbitral Forum ❒ In Defense of BITs and Investment Arbitration ❒ Arbitrators, Lawyers, and Ethics in Cross-border Arbitrations, Impact on Arbitration’s Image and ‘Brand’ • Corporate Social Responsibility – Impact on Trade and Access to Justice ❒ The Impact of Corporations on Social Welfare ❒ Involvement in Local Communities ❒ Federal Corrupt Practices Act and Corporate Ethics Investigations ❒ Prevention, Resolution and Lessons Learned
You can view the full agenda and additional conference information by visiting http://info.adr.org/goals-for-justice-and-trade/.
TO REGISTER, VISIT: https://www.aaau.org/courses/register?id=23735 KEYNOTE ADDRESSES: HON. JONATHAN LIPPMAN, Chief Judge of the State of New York and Chief Judge of the Court of Appeals HON. EARL JOHNSON, JR., Justice (Ret.) California Court of Appeal ADDITIONAL SPEAKERS INCLUDE: INDIA JOHNSON, President & CEO, American Arbitration Association JOHN D. FEERICK, Norris Professor of Law, Fordham University School of Law JOHN J. KERR, JR., Chair, Board of Directors, American Arbitration Association KENNETH R. FEINBERG, Founder, Managing Partner, Feinberg Rosen LLP PROFESSOR FRANCIS MCGOVERN, Professor of Law, Duke University School of Law PAUL M. BARRETT, Assistant Managing Editor and Senior Writer, Bloomberg Businessweek PAUL RADVANY, Clinical Associate Professor of Law, Fordham University School of Law BRIAN SPEERS, Managing Partner, SMG Solicitors BRIAN HUTCHISON, Senior Lecturer, University College Dublin, Sutherland School of Law HON. CHERYL DEMMERT FAIRBANKS, Justice for the Inter-Tribal Court of Appeals for Nevada HON. DEBORAH G. HANKINSON, Hankinson LLP JACQUELINE NOLAN–HALEY, Professor of Law, Fordham University School of Law JUDGE STEPHEN M. SCHWEBEL, Former President of the International Court of Justice CAROLYN B. LAMM, Partner, White & Case LLP KATHLEEN M. SCANLON, Adjunct Professor of Law, Fordham University School of Law SARAH FRANCOIS–PONCET, Global General Counsel, Chanel JOIA M. JOHNSON, Chief Legal Officer and General Counsel, Hanesbrands, Inc. BILLY MARTIN, Martin & Gitner, PLLC ERIC P. TUCHMANN, General Counsel and Corporate Secretary, American Arbitration Association
APR / MAY 2015 TODAY’S GENER AL COUNSEL
Departments Editor’s Desk
2
Executive Summaries
10
Page 22
INTELLEC TUAL PROPERT Y
16 Unitary Patent Coming to Europe 6
Wouter Pors New court and new patents will make management of IP easier in Europe.
18 Legal Issues Affecting Generic Drugs Alan Klein, Laura A. Vogel and Solomon David The vast majority of U.S. prescriptions being dispensed are generics and consumers are saving money, but legal issues remain.
E-DISCOVERY
22 Jury Still Out on Predictive Coding
L ABOR & EMPLOYMENT
Brajesh Mishra Its future depends on two key factors.
30 Know Your State’s Unemployment Laws
24 Unprotected Smartphone Data Easily Collected
Scott Cruz Calling an employee a consultant probably won’t work.
Andy Spore We’re all geo-tagged now.
26 How Judges Look at E-discovery An Exterro survey Jurists take dim view of lawyers’ e-discovery acumen.
32 Risks and Benefits of Outsourcing Employees Thomas M. White and Mark Rosenman A useful strategy, but not without pitfalls.
CYBERSECURIT Y
34 Six Steps to Reduce Cyber-Risk Gavin W. Skok Zero risk is impossible, but much can be done.
36 How to Interpret the FTC’s Vague Data Security Standards Judith A. Archer and Jami Mills Vibbert They say be reasonable, but they don’t tell you how.
40 Protecting the Company Against Malicious Insiders Lisa J. Berry-Tayman The most likely culprits.
42 Privacy Risk in Anti-bribery and Corruption Programs Guido van Drunen and Tabitha Gaustad When due diligence collides with data privacy.
Tangled up in new laws? Don’t lose momentum. Contact Littler today.
littler.com
editor-in-Chief Robert Nienhouse Chief operating offiCer Stephen Lincoln managing editor David Rubenstein
exeCutive editor Bruce Rubenstein
senior viCe president & managing direCtor, today’s general Counsel institute Neil Signore art direCtion & photo illustration MPower Ideation, LLC law firm business development manager Scott Ziegler database manager Matt Tortora
Contributing editors and writers
8
Judith A. Archer Bret Baccus Lisa J. Berry-Tayman Jeffery M. Cross Scott Cruz Solomon David Tabitha Gaustad Francoise Gilbert Barry A. Hartstein Chris Hewitt Alan Klein
Brajesh Mishra Merry Neitlich Wouter Pors Gavin W. Skok Andy Spore Mark Rosenman Guido van Drunen Jami Mills Vibbert Laura A. Vogel Thomas M. White
editorial advisory board Dennis Block GReeNBeRG TRAuRiG, LLP
Subscription rate per year: $199 For subscription requests, email subscriptions@todaysgc.com
reprints For reprint requests, email rhondab@fosterprinting.com Rhonda Brown, Foster Printing
Robert Profusek JONeS DAy
Thomas Brunner
Joel Henning
Art Rosenbloom
WiLey ReiN
JOeL HeNNiNG & ASSOCiATeS
CHARLeS RiVeR ASSOCiATeS
Peter Bulmer JACKSON LeWiS
Sheila Hollis
George Ruttinger
Mark A. Carter
DuANe MORRiS
CROWeLL & MORiNG
David Katz
Jonathan S. Sack
DiNSMORe & SHOHL
James Christie BLAKe CASSeLS & GRAyDON
Adam Cohen
WACHTeLL, LiPTON, ROSeN & KATz
Steven Kittrell MCGuiReWOODS
FTi CONSuLTiNG
Jerome Libin
Jeffery Cross
SuTHeRLAND, ASBiLL & BReNNAN
FReeBORN & PeTeRS
subsCription
Dale Heist BAKeR HOSTeTLeR
Thomas Frederick WiNSTON & STRAWN
Jamie Gorelick WiLMeRHALe
Robert Haig KeLLey DRye & WARReN
Jean Hanson FRieD FRANK
Robert Heim DeCHeRT
Timothy Malloy Mc ANDReWS, HeLD & MALLOy
Jean McCreary NixON PeABODy
Steven Molo MOLOLAMKeN
Thurston Moore HuNTON & WiLLiAMS
MORViLLO, ABRAMOWiTz, GRAND, iASON, ANeLLO & BOHReR, P.C.
Victor Schwartz SHOOK, HARDy & BACON
Jonathan Schiller BOieS, SCHiLLeR & FLexNeR
Robert Townsend CRAVATH, SWAiNe & MOORe
David Wingfield WeiRFOuLDS
Robert zahler PiLLSBuRy WiNTHROP SHAW PiTTMAN
Ron Myrick RONALD MyRiCK & CO, LLC
All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information or retrieval system, with out the written permission of the publisher. Articles published in Today’s General Counsel are not to be construed as legal or professional advice, nor unless otherwise stated are they necessarily the views of a writer’s firm or its clients. Today’s General Counsel (ISSN 2326-5000) is published six times per year by Nienhouse Media, Inc., 640 Park Avenue, Hinsdale, IL 60521-4644 Image source: iStockphoto | Printed by Quad Graphics | Copyright © 2014 Nienhouse Media, Inc. Email submissions to editor@todaysgc.com or go to our website www.todaysgeneralcounsel.com for more information. Postmaster: Send address changes to: Today’s General Counsel, 640 Park Avenue, Hinsdale, IL 60521-4644 Periodical postage paid at Hinsdale, Illinois and additional mailing offices.
TodaysGeneralCounsel.com The newly redesigned website provides a daily glimpse of curated content from experts, consultants, law firms and other valued information sources.
T ODAYS G ENER A L C OUNSEL .C OM / SUB S C R IBE
APR/ MAY 2015 TODAY’S GENER AL COUNSEL
Executive Summaries INTELLEC TUAL PROPERT Y
10
E-DISCOVERY
PAGE 16
PAGE 18
PAGE 22
Unitary Patent Coming to Europe
Legal Issues Affecting Generic Drugs
Jury Still Out On Predictive Coding
By Wouter Pors Bird & Bird
By Alan Klein, Laura A. Vogel and Solomon David Duane Morris LLP
By Brajesh Mishra LexInnova
With the introduction of the Unitary Patent and the Unified Patent Court (UPC), envisaged for 2016, Europe will have a single patent for 24 countries and a single court to enforce both the new Unitary Patent and traditional European patents. Patent protection is currently at the national level. Parallel to strictly national patents, there is a central system for the simultaneous prosecution of patents for 38 countries – the European Patent – but after it’s granted, patents still need to be registered in each country. Enforcement takes place in the national courts. Cross-border injunctions for the 28 EU countries are available only in exceptional situations. Now twenty-four EU Member States have joined forces to create a single patent covering their joint territory. The Unitary Patent will have the same effect in all of these countries. In addition, a new international court system, the Unified Patent Court, is being set up. It will have jurisdiction over actions on infringement and validity of both Unitary Patents and traditional European patents for 25 participating EU Member States. Through this new court, a decision covering all 25 countries in full proceedings on the merits can be obtained in about one year. It is important to start developing a strategy for Europe now. The patent portfolio needs to be shaped to fit the new system, including by way of decisions on prosecution, filing divisionals and maybe opt-out applications, which can probably be filed during a sunrise period starting later this year.
Today more than 86 percent of U.S. prescriptions are being dispensed as generic medicines. They have saved consumers more than $1 trillion in the past decade, fulfilling the promise of 1984 legislation sponsored by Senator Orrin Hatch and Representative Henry Waxman. At that time few generic pharmaceutical companies existed, primarily because of the absence of any efficient procedure for gaining FDA approval to market these products. This article highlights some issues of current interest to the generics industry and its corporate counsel. Inter partes review (IPR) by the Patent Office, a procedure to challenge the validity of a patent, has emerged as a useful tool for generic pharmaceutical companies to supplement litigation. To invalidate a patent in district court, the accused infringer must show by clear and convincing evidence that the claims are invalid, in contrast to the standard for invalidating claims before the Patent Trial and Appeal Board, where it’s a preponderance of evidence. An accused infringer in district court faces the presumption that a patent issued by the USPTO is valid, whereas there is no presumption of validity for a patent challenged in an IPR. However there is a potential downside. The PTAB decides not only whether an IPR will proceed, but also whether it will end. If the parties decide to settle the IPR (and possibly related district court litigation), the PTAB may still decide to proceed. Such a determination could have a catastrophic effect on settlements.
The future of predictive coding as the go-to technology for e-discovery depends on two factors: technical viability and legal sanction. With regard to the latter, opinions vary. Da Silva Moore v. Publicis Groupe was the first case in which predictive coding was approved, by Judge Andrew Peck. Subsequently, in Bridgestone v. IBM and Progressive v. Delaney, the decision went the other way. Technology assisted review (TAR) is sometimes referred to as predictive coding. However, TAR is a superset of all the technologies that assist document review, including predictive coding. Other TAR tools are more transparent, hence the “black box” concerns many lawyers have with regard to predictive coding. Also, predictive coding technology is very expensive compared to several contemporary proven TAR technologies that can achieve most of the efficiency it claims. The legal community is hesitant about predictive coding’s transparency and defensibility. Since predictive coding can be very useful, the decision to use it must depend on the nature of the case, and to some extent the parties and court involved. Predictive coding should be seen as one tool among many available to a litigator. Before deciding on any technology it is best to understand it, as well as the case in which it will be deployed. Ask your vendor about every aspect of the software, including cost. Legal practice evolves, and soon we will have good case law that will shape the future of predictive coding.
TODAY’S GENER AL COUNSEL APR/ MAY 2015
Executive Summaries E-DISCOVERY
L ABOR & EMPLOYMENT
PAGE 24
PAGE 26
PAGE 30
Unprotected Smartphone Data Easily Collected
How Judges look at E-Discovery
Know Your State’s Unemployment Laws
A survey from Exterro
By Andy Spore DSi
Attorneys, at the beginning of a case, need to be aware of the information that could be collected and produced from mobile devices, and note especially that it could include data that was thought to be deleted. Today’s smartphones track our every move, and if users don’t properly protect their information all of that data is available for collection. Cell towers record the geo-location of every phone call. Photos may be automatically geotagged when they are taken. When a Wi-Fi network is joined, location information is stored and many apps ask to use your location information. Access to a detailed log of where someone was at any time of day could be valuable in some ligation. Most people are aware that messages on their device can be collected, along with their time stamps, but the fact that much deleted information can be recovered is often a surprise. Full browsing history, including deleted information, can also be collected, and information used by third party apps may be stored on the device. That’s the case even for apps that are supposed to be secure or delete information. The best way to protect messages, browsing history and application information from collection is to strengthen the device’s general security. Using a longer password with uppercase and lowercase letters, numbers and symbols makes it harder for anyone to break into a phone. Even computer programs designed to break passwords could take months or years to hack a complex password.
By Scott Cruz Franczek Radelet P.C.
Twenty-two federal judges were queried on e-discovery trends and best practices. The results and associated comments are a snapshot of overall e-discovery competency and shortcomings, a glimpse at future trends, and a guide to how attorneys can improve their ediscovery acumen and practice. One of the most problematic areas for parties in e-discovery disputes is the identification stage. “Parties often fail to consider e-discovery pre-suit or even early in the lawsuit, and thus make potentially irreversible mistakes,” commented one judge. Most e-discovery mistakes stem from two common problems: lack of process and communication. Said one judge: “Most problems seem to relate to the absence of adequate procedures.” Another judge commented that he had seen problems “arise from poor cooperation among the parties, the lack of defensible policies, and a lack of knowledge on the part of lawyers and parties.” One underutilized strategy for e-discovery cost control is leveraging Federal Rules of Evidence 502(d) waiver agreements, which enable a federal court to order that the privilege is not waived “by disclosure connected with the litigation pending before the court – in which event the disclosure is also not a waiver in other federal or state proceeding.” This dissolves the risk of inadvertently producing privileged information usable against the producing party and ensures return of the material without motions being filed, but the survey revealed that few litigants take advantage of it. A proposed new federal rule addressing “proportionality” was cited as a potential game-changer.
Employers need to understand what unemployment benefits are available to former employees, what actions can disqualify a former employee from receiving benefits and how to navigate an unemployment insurance claim once it is filed. One important factor to keep in mind is that the premium for unemployment insurance is based in part on how many successful unemployment claims are filed against the company. Unemployment laws vary from state to state. The author provides a list of things employers should know that are generally applicable, but cautions that all state’s laws and regulations have nuances that without preparation won’t become obvious until a former employee files a claim or your organization contests a claim. Generally, a person needs to be “unemployed” in order to be eligible for benefits, but not always. If a former employee gets another job after involuntary separation from your company, and that other job is part-time, he or she could be classified as “underemployed” and could collect benefits, although at a reduced rate. In making their determinations, unemployment insurance officials care about the last incident that led to termination, not previous ones. Among other points to keep in mind: Labeling someone who works on site, at hours and on projects prescribed by the business, as an “independent contractor” probably won’t fool an unemployment official who is determining eligibility, and it is not always the case that an employee who voluntarily leaves is ineligible to collect unemployment benefits.
11
APR/ MAY 2015 TODAY’S GENER AL COUNSEL
Executive Summaries L ABOR & EMPLOYMENT
CYBERSECURIT Y
PAGE 32
PAGE 34
PAGE 36
Risks and Benefits of Outsourcing Employees
Six Steps To Reduce Cyber-Risk
How to Interpret the FTC’s Vague Data Security Standards
By Thomas M. White Rimon and Mark Rosenman Newport Board Group
12
Many businesses have concluded that they should keep in-house only core functions that are critical to their differentiated competitive advantage, while outsourcing support activities like IT and HR to specialized providers. This has led to the emergence of the “Professional Employer Organization.” The PEO is a business that provides resources that function like a pool of employees but are on the books of the PEO. Employee outsourcing may give rise to complex issues under tax and benefit laws. If service providers are misclassified as independent contractors rather than employees, the recipient business may be responsible for tax withholding, FICA, FUTA, state unemployment taxes and worker compensation contributions. Moreover, depending on the terms of the recipient’s benefit programs, misclassified individuals may be eligible for costly retroactive inclusion in benefit plans. Additional issues arise if a business obtains the services of “leased” employees such as from a PEO. Businesses that have a retirement plan and want to lease employees should consult tax and benefits counsel before outsourcing arrangements are finalized. Intellectual property guarantees are likely to need attention if the outsourcing provider is foreign-based. Laws vary widely from country to country, and some provide less protection than under U.S. law. It’s especially important to determine whether the service provider has any of your competitors as clients. In any case, the recipient should have a strong non-disclosure agreement in place to protect business plans, products or services under development and other confidential information.
By Gavin W. Skok Riddell Williams
We’re likely to see more, and more intense, cyber-attacks as the technology continues to evolve. The author provides six steps that in-house and outside counsel can take to reduce the risk, cautioning at the outset that failure to do regular risk assessments is often cited by regulators as a factor in bringing data security enforcement actions. All companies are advised to review their data security at least annually and any time new threats are revealed or new technology or processes are implemented. Ensure the review complies with applicable law. For example, the Gramm Leach Bliley Act requires financial institutions to have external auditors certify compliance with certain standards. Make sure the review does not stop with security policies and procedures, but includes a technical assessment of risks posed by network and system configurations, code vulnerability reviews, assessment of network intrusion detection systems and/or intrusion prevention systems. Take steps to ensure vendors are protecting sensitive information. Review data security provisions in all vendor contracts. Do they require vendors to protect sensitive data and detail the procedure and timing for vendors to notify your company of suspected data breaches, and not unduly limit the vendor’s liability for losses? No network is invulnerable to intrusion, and the risks only multiply as greater amounts of data are generated and collected. Data security risks cannot be eliminated, but they can be reduced by ensuring that your clients are considering and addressing security challenges.
By Judith A. Archer and Jami Mills Vibbert Norton Rose Fulbright U.S. LLP
The Federal Trade Commission Act, Section 5, makes unlawful any “unfair or deceptive acts or practices in or affecting commerce.” Relying on Section 5, the Federal Trade Commission has aggressively pursued over fifty companies on a variety of data security issues, such as failing to take “reasonable” steps to secure data or safeguard consumer information and making false or misleading statements about their security measures. Most of these actions resulted in onerous settlements. Yet, the FTC has not promulgated written rules or standards prescribing what reasonable safeguards are. The FTC requires “reasonable oversight” of service providers, and that includes affirmative steps to ensure that they employ appropriate protections for consumer information. Specifically, companies should: Review information concerning the data security practices of service providers. Require that service providers maintain security measures capable of safeguarding consumer information. Ensure that they have access only to consumer data that directly relates to their business purpose, and for long enough to accomplish it. Use fictitious data sets where appropriate, and verify that service providers securely remove data when it is no longer necessary. Companies that employ some or all of the above measures should decrease the likelihood of an FTC action or provide a concrete basis to defend one, based on their having taken reasonable measures pursuant to a comprehensive data security program. Given the potential effect of an FTC action, that means decreasing the risk of significant future expense and burden.
