DEC/JAN 2016 VOLUME 12 / NUMBER 6 TODAYSGENERALCOUNSEL.COM
Legal Hold
Avoiding Flotsam in Large Volumes of Data • Ingredients of a Sound Legal Hold • Applying “Moneyball” to the Legal Department • Building a Company-Wide Culture of Compliance
$199 Subscription rate per year ISSN: 2326-5000 View our digital edition: digital.todaysgeneralcounsel.com
Dec/Jan 2016 Today’s General Counsel
Editor’s Desk
Two years later the fallout from the massive data breach at Target continues to fall, though not in headlines. Subsequent data breaches at other corporations soon drew the media attention that had focused exclusively on Target, but thirteen of the company’s officers and directors still face shareholder lawsuits challenging their conduct before and after the breach. Hackers got into Target’s data through a contractor’s computers, but as Philip Gordon points out in this issue of Today’s General Counsel, negligent or malicious employees are behind the majority of such occurrences. Gordon lists ways that HR can enhance information security and notes that while IT and security professionals dominate discussions about the problem, a determined insider can undo safeguards they put in place.

The software that becomes a hacker’s target can be the source of another type of legal headache. Eduardo Ramos and Eric Ray discuss contractual issues that arise when buying software, and then paying an expert to install and adapt it. Two separate contracts with very different kinds of warranties are involved, and the right to recover potentially huge costs and damages from the installer can be wiped out if the implementation agreement incorporates or is bound by the limited terms of the software company’s license agreement.

Anybody who watched the World Series can attest to the role that the management style known as “moneyball” plays in baseball today. Data derived from a micro-analysis of batters’ and pitchers’ strengths and weaknesses in various situations is a staple of play-by-play broadcasts now, and managers who ignore that kind of data analysis have long since disappeared from the major leagues. In his article about legal department management, Andy Wilson draws parallels between moneyball in baseball and a way general counsel can apply big data in legal department management, notably to the challenge of e-discovery.

Scott Wandstrat, in his article about how to implement a sound legal hold, finds yet another area where good lawyering requires clear communication to non-lawyers, in this case to “custodians.” He says the process has to start with a legal hold memo that explains in plain English what the dispute is about and what categories of information need to be preserved, but it can’t end there. It’s essential, he says, to revise the terms of the hold in response to changes in the focus of litigation – and even if things don’t change, to periodically remind data custodians of their obligations.
Bob Nienhouse, Editor-In-Chief bnienhouse@TodaysGC.com
Features

50 Survey Shows Conflicting Views of In-House and Law Firm Attorneys
Joseph E. O’Neil and Alfred R. Paliani
In some key areas, not on the same page.

52 How the Insurer Sees It
Thomas F. Lysaught
First offer frames the negotiation.

56 Separate Agreements for Software Purchase, Implementation
Eduardo Ramos and Eric Ray
License refund won’t begin to cover a million dollar mess.

58 Liability for Third Party Vendor Conduct
John D. Finerty, Jr. and Ben Kaplan
Insurance is the best policy.

62 Using Europe’s M&A Regime for Tactical Advantage
Peter Cohen-Millstein and Nick Rumsby
Fifty-one percent in Delaware, 95 percent in the EU.

Columns

44 Workplace Issues: Leverage HR to Address Risk of Data Breach
Philip L. Gordon
Malicious insiders can undo any safeguard.

46 The Antitrust Litigator: The Pro-Competitive Justification
Jeffery M. Cross
Grounds must be cognizable under antitrust laws.

48 The Legal Marketplace: What’s a Lawyer?
Mark A. Cohen
Legal service providers without law degrees.
Departments

2 Editor’s Desk
10 Executive Summaries

Intellectual Property

18 Differing IP Enforcement on Three Continents
Brad Chin and Kevin Tamm
A one-world economy, but there’s no substitute for local partners.

24 How Due Diligence Analysis Drives a Negotiation
John Fleming
Pathway to agreement on a patent’s value.

Cybersecurity

26 The Case for Lawyers as Cyber Risk Leaders
Steven Chabinsky
Why lawyers need to take the lead in cyber risk management.

28 Current Landscape of Cyber Insurance Coverage
Alba Alessandro and Alyssa Conn
In a period of flux, diversify your coverage.

E-Discovery

30 Applying “Moneyball” to the Legal Department
Andy Wilson
What worked for the Royals might work for you.

32 Ingredients of a Sound Legal Hold
Scott Wandstrat
Plain English, with periodic updates.

34 Avoiding Flotsam in Large Volumes of Data
Jim Gill
Don’t waste time looking through irrelevant data.

36 Build a Company-Wide Culture of Compliance
Brad Harris
Compliance goes beyond the legal department.

Labor & Employment

40 2015 Was a Big Year for the NLRB
Christina Lewis
Browning-Ferris was not the only shoe that dropped.

42 Federal Paid Sick Leave Mandate Sows Confusion
Summer Austin Davis and Mary Clay Morgan
One hour of leave for 30 hours of work, but for whom?
Editor-in-Chief: Robert Nienhouse
Chief Operating Officer: Stephen Lincoln
Managing Editor: David Rubenstein
Executive Editor: Bruce Rubenstein
Senior Vice President & Managing Director, Today’s General Counsel Institute: Neil Signore
Art Direction & Photo Illustration: MPower Ideation, LLC
Law Firm Business Development Manager: Scott Ziegler
Database Manager: Matt Tortora

Contributing Editors and Writers
Alba Alessandro, Steven Chabinsky, Brad Chin, Mark A. Cohen, Peter Cohen-Millstein, Alyssa Conn, Jeffery M. Cross, Summer Austin Davis, John D. Finerty, Jr., John Fleming, Jim Gill, Philip L. Gordon, Brad Harris, Ben Kaplan, Christina Lewis, Thomas F. Lysaught, Mary Clay Morgan, Joseph E. O’Neil, Alfred R. Paliani, Eduardo Ramos, Eric Ray, Nick Rumsby, Kevin Tamm, Scott Wandstrat, Andy Wilson

Subscription
Subscription rate per year: $199. For subscription requests, email subscriptions@todaysgc.com

Reprints
For reprint requests, email rhondab@fosterprinting.com (Rhonda Brown, Foster Printing)

Editorial Advisory Board
Dennis Block (Greenberg Traurig, LLP)
Thomas Brunner (Wiley Rein)
Peter Bulmer (Jackson Lewis)
Mark A. Carter (Dinsmore & Shohl)
James Christie (Blake Cassels & Graydon)
Adam Cohen (FTI Consulting)
Jeffery Cross (Freeborn & Peters)
Thomas Frederick (Winston & Strawn)
Jamie Gorelick (WilmerHale)
Robert Haig (Kelley Drye & Warren)
Jean Hanson (Fried Frank)
Robert Heim (Dechert)
Dale Heist (Baker Hostetler)
Joel Henning (Joel Henning & Associates)
Sheila Hollis (Duane Morris)
David Katz (Wachtell, Lipton, Rosen & Katz)
Steven Kittrell (McGuireWoods)
Jerome Libin (Sutherland, Asbill & Brennan)
Timothy Malloy (McAndrews, Held & Malloy)
Jean McCreary (Nixon Peabody)
Steven Molo (MoloLamken)
Thurston Moore (Hunton & Williams)
Ron Myrick (Ronald Myrick & Co, LLC)
Robert Profusek (Jones Day)
Art Rosenbloom (Charles River Associates)
George Ruttinger (Crowell & Moring)
Jonathan S. Sack (Morvillo, Abramowitz, Grand, Iason & Anello, P.C.)
Jonathan Schiller (Boies, Schiller & Flexner)
Victor Schwartz (Shook, Hardy & Bacon)
Robert Townsend (Cravath, Swaine & Moore)
David Wingfield (WeirFoulds)
Robert Zahler (Pillsbury Winthrop Shaw Pittman)
All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information or retrieval system, without the written permission of the publisher. Articles published in Today’s General Counsel are not to be construed as legal or professional advice, nor unless otherwise stated are they necessarily the views of a writer’s firm or its clients.

Today’s General Counsel (ISSN 2326-5000) is published six times per year by Nienhouse Media, Inc., 20 N. Wacker Drive, 40th floor, Chicago, Illinois 60606.
Image source: iStockphoto | Printed by Quad Graphics | Copyright © 2015 Nienhouse Media, Inc.
Email submissions to editor@todaysgc.com or go to our website www.todaysgeneralcounsel.com for more information.
Postmaster: Send address changes to: Today’s General Counsel, 20 N. Wacker Drive, 40th floor, Chicago, Illinois 60606. Periodical postage paid at Oak Brook, Illinois, and additional mailing offices.
Executive Summaries

Intellectual Property (Page 18)
Differing IP Enforcement on Three Continents
By Brad Chin and Kevin Tamm, Bracewell & Giuliani LLP

In the United States, the America Invents Act has created new options for IP enforcement through post-grant proceedings at the U.S. Patent and Trademark Office. At the same time, the European Union is developing the Unified Patent Court to provide a common patent court for member states. The UPC as proposed will include a Court of First Instance, a Court of Appeal and a Registry. China recently issued “The Further Implementation of the National Intellectual Property Rights Strategy Action Plan.” It identifies four objectives: (1) to promote IP creation and utilization, (2) to strengthen IP protection, (3) to strengthen IP management and (4) to expand international IP cooperation. Chinese enterprises are actively creating strategic IP portfolios, and statistics demonstrate their rapid increase in patent filings compared to their foreign industry counterparts. A foreign enterprise seeking to enter the Chinese market and to develop and maintain a competitive edge in conducting business in China must understand and select the most effective form of IPR protection for its technology. To stay on an equal footing with Chinese enterprises, foreign companies must understand the procedural advantages and challenges associated with the use of administrative actions and judicial proceedings. They should develop relationships with local industry partners and legal representatives, gain an understanding of the administrative, regulatory, and judicial requirements for protecting and enforcing their IP rights, and work closely with legal counsel who have expertise navigating the pertinent system.

Intellectual Property (Page 24)
How Due Diligence Analysis Drives a Negotiation
By John M. Fleming, Banner & Witcoff Ltd.

Due diligence allows parties to a negotiation the opportunity to drive the assigned value of assets up or down. Confidential, or often shielded from certain entities, a due diligence analysis can have an enormous impact on the negotiation process. Patents present unique due diligence issues. A seller should approach the sale from the perspective of the buyer. What will a buyer want this for? Which industry will be most impacted by this asset? This is where an infringement due diligence analysis can be a real benefit for a seller. Sometimes a seller may prepare generalized claim charts, showing a potential buyer how the patent claims stack up as a way of illustrating the patent’s value. A buyer should be concerned with enforcement and the potential to go after another entity. Thus validity is an important factor. A validity diligence analysis can inform a buyer about prior art that is not of record and may affect eventual enforcement. Similarly, a buyer should assess the potential for infringement action against a third party, whether through charts provided by a seller or independently. A buyer can seek to drive down the cost of an acquisition by discussing the weaknesses with the seller, without divulging their potential correction or removal in a pending application. In most cases, a broad view of the positives and negatives in a portfolio offering, derived through due diligence, should steer negotiations on both sides of the deal.

Cybersecurity (Page 26)
The Case for Lawyers as Cyber-Risk Leaders
By Steven Chabinsky, CrowdStrike

The author presents this article as an opening statement in a trial and proceeds to make his case. He submits that attorneys are fully capable of driving cyber risk management discussions and outcomes, and that there are two compelling reasons for them to do so. First, there is exceptionally strong client demand. Lawyers, whether corporate or outside counsel, are increasingly expected to understand the implications of cyber security when providing advice relating to a variety of issues. As a trusted neutral advisor, a lawyer is uniquely qualified to help clients navigate risk issues. Second is the matter of complying with professional ethics obligations. Hackers and foreign intelligence operatives are stealing sensitive information from law firm networks and in-house counsel. As lawyers adopt new technologies, they must consider security ramifications. Cybersecurity presents a growing risk to attorneys and their clients. In addition to the liability and ethical issues that poor cybersecurity may bring to a practice, cybersecurity is becoming a market differentiator. Clients have begun to retain lawyers based both on their ability to provide subject matter expertise and their ability to adequately secure information. Put another way, attorneys who fail to understand the dynamics of cybersecurity and who also fail to implement adequate information security practices are losing business or in-house promotions to those who do. If you are an attorney who is not competent in cybersecurity matters, it is past time to gain those skills.
Cybersecurity (Page 28)
Current Landscape of Cyber Insurance
By Alba Alessandro and Alyssa Conn, Hodgson Russ LLP

Data breaches have policyholders “scrambling to fit the proverbial square peg into the round hole of their insurance programs.” Insurers have pushed back, and the result has been not only coverage disputes, but also the development of more cyber policies that specifically address data breach. It is the nascent state of cyber-specific insurance policies that accounts for many open coverage questions. But in Travelers Property Casualty Co. of America v. Federal Recovery Services, a case being called the first cyber-related liability dispute, a federal court in Utah found that typical insurance coverage issues of policy interpretation in fact do apply to a cyber-related fact pattern. The case turned on whether the terminology “errors and omissions” in the policy was broad enough to include withholding of data, regardless of the reason. Citing the general rule that “an insurer’s duty to defend is determined by comparing the language of the insurance policy with the allegations in the complaint,” the court reasoned that Global Fitness’s allegations of “knowledge, willfulness, and malice” would not trigger Travelers’ duty to defend. Policyholders will be better armed to mitigate damages by diversifying their coverage. They can take advantage of a variety of types of policies that cover cyber-related threats. For example, some insurers offer an add-on to standard crime policies for “social engineering fraud,” which covers policyholders in the event that employees are misled into sending money or diverting information based on fraudulent emails or other means.

E-Discovery (Page 30)
Applying “Moneyball” to the Legal Department
By Andy Wilson, Logikcull.com

Twenty years ago, baseball front offices bankrolled scouts who would evaluate talent by box score and physical stature. Fast forward to the age of “moneyball,” a management philosophy that enhances performance through innovative analysis and use of data. The results are unity of purpose, operational efficiency and decision making that yields better results. Just as effective moneyball redounds to all areas of an organization, so too can savvy legal teams spearhead data-driven change that bridges departmental gaps, positively affecting compliance, security, risk, records management and revenue. Electronic discovery cuts across all these competencies and is ripe for a more data-focused assessment. Discovery is among the most expensive and risk-laden aspects of litigation, but it can be streamlined in ways that bring value. Data-driven legal departments reuse document collections and privilege decisions for similar matters, supplementing them only if necessary. They track document review costs by matter type, using data obtained from previous matters to project future costs. They make decisions about whether to fight a case or settle by weighing the amount in controversy with legal fees incurred from recent cases, and they look carefully at the documents and information likely to be relevant to assess the validity of the case and expected outcomes. In a cost-conscious corporate environment it doesn’t pay to be indifferent toward the widely-accepted benefits of using data smartly. That way of thinking cost an entire generation of baseball executives their careers.

E-Discovery (Page 32)
Ingredients of a Sound Legal Hold
By Scott Wandstrat, Arnall Golden Gregory LLP

Among in-house counsel there is much angst around e-discovery, and for good reasons: mounting costs, rampant techno-babble and a pronounced uptick in the volume of filings asking for discovery sanctions, and orders granting those requests. The most common ground for those filings is failure to take reasonable steps to preserve potentially relevant information. The best protection against this threat is to institute a legal hold, starting with the prompt distribution of a legal hold memo to each information custodian, explaining the who, what, when, why and how of preservation. The memo should educate custodians about their obligation and how it impacts decisions about disposing of information. Employees are just one possible group of custodians. There may be third parties such as lawyers and accountants, among others, who need to receive the notice. Once the initial legal hold is sent out, remember the work is not done. As more about the dispute is discovered or the focus of litigation shifts, the hold will likely need to be revised. Explain in plain English what the dispute is about and what categories of information need to be preserved. The goal is to arm the recipients with the information they need to determine whether any particular piece of information is subject to the hold. Even when things don’t change, the best practice is to remind custodians about preservation obligations periodically throughout the litigation or investigation, and that the duty to preserve is ongoing.
E-Discovery (Page 34)
Avoiding Flotsam in Large Volumes of Data
By Jim Gill, Exterro Inc.