TODAY’S GENER AL COUNSEL APR/ MAY 2015
Executive Summaries CYBERSECURIT Y
FEATURES
PAGE 40
PAGE 42
PAGE 50
Protecting the Company Against Malicious Insiders
Privacy Risk in Anti-Bribery and Corruption Programs
Activists Have Changed, Their Targets Should Too
By Lisa J. Berry-Tayman IDT911 Consulting
By Guido van Drunen and Tabitha Gaustad KPMG
By Christopher J. Hewitt Tucker Ellis LLP
The breach at Sony Pictures Entertainment and the leak of client records at Morgan Stanley likely involved information attacks from a malicious insider. Malicious insiders take confidential internal information from a business for their own purposes. They can be current or former employees, contractors, business partners – anyone with access to the organization’s confidential personal or corporate information. Organizations should observe this basic principle when they enter into employment and contractual relationships: Begin with the end in mind. At the beginning of the relationship, treat those who will have access to the company’s information similar to the way airport security treats travelers – as a potential threat – and take the extra precautions necessary to ensure security. The approach should be “layered.” Airport security doesn’t rely solely on an identification card check or a baggage screening. It uses such things as screenings, random secondary checks, watch lists and locked doors. Organizations too can use a layered multi-disciplinary approach, embracing security, privacy, and information management. To implement and enforce an effective program, personnel from the board level down need training that makes clear what kind of information is sensitive, protected or confidential, and what methods should be used to protect it. An effective program should also educate employees regarding malicious insiders – why they want information, how they steal it, how this hurts the company and how to report their actions, as well as what the consequences will be for the employee who does it.
Embedded in many anti-bribery and corruption compliance programs are due diligence practices that help identify and mitigate risks associated with third parties acting on behalf of a company, especially those operating in foreign jurisdictions. The use of thorough, risk-based third party due diligence figures prominently in guidance regarding compliance programs offered by the U.S. Department of Justice, U.S. Securities and Exchange Commission and the U.K. Ministry of Justice. Regulators expect that companies understand the risk presented by their third parties, and tailor their anti-bribery and corruption compliance programs accordingly. Like laws that criminalize bribery and other corruption, the body of international data protection and privacy law is dynamic, necessitating periodic monitoring to ensure compliance. An organization wishing to conduct due diligence may need to obtain consent from the individuals concerned to collect, use, disclose, and transfer their personal information cross-border. Consent requirements vary. Organizations are tailoring due diligence questionnaires for country-specific use based on prevailing data protection and privacy concerns. Many organizations embed data privacy notices or statements into due diligence questionnaires. Due diligence on third party intermediaries is a key component of a company’s anti-corruption compliance program, but companies should be mindful of the evolving legal landscape concerning data protection and privacy in order to successfully manage compliance with anti-corruption, data protection and privacy laws. The ultimate objective is to ensure compliance with the requirements under an effective risk management program while not falling afoul of any other regulations.
Depending on the source, there are between 100 and 400 activist investor funds, with between $100 billion and $400 billion to invest. According to a recent report by Activist Insight and the law firm of Schulte Roth & Zabel LLP, 344 companies were targeted by activists in 2014, up from 291 companies in 2013. This trend is expected to continue in 2015. The author, referring to his own experience participating in activist situations and proxy contests, says that both activists and companies need to revise the way they approach shareholder engagement. They need to establish dialogue, and if possible collaborate, before engaging in destructive behavior that is simply designed to obtain, or keep, board seats. The majority of activist funds operating in the first decade of this millennium were bad actors, so it is not surprising that most companies are suspicious. But today many activists are investing time and money to understand the companies in which they invest. They are finding independent directors to serve alongside nominees that work for the funds, not just proposing the same slate for every company. They may suggest creative strategic options to companies, not just the standard platform of distribute cash, buy back stock, divest assets or sell the company. This change in approach has allowed activism to go mainstream and gain institutional investor support. The debate about whether activism is good or bad should end. Activism is here to stay and the participants must engage collaboratively.
13
APR/ MAY 2015 TODAY’S GENER AL COUNSEL
Executive Summaries FEATURES PAGE 52
PAGE 56
PAGE 60
Departments With Comprehensive Management Programs Thrive
The Long Reach Of Europe’s Right To Be Forgotten
Client Feedback Vital For Law Departments
By Francoise Gilbert IT Law Group
By Merry Neitlich Extreme Marketing
The so-called “right to be forgotten” (RTBF) has been the subject of much debate and attention since the publication of the Costeja v. Google opinion from the Court of Justice of the European Union in May of 2014. The CJEU held that, under certain conditions, a European citizen has the right to demand that a search engine remove links to information pertaining to him or her if that information is “inaccurate, inadequate, irrelevant or excessive” – a definition that may include information that is truthful. Cases similar to Costeja have been brought in Asia and the Americas, and the ruling and its aftermath are significant for businesses world-wide. The topic also has the attention of the Article 29 Working Party, which includes representative from the data protection authority of each EU Member State. In November 2014, the A29 published guidelines to explain the position of the EU Data Protection Authorities. Among other things, they provide that accepted delisting requests must be implemented on all domains operated, worldwide, by the entity receiving the delisting request, and not just on its EU domains. Though RTBF is still in its infancy, it has been the subject of much interest and comment. Hopefully, the concept will evolve and be refined. In the meantime, American companies that offer search capabilities or operate large databases should understand the likely implications of the CJEU and other cases addressing similar issues, and the application of the A29 Guidelines.
Internal client feedback is an effective tool for maximizing the satisfaction of internal clients. In one example, the legal department of a Fortune 500 pharmaceutical company wanted to measure the satisfaction of its internal corporate clients and what the department could do to improve it. Executives from sales and marketing, research and development and the finance/HR operating groups were interviewed. A central theme that emerged was that the legal department had “right-sized” itself to the point that it had become too small to get work done in a timely fashion. One change that ensued was a new process by which attorneys began working on specified days each month in the operating groups that requested this accommodation. Response time from executives’ queries was reduced by 25 percent. Another development was the establishment of a protocol for engaging select outside firms for intellectual property matters that have become bottle-necked in the legal department. Jeff Carr, former General Counsel for FMC Corporation, suggests some reasons why more corporate legal departments don’t seek feedback. “Some attorneys are afraid of what they might hear,” he says. Another reason is that some inhouse departments think they receive feedback on a daily basis just from interacting with clients. Carr contends that normal interaction is not feedback, it’s just the working process. He suggests adding a feedback loop that pointedly helps uncover what the lawyers in the department can do and their time frame for getting each matter accomplished.
By Bret Baccus Huron Legal
14
According to benchmarking surveys taken over the past five years, law departments with comprehensive management programs are the most cost effective overall. In the most recent survey, they realized 46 percent lower external legal spend as a percent of company revenue than those without such programs. For law departments with comprehensive programs, the median external legal spend as a percent of organization revenue was 0.11 percent, while for those without them, the figure was 0.21 percent. For purposes of analysis, the 2014 survey report included the following best practices related to outside counsel and financial management: having defined panels/pre-approved lists for sourcing; matter management and ebilling technology; detailed matter level budgets (phase and/or task level); alternative fee arrangements; and evaluation of outside counsel adherence to billing guidelines. Law departments with multiple program components in place have the most success. These components suggest a department has a plan for the selection of outside counsel and other providers who will handle their work, and for managing the cost of that work and employing tools to facilitate management tasks. With respect to technology, matter management/e-billing systems are fundamental. Beyond this core, there is a range of available technology to assist law departments, such as management reporting systems and systems for document management, legal hold management, IP management, and systems supporting specific legal services. Data analytics can help sharpen law department management by establishing metrics and key indicators against which to measure performance.
“THE EXCHANGE”
THE LE ADING INTER AC TI V E CORPOR ATE E-DISCOVERY PROGR AM SERIES
Chicago PA RK H YAT T CHICAGO
JUNE 1-2, 2015
SPECIAL OFFER FOR TGC RE ADERS: REGIS TER TODAY FOR
FREE
USING CODE T GCMAG100
FREE CA LIFORNIA CLE
TO REGIS T ER V ISIT www.todaysgeneralcounsel.com/institute/chicago Please no e-Discovery personnel allowed unless from one of the sponsoring companies
As in-house counsel you know litigation costs can blossom out of control often driven by e-Discovery. This two-day colloquium will give you the chance to share your experiences and develop solutions, all guided by and drawing on the expertise our panel of expert moderators.
2015 Exchange Program Series Sponsors Included:
Hear what a sampling of past attendees had to say: An educational bonanza for all litigators and those desiring a broader and more in-depth understanding of e-Discovery. –DUK E ENERGY
“An outstanding and highly informative program.” –THE DOW CHEMIC AL COMPANY
“I thoroughly enjoyed this roundtable conference on a topic that is so important to today’s operation of business, learned a lot, met great people, and am looking forward to the next one.”
S T R AT E G I C A L L I A N C E
S T R AT E G I C A L L I A N C E
–PMC BANCORP
L E A R N M O R E A B O U T T H E UP C O M IN G
NEW YORK EXCHANGE JULY, 2015
www.todaysgeneralcounsel.com/institute/new-york USE C ODE T GC M A G10 0 T O R EGIS T ER FOR F R EE
apr/ may 2015 today’s gener al counsel
Intellectual Property
16
today’s gener al counsel apr/ may 2015
Intellectual Property
Unitary Patent Coming to Europe By Wouter Pors
W
ith the introduction of the Unitary Patent and the Unified Patent Court (UPC), envisaged for 2016, Europe will finally see a single patent for 24 countries and a single court to enforce both the new Unitary Patent and traditional European patents. Patent protection in Europe is currently at the national level. Next to strictly national patents there is
Twenty-four EU Member States have joined forces to create a single patent. a central system for the prosecution of patents for 38 countries – the European Patent. But after being granted, these patents still need to be registered in each country where protection is needed. For the purpose of enforcement, and for all other practical purposes, these patents are then subject to national law. As a consequence, enforcement takes place in the national courts on a country-by-country basis. Crossborder injunctions for the 28 EU countries are only available in exceptional situations. In practice this doesn’t mean that each patent needs to be, or even can be, litigated in all 38 countries. Most patents are registered in a limited number of countries, often based on the size of their economy. If the infringement takes places in another European country, there is no protection. When patents are litigated, there often will be settlement negotiations after judgments have been
rendered in key jurisdictions, such as Germany and the United Kingdom, but this varies from case to case. As a result, it is hard to plan for effective protection of innovation, develop a patent strategy up front, and valuate European patents. All of this is about to change dramatically. Twenty-four EU Member States have joined forces to create a single patent covering their joint territory. The Unitary Patent will have the same effect in all of these countries. It will require just one central registration and one annual fee, to be handled by the European Patent Office. The legal basis for this is a socalled “EU Regulation” implementing enhanced cooperation. Such a regulation is the responsibility of the participating Member States, but otherwise has the same status as a regular EU regulation. This means that the Court of Justice of the European Union has jurisdiction to establish its interpretation. For now, Croatia, Italy, Poland and Spain do not participate, but could join in the near future. The Unitary Patent is created by applying for unitary effect within one month after the grant of a European patent. Thus, the prosecution of Unitary Patents is exactly the same as for traditional European patents. The fact that the decision to apply or not to apply for unitary effect is taken after grant means that the applicant can take into account how strong the patent came out of prosecution. The option to choose the traditional European patent registered nationally will remain. If protection is really only needed in a few countries, or if the patent is considered especially vulnerable in a central attack, this may be a useful option. From a business perspective the Unitary Patent has obvious advantages. The unitary effect makes the pat-
ent much more manageable. It covers a market of 400 million consumers. It is also much easier to attribute a concrete value to such a patent for investment and taxation purposes. In addition to the Unitary Patent, a new international court system, the Unified Patent Court, is being set up for patent enforcement. This court will have jurisdiction over actions on infringement and validity of both Unitary Patents and traditional European patents for 25 participating EU Member States (including Italy, for the traditional patents). Through this new court, a decision covering all 25 countries in full proceedings on the merits can be obtained in about one year. The Court of Appeal in Luxembourg will handle appeals in less than a year. The procedural law has been developed on the basis of expe-
It will require just one central registration and one annual fee, to be handled by the European Patent Office. rience throughout Europe, but as a totally new and independent system. The substantive law on validity is in the European Patent Convention. The substantive law on infringement is in the UPC Agreement itself. The costs of such litigation are not yet known, but given the structure continued on page 21
17
apr/ may 2015 today’s gener al counsel
Intellectual Property
Legal Issues Affecting Generic Drugs By Alan Klein, Laura A. Vogel and Solomon David
T
18
oday, more than 86 percent of U.S. prescriptions are being dispensed as generic medicines. These medicines have saved consumers and third-party payers more than $1 trillion over the past decade, fulfilling the promise of the legislation sponsored by Senator Orrin Hatch and Representative Henry Waxman, and signed into law by President Reagan in 1984. With access to affordable generics now a reality, and with generic drug product safety and effectiveness affirmed by both patients and their prescribing physicians, what are some of the remaining issues of interest to the industry and its corporate counsel? STRATEGIC OPTIONS THROUGH INTER PARTES REVIEW
The passage of the Leahy-Smith America Invents Act in 2011 effected major changes to U.S. patent law, including creating new procedures for non-patentees to challenge a patent’s validity at the U.S. Patent and Trademark Office. Previously the most common option for such a challenge was federal district court litigation. Among these new procedures, inter partes review (IPR) has emerged as a useful strategic tool for generic pharmaceutical companies to supplement litigation stemming from the strict procedural framework of the HatchWaxman Act (which was significantly updated by the Medicare Modernization Act of 2003). IPRs are of great
today’s gener al counsel apr/ may 2015
Intellectual Property interest to drug companies seeking to bring a generic version of a drug to market, because it is possible to file an IPR while district court litigation relating to the drug at issue is pending. Advantages are associated with a patent review by the USPTO via IPR particularly in the increasingly common situation of multiple generics seeking FDA approval for the same drug. But some down-sides to IPR should be considered by a generic filer, as well. Both are summarized later in this article. At the inception of the Hatch-Waxman Act in 1984, few generic pharmaceutical companies existed, primarily due to the absence of an efficient procedure for gaining FDA approval to market generic products. The evolution of the law and the pharmaceutical market as a whole created an extremely crowded generic market, in which creative legal strategies are key to setting a company apart. They can mean millions of dollars in added profit or lucrative “authorized generic” agreements for a generic filer that is perceived by the brand company to have the potential to damage its patent portfolio. Currently the most common scenario is when multiple companies (often as many as ten) file Abbreviated New Drug Applications (ANDAs) on the same product on the same day. This qualifies them for shared 180-day marketing exclusivity, upon FDA approval of the generic products. However, in order for the FDA to grant final approval, the patents listed in the FDA’s “Orange Book” (typically patents owned by the brand pharmaceutical company, and which cover the brand product), must be deemed invalid, not infringed or unenforceable in a court decision with no further opportunity for appeal. The brand company will usually sue all of the generic companies in the same jurisdiction for a determination of validity, infringement and enforceability of the patents. The generic companies then form joint defense groups (JDGs) to defend the suits and to save money on litigation expenses, given their shared interest in the 180-day exclusivity period. Although using a JDG can lower litigation costs for each party, product profits for each member are similarly
diminished once the group obtains approval and simultaneously launches their product, effectively flooding the market with the same generic medication. Hence, the desire by the individual generic filers to somehow set themselves apart from the pack and obtain a favorable settlement from the brand company that ensures a specific date when the generic can enter the market, and removes the risk of losing the litigation and waiting with the rest of the generics to launch their products upon expiration of the Orange Book-listed patents. Enter the IPR. ADVANTAGES AND DISADVANTAGES
While the Hatch-Waxman district court litigation is pending, IPR’s primary goals for the generic are to spur a faster settlement with the patent owner or invalidate the pertinent Orange Booklisted patent. Advantages to filing an IPR while district court litigation is pending include: • Lower Evidentiary Standard. In order to invalidate a patent in district court, the accused infringer must show by clear and convincing evidence that the claims are invalid over the prior art, whereas the standard for invalidating claims before the Patent Trial and Appeal Board is by a preponderance of evidence (51 percent or more). • No Presumption of Validity. An accused infringer in district court faces the presumption that a patent issued by the USPTO is valid, but there is no presumption of validity of a patent challenged in an IPR. • Heard by PTAB Judges. IPRs are reviewed and decided by administrative patent judges, who are technical decision makers well-versed in patent laws and the challenges of patent examination. In comparison, district court judges often are not familiar with patent laws and may be intimidated by the technology presented, particularly when chemistry is involved, as it often is in pharmaceutical litigation. • Speedy Resolution with Lower Cost.
District court litigation can last for years and cost millions of dollars. IPRs must be resolved within 18 months of filing. A PTAB decision may be directly appealed to the Federal Circuit. Thus, IPRs may reach a favorable result in a shorter time for less money, all while the district court litigation is still pending. There are also some potential disadvantages to filing an IPR while HatchWaxman litigation is pending in district court. They include the following: • Limited Bases for Invalidity. A party challenging the validity of a patent in an IPR may assert invalidity based on prior art only under 35 U.S.C. Section 102 and Section 103 based on patents and printed publications. In district court, all invalidity defenses are available. • Estoppel. If the PTAB issues a final written decision in an IPR proceeding, an estoppel attaches based on any and all prior art that the challenger “raised or reasonably could have raised.” Thus, a final decision in an IPR can impart rather broad restrictions on the defenses that a patent challenger may assert if district court litigation continues after the IPR ends. • Limited Discovery. “Limited discovery” is permitted in an IPR proceeding, and only if it is “in the interest of justice.” • PTAB Controls Initiation/Conclusion. The standard applied by the PTAB in deciding whether to accept an IPR petition and allow it to proceed is whether there is a “reasonable likelihood that the petitioner would prevail with respect to at least one of the claims challenged.” While this may seem like a relatively low threshold, the PTAB not only decides whether an IPR will proceed, but also whether it will end. For example, if the IPR has been initiated and proceeds for some period of time, and the parties ultimately decide to settle the IPR (and possibly the related district court litigation), the PTAB may still decide to proceed with the IPR and determine that the patent(s) at issue are invalid. Such a determination
19
apr/ may 2015 today’s gener al counsel
Intellectual Property could have a catastrophic effect on settlements involving the patent – and potentially to the market for the brand product, as well, if no patent protection remains to block further generic entry into the market.