A recent survey finds that searching through vast amounts of electronically stored information for responsive data is the number one challenge for both IT and legal teams. Other problems include developing search criteria for determining document relevancy, using in-house e-discovery search collection software effectively, and working with third-party collection/processing providers. Many legal teams don’t have search tools to help with e-discovery, or they have a combination of tools from different vendors. Even with search tools, a knowledge of correct keywords and stopwords, as well as indexing various forms of ESI (email attachments, embedded audio, metadata) is required. The author suggests getting all players in the process working together as soon as possible, and creating an e-discovery liaison role. The difference between an efficient search and useless time spent looking through irrelevant data often comes down to understanding Boolean logic and using it effectively, understanding nuances of date-filtering and other metadata, having a process for searching folders and files with no clear custodian, and making attorneys aware of what is required for a successful search. One game-changing tool, as cited by the e-discovery director of the largest health insurer in the U.S., is called In-Place Search. It is said to analyze data in its native environment to help expose critical ESI before organizations are forced to collect. This condenses the traditional flow of the e-discovery reference model moving analysis, so that analysis and search happen simultaneously.

E-Discovery (Page 36)
Build a Company-Wide Culture of Compliance
By Brad Harris, Zapproved Inc.

Current digital technology trends are making the job of the corporate legal department more difficult. A shift in the IT landscape has left corporations creating far more data, and that data is fragmented across a big digital universe. However, for innovative law departments this is an opportunity to become proactive, and to reposition themselves within the organization as a strategic business partner rather than a cost center. Innovative law departments are focusing on preservation best practices and developing a culture of compliance. That means that employees come to understand that compliance is intrinsic to the success of the business. Proactive data preservation readiness requires enterprise-wide attention because it involves a dramatic cultural change within the organization, with four key elements: building strategic alliances and effective communication across the organization, assessing and monitoring risk, investing in employee training and effective education, and establishing meaningful policies, procedures and practices. Compliance is no longer the exclusive concern of the legal department. The risks and complexities associated with burgeoning volumes of data are forcing companies to regard sound preservation practices as a business imperative requiring cultural change across the organization. An important part of establishing this culture of compliance is investing in the front end of the preservation process – automating it, to make the process more efficient, repeatable and trackable. In that way companies can be confident they are collecting only what they need, when they need it.

Labor & Employment (Page 40)
2015 Was a Big Year for the NLRB
By Christina L. Lewis, Hinckley Allen

The NLRB was extremely active in 2015. It ruled that Browning-Ferris Industries is a “joint employer” of workers hired through a temporary agency; it issued guidelines for employee handbooks; and effective mid-April, it issued new expedited rules and procedures for union representation elections. Before the Browning-Ferris ruling, the NLRB’s standard for joint employer was not much different than that of other agencies. The key was whether or not both employers exerted control over the terms and conditions of employment. The Browning-Ferris ruling made clear that the question is not whether an employer actually exerts control, but whether it could exert control. In March, the Board issued guidance on how to create a lawful employee handbook. It is safe to say that a large majority of employers have at least one workplace rule in their handbook that could be perceived as overly broad. Specifically, the NLRB has made it clear that any rule that could chill concerted activity is unlawful, even if that was not the rule’s intent. One month later the Board’s “Final Rules” regarding expedited union elections took effect. The most noteworthy change was the shortening of the union representation election process from as many as 45 days to as few as 13. It’s clear the NLRB has been favoring labor in recent years, but it is essentially a political agency, and it remains to be seen whether or not this trend will continue after the presidential election.
Labor & Employment (Page 42)
Paid Sick Leave Mandate Sows Confusion
By Summer Austin Davis and Mary Clay Morgan, Bradley Arant Boult Cummings LLP

In an executive order released on Labor Day, President Obama declared that businesses contracting with the United States government must provide employees who work on those contracts with paid sick leave. The paid sick leave mandate will apply to federal contracts solicited or awarded on or after January 1, 2017. To comply, federal government contractors will need to provide at least one paid hour of sick leave for every 30 hours worked. The Executive Order does authorize contractors to limit the maximum annual paid sick leave an employee can accrue to 56 hours. The new federal mandate applies a one-size-fits-all policy to diverse companies. As a result, numerous questions arise. Among those questions: What about temporary employees or probationary employees? What level of connection to the project is required for the employee to be covered under the mandate? Would denial be considered an adverse employment action or a material change in the terms and conditions of employment? If your company already provides paid sick leave to employees, review your policy and confirm that it follows the minimum requirements of the federal paid sick leave mandate. Although the mandate applies only to employees, not independent contractors, it’s important to recall that the U.S. Department of Labor recently declared its opinion that thousands of workers are misclassified as independent contractors. Take care not to rely solely on the labels the workers wear to determine whether the mandate applies to your company.

Features (Page 50)
Survey Shows Conflicting Views of In-House, Law Firm Attorneys
By Joseph E. O’Neil and Alfred R. Paliani, International Association of Defense Counsel

Earlier this year, the International Association of Defense Counsel (IADC) conducted its 2015 Inside/Outside Counsel Relationship Survey, to provide its members and the legal industry as a whole with key insights into the relationship between in-house counsel and lawyers at private law firms. The survey revealed that corporate legal departments and their outside counsel have inconsistent views of important relationship factors, including communication tactics, the amount of work expected to be referred to outside counsel and costs for legal services. With regard to communication, in-house and outside counsel have differing ideas regarding best practices. Corporate respondents stressed the need for the “right” principal contacts for each matter and active one-on-one communications. Outside counsel feel that regularly scheduled written status reports are the most important best practice. To achieve good communication, in-house counsel must know their business, clearly state their objectives, and provide requested information quickly. Understanding in-house counsel’s expectations of outcome, risk, and budget is critical to a successful result for outside counsel. More work is being outsourced but it’s being consolidated to fewer law firms, as many corporate law departments have gone through a convergence process resulting in a select panel of outside counsel to serve the majority of the organization’s needs. Overall, having a smooth and workable arrangement for communicating and understanding the client’s needs is essential for successful outcomes and longevity in these types of relationships.

Features (Page 52)
How the Insurer Sees It
By Thomas F. Lysaught, Hickey Smith LLP

Proactive claim and litigation management strategies are essential to improving an insurer’s performance. Most sophisticated insurers and self-insured entities develop strategies specifically designed to expedite the fair resolution of their claims, although those strategies will not always be successful. In many instances, a lawsuit is the first notice that an insurer receives of the claim. In any event, when a lawsuit is filed, outside counsel becomes a key partner in executing the client’s proactive litigation management strategies. Maximizing the success of a proactive litigation management strategy requires that outside counsel and in-house claims professional or general counsel are in alignment when it comes to business strategies, resolution objectives and economic interests. The first step in proactively managing litigation is early case assessment. Before a case can be properly evaluated, the critical information required to determine the extent of the client’s liability, any possible liability defenses, and the realistic range of damages must be obtained. Assuming liability is established at least to some degree, the next step is to evaluate the case, determine a fair settlement value and consider a realistic settlement offer. Experience tells us that the first offer tends to frame the negotiation. Outside counsel is a key partner in effectively executing a client’s proactive litigation management strategy. In this role, defense counsel not only demonstrates alignment with the client’s business strategies and specific case resolution objectives, but also with the economic interests of the client.
Dec/jan 2016 today’S gEnEr al counSEl
Executive Summaries: Features
Separate Agreements for Software Purchase, Implementation
By Eduardo Ramos and Eric Ray, Holland & Knight LLP
If a business buys specialized software and pays an expert to adapt and set it up, there are two separate contracts involved, with two very different warranties. It’s crucial to keep the two contracts separate. Usually the company that installs and implements the software is not the same company that developed it, and each owes different obligations to the customer. When a business buys software, typically by way of a license, the most it can get if the software fails is the cost of the license. But if the party that customizes, installs and implements the software fails in its obligations, the business can sue for damages, which in some cases could be thousands, even millions of dollars. When negotiating an implementation agreement, the customer should never agree to limit its remedies. In case of failure, in addition to the significant cost of new software, a customer will spend thousands, and in some cases millions of dollars more implementing new software. These costs and any potential damages need to be considered when negotiating the agreement. One very important fact to keep in mind is that the right to recover costs and damages can be wiped out if the implementation agreement incorporates the terms of the license agreement, or is attached as an exhibit or schedule to the license agreement. In that case a court may decide that the terms of the license agreement limit the liability of the implementer.
Liability for Third Party Vendor Conduct
By John D. Finerty, Jr. and Ben Kaplan, Michael Best & Friedrich LLP
Many services in today’s economy are being outsourced to third-party vendors, such as law firms, accountants, human resource consultants, payroll processors, recruiters and credit card processors. But it is difficult if not impossible to outsource liability. Regulators in some industries, and an increasing number of courts in jurisdictions across the country, are holding companies liable for mistakes made by their vendors. The banking industry in particular has had to deal with vendor liability issues, via regulations imposed by the FDIC and by Dodd-Frank, but it’s only a matter of time until similar standards apply outside banking and financial services. The authors provide a short list of best practices derived from the financial sector’s experience with third party vendors. These include conducting due diligence on vendors (because companies in any industry that are not selective in contracting with vendors may face an adverse presumption when their choice is called into question) and requiring vendors to adopt policies and procedures. The three most important policy areas are data security, employee controls and physical plant security. A comprehensive vendor management policy is important, but active enforcement is critical and so is documentation. Make certain your company can prove it managed its vendors and verified compliance. Insurance should play an important role. Implementing best practices and compliance audits will never reveal every risk, so there is no substitute for insuring against third-party vendor liability.
Using Europe’s M&A Regime for Tactical Advantage
By Peter Cohen-Millstein and Nick Rumsby, Linklaters LLP
U.S. companies planning for public M&A in the EU face rules of engagement that are considerably different from those in the United States. Although each EU member state has its own merger and takeover regime, there are a number of common themes. In the UK, target companies are generally prohibited from entering into agreements to provide deal certainty to bidders, regardless of how friendly the transaction. Break fee and other similar arrangements are prohibited. In EU jurisdictions where break fees are permitted, usually they are limited to lower values than a U.S. bidder would expect. While U.S. companies can be placed under prolonged siege, EU merger regimes tend to impose limits on how long a company can be in play against its wishes. While the U.S. system offers acquirers broad latitude in crafting the terms of an offer, a number of EU regimes regulate the substance of offers in ways that can appear onerous to bidders. Consistent with the idea that bids should be determined by target shareholders (rather than target boards), and as a counterbalance to some of the rules that can seem onerous to bidders, in most EU countries there are restrictions on targets taking action designed to frustrate a bid. Unlike Delaware, where an acquirer only needs to acquire a majority of target shares to squeeze out all shareholders, in Europe a bidder will typically need to gain control of 90-95 percent of the shares.
Cybersecurity
Planning for Trouble
Sponsored Supplement to Today’s General Counsel
Illustration by Roy Scott
Corporate data breaches are increasingly common—and increasingly costly. According to the Ponemon Institute’s 2015 data breach report, each lost or stolen record with sensitive information costs a company, on average, $154, up from $145 the year before. Data breaches can spawn a range of costly legal issues. Regulatory agencies are keenly interested in corporate data security, and the risk of private lawsuits is increasing as well. In June 2015, for example, the 7th Circuit Court said that plaintiffs could have class action standing in data breach cases where there was not yet any injury-in-fact, but simply the reasonable likelihood of future injury. And in August 2015, the 3rd Circuit said that the Federal Trade Commission can regulate corporate cybersecurity and continue its lawsuit accusing a hotel operator of failing to protect consumers’ information. All of this means that cybersecurity is no longer an IT issue, but rather a business and legal issue—one in which the general counsel needs to take a key role. “IT and cyber risks pose some of the most dangerous, elusive, and costly threats to companies,” noted a recent report from FTI Consulting. A study by that firm found that 86% of surveyed general counsel are either extremely concerned or
concerned about cyber risk. Unfortunately, that’s a well-founded worry. The multifaceted, distributed nature of corporate technology—combined with relentless attacks from hackers—makes data breaches fairly likely. Thus, while it’s critical to do all they can to protect data, companies also need to plan for the worst.
Thinking Ahead
A key element in data-breach preparedness is the incident response plan. This plan should be developed with input from the legal, finance, and HR departments as well as the executive team—and it should spell out what the company will do following a breach. “From the moment you become aware that your organization suffered a breach, you have to make many decisions,” says Chris Pogue, senior vice president, Cyber Threat Analysis, at Nuix, a provider of cybersecurity and other solutions. “It’s critical to think through as many of these decisions as you can beforehand.” For example, who will be notified and when? “There are 47 different breach disclosure notification laws across the states, four within U.S.-governed territories, and 14 attorneys general who have unique reporting requirements—along with the clients that you are contractually obligated to notify when there’s a breach,” says Pogue. In preparing for a breach, it’s also important to have the necessary relationships and communications channels in place with various external service providers. “That way, organizations can build trust relationships with selected partners,” says Pogue. “When there is a breach, people in the company might think that their head is going to roll, so they may not be very forthcoming in discussing the problem. Engaging with partners ahead of time helps minimize that level of fear.” He also recommends having outside counsel—people who are “focused on dealing with data breaches day in and out”—on retainer and ready to respond. “Without these pre-negotiated relationships in place, you may end up calling your third or fourth option,” he says.
How Well Does It Work?
Perhaps most important, the response plan should be put to the test with some regularity, through drills and realistic simulations. For example, companies can conduct penetration testing—essentially having outside experts try to hack into the corporate system—to find security weaknesses. Pogue says the incident response team should also be incorporated into this process to assess its ability to detect and respond to real world attack scenarios. “Is the response team seeing the outside team’s activity in their alerts? Are detection methods working properly?” he asks. “If you can’t keep an attack from happening, you’d better be able to detect it as quickly as possible.” That kind of real-world testing can be useful in ensuing litigation, as well. By doing more than simply running through a security checklist—by going the extra mile—companies can be in a position to argue that they have made the required “reasonable effort” to ensure security. Advancing technology can also play a vital role in an effective response. For example, Nuix provides a sophisticated best practice-based incident response solution that quickly collects and analyzes large amounts of data to guide response teams to key evidence needed to investigate a breach. Overall, planning ahead can help companies fend off litigation and comply with increasing regulatory scrutiny—which in turn can help them contain the costs and reputation damage from an all-too-likely data breach.
Intellectual Property
Differing IP Enforcement on Three Continents
By Brad Chin and Kevin Tamm
In the United States, intellectual property practitioners are using relatively new options for administrative IP enforcement through post-grant proceedings at the U.S. Patent and Trademark Office. The European Union is developing the Unified Patent Court (UPC) to provide a common patent court for member states. Meanwhile, China is shifting its focus to the development and implementation of a National IPR (intellectual property rights) Strategy Action Plan. The IPR Action Plan provides for mining, protecting, and enforcing domestic IPR to enhance capacity for leveraging IPR in global competition. As the U.S., European and Chinese economies grow and become more intertwined, IPR owners must understand new enforcement mechanisms in the U.S., Europe and China to maintain a competitive IPR strategy at home and abroad.
THE AMERICA INVENTS ACT
Much has been written regarding the America Invents Act and the new administrative procedures available in the United States to resolve IP disputes. New methods of challenging patents outside of the federal district courts include inter partes review, post-grant review and challenges to covered business methods (CBM) patents. Because the AIA enables federal district courts to stay a case in favor of a resolution at the USPTO, many IP practitioners have seen a slowdown in pending patent litigation and a decrease in new patent litigation filings. These new administrative procedures have historically not been kind to IPR owners. Over 77 percent of patent claims are invalidated by the Patent Trial and Appeal Board. While the ultimate effect these new procedures made available by the AIA will have on future litigation remains yet to be seen, Europe and China are not following the same paths for IPR enforcement.
JURISDICTIONAL PROBLEMS IN EUROPE
Presently in Europe, individual countries’ national courts and authorities of the contracting states of the European Patent Convention (EPC) decide on infringement and validity of European patents. A European patent is granted to an IPR owner by the European Patent Office, and the owner must decide in which European countries it will validate the patent by paying individual country fees and complying with individual country formalities. This system creates a number of difficulties when a patent proprietor attempts to enforce a European patent. In addition, IPR owners face many challenges when acting as a third party seeking the revocation of a European patent. Proceeding in several countries at once brings high costs, the risk of diverging court decisions and lack of legal certainty. Forum shopping has been a problem as parties take advantage of differences in national courts’ interpretations of European patent law and procedural laws. Certain countries have become known as having speedy or sluggish courts, and many firms are aware of which countries to proceed in based on the level of damages typically awarded.
The proposed Unified Patent Court attempts to address these problems by creating a specialized court with exclusive jurisdiction for litigation related to European patents and European patents with unitary effect (unitary patents). The UPC as proposed will include a Court of First Instance, a Court of Appeal and a Registry. The Court of First Instance will have a central division, including a seat in Paris and two sections in London and Munich. In addition, there will be several local and regional divisions in the “Contracting Member States to the Agreement.” Based on the Agreement, the Court of Appeal will be located in Luxembourg. Presently, the Agreement has been signed by 25 European Union Member States. Before it has legal effect, at least 13 more states, including France, Germany and the United Kingdom, will need to ratify it. Many European practitioners believe that the Agreement could be ratified within the next few years, but some resistance has been encountered in the southern European states, including Spain and Italy. It’s important that IPR owners stay abreast of developments with the UPC because it stands to greatly change how IPR will be acquired and enforced throughout Europe.
PROTECTING IP RIGHTS IN CHINA
With the development of its domestic technology, increased availability of human resources, and the implementation of the IPR Action Plan, Chinese enterprises are developing strategic IP portfolios to equip them for competition in the global marketplace. China recently issued “The Further Implementation of the National IPR Strategy Action Plan.” It identifies four objectives: (1) to promote IP creation and utilization, (2) to strengthen IP protection, (3) to strengthen IP management and (4) to expand international IP cooperation.
Chinese enterprises are actively creating and developing strategic IP portfolios to protect IPR both domestically and internationally in order to enhance their capacity to leverage IPR in the global marketplace. Recent statistics from the State Intellectual Property Office (SIPO) demonstrate the rapid increase in patent filings by Chinese enterprises to protect their technology assets, as compared to their foreign industry counterparts. For example, Figure 1 shows the increase of patent application filings at SIPO for both Chinese and foreign enterprises from 2003 to 2014. In 2014, over 2.36 million patent applications were filed before SIPO (about 2.2 million being filed by Chinese enterprises), as compared to approximately 300,000 filed in 2003. In the past 11 years, the number of patent applications filed by Chinese enterprises has grown at an average annual rate of 21.9 percent, as compared to 10.2 percent for foreign enterprises. Similarly, the number of patents granted by SIPO has increased in the past decade, as indicated by Figure 2. In 2014, over 1.3 million patents were granted by SIPO (about 1.2 million of which were granted to Chinese enterprises). The number of patents granted to Chinese enterprises has increased at an average annual rate of 21.9 percent in the last decade, as compared to 13.6 percent for foreign enterprises. Similar trends are observed in relation to the filing for protection of trademarks and copyrights in China.
[Figure 1: Patent applications filed in China. Number of patent applications filed by domestic and foreign applicants before SIPO, 2003–2014, in millions. Series: by Chinese, by foreigners, total.]
[Figure 2: Patents granted in China. Number of patents SIPO granted to domestic and foreign applicants, 2003–2014, in millions. Series: Chinese, foreigners, total.]
Chinese enterprises are also actively enforcing their IPR against other Chinese enterprises and foreign enterprises to improve their position in the global marketplace. China provides two primary mechanisms to enforce IPR: administrative agencies, and judicial proceedings (i.e., civil or criminal actions). Provincial or city-level IP offices govern administrative IPR enforcement. In an administrative procedure, a complainant must provide some prima facie evidence of infringement to the local agency. Remedies include destruction of an infringing product and/or destruction of the tooling to produce the infringing product, and injunctions. The administrative agencies cannot award damages to IPR owners, but the
enforcement of IPR is routinely much quicker than that provided by judicial proceedings. Administrative decisions can be appealed to the People’s Supreme Court. Traditionally, administrative IPR enforcement has been almost exclusively used by Chinese enterprises. This trend is slowly changing, however. All forms of IPR in China can be enforced through civil actions. In rare instances, criminal actions can be raised in cases of serious infringement. Judicial enforcement is the most popular method chosen by foreign enterprises because of the familiarity with enforcing IPR in courts, and civil courts can award both injunctions and monetary damages. Foreign enterprises should also be aware that discovery is not permitted in a judicial proceeding in China, and therefore an IPR owner must rely on private investigation—for example during an administrative action—to prove infringement and damages. Chinese courts offer Chinese and foreign litigants a relatively speedy mechanism for IPR enforcement. The time to trial in China is usually less than a year from the filing of the complaint, compared to at least two years in the U.S. However, the adjudication of an action (for example, a patent infringement case) in China is routinely delayed for one to two years by a concurrent patent invalidity challenge, which can only be conducted by SIPO. China’s recent move to strengthen IP protection by enhancing speedy enforcement further
shows how important it is that foreign enterprises understand IPR acquisition and enforcement. In 2014 China established three specialized courts in Beijing, Shanghai and Guangzhou to handle IP cases. These courts are IP-heavy jurisdictions and are staffed by China’s most experienced IP judges.
[Figure 3: Patent infringement cases filed in China. Number of patent infringement cases filed in Chinese civil courts and administrative agencies, 2002–2014, in thousands. Series: civil courts, administrative agencies.]
Figure 3 shows the rapidly-increasing number of patent infringement cases filed in Chinese civil courts by Chinese and foreign patent holders. Chinese civil courts entertained 9,648 patent infringement cases in 2014, as compared to only 2,080 being filed in 2002, a growth rate of 464 percent. Similarly, patent right disputes are increasing in the administrative track of the Chinese IP enforcement system. For example, 4,684 patent infringement cases were filed before administrative agencies in 2013, more than double from 2012. Similar trends are observed in relation to the enforcement of trademarks and copyrights in China. The growth rates in patent filings (i.e., IPR protection) and enforcement of IPR through administrative agencies and civil court proceedings demonstrate that a foreign enterprise seeking to enter the Chinese market and develop a competitive edge must understand and select the most effective form of IPR protection for its technology, and understand the procedural advantages and challenges of administrative actions and judicial proceedings, to maintain an equal footing with Chinese enterprises.
As free trade increases and world economies become more interdependent, both large established international corporations and individuals should understand the landscape of IPR enforcement world-wide. U.S., European, and Chinese enterprises are creating and developing strategic IP portfolios to equip them for competition with foreign companies in the global marketplace. To do that, they must understand and effectively protect their IPR through proactive methods of registration, and understand the advantages and challenges associated with the use of administrative actions and judicial proceedings, to enforce their IPR around the world. They should develop relationships with local industry partners and legal representatives, gain an understanding of the administrative, regulatory, and judicial requirements for protecting and enforcing their IPR, and work closely with their own legal counsel – a U.S., European, or Chinese patent attorney – who has expertise with navigating the IPR system. ■
Brad Chin is a partner and the IP practice group head at Bracewell & Giuliani LLP. He has a global IP practice with an emphasis on patent protection and portfolio management for U.S. and international clients in China, South Korea, Japan, and the Middle East. brad.chin@gllp.com
Kevin Tamm is an associate at Bracewell & Giuliani LLP. He focuses his practice on patent prosecution in the chemical and mechanical arts. He has experience prosecuting U.S. and foreign patents for large corporate clients, universities and independent inventors, and is admitted to practice before the USPTO. kevin.tamm@bgllp.com
Intellectual Property
How Due Diligence Analysis Drives a Negotiation
By John M. Fleming
Due diligence is the process of evaluating an asset or portfolio of assets to determine benefits and potential issues. Basically, it’s an assessment of pros and cons. Due diligence can allow either or both parties to a negotiation the opportunity to drive the value of the offering up or down, as well as to appreciate the underlying problems that must be addressed. The legal hurdles that must be overcome weigh differently for a potential seller and buyer, and often each has different goals in its analysis of the value of an asset. With any given asset, a seller wants to sell high, and the buyer would prefer to buy low. Confidential, or often shielded from certain entities, a due diligence analysis can have an enormous impact on the negotiation process.
Patents present unique due diligence issues. There are a number of approaches that a patent asset seller can take. Some sellers choose not to perform due diligence and leave it to the buyer, so the buyer will absorb the costs. In the end, however, that will cost the seller more than doing some level of up front diligence, perhaps even before a potential buyer is involved. A seller should approach the sale from the perspective of the buyer. What will a buyer want this for? Which industry will be most impacted by this asset? This is where an infringement due diligence analysis can be a real benefit for a seller. Sometimes a seller may prepare generalized claim charts with regard to a specific entity’s product/services. These charts show a potential buyer how the patent claims stack up and can be a good starting point for illustrating its value.
Emphasizing infringement by a competitor of the buyer, or perhaps the buyer itself, enhances the potential sale value of an asset. A keen seller can divulge enough information without disclosing all of its cards.
Pendency is another relevant issue. An issued patent has a different value to a buyer than an offering that has a pending application at the U.S. Patent and Trademark Office, because a pending case allows the buyer to prosecute claims as it desires. The most important parts of an asset for sale may not be the issued patent itself. Subject matter in the patent application that can be developed and drafted in light of the specific goals of a buyer may be far more important. Accordingly, a seller should try to maintain pendency of an asset for sale throughout a negotiation process.
For a patent buyer, the value of an asset offering is driven toward potential enforcement. Although buyers may desire to acquire an asset merely for defensive purposes – so that another party does not acquire it to bring suit against them – a buyer should be concerned with enforcement and the potential to go after another entity, whether immediately or sometime in the future. Thus, the validity of an asset to be acquired is an important factor in assessing the value. A validity diligence analysis can help inform a buyer about potential prior art that is not of record and that may affect eventual enforcement. The buyer should be assessing the offering as a defendant would – trying to uncover any applicable prior art, turning over any stone that could limit the scope or enforcement, and trying to discern the area of a non-infringement contention. Similarly with respect to infringement: A buyer should seek to assess the potential for an infringement action
against a third party, whether through charts provided by a seller or independently. In either case the buyer should look critically. The effect can be twofold. If the asset is pending, then even if the claims have problems, or do not read directly on a competitor’s product/service, additional claims may be drafted that do read directly. A buyer can seek to drive down the cost of an acquisition by discussing the weaknesses with the seller, without divulging the potential correction or removal of the weaknesses in a pending application. Whether buying or selling, a party should appreciate the cost of correction associated with an asset. Many issues regarding a patent can be fixed with time and money. A patent owner can file a Certificate of Correction, often with a fee. Larger problems can be corrected with a reissue filing of the patent, also with applicable fees. Ultimately, many issues can be addressed through some form of filing with the USPTO, but the costs and potential repercussions vary widely. A due diligence analysis can identify these issues, to allow a buyer or seller to better
appreciate the underlying cost or risks associated with correction. Again, these costs and risks can be used to drive the negotiation process. Due diligence is often conducted by the buyer, because the buyer has the biggest risk, namely acquiring something of no value. Although a seller may not be selling the asset at market price, it still receives some compensation. Still, due diligence analysis by a seller is beneficial in comparison to the cost. A negotiation often includes a back-and-forth discussion, with the need for due diligence by both parties. The process is akin to a used car deal, where a dealership wanting to sell a customer a nice car will tune the vehicle, wash it clean, vacuum it, and fix any aesthetic blemishes, all to win the heart of a buyer. Meanwhile, a potential buyer should be researching the vehicle’s pros and cons, researching the dealership, the vehicle’s market value and how it’s trending, and also getting an independent evaluation of the vehicle by a mechanic. All these things cost both parties money but help drive the cost to an agreed-upon medium. Like a car, a patent is a form of personal property and should be treated as such when assessing whether to acquire or let go. In most cases, a broad view of the positives and negatives in a portfolio offering derived through due diligence should steer the negotiation process on both sides of the deal. ■
John M. Fleming is a principal shareholder in the Washington D.C. office of Banner & Witcoff Ltd. He concentrates on preparing and prosecuting utility and design patent applications in a variety of technical fields, while participating in litigation matters, client counseling and opinion work. jfleming@bannerwitcoff.com
Cybersecurity
The Case for Lawyers as Cyber Risk Leaders
By Steven Chabinsky
My strategy during this trial is straightforward and I will be brief. Allow me to submit to you that attorneys are fully capable of driving cyber risk management discussions and outcomes, and there are two compelling reasons for them to do so. First, there is exceptionally strong client demand. Lawyers, whether corporate or outside counsel, increasingly are expected to understand the implications of cybersecurity when providing advice relating to privacy compliance, contract compliance, data breach response, data breach litigation, M&A due diligence and insurance coverage. The facts will show that the lawyer, as a trusted neutral advisor, also is uniquely qualified to help clients navigate risk considerations that must conform customer deliverables and workforce expectations to adequate security and shifting legal requirements. Second, there is the important matter of complying with professional ethics obligations. Criminal hackers and foreign intelligence operatives (notably from China) are actively and successfully stealing sensitive information from law firm networks and from in-house counsel. As lawyers rapidly adopt new technologies, the facts will show that they must consider the security ramifications. We will accept as true that most attorneys recognize that their ethical obligation of confidentiality requires that they protect privileged communications stored on computers or transmitted through mobile devices. Perhaps less obvious is that a cyber-security requirement extends directly to an attorney’s ethical obligation of competence.
We will hear that at least one state bar expressed its opinion that “an attorney must either have the competence to evaluate the nature of the potential threat to the client’s electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end, or if the attorney lacks or cannot reasonably obtain that competence, retain an expert consultant who does have such competence.” A long line of attorneys will testify that one of their most common concerns about becoming cyber risk leaders is that they don’t have the right technical background. We will demonstrate that
this is a non-issue. The facts will show that attorneys do not need to know their way around the enormous complexities of network security implementation, which we acknowledge often falls outside their competence. Rather, the evidence will show that attorneys are more than capable of becoming, and must in fact become, expert in understanding, implementing and overseeing the logical and iterative process of cyber risk management.
PRESENTATION OF EVIDENCE
We move to introduce only one exhibit on direct, the Framework for Improving Critical Infrastructure Cybersecurity, from the National Institute of Standards and Technology (NIST), an agency of the Department of Commerce. It is freely available to lawyers and non-lawyers alike and can be easily googled. Not including the appendix, it’s only 17 pages long. At the risk of being argumentative, we can say that every attorney can find the time to read 17 pages, and none will testify to the contrary. Looking at Exhibit 1, it is the testimony of the first witness that “lawyers can understand and should help lead” a seven-step process:
• To identify organizational mission priorities, scope the systems and assets that support those priorities, and make informed strategic decisions regarding how best to protect them with physical, administrative, and technical controls.
• To identify dependencies of systems and assets, including with third parties, while opining on the legal requirements for protecting data internally and when outsourcing any data processing or data storage needs.
• To create a risk profile incorporating the organization’s ability to identify, protect, detect, respond to, and recover from a breach.
• To conduct a risk assessment that incorporates emerging risks and threat and vulnerability data, in order to understand the likelihood and impact of a cybersecurity incident impacting confidentiality, integrity or availability of data, systems, or services.
• To define the company’s unique cybersecurity target profile of what “good” looks like.
• To assess and prioritize the gaps between the company’s current and target profiles.
• To develop, implement, and oversee an action plan to reduce those gaps.
Moving to our second witness, “attorneys must be prepared to respond when they or a client suffer from an intrusion.” In particular when they are security insurance counsel, attorneys should know in advance whom to call: security (a computer forensics firm, hopefully with a master services agreement already in place in order to avoid delayed response); insurance (to determine coverage and get any required pre-approvals before acting); and counsel (specifically, lawyers skilled in data breach).
CLOSING ARGUMENT
Cybersecurity presents a real and growing risk to attorneys and the clients they represent. In addition to civil and ethical liability that poor cybersecurity may bring to a lawyer’s practice, the issue is becoming a market differentiator. Clients have begun to retain lawyers based both on their ability to provide subject matter expertise and on their ability to adequately secure information. Put differently, attorneys who fail to understand the dynamics of cybersecurity and who also fail to implement adequate information security practices are losing business or in-house promotions to those who do. If you as an attorney are not competent in cybersecurity matters, it is past time to gain those skills and line up your experts. Your clients and the bar expect nothing less. ■
Steven Chabinsky is general counsel and chief risk officer for the cybersecurity technology firm CrowdStrike. He also is the cyber columnist for Security magazine, and previously served as Deputy Assistant Director of the FBI’s Cyber Division. steve.chabinsky@crowdstrike.com
Cybersecurity
Current Landscape of Cyber Insurance
By Alba Alessandro and Alyssa Conn