20
This list of advantages and disadvantages is not exhaustive, but it includes key considerations for a generic challenger who wants to obtain a fast and favorable settlement of Hatch-Waxman litigation and is considering filing an IPR. The rules allow for an IPR petition to be filed up to one year after an infringement complaint is filed in district court, providing ample time for the generic to arrive at a well-reasoned decision about pursuing IPR based on a thorough review of the litigation landscape and the infringement positions asserted by the patent owner. When a generic filer believes it has a particularly solid invalidity case, another tactic to consider is to prepare the petition and send it to the plaintiff/patentee, thus opening the door for a potential settlement before the generic’s invalidity positions are irreversibly released into the public domain. IPR is likely to become more widely used and sophisticated in coming years, but it already presents a paradigm that warrants consideration by ANDA filers, as they develop strategies to achieve their goal of getting their products to market as quickly, inexpensively and efficiently as possible. PRODUCT LIABILITY ISSUES
With few exceptions, generic drug companies, unlike their brand drug company competitors, have been freed of products liability litigation since the Supreme court, in two cases, found that failure-to-warn and design-defect claims against generics are precluded by the Supremacy Clause of the U.S. Constitution. In Pliva. v. Mensing, in 2011, and two years later in Bartlett v. Mutual Pharmaceutical, the Court found that under the Hatch-Waxman Amendments to the federal Food, Drug, and Cosmetic Act, generic drug labeling and design have to replicate and must always be “the same as” the brand drug which they copied. Suits by plaintiffs contending that generic drugs were improperly labeled or
badly designed were subsequently swept away by state and federal court decisions applying these Supreme Court precedents. Consumer groups and certain legislators responded to these rulings by calling upon the FDA to change its regulations to require both brand and generic drug manufacturers to have equal obligations to strengthen label warnings and improve product safety. The FDA has proposed new labeling regulations that would achieve these objectives. However, the proposed regulations have been criticized by the generic drug industry, consumer groups and physicians, among others, for permitting the public dissemination of multiple labels for the same drug from different manufacturers at the same time, potentially creating confusion in the prescription drug marketplace. As a consequence, the FDA has now reopened the public comment period, postponing until later this year the issuance of the new labeling rules that were anticipated last December. What they say will be vital in assessing the future exposure of generic drug companies in products cases. GENERIC BIOLOGICS
As the generic drug market has become integral to the healthcare industry, a new biosimilars market is emerging from existing biologics products. Unlike traditional branded and generic drugs with defined chemical structures, biologics and biosimilars are complex products made from biological components like proteins, nucleic acids, or living cells and tissues. Although not identical, biosimilars are “highly similar” to the reference biologic product, with no clinically meaningful difference. Biologics are a multibillion-dollar industry in the United States, with products used as vaccines, blood coagulants, and therapeutic hormones, tissues and proteins. The Biologics Price Competition and Innovation Act of 2009 established a route for biosimilars to enter the market by submitting applications to the FDA as early as four years into the reference biologic’s 12-year exclusivity period. Biologics are generally very expensive, with patients or their health insurance carriers spending upwards of $100,000 a year on such medicines
dispensed for the treatment of individual patients. Biosimilar applicants now have an opportunity to participate in this marketplace by offering consumers and third-party payers considerably lower prices for these complex products. Biosimilars have long been available abroad, but because of legislative and regulatory delays, they are only now beginning the FDA approval process in the United States. The FDA approved its first biosimilar application in 2015, and four other biosimilars applications are currently under FDA review. The generic drug industry will be closely monitoring the FDA’s criteria for approval of these products. ■
Alan Klein is a partner in the Trial Practice Group of Duane Morris. He represents generic drug and other companies in products liability litigation and in regulatory and complex commercial litigation matters. Aklein@duanemorris.com
Laura A. Vogel, a partner in the Boston office of Duane Morris, practices in intellectual property law, with an emphasis on complex patent litigation. She is a registered patent attorney, representing high-tech and generic pharmaceutical companies in both opinion and litigation matters. lavogel@duanemorris.com
Solomon David is an associate in the Trial Practice Group of Duane Morris. sdavid@ duanemorris. com
today’s gener al counsel apr/ may 2015
Intellectual Property Unitary Patent
continued from page 17 of the system, they will probably be somewhat higher than litigation in a single continental European country, but not much higher. In return, litigants get a decision that is immediately enforceable in 25 countries. The downside is that the patent can also be invalidated for 25 countries at once. However, there will be a transitional period of 7 years, which will almost certainly be extended to 14 years, during which parties can choose to bring actions on traditional European patents before national courts. In addition, during this period the patent owner can opt to take a traditional European patent out of the jurisdiction of the Unified Patent Court for its entire life span, thus excluding a
The downside is that the patent can also be invalidated for 25 countries at once.
central attack on its validity. It can be opted in again at any time if the patent needs to be enforced, unless actions in national courts have been started in the meantime. The judges for this new court will be recruited across Europe. The core will be experienced patent judges, who will be working at the Unified Patent Court next to their national courts. Cases in first instance will be handled by panels of three legal judges, supplemented by a technical judge where needed. The expectation is that at least two out of the three legal judges on each panel will have a lot of experience, while the third, initially, will be less experienced. The Court of First Instance will
have divisions for handling infringement cases and counterclaims for invalidity in many major European cities. Sweden and the Baltic states will cooperate in a regional division based in Stockholm. Many Eastern European countries are also expected to set up joint regional divisions. In most of these divisions litigation will be possible in English, next to the national language of the country that hosts the division. Divisions in the major patent jurisdictions will always have two judges from that country on the panel, which will result in some “couleur locale” and consequently some forum shopping within the court, but also reliability. An independent attack on the validity of the patent will have to be started in the Central Division, which will hold hearings in Paris (electronics patents), London (life sciences patents) and Munich (mechanical patents). This was a typical political compromise, but the judges will be part of the same international pool, so the location will not affect the way a case is handled. The basics of the procedural law for this new court are in the UPC Agreement, but the details are in a comprehensive set of Rules of Procedure, drafted by an independent team of patent judges and patent litigators from the UK, Germany, France and The Netherlands. The procedure is quite front loaded and strictly managed by a judge-rapporteur. Besides, it is totally digital, except for the hearings. The first stage is the so-called written procedure, during which both parties can file submissions and evidence online according to a strict schedule of deadlines. This is followed by an interim procedure of three months, during which the judge-rapporteur will prepare the case for the oral hearing. The judge-rapporteur will decide whether additional evidence is needed and whether experts and witnesses need to be heard. The final stage is the oral procedure before the panel, which may include witness and
expert hearings and a day in court for the pleadings. The pleadings themselves are supposed to take just a single day, but in complicated cases they might take two or three. A judgment on the merits will then be available in six weeks. Overall, this will be a very effective, expedient and highly professional system to enforce patents in Europe. The system, which is set to begin in 2016, will make patenting and patent enforcement in Europe much more attractive to U.S.-based companies. Together with a new system for protection of trade secrets, which is also being enacted at EU level, it will offer solid protection for innovation. In preparation it is important to start developing a strategy for Europe now. The patent portfolio needs to be shaped to fit the new system, by way of decisions on prosecution, filing divisionals and maybe opt-out applications, which can probably be filed during a sunrise period starting later this year. ■
Wouter Pors is a partner at Bird & Bird and head of the IP department in The Hague. Focusing on patent litigation, he handles a wide range of patent disputes, including mechanical issues, software and business method patents, and biotech disputes, for both national and international clients. He is also involved in trademark and copyright litigation, including cases before the Dutch Supreme Court and the European courts. wouter.pors@twobirds.com
21
APR/ MAY 20 15 TODAY’S GENER AL COUNSEL
E-Discovery
Jury Still Out On Predictive Coding By Brajesh Mishra
22
G
iven the large data volumes in even the most routine cases, it has become nearly impossible to conduct pure manual review of documents. Legal practitioners are turning to predictive coding as a solution for large data review, a classic example of machine taking over a task that human beings used to perform. Every industry has undergone this transformation, and it was inevitable for the legal industry. Is predictive coding the future of e-discovery? This depends largely on two factors, technical viability and legal sanction. There are numerous papers and publications endorsing predictive coding technology, including a handful of legal opinions. Vendors promoting the technology sell it as a medicine to cure every disease. But there are still
many hurdles to realizing predictive coding’s full potential. Predictive coding is not universally accepted among litigators and litigants, in part due to concerns about its “black box” technology. In addition, complex software and confusion over how different technologies work and under what names they are marketed (“Threading,” “Clustering,” “Semantic Indexing,” “TAR,” “CAR” or “Predictive Coding”) complicate matters. Technology assisted review (TAR) is sometimes referred to as predictive coding. However, TAR is a superset of all the technologies that assist document review, including predictive coding. Where other TAR tools are more open and easy to look at, predictive coding is less obvious, hence the “black box” concerns. Also, predictive coding
technology is still expensive compared to several contemporary proven TAR technologies that can obviate the black box aspect of predictive coding and achieve most of the efficiency it claims. COURT ACCEPTANCE VARIES
Some questions remain about predictive coding’s transparency and defensibility. Da Silva Moore v. Publicis Groupe was the first case in which predictive coding was approved, by Judge Andrew Peck. After that, in Bridgestone v. IBM and Progressive v. Delaney, decisions went the other way. Since predictive coding can be useful, the decision to use it must depend on the nature of the case, and to some extent the parties and the court involved. The technology should be evaluated against the other TAR options available.
toDay’s gEnEr al counsEl apr/ may 2015
E-Discovery
The purpose of e-discovery is identification and production of nonprivileged responsive documents, using a methodology that is transparent and agreed upon by the parties. Any methodology to conduct e-discovery, including predictive coding, won’t be perfect. The method chosen should yield results that are defensible, meet the producing party’s obligations, and are reasonable from the standpoint of cost and efficiency. THREE KEY CONSIDERATIONS
Predictive coding will be considered sufficient for a document review project when litigators and court are confident about the result it produces.
privileged documents that were used to train the machine in the discovery protocol. Here, the question is: Should parties, just to save some review cost, disclose to each other nonresponsive information that, per the Federal Rules of Civil Procedure, they are not legally bound to disclose? This is particularly important in the case of predictive coding to ascertain transparency. If the selection criterion and coding decisions applied to training documents are incorrect then it may jeopardize the purpose of discovery. However, in In Re: Biomet, Judge Miller held that Rule 26 does not require a party to disclose seed set
Parties to litigation never like to lose privileged information, even if a privilege review that is exhaustive enough to preclude it means extra cost. To gain such confidence, three key issues need to be addressed: privilege/ clawback; transparency; and cost. • Privilege and claw-back. Parties to litigation never like to lose privileged information, even if a privilege review that is exhaustive enough to preclude it means extra cost. Can predictive coding identify all privileged information while still reducing the overall costs associated with attorneys’ privilege review? In Good v. American Water Works Co., a federal court in the Southern District of West Virginia declined the use of only machine-based review for privilege. The risk of losing privileged information is one big reason why litigants do not want to experiment with a relatively new and opaque technology. Manual review is still required before documents are actually produced, and so is a very tight claw-back agreement. • Transparency. This issue arose in Da Silva Moore, when parties decided on voluntary disclosure of non-
documents used to train a predictive coding system. Similarly, in the case of Gordon v. Kaleida Health, plaintiffs wanted to acquire the seed set documents by forcing the defendant to fulfill its FRCP 34(a) obligations. Plaintiff’s motion to compel meet and confer was dismissed. • Cost. It would not be wrong to say the whole discussion around predictive coding is cost, but before reaching a conclusion about it, we need to examine each aspect of the technology. Predictive coding is new, and like every new technology its initial setup cost is high. With time and an increased number of vendors, it may come down, but for now it is important for economic reasons to take the nature of the case into consideration before deciding to deploy predictive coding. Predictive coding requires human coding decisions before it can learn relevant words and phrases and apply those decisions to other logically similar documents. If the
amount of data is large, then the statistically significant seed set will be large. Documents coded by machine need validation by attorneys, taking out sample documents. This process becomes even more complex if the attorneys find that the documents are not coded as they should have been. The per-hour cost of assessment by attorneys can be large. Additionally, privilege protection requires extra effort, and adds to the cost. There is also a cost for reviewing documents in limbo. Predictive coding software assigns a relevancy score to every document. Based on scores, software creates a bell curve and keeps relevant documents on one side and non-relevant documents on the other. This seems logical until software reaches a state of equilibrium and cannot decide about documents remaining at the bottom of the curve. Parties can go ahead with production, but if the receiving parties demand a review of remaining documents, who will bear the cost? In summary, predictive coding should be seen as one tool among many available to a litigator. Before deciding on any technology, that technology as well as the matter in which it may be deployed, must be understood. Ask your vendor about every aspect of the software, including cost. Legal practice, meanwhile, will evolve, and soon we will have good case law that will more clearly shape the future of predictive coding. ■
Brajesh Mishra is a manager at LexInnova, a legal outsourcing and litigation consulting firm. He has managed discovery on a variety of ediscovery projects and document reviews in complex commercial/financial litigation, pharmaceutical matters and cases involving IPR/patent infringement. brajesh.mishra@lexinnova.com
23
apr/ may 20 15 toDay’s gEnEr al counsEl
E-Discovery
Unprotected Smartphone Data is Easily Collected By Andy Spore
E
24
ven the most tech-savvy attorney has questions about how data collection works and what information is stored on mobile devices. What types of information can be found and produced? Can deleted information be restored? Must you have the password to collect the data? The answers to these questions may surprise you. Today’s smartphones track our every move, and if users don’t properly protect their information – including messages, browser history, location information, data from third party apps and more – all of it is available for collection. Let’s look at the data that’s stored on mobile devices in more detail and how you can protect it from collection. LOCATION
Cell towers record the geo-location of every phone call. Photos are automatically geo-tagged when they are taken. When a Wi-Fi network is joined, that location information is stored. Many apps ask to use your location information. Basically, a mobile device holds tons of information about where the user has physically been. That location information is recorded to increase the phone’s functionality: Facebook’s app can tell a user where a message was sent from, for example, and your iPhone can remember where your house is. The Google Now service on a Google phone is a particularly effective stealth repository of geographical information,
toDay’s gEnEr al counsEl apr/ may 2015
E-Discovery
as it continually identifies and records a phone’s physical location. Investigators can access this repository and get a complete history of where the phone has been, and when it was at each location. Investigators don’t even need the phone to access this information. They can get it all by logging into the user’s Google account. Obviously, having access to a detailed log of where someone was at any time of day could be quite valuable in some types of ligation. A forensics expert can gather a geographic history from all of the data stored on a phone, not just locationspecific apps like Google Now. Texts, photos, social media, exercise monitoring apps, GPS apps – anything that records data can be a source of location information. Software is available that scoops up all of this information and spits it out into a file. When this file is loaded into a program like Google Earth, investigators are able to plot out a history of where the phone has been, even, with some phones, linking photos to locations and when they were taken. Keeping some of this location data is unavoidable because smartphones must communicate with cell towers to operate. However, there are ways to protect your information. For example, photo geo-tagging can be disabled, so the metadata won’t include latitude and longitude information. Location information can also be turned off for other services, like Google Now, which will prevent the data from being recorded and potentially collected for litigation. MESSAGES AND OTHER DATA
Most people are aware that messages on the device can be collected, along with their time stamps. What surprises people is that even deleted messages can be acquired. When a text message or email is deleted, a flag is placed next to the item in the database, and it disappears from the user-facing part of the device, but the actual content stays stored on the phone until it is eventually overwritten. So, while the number of messages that can be stored on the device is not unlimited, deleted messages are easily recovered especially if they were sent or received recently.
Full browsing history, including deleted information, can also be collected for litigation. When a site is deleted from the history, a flag is added to that record in the database so it doesn’t show up on the device. Just like with a computer’s browsing history, a record of visiting that site still exists in the database, so it can be collected. Information used by third party apps is also stored on the device - even for apps that are supposed to be secure or delete information. For
unlocked – like when you are confirming app purchases – and stick to a complex password to get into the device. New operating systems for iPhones and Google Android phones have made it much more difficult to break into a phone without a password, especially if the phone was powered off before it was handed over to a forensics investigator. In that case, the investigator is largely out of luck without knowing the password,
Texts, photos, social media, exercise monitoring apps, GPS apps – anything that records data can be a source of location information. example, even though messages sent via Snapchat “disappear” from the phone after they are viewed, the files are saved onto the device and can be collected. The best way to protect messages, browsing history and application information from collection is to strengthen the device’s general security. Many phones ask users to create a four-digit passcode to lock the device, but these passcodes are actually fairly easy to hack since there are a limited number of combinations. Using a longer password with uppercase and lowercase letters, numbers and symbols makes it exponentially harder for anyone, including digital forensics experts, to break into your phone. Even computer programs designed to break passwords could take months or years to hack a relatively complex password. The thumbprint is a newer way to lock and unlock a mobile device, but this can also create a privacy issue. Law enforcement cannot force someone to unlock a password-protected device (for now) because the password is protected intellectual property. If you use the thumbprint option, though, police in some jurisdictions can compel you to open your phone because the thumb is a body part and not intellectual property. To protect yourself, use the thumbprint for activities on your phone only after it is
because these new operating systems require a passcode to be entered when the phone is powered back on. Without it, everything is locked down. The investigator can try running password-cracking software, but it may not always work. In civil litigation, the court typically orders the custodian to share the necessary passwords to access any devices that house relevant data, and this opens the data floodgates. Heavy phone users can have thousands of files stored on their devices without even realizing it. Attorneys need to be aware of the information that could be collected and produced from mobile devices at the beginning of a case, and especially be aware that it could include data that the user thought was deleted. ■
Andy Spore is digital forensics analyst at Nashvillebased DSi, which provides advanced eDiscovery and digital forensics services. aspore@dscovery.com
25
APR/ MAY 20 15 TODAY’S GENER AL COUNSEL
E-Discovery
The Exterro survey
How Judges look at E-Discovery
E
26
Discovery is not a simple activity. Twenty years ago, few lawyers would have thought the notion of legal competency would come to include understanding and advising on technical issues surrounding the discovery of electronic information. In today’s digital age, however, lawyers must be both legally and technically savvy to competently advise their clients. While this might sound like common sense, the reality playing out in today’s courtrooms is that “many lawyers are still struggling to adequately advise their clients on e-discovery issues.” This reality was highlighted in a new survey published by Exterro during LegalTech New York 2015 entitled, “The Federal Judges Survey of E-Discovery Best Practices and Trends.” Exterro collected responses from 22 of the most influential and well-versed federal judges on e-discovery issues. The results and associated comments paint a clear picture of overall e-discovery competency, e-discovery trends to be aware of in the future and how attorneys can improve their e-discovery acumen. Shockingly, 0% percent of the responding judges completely agreed that the typical attorneys appearing before the court possess the subject matter knowledge required to effectively represent clients on e-discovery matters. Some of the direct comments stemming from the report include: • “Too many attorneys have not gained the knowledge they need to effectively represent their clients.” • “Frequently, knowledge about ediscovery is asymmetrical, with one side having no clue.” • “Parties often fail to consider ediscovery pre-suit or even early in the lawsuit and thus make potentially irreversible mistakes.” One of the most problematic areas for parties involved in e-discovery
Issue #1: Lack of Education Leading to Irreversible Mistakes The typical attorney appearing before me possesses the subject matter knowledge (legal and technical) required to effectively counsel clients on e-discovery matters.
0%
Completely agree
68%
Somewhat agree
32%
Don’t agree
Don’t know
0%
Other
0% 0
20
40
60
80
In my courtroom, the most common e-discovery mistakes occur in the Review
Other
Collection
Preservation
Production
0%
19%
13% 13%
55%
Identification
100
stage.
TODAY’S GENER AL COUNSEL APR/ MAY 2015
E-Discovery
disputes lies in the identification stage. A lack of preparation early in the process is often attributed. One judge commented that “parties often fail to consider e-discovery pre-suit or even early in the lawsuit and thus make potentially irreversible mistakes.” What is the source of the most common e-discovery problems for parties in your court? 32%
No or poor cooperation between the parties
27%
Miscommunication between internal team members
5%
Defensible policies are not implemented or followed
27% 9%
Most e-discovery mistakes stem from two common problems: a lack of process and communication. One judge noted, “Most problems seem to relate to the absence of adequate procedures.” Another commented, “I have seen problems arise from poor cooperation among the parties, the lack of defensible policies, and a lack of knowledge on the part of lawyers and parties.” One very underutilized area for cost control, particularly around e-discovery review, revealed by the survey, is parties leveraging (or lack thereof) Federal Rules of Evidence (FRE) 502(d) waiver agreements. The risk and costs associated with inadvertently producing privileged documents is a common source of concern among attorneys. FRE 502(d) enables “a federal court [to] order that the privilege or protection is not waived by disclosure connected with the litigation pending before the court – in which event the disclosure is also not a waiver in any other federal or state proceeding.” This dissolves the risk of inadvertently producing privileged information usable against the producing party and ensures the return of the privileged material without lengthy briefs or motions needing to be filed. The survey revealed that no one is taking advantage of this rule. “No one ever raises it. Ever,” said one judge. Another respondent elaborated further, “Not a single party has asked me to enter a 502(d) order.”
Parties are not educated on e-discovery issues
Other
Issue #2 – Underutilized Rules What is the most underutilized FRCP e-discovery rule used in your courtroom? 50% (FRE 502(d)) – Waiver agreement
27
32% Rule 26(f) – Meet & confer
14% Rule 26(b)(2)(C) – Proportionality principle 4% Rule 26(g) – “Reasonable inquiry” to completeness of discovery 0% Other
Issue #3 – Future Changes Can’t be Ignored Upcoming amendments to the FRCP will help solve many problems that currently occur in e-discovery today. Completely agree
43%
Somewhat agree Neither agree or disagree Don’t agree
24% 14%
Don’t know other
14% 5%
0%
apr/ may 20 15 toDay’s gEnEr al counsEl
E-Discovery
28
According to most judges and e-discovery attorneys, the pending changes to the Federal Rules of Civil Procedure (FRCP) around e-discovery are as good as passed. But when asked if these amendments will change anything, many judges were skeptical. One judge said, “Until there is a fundamental shift in the paradigm concerning e-discovery awareness, and I do not think we are there yet, rules will not solve all the problems.” Another judge stated, “The proposed amendments will be effective if counsel and the court learn to use the amendments effectively. Cultural change is necessary to achieve the full potential of the amendments.” When drilling down into the specific rule changes, FRCP Rule 26(b)(1) was called out as the biggest game changer. Rather than trying to fight essentially hopeless cost-shifting battles, the proposed changes to Rule 26(b)(1) attempt to reward attorneys who take a more proactive approach and address proportionality from strategic and technological perspectives. “Moving proportionality into the definition of discoverable evidence may increase the likelihood that parties will focus on proportionality, but it may do so at the expense of transparency if producing parties unilaterally withhold information on proportionality grounds, perhaps without alerting the adversary,” said one judge. Among the future changes that lie ahead for the legal industry, attorneys, particularly in-house counsel, must prepare for the fact that newer social media and mobile data platforms are subject to discovery, just like email. If the platforms hold relevant evidence, the data must be preserved. “For several years, BYOD was being treated like emails around the 1990s, i.e., I won’t ask for yours if you don’t ask for mine. That honeymoon ended, and I sense it is ending for mobile devices as well, since that is how many of us communicate most of the time, and because unique (and uniquely probative) data may reside there, in the form of IMs, etc,” explained one judge. The complete findings of Exterro’s first-annual Federal Judges Survey on E-Discovery Trends and Best Practices are available for complementary download on Exterro’s website at: www. exterro.com/judges-survey. ■
What FRCP e-discovery amendment will have the biggest effects on e-discovery practices?
82%
18%
Rule 26(b)(1)
Rule 37(e)
0%
0%
Rule 1
Other
Which technology trend will have the biggest effect on e-discovery over the next two years?
24%
33%
Mobile Devices
Social Media
29% Cloud Storage
14% Other
TODAY’S GENER AL COUNSEL APR/ MAY 2015
E-Discovery
Perspectives from the outside: “Education, preparedness, a willingness to apply proportionality principles and cooperation should be foundational principals for every attorney practicing today. Too often, we find one side prepared and another one not, and we judges have learned that cooperation is a function of competence. You cannot possibly expect to negotiate effectively if you are also trying to disguise that you are terrified that you do understand what the issues are. Counsel, both in-house and outside, need to become far more educated, not just on the law but also on the technology that is used to aid the process.” John Facciola, Retired Magistrate Judge from the District of Columbia
“Technology has advanced tremendously over the past 10 years, but lawyers did not go to law school to become technologists; they were trained to represent clients to win in often adversarial environments. Proportionality and cooperation can only be achieved if lawyers understand how and when to apply technology to find the facts and contain the scope prior to entering into negotiations. This process requires education and partnering with IT – as well as outside counsel – much earlier in the process. This type of change is not easy, but it’s essential to meet judicial requirements and protect client interests.” David Horrigan, Analyst and Counsel at 451 Research
“We’ve seen a tremendous amount of case law and changes to the Federal Rules of Civil Procedure (FRCP) in the past 10 years related to e-discovery in addition to rapid technology advancement. Our intent with this survey was to hear directly from the judges who are ruling on the issues and cases impacting today’s corporations, and get a sense for what they are experiencing in the courtroom. The findings of the survey were quite alarming, particularly for organizations involved in high-stakes litigation on a regular basis.”
BEYOND PRINT
TodaysGeneralCounsel.com
Bill Piwonka, Chief Marketing Officer at Exterro
IN YOUR INBOX
Digital.TodaysGeneral Counsel.com
E-DISCOVERY CONFERENCES
TodaysGeneralCounsel.com/ Institute
TODAYSGENERALCOUNSEL.COM
29
apr/may 2015 today’s gEnEr aL counsEL
Labor & Employment
Know Your State’s Unemployment Laws By Scott Cruz
I 30
t’s important for employers to understand the unemployment benefits that are available to former employees, what actions can disqualify former employees from receiving those benefits and how to navigate through an unemployment insurance claim once it is filed. Probably the most important reason to understand this is the fact that the premium a company pays for unemployment insurance is based in part on how many successful unemployment claims are filed against the company. Once you know how and why a former employee who is otherwise eligible for unemployment benefits can be deemed disqualified, you’ll spend less staff time and pay fewer legal fees figuring out your defense to an unemployment claim. Unemployment laws vary from state to state. I practice in Illinois. From what I have seen our laws are very similar but not identical to those in other states. With that caveat in mind, here are 10 things you need to know about unemployment insurance claims:
1
Generally, a person needs to be “unemployed” in order to be eligible for unemployment benefits, but not always. If one of your former employees gets another job after involuntary separation from your company, and that other job is part-time, he or she could be classified as “underemployed,” which means that the employee’s part-time wages are less than the weekly unemployment ben-
today’s gEnEr aL counsEL apr/ may 2015
Labor & Employment efits the employee was receiving after leaving your company. Under those circumstances, that former employee could continue to collect unemployment benefits at a reduced amount, offset by the part-time wages.
2
Once an employee has worked for a company for 30 days, that company is considered the “chargeable employer,” and it will be responsible should the employee be deemed eligible and there are no disqualifying provisions. The 30 days do not have to be consecutive. So if you hire a seasonal worker for 15 days only, and then hire the employee back a few months later for another 15 days, you
Be as specific as possible when describing the conduct that ultimately led to the termination.
organization down. Unless a supervisor can establish that the employee was intentionally doing a bad job, that worker is likely to be eligible for unemployment benefits. To avoid this problem, you should never characterize conduct that resulted in the termination as just “poor performance.” Be as specific as possible when describing the conduct that ultimately led to the termination, and always explain why you believe the employee intended to engage in the conduct.
5
Document everything and make sure to issue warnings. This is important, because it is much easier to demonstrate that an employee deliberately engaged in misconduct if you can show that the employee ignored repeated warnings.
6
The last incident that led to the termination is really the conduct that the unemployment insurance officials care about. In making their assessment, all they want to know is what happened on the day of the termination. So if you fire someone, do it on the day he or she deliberately violates a policy or willfully ignores job duties, not because the employee committed a minor infraction that served as the last straw.
7
It is not always the case that an employee who voluntarily leaves is ineligible to collect unemployment benefits. If the employee quits because your organization dramatically changed working hours or locations, unemployment insurance officials could characterize the termination to be “employer-caused discharge” and award unemployment benefits.
Putting your company’s policies in writing and distributing them to all employees can help establish that an employee knew the rules and willfully violated them. If they are not already included, the employee handbook should list specific breeches of conduct and assign penalties that include possible dismissal, and the policies should be enforced uniformly. Make sure all employees sign an acknowledgment that they received and read the handbooks, and likewise for any revisions to specific policies.
4
8
are the chargeable employer, even if he or she worked for multiple employers for less than 30 days between stints with you.
3
Underperformers who get fired for showing up late or falling short of expectations could successfully argue that they did their best and did not deliberately let the
Unemployment officials want to hear from the supervisor who witnessed the former employee’s misbehavior, not from the head of HR who probably heard about it second-
hand. So send the manager to all hearings, in person and on the phone. If it’s a close call, the officials are likely to give the employee the benefit of the doubt. Arm your company’s representative with documentation and specifics.
9
Labeling someone who works on site, at hours prescribed by the business and on projects assigned by a supervisor as an “independent contractor” probably won’t fool an unemployment official who is determining the person’s eligibility for benefits. In fact, mislabeling could trigger an audit and result in a costly determination and assessment. A worker has to be an employee to qualify for unemployment benefits. That’s decided by when, where and how a person works, not what you call them. So, make sure your company properly classifies the people who work for your organization as employees or independent contractors.
10
Unemployment rules and laws can vary from state to state, and they’re full of nuances that don’t become obvious until a former employee files a claim or your organization contests one. Make yourself aware of those nuances. If your company operates in multiple states, know the differences in unemployment insurance law from location to location. ■
Scott Cruz is a partner in the Labor & Employment and Education Law practice groups at Franczek Radelet P.C. He represents both public and private sector employers in all aspects of labor and employment law, including civil litigation and preventive counseling. sc@franczek.com
31
apr/may 2015 today’s gEnEr aL counsEL
Labor & Employment
Risks and Benefits of Outsourcing Employees Many Legal and Regulatory Issues By Thomas M. White and Mark Rosenman
I 32
n the last few decades, we have seen a significant change in the entrepreneurial and middle market economy, with the rise of alternatives to permanent, direct employment. Technological innovation and pressure to reduce costs and add value have disrupted industries and transformed many sectors of the economy. Talent has become the vital ingredient for creating value, often in the form of intangible assets and intellectual property. At the same time, a confluence of trends has led businesses to deploy people in roles other than as direct employees. • Powerful development tools and outside specialists are enabling businesses to create technology-based products and services with fewer direct, full time employees. In one spectacular recent example, the software company WhatsApp monetized, via a sale to Facebook, a $19 billion valuation it created with only 19 employees. • One reason for such low employee headcounts is that many of the indemand talented specialists who contribute to successes like WhatsApp can make more money working as contractors, consultants or advisors than they can as full time employees. • Businesses have generally come to believe they should keep in-house only “core” functions that are critical
to their differentiated competitive advantage, while outsourcing support activities like IT and HR to specialized providers. What has come to be called the “employee light” model seeks to shift a substantial portion of labor costs from fixed to variable, thereby enhancing ability to change direction, adapt to dynamic markets and seize fast-moving opportunities. These developments have lead to the emergence and rapid growth of the “Professional Employer Organization.”
The PEO is a business that provides resources that function like employees but are on the books of the PEO. PEOs allow a business to scale its work force up or down. It could, for example, provide as-needed access to experienced HR managers to deal with high-risk issues like employee terminations. Because they can offer their employees better benefits at lower cost, PEO’s often claim they can identify and attract higher quality personnel than businesses can attract on their own. With this model, the U.S. corporate
today’s gEnEr aL counsEL apr/ may 2015
Labor & Employment workforce has become more heterogeneous. Once thought of as commanding an army of employees, often management now orchestrates a web of contracted services, alliances and partnerships. Like any business model, this can present risks and hidden costs, both strategic and legal. Before making any decision to limit permanent or direct employees to a core few, there are a number of things decision makers need to consider. BUILD A BASE
When evaluating whether it will outsource some or most employees, entrepreneurs and CEOs should remember that companies are more than economic machines designed to maximize profits. They are complex communities of people who are not interchangeable commodities. People need to feel valued and motivated to go “above and beyond” to help the business succeed. An inspiring, demanding work environment leads people to commit more of themselves to a business, because they like being part of a growing organization and see their long-term self-interest as aligned with the success of the business. It is difficult to build this kind of culture with a talent base consisting almost entirely of contractors and leased employees. Feeling only temporarily engaged, they are less likely to act as a cohesive, committed team than individuals who see the possibility of a long-term future with the business. Contractors are more likely to regard the ideas and best practices they help to develop while working for you as their own. Therefore, even if management decides to outsource a large share of its employees, it must invest time and resources to build an engaged workforce and vibrant business culture. Doing so requires deep understanding and close alignment of talent, strategies and activities with business strategy and goals. This in turn requires an expert point of view on talent, in the form of a strong internal HR head, who must work with the CEO and management to provide leadership/ management development, communication systems and personnel involvement. Outsourcing that doesn’t build on strong internal talent leadership, or regards HR as largely dispensable overhead, will fail.
RISKS OF OUTSOURCING
Outsourcing major activities like IT requires management to understand the services to be delivered clearly enough to specify them in a contract and monitor their delivery. If you are outsourcing most of your IT function to a service provider, you need to be prepared to modify the contract to deal with new IT platform and application requirements that are sure to arise after the contact is signed. In considering the cost of outsourcing versus relying on employees, you must weigh what you have to pay a service provider, as well as the additional costs of negotiating, overseeing and enforcing the contract and resolving issues and conflicts that might arise. Outsourcing contracts, especially those that call for incentives and penalties for service provider’s over/under performance, can be complex to administer. Management must also be prepared if talent and experience from a service provider or PEO turns out to not be as good as could be developed internally. An HR supervisor obtained from a PEO, for example, may not understand the business’s aspirations and values as well as an in-house HR Director would. INDEPENDENT CONTRACTOR OR EMPLOYEE?
Entrepreneurs who might want to go the “employee light” route need to consider the fact that employee outsourcing may give rise to complex issues under tax and benefit laws. If service providers are misclassified as independent contractors rather than employees, the recipient business may be responsible for tax withholding, FICA, FUTA, state unemployment taxes and worker compensation contributions. If the individuals are non-exempt employees, overtime pay may be due. Moreover, depending on the terms of the recipient’s benefit programs, misclassified individuals may be eligible for costly retroactive inclusion in benefit plans. In determining whether an individual is an employee or independent contractor, the courts and government agencies look at a number of factors, including
control of the work, type of supervision, ability to hire and fire and the location where the work is performed. Additional issues arise if a business obtains the services of “leased” employees, such as from a PEO. In general, an employer is not required by the IRS or ERISA to include all its employees in its benefit plans. However, all businesses under common control, in some instances including the portfolio companies of a private equity firm, must be aggregated to determine whether a retirement plan discriminates against rank and file employees in violation of Internal Revenue Code standards. Leased employees and other employees of the recipient business are examined together to determine whether these code requirements are satisfied. This requirement does not cause any difficulty if the leased employees are covered under the same plan as all other employees of the recipient and its aggregated affiliated businesses. However, because of the aggregation rules, a recipient’s plan may be disqualified if the benefits provided thereunder are more advantageous then those provided under the leasing organization’s plan. An example may help to explain this rule. Assume that Real Corp is owned 50 percent by John Smith and Mary Grace, who are also company officers. They are highly compensated, and Real Corp has established and maintains a defined benefit plan for them. All other work is provided by a PEO, and its employees are covered by a 10 percent money purchase plan. In this situation the benefits and features of the two plans would have to be analyzed on an aggregated basis. If the Real Corp. plan provides superior benefits then it could be disqualified. Note this situation would not arise if both Smith and Grace were covered only by the PEO’s plan or if Real Corp. did not maintain a retirement plan. The analysis becomes more complex if Smith and Grace are also shareholders in another business that it is in a controlled group with Real Corp. In that case the leasing entity’s plan features would have to be compared to those of the retirement plan provided under both continued on page 45
33
apr/ may 2015 today’s gener al Counsel
Cybersecurity
Six Steps To Reduce Cyber-Risk By Gavin W. Skok
34
C
ommentators have called 2014 “the year of the data breach.” The year ended with a highprofile hack on Sony Pictures and a federal judge’s decision to let a massive data breach class action lawsuit go forward against Target. These trends – more frequent cyber-attacks, more data breach lawsuits, continued emergence of new technology and new risks – promise to continue. Whether you are in-house counsel or an outside attorney, here are six proactive steps that you can take with your clients to reduce risk: (1) Review data security policies and procedures. All companies should review their data security at least
annually, and anytime the security environment changes (with new threats, new technology or new processes). Ensure any review complies with applicable law (e.g., the Gramm Leach Bliley Act, which requires financial institutions to have external auditors certify compliance with certain standards), any PCI data security standards requirements your client is subject to, and all security or audit provisions in contracts with customers or partners. Has your client established, maintained and distributed a security policy? Does the policy distinguish between different types of data and provide greater protection to more sensitive information? Does it in-
clude procedures for identifying vulnerabilities and assessing risks, and require they be carried out periodically? Does it require the destruction of confidential data when retention is no longer necessary for business purposes, and ensure the destruction is done securely? Do your client’s policies need updating to address new technology, emerging threats or new data collection? Consider conducting client and employee training on security policies and procedures at least annually. (2) Encourage your client to identify vulnerabilities and assess the risks to its network and systems. What consumer and employee information does the
today’s gener al Counsel apr/ may 2015
Cybersecurity
client collect and retain? Where is it located? Is it encrypted? (That’s a crucial factor under many state data breach statutes.) What are the key systems that transmit or store data? Identify vulnerabilities and threats, and evaluate security and risks to confidential information (audit logs, tracking capabilities). Make sure that your client’s review does not stop with security policies and procedures, but includes a technical assessment of risks posed by network and system configurations, code vulnerability reviews, and assessment of network intrusion detection systems and/or intrusion prevention systems. The absence of regular risk assessments is frequently cited by regulators as a factor in bringing data security enforcement actions. (3) Review and revise your client’s outward-facing data and privacy policies. Does your client disclose to consumers what information it is collecting and retaining about them, how that information is stored and protected, and whether and how it is shared? Collecting and sharing consumer information with others without express disclosure, or using such information for purposes other than those disclosed, may be considered by regulators to be an unfair or deceptive act under state or federal consumer protection laws. The disclosure requirements promise to get more stringent, not less. In December of 2014, the Indiana attorney general proposed legislation that would require any website collecting information from Indiana residents to conspicuously post a privacy policy, identifying the personal information collected by the site and stating whether that information is shared or sold, and to whom. Failure to disclose that a website operator was profiting from selling user data would be considered a knowing misrepresentation under state law. California already has similar laws in place. (4) Help your client review and refresh its crisis response plan. What happens if your client experiences a cyber-attack or loss of customer or
employee information? Who is their first call? Does your client have a ready-to-go crisis response management team with decision-makers from key groups (IT, security, legal/compliance, communications, customer service, executive management)?
(6) Review your client’s cyber-risk insurance. Check policies, both at the vendor level and at the company, to determine what cyber-risk protection exists. Is it sufficient? Does the policy require any annual audit or assessment? If so, has it been done?
Absence of regular risk assessments is frequently cited by regulators as a factor in bringing data security enforcement actions. When do they call counsel? How will your client identify the source of the breach, plug the hole, determine what data was affected, and make appropriate notifications? If your client has cyber-risk insurance, exactly what must be done to put the carrier on notice and trigger coverage? (5) Take steps to ensure vendors are properly protecting sensitive information. Review the data security provisions in your client’s existing vendor contracts. Do they require vendors to protect sensitive data, detail the procedure and timing for the vendor to notify the company of any suspected data breach, and not unduly limit the vendor’s liability for security-related losses? Have your client seek verification that those requirements are actually being carried out, for example by asking vendors to provide copies of written security assessments or audits. Consider holding training sessions for the vendor’s employees, to ensure proper implementation of necessary protections. Remind your clients to conduct proper due diligence when selecting new third party vendors by reviewing their security policies and the results of any security audits or assessments, or by conducting their own cyber-security risk assessment if that information is non-existent or inadequate.