Data breaches have policyholders scrambling to fit the proverbial square peg into the round hole of their insurance programs. Insurers have pushed back, resulting not only in coverage-related disputes, but also in an emphasis on the importance of cyber policies that address the specific perils of a data breach. A diverse insurance program is now more important than ever. In Recall Total Information Management v. Federal Insurance Co., the Supreme Court of Connecticut outlines a prime example of coverage limitations
under a Commercial General Liability (CGL) policy. In this case, Recall subcontracted with Ex Log to provide transportation services of tapes containing IBM employee information. Federal Insurance Company issued Ex Log a CGL and umbrella policy, naming Recall as an additional insured party. When Ex Log lost the tapes, IBM spent considerable money providing identity theft services, even though there was no evidence that anyone had accessed the tapes, and it sought reimbursement from Recall and Ex Log. The Connecticut Supreme Court held that
under the CGL policy, Federal Insurance Company had no duty to defend. Under the definitions, terms and conditions of the CGL policy, the settlement negotiations did not constitute a “suit” or “other dispute resolution proceeding,” and losing the tapes did not constitute a “publication” that would violate a person’s privacy. Thus the court did not find the requisite personal injury that would trigger the duty to defend. The decision in Recall has left insureds who make claims for a data breach under a CGL policy exposed. Insurance carriers can and are arguing that a data breach
does not constitute a “publication.” An example is a recent Connecticut federal case, The Travelers Indemnity Company of Connecticut vs. P.F. Chang’s China Bistro Inc. The plaintiffs in the underlying actions allege that P.F. Chang’s did not appropriately safeguard customers’ financial information, allowing hackers to access the restaurant chain’s computer systems. In that case, much like in Recall, Travelers asserts that the lack of “publication” does not trigger the duty to defend or indemnify P.F. Chang’s in the class action suits. These are the scenarios that cyber-policies are meant to protect against. It’s the nascent state of cyber-specific insurance policies that accounts for many open coverage questions. But in Travelers Property Casualty Co. of America v. Federal Recovery Services, a case being called the first cyber-related liability dispute, the Utah federal court found that typical insurance coverage issues of policy interpretation do apply to a cyber-related fact pattern. Specifically, the court in this case discusses whether the “Technology Errors and Omissions Liability Form” absolved the insurers from their duty to defend. In the underlying dispute, Federal Recovery Systems, a business providing data processing, storage, and transmission services, allegedly refused to return member account data that it had handled for Global Fitness. The case turned on whether the terminology “errors and omissions” in the policy was broad enough to include withholding of data, regardless of the reason. Citing the general rule that “an insurer’s duty to defend is determined by comparing the language of the insurance policy with the allegations in the complaint,” the court reasoned that Global Fitness’s allegations of “knowledge, willfulness, and malice” would not trigger Travelers’ duty to defend. Thus, issues of policy interpretation, concerning either overly narrow or broad language, are still relevant. 
Insureds can avoid interpretation problems through careful and active negotiation of the policy language. One case to watch is Columbia Casualty Co. v. Cottage Health System, filed
in California federal court in 2015. The complaint alleges that the insured failed to follow the “minimum required practices” outlined in the cyber policy, thereby releasing Columbia Casualty from its duty to cover the settlement costs. These minimum practices were outlined pursuant to a risk control self-assessment that Cottage Health Systems completed as part of its application. The requirements included maintenance of security patches on its systems, regular reassessment of its information security exposure and risk controls, establishment of systems to detect unauthorized access or attempts to access sensitive information stored on its servers, and controlling and tracking all changes to its network to ensure that it remained secure. The insurer seeks a declaratory judgment for reimbursement of defense and settlement payments. While the underlying matter in Columbia is guided by HIPAA, the case raises the question of how cyber liability insurance “minimum required practices” will evolve. Under the authority of the “unfairness” provision of the Federal Trade Commission Act, companies must at a minimum establish a privacy policy and abide by it. However, unlike the European Union (with its Commission’s Directive on Data Protection in 1998), the U.S. federal government has limited technical data security requirements to the healthcare industry. Consequently, cyber liability insurers have little to go by in developing these provisions, and that can result in wide variations in policy coverage. An added bonus of the application and underwriting process is that insureds will be able to identify cybersecurity issues and address them early. One source insurers and insureds alike could turn to for guidance is the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity. The Framework, a collaboration between the public and private sector, offers a voluntary approach to address and manage cybersecurity risks. 
It is composed of three parts. “Core,” the first part, is a set of common activities that should be used in all programs. It demonstrates a high-level view of risk
management. The second part, “Tiers,” includes four tiers describing the rigor of risk management and how closely it is aligned with business requirements. It allows users to evaluate cybersecurity implementation and manage risk. Part three, “Profile,” helps an organization align cybersecurity activities with its own business requirements, evaluates current risk management activities and prioritizes improvements. Another good source is the guidelines for cybersecurity from the International Organization for Standardization (ISO). These guidelines provide a framework for information sharing, coordination and incident handling. Insureds can also take advantage of other types of policies in the market that cover cyber-related threats. Some insurers, for example, offer an add-on to standard crime policies for “social engineering fraud.” It covers policyholders in the event that employees are misled into sending money or diverting information based on fraudulent emails or other means. Given the trend towards increasing risk of cybersecurity breaches, policyholders will be better armed to mitigate damages by diversifying their coverage across different types of policies. ■
Alba Alessandro is a partner at Hodgson Russ LLP. She concentrates her practice on insurance coverage matters, with a focus on directors and officers liability, and cyber-liability and the cleantech family of industries, including solar, water, and wind energy. aalessan@hodgsonruss.com
Alyssa Conn was an intern at Hodgson Russ, and is a student at Rutgers School of Law in Newark, New Jersey, where she is a law review staff editor, Child Advocacy Fellow and president of the International Law Society. aconn2@gmail.com
E-Discovery
Applying “Moneyball” to the Legal Department
By Andy Wilson