Consider working with a cyber-risk insurance specialist to ensure proper coverage and avoid running afoul of policy requirements. Unfortunately, no network is invulnerable to intrusion and the risks only multiply as greater amounts of data are generated and collected. As FBI Director James Comey said during a recent appearance on 60 Minutes: “There are two kinds of big companies in the United States. There are those who’ve been hacked ... and those who don’t know they’ve been hacked…” Data security risks cannot be eliminated, but they can be reduced by proactively considering and addressing them. ■
Gavin W. Skok is chair of Riddell Williams’ Litigation Group and a member of the firm’s Privacy and Data Security Group. He was counsel to Starbucks in the seminal data breach case, Krottner v. Starbucks, and continues to advise on privacy issues and defend companies in data security litigation. gskok@riddellwilliams.com
35
APR/ MAY 2015 TODAY’S GENER AL COUNSEL
Cybersecurity
How to Interpret the FTC’s Vague Data Security Standards By Judith A. Archer and Jami Mills Vibbert
36
T
he Federal Trade Commission Act, Section 5, makes unlawful any “unfair or deceptive acts or practices in or affecting commerce.” Relying on the broad authority of Section 5, the Federal Trade Commission has aggressively pursued over fifty companies on a variety of data security issues, such as failing to take “reasonable” steps to secure data or safeguard consumer information and making false or misleading statements about
their security measures. Most of these actions resulted in onerous settlements. Yet, the FTC has not promulgated written rules or standards prescribing what “reasonable” safeguards are. Recognizing this uncertainty, an administrative law judge ordered the FTC to testify about its published data security standards. The FTC testified that its authority permits a case-by-case determination of whether a company acted reasonably, pointing
companies to a morass of information, including the fifty settlement orders, unidentified FTC speeches, Congressional testimony and a generic reference to other publicly available information on what constitutes reasonable data security. Similarly, on March 3 of this year, when a Third Circuit Court of Appeals panel questioned the FTC during oral argument about its lack of guidance concerning what constitutes an
today’s gener al Counsel apr/ may 2015
Cybersecurity
unreasonable data security practice, the FTC again pointed generally to its complaints and consent decrees in its data security actions. The FTC opined that careful general counsel should be looking at what the FTC is doing. FTC Chairwoman Edith Ramirez has explained that a company’s data security measures “must be reasonable in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities.” Two days after questioning by the Third Circuit, the FTC announced an education initiative aimed at clarifying the data security practices it expects businesses to follow. The chair-
practical guidance for companies setting up a data security program. ENFORCEMENT ACTIONS
The FTC’s data security enforcement actions allege that companies failed to employ reasonable measures to protect or prevent unauthorized access to personal information, or made a false or misleading statement that caused, or was likely to cause, substantial injury to consumers. A data breach need not have occurred. While many enforcement actions resulted from data breaches, some companies (like Nationwide Mortgage Group) were preemptively targeted for failing to take precautions to help prevent a future breach. To supplement its broad authority
The FTC has not promulgated written rules or standards prescribing what “reasonable” safeguards are.
woman stated that the FTC wants to be “more concrete in some of the guidance we are putting out there,” but she did not announce a start date or format for the initiative. In today’s economy, businesses can’t avoid dealing with employee, consumer or patient information. Identity theft remains the primary consumer complaint received by the FTC every year, and data breaches and other security incidents affecting millions have become the norm. Companies, therefore, must be proactive in addressing data security to avoid agency action and private litigation by consumers and other affected parties. Given the current lack of specific rules as to what practices are “reasonable,” this article reviews the FTC’s settlement orders, speeches and testimony for insights on its approach to data security – including what measures it has deemed unreasonable – in order to provide some
under Section 5, the FTC is lobbying for legislation authorizing it to seek civil penalties and bring actions against nonprofits (such as universities and health systems). Perhaps in response, on February 27 of this year the White House announced draft legislation that would give the FTC authority to seek civil penalties for violations of the Consumer Privacy Bill of Rights Act, including violations of its security provisions. Faced with an FTC enforcement action, the vast majority of companies settle. Such settlements typically require remedial actions over many years, including (1) filing compliance reports for up to twenty years, (2) implementing comprehensive information security programs with designated employees to coordinate them, (3) identifying internal and external risks to data security and (4) submitting to biennial assessments by independent experts as to the data se-
curity program. These requirements add a significant administrative burden for companies that do not ensure compliance in advance of FTC action. HOW TO AVOID SCRUTINY
Data security should involve an ongoing assessment that identifies potential problems and implements solutions before any data breach occurs. No single security procedure or process, or standard information security program, will necessarily prevent FTC action. But what follows is a sampling of security measures, gleaned from FTC data security settlements, that should be considered as part of a comprehensive information security program. What is reasonable may change, but implementing and maintaining effective procedures and policies is key to keeping the FTC from knocking on your door. REpRESENTATIONS TO CONSUMERS
Companies should use caution in making affirmative representations to consumers about data security. The FTC has indicated that the security protections companies must adopt stem in part from such representations. For example, the FTC admonished SnapChat for failing to employ the reasonable security measures it had marketed to its customers. • To avoid FTC action, a company should: Ŋ Accurately disclose the exact nature of any data security programs, processes or functions employed. Ŋ For applications requiring users to provide name or phone number credentials, include a verification feature to prevent creation of accounts with the information of others. Ŋ If representing compliance with the EU-US Safe Harbor Framework, maintain certification at all times. DATA SECURITY plANS
Companies should also adopt a comprehensive written consumer information security program that has at least one
37
apr/ may 2015 today’s gener al Counsel
Cybersecurity
employee responsible for its implementation and maintenance. This program must be routinely tested and updated, and the company must address “reasonably foreseeable” internal and external risks by remaining abreast of developments in data security.
38
• Based on FTC enforcement actions, companies should consider a data security program that will, among other things: Ŋ Maintain and update all mobile devices, networks and databases with current antivirus software, firewalls and other readily available security measures. Ŋ Routinely test security measures and monitor access to datastorage systems. Ŋ Employ authentication-related security measures to make sure only legitimate users can gain access to consumer data. They should: (1) Require a periodically changed strong login credential, such as a password that is not easy to guess and not similar to credentials used for third-party Web sites or other programs, (2) suspend user credentials after a certain number of unsuccessful logins, and (3) disallow, in clear readable text, the storage of login credentials. Ŋ Implement procedures for verifying the identity of new users to systems that will allow access to personal information. Ŋ Employ means to detect unauthorized access to or irregularities in systems, and retain all system logs to facilitate identification of security threats. Ŋ Use software to prevent users from installing data-transfer programs, such as P2P file sharing. Ŋ Control connections from company networks to the Internet using readily available security measures, such as re-
stricting connections to specified IP addresses and monitoring or blocking transmissions of sensitive data through such connections. Ŋ Separate systems containing sensitive information from the rest of the network by, for example, using a firewall.
Identity theft remains the primary consumer complaint received by the FTC every year. Ŋ Develop policies for disposal of confidential information consistent with the FTC’s disposal standards, and audit those policies. Ŋ Implement an incident response plan that provides employees with information on how to handle a security incident (including, for example, by providing notice to law enforcement and consumers). DaTa ColleCTion, STorage anD TranSmiSSion
FTC actions often focus on how companies collect, store and transmit data, including sensitive and personal financial, medical and other data. Typically, companies use software to facilitate data collection, sometimes retaining and/or collecting – inadvertently or purposefully – unnecessary confidential information, such as passwords or credit card numbers. There are data filters and algorithms that will prevent or minimize collection of much of this unwanted personal data, and because such screening tools are readily available, the FTC has not distinguished between breaches of data that companies intended to collect and
breaches of data collected inadvertently. The FTC, for example, brought an enforcement action against HTC America Inc. for, among other things, breaches of GPS-based location information inadvertently collected in an error-reporting tool. • The type of security systems employed should be commensurate with the type of data collected. Ŋ Collect only information the company has been authorized to collect by the consumer, and test software to ensure unwanted data is not being collected. Ŋ Employ – and test – filters and algorithms to prevent the collection of data the company has not been authorized to collect. Ŋ Ensure that personal or sensitive data transmitted to or from company networks, remote computers, remote servers or Web-based applications is encrypted and not transmitted in clear readable text. Ŋ Store personal or sensitive data, including network login credentials, in encrypted form. Ŋ Take steps to ensure backup tapes and other portable media containing or used to access personal information are unusable, unreadable or indecipherable in case of unauthorized access. Ŋ Destroy personal information for which the company no longer has a business purpose, and formalize policies regarding the length of time consumer data will be stored. Training
Critical to any data security program is proper training of employees and others regarding the risk of data breach and how to mitigate harmful disclosures. Training should extend to any user with access to company networks, databases, Web-based applications or other company information, not just those with direct access to sensitive consumer data.
today’s gener al Counsel apr/ may 2015
Cybersecurity
Employees who work directly with consumer data require specialized training in how to access, store, transmit and delete sensitive information in accordance with their job function and business purpose. Companies should also limit information access to those users for whom that access is a part of their job responsibilities. An information security program should have both a comprehensive training program to address a user’s access to information, and restrict access to sensitive and personal data to a small number of users, to limit risk of exposure by potential rogue employees. • To minimize the risk of disclosure of unauthorized data and to ensure meaningful participation in and compliance with a data security program, companies should consider the following steps: Ŋ Screen users with access to sensitive consumer information, including by checking references or performing background checks. Ŋ Train users about information security and preventing unauthorized disclosures of personal information, including by providing detailed guidance on the proper use, storage, transmission, and disposal of sensitive data. Ŋ Ensure employees understand technology necessary to their job performance well enough to avoid inadvertent disclosure. Ŋ Conduct training sessions using fictitious data sets to minimize unnecessary exposure to data or ensure immediate removal of any real consumer information used. Ŋ Develop policies for appropriate use and protection of laptops and mobile devices. Where possible, limit remote access to consumer data and internal networks. Ŋ Disallow use of personal email for work purposes without readily available measures to protect information from unauthorized disclosure.
Ŋ Provide oversight of users working from remote locations. Ensure internal systems are accessed in a secure manner from secure devices. Reasonable oveRsight of seRvice PRovideRs
Companies often use third party service providers to assist with such tasks as payroll processing, software development and information processing, and these processes may require providers to have access to a company’s consumer data. Just as it holds companies responsible for actions by employees and other users of company information, the FTC likewise holds companies responsible for breaches by their service providers. For example, the FTC brought an enforcement action against GMR Transcription Services for using a service provider who, through a File Transfer Protocol application, gave anyone conducting a search on a search engine access to thousands of files containing confidential GMR consumer information. • The FTC requires “reasonable oversight” of service providers, and that includes affirmative steps to ensure that they employ appropriate protections for consumer information. Companies should: Ŋ Select, retain and require by contract that service providers implement and maintain security measures capable of safeguarding consumer information. Ŋ Request and review information concerning the data security practices of service providers. Ŋ Ensure that service providers have access only to consumer data that directly relates to their business purpose, and only for long enough to accomplish it. Use fictitious data sets where appropriate, such as in developing new applications or for training purposes. Ŋ Verify that service providers have systems in place to
securely remove data when it is no longer necessary to the business purpose. Companies that employ some or all of the above measures may decrease the likelihood of an FTC action or provide a concrete basis to defend one, based on their having taken reasonable measures pursuant to a comprehensive data security program. Given the potential effect of an FTC action, including costly and lengthy oversight, these steps will decrease the risk of significant future expense and burden. ■
Judith A. Archer, a former inhouse counsel at AT&T, is a litigation partner in the New York office of Norton Rose Fulbright U.S. LLP. She handles a wide variety of cases in state and federal courts at the trial and appellate level, as well as in arbitrations and regulatory proceedings. She concentrates her practice on complex commercial matters, representing clients in disputes involving breach of contract, financial services, telecommunications, intellectual property, entertainment and bankruptcy. judith.archer@nortonrosefulbright.com
Jami Mills Vibbert is an associate working with the disputes group at Norton Rose Fulbright U.S. LLP. She focuses on a wide range of commercial litigation matters, including international and cross-border disputes and arbitrations, business and securities litigation, and data privacy and security. She has also represented clients in white collar cases, including internal company investigations and SEC and FBI investigations. jami.vibbert@nortonrosefulbright.com
39
apr/ may 2015 today’s gener al Counsel
Cybersecurity
Protecting the Company Against Malicious Insiders By Lisa J. Berry-Tayman
40
T
wo recent large-scale breaches had a similar origin. Both the breach at Sony Pictures Entertainment and the leak of client records at Morgan Stanley likely involved an information attack from the same kind of sinister source: a malicious insider. Malicious insiders intentionally take confidential internal information from a business for their own purposes. They can be current or former employees, contractors or business
partners - anyone with access to the organization’s confidential personal or corporate information. Given this profile, it’s critical for organizations to observe this basic principle when they enter into employment and contractual relationships: Begin with the end in mind. At the beginning of the relationship, treat those that will have access to the company’s confidential or personal information similar to the way airport security treats travelers, as
a potential threat, and then take the extra precautions necessary to ensure the security of all. LIMITED ACCESS
How can this be done? The first rule is to limit access. In airports, people can’t wander wherever they like. Access to certain areas and information is limited. Those with rights of entry have uniforms and badges, key cards, and authentication for log-in to computers that require it.
today’s gener al Counsel apr/ may 2015
Cybersecurity
Using technology as well as physical locks, an organization can do the same. Access controls should be in place so people can go only where they are supposed to go, and access only information that’s required for their job. No one person, even in IT, should have access to everything. And even where system administrators need elevated privileges, their activities should require secondary approval and be monitored and logged. Just as a passenger or airport restaurant worker cannot arbitrarily enter a gateway, an employee or contractor should not arbitrarily be given additional access upon request. There must be justification for the request, and the need should be investigated and confirmed. Note too that in an airport, passengers and most airport employees are prohibited from carrying firearms. Only federal air marshals and airport police are authorized to possess and use firearms to protect. A company can protect itself with a similar approach. For example, an organization heavy with intellectual property assets can authorize only certain vetted, trusted employees to possess on the premises, or use on the premises, cell phones with cameras, external hard drives, flash drives, or other removable storage devices, in order to protect these IP assets from malicious insiders. And just as airport police have uniforms and badges to signify their authority to carry and use firearms, a company can signify authorized users with authorized equipment by posting visible stickers on the equipment. A list of endorsed users can be included on the authorized equipment sticker, thus reducing the ability of a malicious insider to bring in unauthorized equipment or use company equipment for nefarious uses. People know what to expect at an airport. They must comply with screening or face the consequences. A company policy can convey a similar message about unauthorized access to or copying of sensitive information. The policy should explain that employees and contractors that fail to comply could face termination of their employment or contractual relationship, and they could be at risk of personal lawsuits, depending on how the information was misused.
It can’t be an empty threat. In order to quash any notions of information theft by a malicious insider, the threat needs to be believable and plausible. The information security approach should be “layered.” Airport security doesn’t rely solely on an identification card check or a baggage screening. It involves a layered approach that includes screenings, random secondary checks, watch lists of known terrorists, physical pat-downs, locked doors, etc. Organizations too can establish a layered, holistic progression, using the multi-disciplinary approaches of security, privacy, and information management. Good information security should protect an organization both inside and out by using controls and technology to protect the perimeter as well as to monitor and limit access to activities inside. Physical controls, like locks, fences, or biometrics, prevent unauthorized entry into the organization or into areas containing internal data centers. Technical controls, such as firewalls, antivirus software, user authentication and monitoring software, prevent unauthorized intruders from entering the organization’s network, at the same they limit access by those within the organization. Controls monitor unusual activity or suspect actions, and sound alerts. Monitoring controls also log network artifacts to support later investigative work. At the same time, administrative controls help secure information by influencing personnel behavior through security training, policies and procedures, and overall supervision of employees. Whenever sensitive, personal or confidential information is involved, privacy also needs to be addressed. There must be policies regarding what information is collected, how it’s used, and how it’s protected, especially with personally identifiable information like full names and social security numbers. A clear understanding of how information is to be used can facilitate limiting the types of information collected. If, for example, an organization doesn’t need social security numbers for marketing or any other purpose, it shouldn’t collect them. Obviously, if the information isn’t there, malicious insid-
ers cannot get their hands on it. If the organization does need social security numbers, it can apply higher-level security controls around that information. The goal of information management is to handle information throughout its life-cycle, beginning from when it’s created or acquired. Information is then retained in accordance with record keeping requirements or business need, and preserved in case of anticipated litigation or investigation. Proper information management details periods of retention, as well as location and appropriate storage methods, and what information can be defensibly disposed of. To implement and enforce a layered security approach, personnel from the board level down need to receive training. It should make clear what kind of information is sensitive, protected, or confidential, and what methods should be used to protect it. It should also educate employees regarding malicious insiders – why they might want information, how they steal it, how this hurts the company and how to report their actions, as well as what the consequences and damage will be for the employee. Malicious insiders do not wear signs saying “information thief,” but informed and educated employees can go a long way toward thwarting them. ■
Lisa J. Berry-Tayman is Senior Privacy and Information Governance Advisor at IDT911 Consulting. She assists organizations with information governance and compliance, privacy, security and e-discovery, and she speaks on these topics at corporate, legal, governmental and university events in the United States and Canada. She is an adjunct professor at the School of Informatics at Indiana University-Purdue University Indianapolis, a former practicing attorney and former assistant attorney general in the state of Missouri. lberrytayman@idt911Consulting.com
41
apr/ may 2015 today’s gener al Counsel
Cybersecurity
Privacy Risk in Anti-Bribery and Corruption Programs By Guido van Drunen and Tabitha Gaustad
42
E
mbedded in many anti-bribery and corruption (ABC) compliance programs are due diligence practices that help identify and mitigate the risk associated with third parties acting on behalf of a company, especially those operating in foreign jurisdictions. The use of thorough, risk-based third party due diligence figures prominently in compliance program guidance offered by the U.S. Department of Justice, U.S. Securities and Exchange Commission and the U.K. Ministry of Justice.
By definition, these third party intermediaries promote a company’s business interests, typically abroad, but they operate out of the company’s direct line of sight. Regulators expect that companies understand the risk presented by their third parties, and tailor their anti-bribery and corruption compliance programs accordingly. Risk-based due diligence pertaining to the hiring and oversight of third party intermediaries can include direct inquiry, questionnaires, public record checks, enhanced due diligence (indi-
rect investigations) and compliance certifications. DATA PROTECTION AND PRIVACY
In the context of bribery and corruption compliance, due diligence involves the assessment of risk through the collection and use of information regarding entities and individuals in foreign countries. Data collected may extend to personal or sensitive data about a third party’s key personnel or principals, and that data may be protected by various international data
today’s gener al Counsel apr/ may 2015
Cybersecurity
protection and privacy regulations, e.g., regarding financial information, birth dates, tax identification numbers, debarments, relationships with government officials, and criminal history. Like laws that criminalize bribery and other corruption, the body of international data protection and privacy law is fluid and dynamic, necessitating periodic monitoring to ensure compli-
In some countries, sensitive data cannot be transferred cross-border without meeting certain criteria. ance. Organizations should carefully evaluate whether or not their third party due diligence practices are conducted in accordance with international data protection and privacy frameworks. In some cases, privacy laws may be in conflict with leading anti-bribery and corruption compliance practices. Key elements that comprise all major privacy laws and regulations include notice, consent, and restrictions. • Notice. Many privacy laws require notice to be provided to the individual whose personal information may be collected, used or shared. Notice often includes information regarding the extent of data being collected, how it will be used, disclosure to the subjects as to who is collecting their data, and how subjects may access and make corrections to inaccurate data. As organizations collect due diligence data on third parties in a multitude of ways, complying with notice requirements may be challenging and unique to each circumstance, and may be at odds with the notion of trying to obtain certain information without alerting the subject of the inquiry.
• Consent. An organization wishing to conduct due diligence may need to obtain consent from the individuals concerned before it can collect, use, disclose, and transfer their personal information cross-border. Consent requirements vary from country to country. There are three main issues associated with consent that impact antibribery and corruption due diligence effectiveness: refusal to grant consent; refusal for cross-border transfer; and form of consent (verbal, explicit written and signed consent, etc.) Organizations should be prepared to address each of these scenarios and issues. They can be just as troublesome in the context of integrity-focused diligence as they are in internal investigations. • Restrictions. There may be country-specific considerations and protections related to the type of public or other due diligence related information that may be collected or transmitted after collection. For example, information regarding political affiliation and criminal history may require special treatment, including express written consent to be obtained prior to collection or use or sharing. Ŋ In some European countries, organizations may not collect certain types of information (such as criminal data, political affiliation, sensitive data) without preapproval from data protection authorities. Ŋ In some countries, organizations may need approval of workers’ councils before collecting and transferring certain types of information. Ŋ In other countries, sensitive data cannot be transferred cross-border without meeting certain criteria. In these cases, the fact that the acquisition is acquired and transferred in order to comply with the laws of other countries is not considered sufficient justification. Ŋ In some countries, certain information (such as criminal history) may be collected and used only by public authorities.
FIVE TRENDS AND PRACTICES
1
Organizations formerly used one standard form due diligence questionnaire for third party due diligence worldwide. We now find that organizations are tailoring due diligence questionnaires for country-specific use based on prevailing country-specific data protection and privacy concerns.
2
Many organizations embed data privacy notices or statements into corruption due diligence questionnaires.
3
Third party risk management is an on-going process that may be initiated and used by various organizational stakeholders, including sales, finance, procurement, internal audit, compliance, human resources and legal. Due diligence policies should be communicated effectively to all affected groups to ensure appropriate and consistent execution, and documentation of due diligence activities.
4
To comply with certain data privacy laws and regulations, organizations may need to implement a data protection protocol to keep data collected as part of third party due diligence efforts within the country or geography from which they were collected.
5
Some organizations have recently turned to outside service providers to centralize, manage and execute third party due diligence. Organizations should take adequate steps to ensure that data protection and privacy concerns are not overlooked in these situations. Questions they might consider asking their third party due diligence providers include, but are not limited to: • Does the service provider have a privacy policy that contains guidance on collection, use, disclosure and retention/destruction of personal information? • Does it have a communications/ training plan for its employees who handle or have access to personally identifiable information?
43
APR/ MAY 2015 TODAY’S GENER AL COUNSEL
Cybersecurity
44
Guido van Drunen is a
Tabitha Gaustad is
• Does it have a privacy compliance function, such as a privacy officer responsible for the firm’s privacy practices? • How does the service provider handle the transfer of data collected outside of the collection jurisdiction? • Are there any limitations on the types of data the service provider can collect in certain jurisdictions due to lack of permissions? • In an enhanced due diligence scenario, is the service provider able to work under the direction of the organization’s internal or external counsel, to allow the organization to assert work product and attorney-client privileges?
principal in the Seattle office of the U.S. Forensic Advisory Services practice at KPMG LLP. He has over thirty years of experience in forensic accounting, auditing, finance, law enforcement and alternative investments/asset management, and leads the Diversified Industrials initiatives for KPMG Forensics globally. gvandrunen@kpmg.com
a member of the KPMG Forensic practice specializing in dispute advisory services, corporate internal investigations, forensic accounting, and antifraud program consulting. She provides professional services to clients in a variety of industries. Her experience includes five years of accounting services focused on Fortune 500 companies in the retail and consumer markets sector. tabithagaustad@kpmg.com
Organizations should be prepared to provide their due diligence service providers with a data privacy legal framework that will ensure consistent and appropriate delivery of services. Although many organizations, especially larger and multinational ones, may have in-house privacy counsel who can
be consulted in the design of due diligence activities, it is our experience that many organizations prefer to seek outside counsel with deeper country-specific data protection and privacy expertise to guide them. Due diligence on third party intermediaries is a key component of a company’s anti-corruption compliance program, but companies should be mindful of
the evolving legal landscape concerning data protection and privacy in order to successfully manage compliance with anti-corruption, data protection and privacy laws. The ultimate objective is to ensure compliance with the requirements under an effective ABC risk management program, while at the same time not running afoul of any other regulations. ■
TO D AY S G E N E R A L C O U N S E L . C O M
today’s gEnEr aL counsEL apr/ may 2015
Labor & Employment Outsourcing Employees continued from page 33
of the controlled group’s plans. This example suggests that businesses that have a retirement plan and want to lease employees should consult tax and benefits counsel before outsourcing arrangements are finalized. Decision makers must also determine whether there are statutory or regulatory limitations on outsourcing particular business functions, particularly in highly regulated environments. A careful review should also be done of any contractual limitations on outsourcing. OFFSHORE SERVICE PROVIDERS
CEO’s and boards need to know if they are receiving services from foreign companies. Identification is simple if you are looking only at first-tier contractors, but the analysis becomes more difficult if the contractor acquires services from offshore subcontractors. The service recipient should determine what subcontracts it wants veto rights over and whether notice provisions should be part of its contract with the service provider. It must review contracts with domestic service providers to see under what conditions they may send work overseas. Another complexity to consider is whether local law trumps the terms of the negotiated contract. Local laws can make terms of the contract inoperative or make it hard for the recipient to protect its rights in a timely fashion. Litigating a dispute in a foreign forum can take a long time, and it may be difficult to collect a judgment. Decision makers also need to understand what tax and employment laws affect the parties’ relationship. The latter may have important implications for terminating the relationship. Geopolitical risk must also be considered. Is the country where the outsourcing will occur politically stable? Recent news suggests this may be a critical determination. Because political upheaval can disrupt communications and business conditions very quickly, consider negotiating terms that will permit termination of the relationship on short notice if the quality or timeliness of the work is unsatisfactory.
OTHER ISSUES
Intellectual property guarantees are likely to need attention. What are the local regulations governing IP ownership? Laws in this area vary widely from country to country, and some provide less protection to service recipients than they are used to getting under U.S. law. It’s also important to determine whether the service provider has any of your competitors as clients. In any case, the recipient should have a strong non-disclosure agreement in place to protect business plans, products or services under development, and other confidential information. Another important area for scrutiny is privacy protection under local law. Any local legal rules need to be coordinated with contractual protections and U.S. requirements. CEO’s and decision makers growing businesses in today’s dynamic economy may be able to have the best of both worlds by both building an internal organization and taking advantage of PEO’s. Companies need to develop a core of talented, dedicated permanent employees who share a compelling vision of the company mission, understand what differentiates it, and can drive its competitive advantage. HR administrative tasks may be outsourced, but companies should not outsource high value HR activities and decision making, such as design of compensation, benefits, recognition, retention, performance management or talent acquisition. Bear in mind that service providers make money by standardizing processes. It’s only after your HR function has designed systems to meet the specific goals of your business that a standardized approach to day-to day-administration can and probably should be outsourced. If a business can’t afford a full time HR person, other options include use of fractional executives. A mid-sized business can’t usually afford a full time high-level human capital strategist, but it probably can for a few days a month. One necessary attribute of a fractional HR executive is expertise on how the business should navigate the changing regulatory environment – for example, the requirements of the Affordable Care Act.
With all that said, outsourcing “variable cost” workers to drive non-core activities can offer critical cost and flexibility advantages to businesses, across industries and stages of development. To maximize the likelihood that outsourcing expectations will be met, decision makers should consider the nature of their business, the activities to be outsourced and practical and legal considerations. It may be helpful to engage an advisor to assist in defining the activities to be outsourced and in selecting and contracting a provider, and monitoring its delivery of services. For many entrepreneurial businesses, steering a middle course between a traditional organization and the “employee light” model is the right approach. A well designed mix of the advantages of both may provide the best chance to beat the competition and generate real wealth. ■
Thomas M. White is a partner with Rimon. Based in Chicago, he specializes in human resources management, including benefits, executive compensation, healthcare, and employment law. thomas.white@rimonlaw.com
Mark Rosenman is Chief Knowledge Officer of Newport Board Group, a national professional services firm of CEO’s and senior executives that serves emerging growth companies and private equity firms. His career in knowledge management has included leadership roles with McKinsey, KPMG, Gartner and Tatum LLC. He thanks Irene Helsinger, a partner in Newport’s Houston practice and an expert in talent strategy and management, for her assistance with this article. mark.rosenman@ newportboardgroup.com
45
apr/ may 2015 today’s gener al counsel
WORK PL ACE ISSUES
EEOC Pursuing Discrimination Cases Aggressively By Barry a. Hartstein
W
46
hile the Equal Employment Opportunity Commission experienced challenges that may have slowed it down in 2014, we’ve seen companies continue to face an onslaught of employee lawsuits involving discrimination or harassment claims, and the EEOC has remained aggressive in its enforcement of equal employment laws. Since December 2012, the EEOC has been focused on addressing “systemic discrimination,” which involves alleged discriminatory patterns or practices of discriminatory conduct and/or discriminatory policies that have a “broad impact on an industry, profession, company or geographic location.” In an analysis Littler conducted comparing EEOC activity in 2014 to 2013, we found that the Commission fell short on its systemic investigations initiative. For example, in 2014 the agency completed fewer systemic investigations (260 in 2014 compared to 300 in 2013). It also recovered less despite more settlements (in 2014, $13 million in monetary relief was recovered through 78 voluntary agreements, compared to $40 million recovered through 63 voluntary
Barry Hartstein is co-chair of the EEO & Diversity Practice at Littler Mendelson. He has more than 35 years of experience representing employers in discrimination lawsuits and advising on a broad range of employment matters. bhartstein@littler.com
agreements in 2013), and it filed fewer systemic lawsuits (17 in 2014 compared to 21 in 2013). The EEOC did not have a strong year in 2014 pursuing systemic discrimination litigation, as best illustrated by its focus on “failure to hire” cases. The EEOC lost one major case on appeal, EEOC v. Kaplan Higher Education Corporation, et al., when the Sixth Circuit affirmed dismissal of a case challenging the use of credit checks. A second case involving use of both credit and criminal background checks, EEOC v. Freeman, was appealed to the Fourth Circuit after the EEOC lost on summary judgment. Both cases involved reliance on the same expert. Regardless of the outcome in the Fourth Circuit case, the EEOC may be rethinking its reliance on certain experts in pursuing failure-to-hire cases, which focus on neutral employment practices that allegedly have a disparate
impact on the hiring of members of certain protected groups (e.g., AfricanAmericans and Hispanics). The EEOC suffered a similar setback in equal-pay litigation, as shown by a case filed on behalf of female attorneys in EEOC v. Port Authority of NY and NJ. The Second Circuit affirmed a dismissal in a harshly worded opinion, stating, “We conclude that the EEOC’s failure to allege any facts concerning the attorneys’ actual job duties deprives the Court of any basis from which to draw a reasonable inference that the attorneys performed ‘equal work,’ the touchstone of an EPA claim.” A closer question may be at stake in the religious accommodation case, EEOC v. Abercrombie, which the EEOC lost on appeal in the Tenth Circuit and then appealed to the Supreme Court. Oral argument on the Abercrombie case was held before the Supreme Court in February 2015.
TODAY’S GENER AL COUNSEL APR/MAY 2015
Despite recent setbacks, I anticipate that the EEOC will continue to aggressively pursue its various strategic initiatives, based on approval of David Lopez as general counsel for a second term and the fact that the Commission is now fully staffed with a 3-2 Democratic majority. Following are the key areas I think employers should be watching: • Conciliation Obligations of EEOC Prior to Filing Suit. The Supreme Court’s upcoming ruling in Mach Mining will provide clarity on whether the EEOC’s approach to conciliation before filing a lawsuit is subject to review by the courts. • Employer Obligations Involving Pregnant Workers. In Young v. UPS, the Supreme Court will weigh in on how and the extent to which the courts will require employers to make reasonable accommodations to pregnant workers similar to obligations existing under the Americans With Disabilities Act. • EEOC Challenges to the Use of Criminal History in the Hiring Process. Employers will continue to face scrutiny for any practices that may present hiring barriers, and they should monitor the pending Fourth Circuit decision in EEOC v. Freeman, examining the use of criminal history in the hiring process, as well as other cases of alleged intentional discrimination involving race, national origin, age and gender. • Scope of Reasonable Accommodation Under the ADA. Cases such as EEOC v. Ford Motor Company, currently pending before the Sixth Circuit, are examining required accommodation under the ADA, including whether the courts will begin to challenge required attendance on the job. • Required Accommodations Involving Religion. The Supreme Court’s upcoming decision in Abercrombie will impact the scope of reasonable accommodation to avoid religious discrimination,
•
•
•
•
•
and whether an individual has to make a specific request for an accommodation in circumstances where an employer arguably has enough information to believe there may be a potential conflict between the individual’s religious practices and employer policies. EEOC Challenges to Wellness Programs. The courts will look to reconcile the Affordable Care Act’s encouragement of wellness programs with the EEOC’s focus on the “voluntariness” of participation in such programs. Rights of LGBT Workers Under Title VII. Another key area to watch is the nature and extent to which courts adopt the view of the EEOC and expand the rights of LGBT workers under Title VII, despite the absence of federal legislation to cover sexual orientation and sexual identity. Challenges to Releases and/or Arbitration Programs. Also important are challenges to employer releases by the EEOC and/or arbitration programs (e.g., EEOC v. Doherty Enterprises [S.D. FL]), as the EEOC believes such employer documents interfere with access to EEOC processes. “Directed Investigations” Involving Equal Pay and Age Discrimination. The EEOC’s authority to conduct directed investigations gives rise to potential broad-based investigations of alleged equal pay violations under the Equal Pay Act and/or age discrimination under the ADEA without a charge of discrimination even being filed against an employer. Scope of Permitted Pattern or Practice Litigation against Employers. As the EEOC continues to pursue pattern-or-practice litigation, the extent to which a lawsuit by the EEOC will be limited based on the scope of its investigation and/or the failure to identify purported victims prior to bringing suit remains to be seen.
We’ll be keeping an eye on these decisions and suggest that general counsel do likewise. ■
SUBSCR IBE TO
“Informative and worth reading.” “I refer to the magazine often and the information is useful in my daily work.” “Very useful publication.”
todaysgeneralcounsel.com/ subscribe
47
apr/ may 2015 today’s gener al counsel
T H E A N T I T R U S T L I T I G AT O R
Narrow the Scope of the Client Representative’s Deposition By Jeffery M. cross
W
48
henever my clients receive a notice for the deposition of a corporate representative pursuant to Federal Rule of Civil Procedure 30(b)(6), my first recommendation is to seek to limit the scope of the topics to be examined. This can be done through up-front negotiations with opposing counsel, or through a motion for a protective order from the court. It has multiple benefits that can contribute to a successful outcome for the client. Rule 30(b)(6) is one of the most misunderstood of federal civil discovery rules and is fraught with danger for the corporate defendant if not handled properly. It allows a party to litigation to serve a deposition notice to another party, or a subpoena to a non-party, which names as the deponent a public or private corporation, a partnership, association, governmental agency or other entity, and to describe with reasonable particularity the matters for examination. The named organization must then designate one or more officers, directors or managing agents to testify, and identify the topics on which each designated person will testify. The organization could also designate other
Jeffery cross, is a columnist for Today’s General Counsel and a member of the Editorial Advisory Board. He is a partner in the Litigation Practice Group at Freeborn & Peters LLP and a member of the firm’s Antitrust and Trade Regulation Group. jcross@freeborn.com
persons who would consent to testify on its behalf. Many practitioners believe that Rule 30(b)(6) only requires the corporation to designate the person or persons most knowledgeable regarding the topics for examination. This belief has no basis in the federal rule. Indeed, the rule explicitly states that the person or persons designated must testify about information known or reasonably available to the organization. The obligation to testify about information known or reasonably available on the designated topics requires the representative to affirmatively learn the information known or reasonably available to the entire corporation. For a large multi-national corporation, this can be a daunting task, often requiring review of documents and interviews of other employees. This can be especially difficult if
there are no longer employees in the corporation who were involved in the events covered by the topics designated, a situation in which I found myself several years ago. In that situation, the rules do not require a corporation to designate an officer, director, or employee to testify. The corporation could hire an actor to testify, as long as he or she was prepared to testify to the corporate knowledge. Compounding the problem is the fact that the corporation will be bound by the testimony of the corporate representative. Indeed, a Rule 30(b) (6) deposition has been referred to as the equivalent of oral interrogatories. In some jurisdictions, a corporation is prohibited from introducing evidence that contradicts the testimony of the corporate representative, including in cases where the corporate representative testifies that the corporation has
TODAY’S GENER AL COUNSEL APR/MAY 2015
no knowledge of a particular fact. This puts an enormous amount of emphasis on thorough preparation by the corporate representative. That might be made easier if the designee has some knowledge of the topics, but it is still incumbent on the designee to be prepared to testify as to all information known or reasonably available to the corporation, not just his or her personal knowledge. In my opinion, the most important step that counsel can take to prepare for such a deposition is to narrow the scope of the topics on which the examination will focus. Narrowing the scope makes the preparation more manageable. It ensures that the designee will testify accurately as to corporate knowledge, and avoid the “I don’t know” answer that could come back to haunt the client at trial. The first step in narrowing the scope of the topics is for counsel to completely understand the preparation task at hand. This includes understanding
the difficulty of determining what the corporate knowledge is. For example, are the persons with corporate knowledge located in multiple countries, requiring interviews all over the globe? Or are the topics so broad that the designee will have to review thousands of pages of documents? Armed with such information, counsel should promptly commence negotiations with counsel for the party noticing the deposition. These negotiations should be informed by two principles: First, Rule 30(b)(6) expressly states that the designation of the topics must be described “with reasonable particularity.” Second, Rule 1 requires that the Rules of Civil Procedure are to be construed and administered to secure the just, speedy, and inexpensive determination of every action. In addition, Rule 26 requires that the burden or expense of the proposed discovery must not outweigh its likely benefit considering the needs of the case, the amount in controversy, the parties’ resources, the importance of the issues at
stake in the action and the importance of the discovery in resolving the issues. I use these principles to aggressively insist that the party noticing the deposition narrow the matters for examination, stating them with particularity. If negotiations with opposing counsel are unsuccessful, I do not hesitate to seek help from the court. I use the information I have gleaned about the difficulty of preparing a designee to testify to the corporate knowledge, as well as the principles found in the rules regarding the expense of discovery versus its benefits, as support for my motion for a protective order. A deposition of a corporate representative pursuant to Federal Rule of Civil Procedure 30(b)(6) could not only be burdensome, but it could also expose the client to difficulties at trial if not handled properly. Narrowing the scope of the matters to be examined goes a long way toward overcoming these problems and contributes to a successful outcome. ■
View our digital edition
D I G I TA L .T O D AY S G E N E R A L C O U N S E L . C O M
49
ACTIVISTS HAVE CHANGED, THEIR TARGETS SHOULD TOO By Christopher J. Hewitt
50
today’s gener al counsel apr/ may 2015
I
n 2014, activist investor Starboard Value LP used a slide show containing a scathing critique of Olive Garden restaurants to win all 12 seats up for election to parent Darden Restaurants Inc.’s board. Among the criticisms: They don’t put salt in their pasta water at Olive Garden so they can get a longer warranty on their pasta pots. Starboard Value is one of many activist investors. Depending on the source, there are between 100 and 400 such funds with between $100 billion and $400 billion to invest. According to a recent report by Activist Insight and the law firm Schulte Roth & Zabel LLP, 344 companies were targeted by activists in 2014, up from 291 companies in 2013. The activist trend is expected to continue in 2015. Having participated in many activist situations and proxy contests and witnessed many others from the sidelines, it has become apparent, to me anyway, that both activists (notwithstanding their success) and companies need to revise the way they approach activism and shareholder engagement. They need to establish some dialogue and, if possible, collaborate before engaging in destructive behavior simply designed to obtain, or keep, board seats. Unfortunately, not everyone agrees that collaboration is the best first step. There are plenty of commentators who have staked a position on either the company side or the activist investor side, without seeming to acknowledge a middle ground. The running dialogue between Marty Lipton, a leading corporate governance lawyer and a founding partner in Wachtell, Lipton, Rosen & Katz, and Lucian Bebchuk, Professor of Law, Economics and Finance at Harvard Law School, serves to illustrate the diametrically opposed views on the utility of activism. There is no question that there are some unscrupulous activist investors. It’s probably fair to say that the vast majority of activist funds operating in the first decade of this millennium were bad actors. Even those who were not, were self-described event-based funds with a clear agenda to make something happen. Their business model did not include dropping millions of dollars into a company’s stock to tell management to stay the course. Thus, it is not surprising that most companies are suspicious. But times are changing. Today, many activists are investing time and money to understand the companies they invest in. They are finding independent directors to serve alongside nominees that work for the funds, not just proposing the same slate for
every company. They are suggesting creative strategic options to companies, not just the standard platform of distribute cash, buy back stock, divest assets or sell the company. This change in approach has allowed activism to go mainstream and gain institutional investors’ support. In some cases, however, this time and effort is lost in the messaging by the activist investor. The Barington Capital Group’s situation with OMNOVA Solutions is a good example. Because Barington has less than 5 percent of OMNOVA’s outstanding shares, it is not required to file a Schedule 13D, and thus we don’t have
A chAnge In ApproAch hAs Allowed ActIvIsm to go mAInstreAm And gAIn the support of InstItutIonAl Investors. the actual text of letter it sent to OMNOVA. However, in its preliminary proxy statement, Barington summarizes it as follows: “In the letter to Mr. McMullen, dated December 3, 2014, Barington noted that the Company’s shares have dramatically underperformed its peers and the market as a whole over the past one, three, five and ten-year periods, as well as during Mr. McMullen’s entire 14-year tenure as CEO. Barington stated in the letter that it is its belief that OMNOVA’s poor share price performance reflects the market’s dissatisfaction with the company’s lack of strategic focus, disappointing organic growth and return on invested capital, frequent earnings shortfalls and poor executive compensation and corporate governance practices.” Barington apparently concluded the letter by threatening to run a proxy contest, couched in terms of proposing three board candidates, “who can assist the company in improving long-term shareholder value.” A week later, Barington continued on page 55
51
APR/ MAY 2015 TODAY’S GENER AL COUNSEL
52
TODAY’S GENER AL COUNSEL APR/ MAY 2015
Departments With Comprehensive Management Programs Thrive
F
BY BRET BACCUS
or the past five years, Huron Legal has conducted the IMPACT® Benchmarking Survey, in association with The General Counsel Forum. The survey was designed with the input of law department leaders to obtain benchmark data that will help them operate their departments more efficiently and cost-effectively. While the numbers may change, one survey result has remained consistent over the years: law departments with comprehensive management programs are the most cost effective overall. In this article, we discuss this year’s survey’s findings regarding management programs and the tools that help law departments manage those programs, including strategically deployed technology and data analytics to aid in decision-making.