Twenty years ago, baseball front offices chose players based on appearances, superficial metrics and rudimentary analytics. They bankrolled crusty scouts who would evaluate talent
by box score and physical stature, not appreciating that batting average is one part dumb luck, or that bat speed, not the ability to fill out a jersey, correlates highly with home run power.
Fast forward to the age of “moneyball,” a management philosophy that seeks to enhance performance through innovative analysis and use of data. Moneyball was at once a debunking
of the subjective signposts long thought to be determinants of success and an awakening to the powers of rigorous empirical analysis. It was as much a revolt against intellectual laziness as it was a bid for competitive advantage. These days, smart, cost-conscious teams focus not on the performance of individual silos (the bullpen, the outfield platoon) or standalone stats (stolen bases, RBIs), but on how these pieces – and pieces of intel – complement each other to perform as a whole. They mine advanced statistical formulas to project success, identify opportunity, exploit market inefficiency and calibrate resources. And, above all, they share information across the organization, with the assumption that data of value to the GM is also important to the manager, the pitching coach, the training staff and so forth. The results are unity of purpose, operational efficiency, and decision making that yields better results. It didn’t happen overnight, but intelligent ball clubs came to an important realization: Data is everywhere, and the ability to use that data in inventive ways is the key to driving higher performance across the organization at lower cost with less risk.