MANAGEMENT PROGRAMS LOWER SPEND
The 2014 IMPACT Benchmarking Report found that law departments with comprehensive management programs had a 46 percent lower external legal spend as a percent of company revenue than those without them. For law departments with these programs, the median external legal spend as a percent of organization revenue was 0.11 percent, while for those without similar programs, that ratio was 0.21 percent. For purposes of this analysis, the 2014 report included the following best practices related to management of outside counsel and financial management:
• Defined panels/pre-approved lists for sourcing. • Matter management and e-billing technology. • Detailed matter-level budgets (phase and/or task level). • Alternative fee arrangements. • Evaluation of outside counsel adherence to billing guidelines. This list is not a fixed “recipe” for a comprehensive management program. Successful programs are individually tailored to a department’s needs. But these components are likely to form the core of any comprehensive management program. They are based on a holistic approach that takes into account the full portfolio of the law department’s work and its value, based on its alignment with the organization’s strategy and risk priorities, with the work assigned to the appropriate type and level of resources. These resources might be within the law department, other departments, law firms of various sizes, locations, or specialties, or within other external providers in areas such as e-discovery. Once the work is assigned to the appropriate resources, comprehensive portfolio management includes effective management of the work. Cost management is, of course, a major feature. According to the IMPACT survey, an increasing number of law departments are using detailed matter level budgets: The percent of departments reporting the establishment of budgets at the phase/task level has increased from 23 percent to 57 percent since 2011, and the percent reporting using budgets at the phase/task/timekeeper level has increased from five percent to 20 percent since 2011. Information from budgets at this level of detail allows
53
apr/ may 2015 today’s gener al counsel
law departments to move toward legal project management, ensuring that matters are staffed appropriately and that the appropriate level of effort is being given to the right tasks. Alternative fee arrangements (AFAs) are another cost-management tool. Eighty-three percent of the survey respondents reported using AFAs, compared to 69 percent reported in 2011. In the process of refining their use of AFAs, law departments are becoming more sophisticated in how they understand the value of legal services to their organizations, and better at partnering with outside counsel in ways that are beneficial for both parties.
INTEGRATED TECHNOLOGIES
54
Bret Baccus, a Senior Director at Huron Legal, has been serving the legal industry since 1990. He consults with both law firms and corporate legal departments regarding business systems and processes, practice management and matter-management systems. Prior to joining Huron, he was a senior manager with Arthur Andersen. He is a board member of Texas A&M University Center for Information Management Bbaccus@ huronconsultinggroup .com
Technology tools can help law departments manage their programs and measure their performance. Among the fundamental core technologies are matter management/e-billing systems. These systems can be used to track expenditures as a matter unfolds, at the same time as they become a source of valuable data to more accurately plan for and budget future matters. Matter management and e-billing technologies have essentially become the norm for companies with revenue over $10 billion (85 percent of those respondents reported using them), and they are used by the majority of responding companies of all sizes. Beyond this core, there is a range of additional technologies that can assist law departments. The core technologies can integrate with the others, which include management reporting systems, document management, legal hold management, IP management, and other systems supporting specific legal services. With the wide range of technologies available to law departments, a strategic technology development plan is essential to ensure smooth technology integration. A strategic technology plan also helps avoid poor investments that fail to serve the intended purpose, end up not being used, or don’t integrate appropriately with other systems, potentially increasing workload rather than streamlining it. Yet, only 45 percent of the law departments responding to the IMPACT Survey reported having a long-term strategic technology development plan. (The percentage was higher in larger organizations. Seventy percent of organizations with over $10 billion in revenue reported having such a plan.) A law department’s operational objectives and business processes should drive its technology priorities and define the long-term strategic technology plan. Questions to consider are the services which the department provides
or should provide, the essential processes for these functions, and growth plans for the company and the department.
DATA ANALYTICS
Most law departments have extensive data from their billing records and access to external repositories for similar kinds of data. These sources can be used to analyze trends, reveal opportunities and support decision making in areas such as spend management, budgeting, outside counsel negotiations and firm selection. Fifty-seven percent of law departments responding to the 2014 survey reported they use data analytics to drive some form of decision making. The most common reported use was to assist with decisions regarding outside counsel fee arrangements and rate negotiations (41 percent), followed by matter budgeting and legal project management (38 percent). Analytics are used less commonly for discovery spend management (15 percent), risk management and litigation avoidance (20 percent), and outside counsel/vendor selection (28 percent), all of which represent opportunities. Data analytics can help law departments take their management to a higher level by establishing metrics and key indicators against which to measure their performance. While technologies such as matter management/ebilling systems allow departments to track progress and performance on current matters, analytics can provide underlying information that can be used to establish more accurate, detailed metrics, and to better manage outside counsel and other providers with regard to factors such as rates and the time spent on performing specific tasks. They can provide data to support the development of AFAs that are likely to be successful for both law departments and law firms, because they are based on strong underlying premises. They can provide information that can help in the selection of appropriate counsel for specific matters. The horizon of data analytics also extends to using data to predict outcomes, and to risk reduction through identifying areas of exposure and measures that can address them. Comprehensive management programs, aided by the use of the right technology and data analytics, allow law departments to move to the next level of strategic impact on the organization. Having become more mature in their expense management efforts, law departments can focus on making those savings sustainable and on overall improvement in the quality of their services. ■
today’s gener al counsel apr/ may 2015
Activists Have Changed continued from page 51
commenced its proxy contest by nominating three directors to the OMNOVA board. Interestingly, one of those candidates is the CEO of a company Barington targeted a decade ago. Of course, we don’t know the tone of the dialogue before Barington sent its letter, but it’s hard to fault OMNOVA for reacting negatively. There are many similar examples, but on the flip side, there are still companies that simply refuse to engage with their shareholders. Management’s time is finite. The vast majority of it should be spent on running the day-to-day operations of the company and planning and executing business strategy. Managing shareholder relations cannot become its full-time job. That said, I have worked with companies that have put time and effort into avoiding shareholder engagement, even at the annual meeting. I have drafted scripts for annual meetings that don’t include a management presentation and do not allow for Q&A or any shareholder discussion. I have seen annual meetings moved to locations designed to make it difficult for any shareholder to actually attend. Even companies whose management engages with shareholders around the time of the annual meeting often do so simply to solicit votes for the meeting, in particular if they are seeking approval for a management-sponsored initiative. It’s not meaningful dialogue about the company’s business, and it usually does not continue past the annual meeting. In many cases the investor relations function at a public company is managed by the chief financial officer. The company views the investor relations function as merely the means by which to convey the financial results of the company, nothing more. Therefore, it is little wonder that when an activist comes calling there is a failure to meaningfully engage. Management is used to having guarded conversations, at best, with anyone other than directors and other management. There is also the Regulation FD (selective disclosure of information) factor, which circumscribes how much management can share. The jury is still out on whether activist investors create value for anyone but themselves. In arguing that increased restrictions should not be put on activist investors, Professor Bebchuk purports to demonstrate that activist investors do not have an adverse effect on the long-term interests of shareholders, and may even have a positive effect. Conversely, John Coffee, professor of law
at Columbia University, conducted a study that concludes that there is little evidence that the operating performance of companies targeted by activists improves. If you were to randomly select activist situations where the activist obtained board representation, and then look at the stock price of the target companies before and after the
I have seen annual meetIngs moved to locatIons desIgned to make It dIffIcult for any shareholder to actually attend. 55 activists obtained board seats, you would see that some have improved, some have fallen, and some have remained relatively flat. This completely unscientific analysis demonstrates what most of us would conclude intuitively, which is that some activism is successful and some is not. Activist shareholders and companies need to work on improving their dialogue. Activists don’t target successful companies. Boards and management of targeted companies should honestly assess their situation when an activist comes calling, and activists need to make an attempt to work with management first. While there may be some successful activist situations that started and finished in a hostile manner, and some situations where companies survived an activist charge and turned performance around, I’m willing to bet there are more situations that resulted in a win for everyone: Management embraced the views of the activist, and the activist truly tried to work with current management, and that collaboration reaped better dividends for everyone involved. Morgan’s Foods and Fidelity National Financial are two situations worth reviewing in that context. We need to end the debate about whether activism is good or bad and acknowledge it is here to stay, and the participants must engage collaboratively, not destructively. ■
Christopher J. Hewitt is a partner and chair of the M&A and Corporate Governance practices of Tucker Ellis LLP. He represents public and private companies on mergers and acquisitions, takeover preparedness, proxy contests and corporate governance. He also represents investment banks in their capacity as financial advisors to acquirers and targets in public mergers. Christopher.hewitt@ tuckerellis.com
THE LONG REACH OF EUROPE’S RIGHT TO By Francoise Gilbert 56
T
he so-called “right to be forgotten” (RTBF), or right of erasure, has been the subject of much debate and attention since the publication of the Costeja v. Google opinion from the Court of Justice of the European Union (CJEU) in May of 2014. The CJEU held that, under certain conditions, a European citizen has the right to demand that a search engine remove links to information pertaining to him or her if that information is “inaccurate, inadequate, irrelevant or excessive” – a definition which may include information that is truthful. Since the publication of the CJEU opinion, search engines have been flooded with delisting requests. According to the Google Transparency Report, as of the end of February of this year, Google had received more than 220,000 delisting requests and had evaluated over 800,000 URLs. The topic has also garnered the attention of the Article 29 Working Party. (“The A29,” which includes, among others, representatives from the data protection authority of each EU Member State). In November of 2014, the A29 published Guidelines to explain the position of the EU Data Protection Authorities. Among other things, the Guidelines provide that accepted delisting requests must be implemented on all domains operated, worldwide, by the entity receiving the
delisting request, and not just on its EU domains. Interest in RTBF extends beyond the European Economic Area (EEA). Cases similar to Costeja have been brought in Asia and the Americas, and it’s clear that a strong movement is building. The CJEU Costeja ruling and its aftermath are significant for businesses worldwide. The genie is out of the bottle and could disrupt many businesses. THE CJEU RULING The questions addressed in Costeja v. Google are not new. The Internet and search technologies provide immediate access to significant amounts of information, but this magic has a dark side. The same search engine that enables the discovery of information for a research project may also unearth secrets that someone would rather see buried. In the Costeja case, the CJEU found that Google, Inc., a U.S.-based company, was subject to EU laws as a data controller, and that EU law required the removal of links to certain articles that had become “inaccurate, inadequate, irrelevant or excessive.” The court found that the interference with Mr. Costeja’s right to data protection could not be justified merely by Google’s economic interest. Jurisdiction was a major hurdle in the Costeja case. Google argued that it was not subject to
57
EU laws because all processing was conducted in the United States, and its Spanish subsidiary was intended only to promote and sell products. But the CJEU found that Google had an establishment in Spain through its subsidiary, and that the processing was conducted in the context of that establishment’s activities. According to the CJEU, EU laws apply to the foreign entity responsible for that server if it has, in a member state, a branch or subsidiary that promotes the sale of advertising space offered by the foreign entity. This is an important ruling that significantly increases the probability that a foreign company operating in the EU through a domestic subsidiary might find itself subject to EU jurisdiction. A complex corporate structure with layers of subsidiaries may not shield U.S. companies from EU laws. A DATA CONTROLLER The CJEU found that a search engine is a data controller. The court stated that the activity of a search engine – consisting of finding information published on the Internet by third parties,
indexing it automatically, storing it temporarily and making it available according to a particular order of preference – must be classified as “processing of personal data” within the meaning of the 1995 EU Data Protection Directive, and that the search engine operator must be regarded as the “controller” with respect to that processing. This position is consistent with a trend in the European Union. EU agencies, data protection authorities and the A29 are refining the concept of the data processor and data controller and, rather than a dichotomy, they are defining a sliding scale. A company can be both a controller for certain activities and a processor for others. Two companies may be deemed joint data controllers. This is a very significant ruling. U.S. companies, including cloud service providers, have vehemently argued that they are data processors only, and not data controllers. The Costeja ruling weakens this position. THE A29 GUIDELINES The A29 Guidelines take the CJEU ruling to the next stage and enlarge its scope. They are especially
apr/ may 2015 today’s gener al counsel
58
Francoise Gilbert is the founder and managing attorney of the IT Law Group, a niche law firm that focuses on U.S. and global information privacy and security, data governance, cloud computing, big data and other emerging technology issues. She is the author and editor of the two-volume treatise Global Privacy & Security Law, www. globalprivacybook. com (Aspen Publishers/ Wolters Kluwer Law and Business), which analyzes the laws of 68 countries. fgilbert@ itlawgroup.com
relevant to American companies, which might find themselves unexpectedly caught in a quandary after receiving a RTBF delisting request. The Guidelines expand the CJEU ruling to organizations other than search engines. The A29 advises that while the ruling is specially addressed to generalist search engines, that does not mean that it cannot be applied to other intermediaries. The delisting right may be exercised whenever the conditions established in the ruling are met. It’s not clear which types of organizations might be affected. The Guidelines do not identify these other intermediaries, leaving room for expansion as cases arise. Potential targets might include entities that process large amounts of data, such as data brokers, credits reporting organizations and other companies specializing in background checks, and archives, library or research organizations that offer searchable databases. Anyone who processes data that affect an individual might become a target. The A29 also believes that limiting delisting to EU domains would not satisfactorily guarantee the data subjects’ rights. Delisting decisions must be implemented in such a way that they guarantee the effective and complete protection of data subjects’ rights, and that EU Law cannot be circumvented. Thus, companies should expect that they may have to implement delisting requests on all relevant domains that they use or operate. This requirement is likely to cause significant concern and create technical and legal hurdles for American companies. Google, for example, has vehemently argued that its implementation of RTBF requests should cover only EU-based search engines. A worldwide implementation is likely to encounter the significant conflicts between EU and the other countries’ laws and cultures. Information rights and freedom of expression, for example, are areas where EU and U.S. laws differ. The First Amendment to the U.S. constitution protects freedom of speech. European laws, on the other hand, restrict certain forms of expression, such as hate speech, that would be legal in the United States. If publication of certain content might violate EU laws, the delisting of the same content might violate some U.S. laws. American companies with operations in Europe that receive delisting requests may have to struggle to accommodate both viewpoints. At a minimum, they should be aware that delisting might have to be implemented on all of their domains rather than in a specific region. Whether and how they will be able to accommodate the nuances of U.S. and EU freedom of expression laws remains to be seen.