THE DATA-DRIVEN LEGAL DEPARTMENT
Moneyball has important analogues and lessons for business-minded legal departments. It is among the most distinct examples of how the abstract concept of information governance can be applied in concrete terms. It shows how Big Data can be harnessed and brought to bear to realize benefits across departments. What are “sabermetrics,” after all, if not a rigorous application of Big Data? The same data revolution that gave rise to moneyball is underway in legal departments across the globe. Just as effective moneyball redounds to all areas of an organization, so too can savvy legal teams spearhead data-driven change that bridges departmental gaps, positively affecting compliance, security, risk, records management and revenue.
Electronic discovery is a thorny process under legal’s purview that both cuts across all these competencies and is ripe for a more data-focused assessment. Discovery, as most legal practitioners have come to lament, is among the most expensive, complicated and risky aspects of litigation. But it can be streamlined in a way that brings companywide value. Consider, for example, large organizations that routinely face similar types of lawsuits or regulatory investigations. Most begin discovery from scratch at the outset of every incoming matter, even though there is likely to be heavy overlap in the information and custodians at issue, the repositories to be probed, and the documents to be produced from case to case. Data-driven legal departments, by contrast, will reuse document collections and privilege decisions for similar matters, only supplementing them if necessary. They will track document review costs by matter type, using data obtained from previous matters to project future costs, and budget accordingly. They will make decisions about whether to fight a case or settle by weighing the amount in controversy with legal fees incurred from recent cases. And they will look carefully at the documents and information likely to be relevant, to assess the validity of the case and expected outcomes. Data-driven legal teams make small wins felt in a big way. Assume, for instance, you know emails authored by your chief technology officer have been, and likely will continue to be, relevant to serial patent litigation claims. How much time and money can be saved, and business disruption averted, if those emails are archived and readily producible when a discovery request hits? Data-driven legal departments can answer that question to the decimal point, pointing to the impact on the organization’s bottom line and making those cost-savings known across the executive suite. 
In the same vein, counsel who track performance of document reviewers by speed, accuracy and ability to identify important issues are better positioned
to reassign or eliminate under-performers and place superior personnel where they are needed most. Certainly this same benchmarking can be leveraged in other cost-intensive areas as well.