EFFECT ON THE REST OF THE WORLD The geographic scope of application of the CJEU decision and the Guidelines is limited to the EU territory. According to A29, the EU Data Protection Authorities will focus on claims where there is a clear link between the data subject and the EU, such as where the data subject is a citizen or resident of an EU member state. Nevertheless, the CJEU ruling has been followed with great interest throughout the world, and in similar cases being filed and adjudicated outside the EEA. The primary target has been Google, due to the popularity and widespread use of its search engine. In October 2014, for example, a Japanese Court ordered Google, Inc. to remove certain Internet results that suggested that an individual might have been involved in criminal activities. In January 2015, the Mexican Data Protection Authority ruled against Google on facts similar to those of the Costeja case. It found that Google Mexico is a data controller, and that it must remove the offending information. The right-to-be-forgotten is still in development and in need of refinement to provide a more balanced approach. Many components remain to be evaluated. If different countries are faced with the same issue, the discussions might mature and better solutions might be found. Many individuals hope to erase a portion of their past - an adolescent mistake, a petty crime for which they have paid, or articles about them that they find invasive, such as news regarding their health. The CJEU ruling, the A29 Guidelines, and the recent RTBF cases open the opportunity to request such masking, delisting, or blocking, and in some cases to obtain it. There are, however, significant ethical and societal implications in removing or not referencing data that can be unearthed only because of the extraordinary power of search technologies. Search engines may not be the best judges to decide whether and what information should be available to society at large. The United Kingdom and the United States are questioning the soundness of giving search engines this power. Though RTBF is still in its infancy, it has garnered great interest and generated much comment. Hopefully the concept will evolve and be refined. In the meantime, American companies that offer search capabilities or operate large databases should stay tuned and understand the likely implications of the CJEU and other cases, and the application of the A29 Guidelines. ■
TodaysGC Daily Newsletter The daily newsletter is a terrific advertising vehicle to reach 46,000 corporate subscribers. With a high open rate, the newsletter is unmatched as a marketing vehicle within the corporate counsel community.
T ODAYS G ENER A L C OUNSEL .C OM / SUB S C R IBE
CLIENT FEEDBACK VITAL FOR LAW DEPARTMENTS By Merry Neitlich
60
T
he larger the corporate legal department, the more cumbersome getting internal client feedback can become. However, it can be done, and doing it is a good way to maximize the satisfaction of those internal clients. One example is the legal department of a Fortune 500 pharmaceutical corporation that wanted to find out how satisfied its internal corporate clients were, and what the department could do to create a higher level of service. Executives from sales and marketing, research and development, and the finance/HR operating groups were interviewed, and they provided actionable feedback that the legal department was able to act on. Their level of satisfaction at the time of the interviews and survey was an average of 4.5 out of a possible 6.0. The legal department wanted to raise that number to 5.0 to 5.5 within 18 months. One central theme that emerged was that the legal department had “right-sized” itself to the point that it was too small to get work done in a timely fashion.
In addition to requesting that more attorneys be brought on board, the executives of each operating group had their own unique challenges and suggestions for improvement. A variety of issues surfaced, each requiring accommodations from the attorneys and the legal department as a whole. Among the changes made were: • Attorneys began working on specified days each month in the operating groups that requested this accommodation. The executives wanted more direct interface so that the attorneys could learn to serve their needs more fully. Having the ability to ask attorneys quick questions and check on the status of matters was one positive outcome of this arrangement. • The legal department improved their intake and tracking of all new matters. A standard of communication and projected time line was set for every new matter. • Response time for executive legal guidance queries was reduced by 25 percent. Even if a clear answer could not be provided, the legal
today’s gener al counsel apr/ may 2015
department would respond within 24 hours with an initial reaction and projected time line. Paralegals became a major interface in carrying out this improvement. • A protocol for engaging select outside firms was put in place for intellectual property matters that became bottle-necked in the legal department. • Additional attorneys were slated to be hired within the following 12 months. ROUTINE INTERACTION IS NOT FEEDBACK Jeff Carr, former General Counsel for FMC Corporation, has an interesting take on this topic. He frequently asked the attorneys in his legal department, “Why aren’t you providing feedback to your law firms?” To address that problem, he and his in-house team developed a vehicle for providing feedback to their outside counsel and used this same form to discuss feedback with the executives they serviced. According to Carr, feedback is always enlightening. He suggests several reasons why more corporate legal departments don’t seek it. “Some attorneys are afraid of what they might hear,” he says. Another reason, Carr says, is that some inhouse departments think they receive feedback on a daily basis just from interacting with clients. Carr maintains that normal interaction is not feedback - it’s just the working process. But implementing a feedback loop will uncover what the lawyers can do (their capabilities) and their time frame for getting each matter accomplished. Developing a structured process forces the gathering of real information about whether service providers are efficient, responsive, and able to communicate. In his feedback instruments, Carr always added a component asking for concrete information on effectiveness, predictive accuracy, the knowledge base each attorney possessed, and how accurate the attorney’s judgment was. It was each attorney’s job to find out what was going well and what needed improvement. “At the end of each project, we talked openly about what could be done better,” says Carr. The focus was on how the team worked together and the facts and circumstances that gave rise to the project, mostly in order to change behavior so that the company did not have the same issue again. TOP LEVEL BUY-IN REQUIRED Setting up internal client feedback programs
requires commitment from in-house leadership. Malvina Longoria, Associate General Counsel and head of Strategy and Transformation for MasterCard’s legal department, is directly involved in the feedback process. She reports that over the years they have tried numerous programs to gather and respond to internal client feedback to improve the way their services are delivered. According to Longoria, with 100 in-house counsel, and many operating groups and divisions needing legal advice, unless the feedback is specific and contains actionable suggestions the process is frustrating and offers little value. MasterCard started gathering internal client feedback by using an outside consulting firm to conduct written surveys. The surveys were conducted for several years. Some of the data gathered was given to the managing attorneys, providing them with specific feedback to share with the attorneys they supervised. This led to creating productive ways to tailor the delivery of legal services for better client satisfaction. Some years the consultant’s survey produced the desired actionable results and yielded positive changes. Other years the process seemed to lose focus, resulting in information that was not actionable. In order to get a process that was more consistently usable, the process was brought in-house. They are now looking more closely at individual written comments combined with metrics to identify process improvement strategies. Examples include codifying how long it takes to complete certain types of transactions. The results have led to crafting a more refined intake process for new matters, with questions such as: What are the timing requirements and degree of communication preferred for this matter? How can we work together to get the deal done in a timely fashion? Longoria now heads a legal management team to spearhead the internal feedback process. As the head of Strategy and Transformation, she has the team focused on developing specific suggestions based on client input to optimize the experience between the attorneys and the groups and individuals they serve. The past few years have brought increased awareness of the need for legal departments to better serve and provide increased value to their internal clients. Neither law firms nor corporate legal departments can afford to ignore pressure from clients who want better service – as they define it. ■
61
Merry Neitlich is a founding partner with Extreme Marketing, a professional services firm that assists corporate legal departments and law firms. merry@ extrememarketing.org
Database Marketing for Lead Generation With over 300,000 names, the TGC database enables marketers an unmatched array of choices to send out co-branded emails with content of their own choosing to several desirable segments within the database.
T ODAYS G ENER A L C OUNSEL .C OM /A D V ER T ISE
Charles H. Camp p c
Sponsored Partners Sponsored Partners
C H A R L E S C A M P L A W. C O M • 2 0 2 - 4 5 7-7 7 8 6 • W A S H I N G T O N , D C
64
Mr. Rath is a trial and appellate attorney and assists employers in OSHA counseling, citations, and rulemaking. Contact Mr. Rath at rath@khlaw.com.
LEADERSHIP LEADERSHIP PROFILES PROFILES
Presents Presents HEALTH CARE
I N T E R N AT I O N A L A R B I T R AT I O N , L I T I G AT I O N A N D D E B T R E C O V E R Y
L AW
You’re invitedRIM to the Targeted & Partners llp A PREEMINENT Teraoka PACIFIC LAW FIRM ANKNER & LEVY , P.C. strategies, 116 HUNTINGTON AVENUE, BOSTON MA 02116 ♦ www.anknerlevy.com T precision and webinars with Manesh Rath A FORBES
LEGAL
B L AC K B O O K 2015
OSHA 30/30
hird generations including KikkoELITE US tion Japaneseman Sales USA, Inc., L AW F I R M American Steve JFC International Inc., Teraoka instinctively NTT Facilities, Sega, MARCHXPERIENCED 25 / APRIL 22 NRI / MAY 20 understands how to Secure Technolomediate cross-cultural gies Ltd. (an affi liate Keller and Heckman Partner Manesh Rath hosts legal issues. Serving ofwebinar Nomura Research the OSHA 30/30, a complimentary series ESPONSIVE Institute) and more. clients for over 41 that covers OSHA legal developments years, his firm handles Teraoka’s mission in 30 minutes every 30 to days. cross-border corpofacilitate crossNDUSTRY OCUSED rate and business RECENT TOPICS: cultural business transactions, mergers relationships is deeper OSHA Recordkeeping FFICIENT and acquisitions, than building a sucCitation Contests: Employer Knowledge employment, real cessfulStandard law firm. “As The Revised Hazard Communication OST FFECTIVE estate leasing and the world shrinks with acquisitions, executive increased globalizaLIANNE SALLY KAPLAN immigration and civil tion, developing trust ANKNER LEVY litigation. Equipped that bridges different www.khlaw.com/OSHA3030 with bilingual and cultures becomes the slevy@anknerlevy.com kla@anknerlevy.com bicultural staff, Teraoka key to promoting and Boston Magazine & Partners LLP has Boston Magazine maintaining successful FRANK TAPIA PHOTOGRAPHY L A W active O F F I in C EUSS OF been business relation“Super Lawyer” since 2004 “Super Lawyer” since 2007 Japan mergers and acquisitions, representing business enterprises on both ships for our clients.” Teraoka & Partners LLP is the go-to law firm for all legal pc sides of the Pacific from due diligence to closing the deal and beyond. business matters involving Japanese and Pacific Rim businesses operating or Mr. Rath is US. a trial and appellate attorney and assists Mr. Teraoka and his firm serve as counsel to leading Pacific Rim corporaplanning to operate in the
intelligence to resolve any international dispute.
♦E ♦R ♦I
♦E
-E
F &
C
The Only Chambers-Ranked Boutique Healthcare Law Firm In New England
Charles H. Camp
employers in OSHA counseling, A Forbes Legal Black Book Top U.S. Health Care Lawcitations, Firmand–rulemaking. 2014 TERAOKALAW.COM Contact Mr. Rath at rath@khlaw.com.
C H A R L E S C A M P L A W. C O M • 2 0 2 - 4 5 7-7 7 8 6 • W A S H I N G T O N , D C
64
I N T E R N AT I O N A L A R B I T R AT I O N , L I T I G AT I O N A N D D E B T R E C O V E R Y
S A N F R A N C I S C O ( 4 1 5 .9 8 1 . 3 1 0 0 ) • PA LO A LTO ( 4 0 8 .9 7 1 . 3 1 0 0 ) • LO S A N G E L E S ( 3 1 0 . 5 5 2 . 2 6 0 0 )
Teraoka & Partners llp A TO PREEMINENT PACIFIC RIM LAW FIRM SHOWCASE YOUR EXPERTISE GENERAL COUNSEL & T CORPORATE LEGAL DEPARTMENTS ACROSS THE U.S.
TGC Leadership Pages FEB_MARCH_20155.indd 64 hird genera-
tions including Kikkotion Japaneseman Sales USA, Inc., American Steve JFC International Inc., Teraoka instinctively NTT Facilities, Sega, understands how to NRI Secure Technolomediate cross-cultural gies Ltd. (an affiliate legal issues. Serving of Nomura Research clients for over 41 Institute) and more. years, his firm handles Teraoka’s mission cross-border corpoto facilitate crossrate and business cultural business transactions, mergers relationships is deeper and acquisitions, than building a sucemployment, real cessful law firm. “As estate leasing and the world shrinks with acquisitions, executive increased globalizaimmigration and civil tion, developing trust litigation. Equipped that bridges different with bilingual and cultures becomes the bicultural staff, Teraoka key to promoting and & Partners LLP has maintaining successful FRANK TAPIA PHOTOGRAPHY been active in USbusiness relationPresents Japan mergers and acquisitions, representing business enterprises on both ships for our clients.” Teraoka & Partners LLP is the go-to law firm for all legal sides of the Pacific from due diligence to closing the deal and beyond. business matters involving Japanese and Pacific Rim businesses operating or For toMore Information Lester Mr. Teraoka and his firm serve as counsel leading Pacifi c Rim corpora- Contact planning to operate in theGoodman US. d Partners
Sponsore
wAD E wEL cH
nal injury, law, perso oyment law, civil and trial e, and empl practice in ing a solid cal malpractic rous professional While build liability, medi nuing ved in nume e, products while conti actively invol negligenc profession has remained ibute to his his ability. Alton Todd him to contr the best of allow to ts that clien ns Law and a r to serve organizatio and Civil Trial ation in orde nal Injury ational Acad educ Perso Intern legal both his rs, the certified in trial lawye rican Board College of Alton is board of the Ame me mat rican Ame Supre Diplo the U.S. and Fellow with a member before the t to practice Lawyers and District Cour as admitted emy of Trial als, the U.S. of cates; as well rn District Court of Appe of Trial Advo and the Easte it of the U.S. , Texas Circu of Fifth Bar of Texas ern Districts Court, the the State ern and South ria County member of a , Brazo North n, the Texas for ciatio sed in ciation. ty Bar Asso He is licen ston Coun Lawyers Asso Louisiana. Galve Trial rs, Texas lawye the Houston Trial Director of n, and is a Bar Associatio d.com
tod d aLt on c.
Drive Friendswood 312 South , TX 77546 Friendswood 2.8633 Phone: 281.99 8.8633 Fax: 281.64
62
S
IP ProFILe
LeaderSH
Presents atIon LItIG
www.cet
Capone, llp Cetrulo & Lane, Boston, MA 02210
ip Pages
TGC Leadersh
LEADERSH
Presents LEctu AL PRO P
Sponsore
IP PROFILE
ERt y L Aw
The firm is lead who is a Lifetim by Wade Welch, e VIP memb Strathmore er of ’s Who’s Who named its and was 2011 Profe ssiona Year in the area of Comp l of the cial Litiga lex Comm tion. These er eraccolades the result are of T. Wade Welch & Associates’ centralized litigation practice, which offers nation representa wide tion where a partic to its clients no matte r ular dispu te takes place . At T. Wade Welch & Assoc alize that superior know iates, we rere ledge of black letter law only provid es the mentals of effective repre fundayour busin sentation-t ess objec he art is drawn tives. We because we from its use make it our appreciate in furthering business to the value with our client know your in having s’ industries, business, an advocate, because when an intimate familiarity you need it counts, a partner solutions you don’t – someone in dynamic who can provid just need situations; and who is a firm that accessible is totally comm e creative at a mom ent’s notice itted to its ; a proven clients What our leader. clients want are swift, problems comprehen in a cost-e sible resolu ffective mann Associates tions to their er. This has formula for been T. Wade success since Welch & the firm bega n in 1994.
ntod www.alto
e LLP o & Capon York, Cetrul l. ruL o and New and on appea e G. cet , Providence on at trial tive New Haven L awr enc lex civil litigati in Boston, provide innova se of comp insurers to With offices rers, in the defen ement and rs, re-insu al presence el, manag is a nation rations, insure rate couns e 500 corpo n that with corpo representatio reason, Fortun for We work closely good LLP e Capon ies. With Cetrulo & litigation strateg e results. ies turn to cost-effectiv mental agenc of t govern and ives in pursui national leader nized as a business object and considers LLP is recog beryllium, & Capone benzene, and of Cetrulo e, asbestos, United States G. Cetrulo Agent Orang Lawrence state in the bia, arising from almost every t of Colum of claims clients in , the Distric in defense defended New Jersey The firm has d, New York, Expertise. lead paint. New Englan sippi. throughout est, Experience. ana, and Missis tried cases nd, Louisi by Thomson-W hed ncy. Maryla , publis Efficie Pennsylvania Litigation, e Group, Toxic Tort Tort Practic Us For tts treatise on of the Toxic me chuse “Rely On chair ns.” Massa 4-volu a in Solutio partner and Author of Litigation defendants founding asbestos G. Cetrulo, Counsel for Lawrence nted Liaison court-appoi serves as . Island and Rhode cap.com
rt Two Seapo 617.217.5500
IntEL
d Partners
S
T. Wade Welch & Associates is a Houston, Texas-base representin d g entreprene law firm and Fortu urial intere ne 500 ® comp sts anies in litigation throu States, result ghout the United ing in the firm being named as a Go-To Law Firm ® for several years in a row. BTI Group has Consulting identified T. Wade Welch & Associates as a Clien t Services MVP based on multip le reviews a Fortune by 50 worldwide conglomer agriculture ate, and the firm was also spotli ghted in News magazine’s week 2011 Top Attorneys the Coun in try showcase.
63
2401 Founta in View Drive Suite 700
Houston, TX Phone: 713.9577057 www.twwlaw 2.4334 .com
PM 8/4/14 4:08
d 62
t 2014.ind
Aug_Sep
LEADERSHIP PROFILES
914.588.1369 • profiles@TodaysGC.com TERAOKALAW.COM
S A N F R A N C I S C O ( 4 1 5 .9 8 1 . 3 1 0 0 ) • PA LO A LTO ( 4 0 8 .9 7 1 . 3 1 0 0 ) • LO S A N G E L E S ( 3 1 0 . 5 5 2 . 2 6 0 0 )
63 63
2/16/15 2:47 PM
The Magazine The six-time yearly publication, with strategies, best practices and analysis written by expert practitioners within the legal profession, offers an excellent branding opportunity to 58,000 qualified subscribers.
T ODAYS G ENER A L C OUNSEL .C OM / SUB S C R IBE
THE ABA SECTION OF INTERNATIONAL LAW 2015 SPRING MEETING
brings together over 1,200 leading international attorneys, corporate counsel, government officials, policy makers, academics and NGO lawyers for a unique four day forum in the beautiful and historic city of Washington, DC.
THE 2015 SPRING MEETING WILL OFFER YOU:
• Networking opportunities with counterparts, decision makers and potential clients from around the world who are active in international practice areas; • An entire year’s worth of CLE and over 70 substantive concurrent panel sessions that will cover themes including: Africa/Eurasia; Americas/Middle East; Business Law; Business Regulation; Constituent; Disputes; Finance; Legal Practice; Public International Law; Tax, Estate and Individuals; and • Special programming for young lawyers, law students, and legal educators.
OUTSTANDING NETWORKING OPPORTUNITIES INCLUDING:
• Receptions at the Flying Bridge, Smithsonian’s National Museum of American History, the Library of Congress and Hyatt Regency on Capitol Hill; • 3rd Annual International Human Rights Lobby Day; • Field Trip to the Law Library of Congress; and • Special Joint Swearing-In Ceremony before the U.S. Court of Appeals for the Federal Circuit and the U.S. Court of International Trade.
LEARN, NETWORK, PARTICIPATE
• Learn the latest from top experts and receive information that is relevant to you in your international law practice area; • Network with thought leaders and experts, policy makers, key international enforcers, decision makers and international leaders in the law particularly at our twice daily networking breaks, evening events and ticketed luncheons; and • Participate in specialized meetings with colleagues who share your areas of interest by attending committee working business meetings, division breakfasts and committee dinners; A “Must-Attend” meeting for lawyers with a practice or interest in international legal issues. Join us in Washington, DC for a spectacular SPRING Meeting! For more information and to register, please visit http://ambar.org/ILSpring2015
$110 BILLION
IN CLAIMS & COUNTERCLAIMS AdMINISTEREd IN 5 YEARS *
would you trust just anyone?
When everything is on the line, trust the leader in alternative dispute resolution (ADR) since 1926. The American Arbitration Association® (AAA®) has been entrusted to handle more “bet-the-company” cases than anyone in ADR today. We provide executive facilitation of your disputes by experienced leaders, and access to arbitrators and mediators who specialize in large cases. Meet your AAA executives at adr.org.
adr.org | 1.800.778.7879
RESOLVE the Complex. The total of all claims and counterclaims for commercial arbitrations filed with the AAA between 2009-2013. ©2015 American Arbitration Association, Inc. All rights reserved.
*