TECHNOLOGY EMPOWERS CHANGE
It’s the emergence of robust technology that has made such data-driven decision-making a reality. The best tools empower collaboration with intuitive platforms that are widely accessible, transparent and easy to use. They facilitate sound judgments by measuring and making sense of seemingly inscrutable volumes of data. They illuminate black boxes. They turn information into knowledge. In an increasingly cutthroat corporate environment where every penny is pinched and every belt tightened, it is not enough to do business as it was done before, to rest on laurels, or to turn an indifferent eye toward the widely-accepted benefits of using data smartly. That way of thinking cost an entire generation of baseball executives their careers. The confluence of powerful technology and Big Data is revolutionizing every facet of our lives, and it has transformed an institution so stodgy as to be known as America’s Pastime. It is time for legal to embrace what it has long avoided. Leveraging data wisely can’t ensure success, but ignoring it will secure failure. ■
Andy Wilson is CEO and co-founder at Logikcull.com, which he launched in 2004 with CTO and co-founder, Sheng Yang. He established Logikcull’s product and marketing strategy, which focuses on simplifying and democratizing the discovery process. Andy.wilson@logikcull.com
Ingredients of a Sound Legal Hold
By Scott Wandstrat

For in-house counsel, there is general angst around e-discovery, and that’s understandable. Mounting costs, rampant techno-babble, and the constant threat of headline-generating sanctions are enough to make anyone queasy. And it’s true there has been a documented uptick in both the
volume of filings asking for discovery sanctions and orders granting those requests, and that trend doesn’t seem to be abating. The most common ground for these filings? A failure to take reasonable steps to preserve potentially relevant documents and data. Companies that
aren’t mindful of their preservation obligations are exposed to the possibility of significant sanctions. The best protection against this threat is to institute a legal hold. That is, to take prompt, affirmative and reasonable steps to ensure that the company is
(continued on page 39)
Avoiding Flotsam in Large Volumes of Data
By Jim Gill

Findings from a recent survey indicate that searching through vast amounts of electronically stored information (ESI) to find responsive data is the number one challenge for both IT and legal teams at global enterprises. The survey, conducted by Exterro Inc. in July of this year, reflects 208 responses received from in-house attorneys, IT, paralegals and litigation support professionals. “Finding relevant ESI for e-discovery remains the number one challenge for in-house legal teams,” said Bill Piwonka, chief marketing officer at Exterro. The respondents in the July survey represented a wide variety of industries,
including financial services, energy, oil and gas, technology, healthcare, pharmaceutical and manufacturing. Overall, the survey ranked the biggest obstacles for finding responsive ESI as follows:
• Searching through large amounts of data (39 percent).
• Identifying / accessing data sources for collection (35 percent).
• Developing search criteria for determining document relevancy (15 percent).
• Using in-house e-discovery search / collection software effectively (8 percent).
• Working with third-party collection / processing providers (3 percent).
Here are some specific responses:

Attorney: “My organization still has a large amount of data in hard copy form that is located in a number of offices throughout our service territory. There is a high risk of us not finding responsive documents simply b/c we don’t know they exist.”

IT: “We have a huge volume of unstructured data. Identifying and collecting from this data is daunting. The sheer volume also is a barrier to proper governance and retention.”

Paralegal: “Data in our company is everywhere. So finding the right sources is a challenge and sometimes it is difficult to get the data out of the sources they reside in.”

[Figure: “What is your biggest obstacle in locating potentially responsive data?” The Biggest Obstacles in Locating Potentially Responsive Data Survey © Exterro, Inc. 2015]

To help legal professionals maneuver around some of these obstacles in searching for responsive data, here are some tips that will save time and enable working more efficiently with the numerous teams involved in the e-discovery search process. First, establish what is wrong with current search models. Many legal teams don’t even have search tools to help with the discovery process, and if they do they often have to use a combination of tools, at times from different vendors. Even with search tools, a knowledge of correct keywords and stopwords, as well as indexing various forms of ESI (email attachments, embedded audio, metadata) is required for a successful search. A variety of potential negative external outcomes can arise using these current search models. The first is the underproduction of documents due to the inability to locate responsive data – which can lead to sanctions, the opposing side possibly having information that your team doesn’t have, and the inability of your team to create effective strategies because of the lack of information. This possibility results in e-discovery teams casting too wide a
net. Lawyers by nature are risk averse, and because of the potential negative outcomes of an under-producing search, they tend to over-collect, involving more custodians. That is time consuming, costly and inefficient. So how do legal teams improve?
• Get involved early. As soon as possible all players in the process should work together. Counsel, IT, search tool providers, employees, former employees, records managers, compliance departments – the sooner they all can be brought on board, the more likely they are to avoid a latency gap, which can amount to an elementary school “game of telephone.”
• Create an e-discovery liaison role. Many legal teams (61 percent according to our user poll) use a dedicated e-discovery liaison whose role is to understand IT and legal needs, as well as the capabilities of search technology, and who can communicate these to both sides.
• Understand search parameters better. Understanding Boolean logic and being able to effectively use it; being able to understand the nuances of date-filtering and other metadata; having a process in place for searching folders and files with no clear custodian – these can mean the difference between an efficient search and useless time spent looking through irrelevant data.
• Make attorneys understand search capabilities. Many attorneys aren’t aware of what it takes to carry out a successful search. We’ve become spoiled by Google, thinking you simply type in a few keywords and get relevant data in return, without realizing all of the behind-the-scenes curation that goes on to make that happen. At the same time, many attorneys don’t realize there is technology available that can help with this process.

Technology and search go hand in hand. Without e-discovery search technology, searching through terabytes of data would be nearly impossible. One game-changing tool is “In-Place Search,” which David Yerich, Director of E-Discovery at UnitedHealth Group calls “the next leading edge in e-discovery.” In-Place Search analyzes data in its native environment to help expose critical ESI before organizations are forced to collect. This condenses the traditional flow of the e-discovery reference model, moving analysis (which normally falls very late in the process) ahead of collection, so that analysis and search happen simultaneously. This underscores our earlier point, that getting involved early is key. It allows legal teams to cut down on over-collection, to efficiently budget around the number of documents needed for collection, and to begin creating strategy based on the evidence at hand. ■
Jim Gill is Content Marketing Manager at Exterro. Prior to joining Exterro, he spent 19 years teaching college writing and working as an editor. jim.gill@exterro.com
Build a Company-Wide Culture of Compliance
By Brad Harris

Corporate legal departments today are pushing employees to do more with less. But at the same time, as performance expectations increase, current digital technology trends are making the job of the corporate legal department more difficult. A shift in the IT landscape has left corporations creating far more data than before. Moreover, that data is fragmented across a vast digital universe that includes work computers, cloud repositories, personal mobile devices and even “Internet of things” applications. These factors increase corporate risk, because they require companies to manage a growing store of data in accordance with strict and evolving compliance requirements while delivering efficient responses to litigation – all without breaking the bank. Corporate counsel navigating this new digital terrain are realizing that their business-as-usual approach to e-discovery is unsustainable, and they are left feeling unprepared to respond when a litigation fire does break out. Once an organization has gone through an e-discovery crisis, awareness of the true scope of data-related risks becomes apparent, both to C-suite executives and board members. But for innovative law departments, this is an opportunity – to become proactive, and to reposition themselves within the organization as strategic business partners rather than a cost center.
Innovative teams are seeking better approaches, leading them to focus on preservation itself and the basic building blocks for sustainable and predictable e-discovery management. As companies search for a better way to seize opportunities, mitigate risk, improve litigation response and reduce overall costs, a company-wide “culture of compliance” is emerging, with legal at the center. Overall, the mission of the legal department is to help organizations cultivate and capitalize on business opportunities, while ensuring legal and regulatory compliance. It is to mitigate legal risk and costs, and to reduce litigation exposure. It is to provide legal
counsel and representation, litigation and legal risk management, and compliance oversight. It is also to provide counsel on strategy and decision-making for the C-suite, and to advise on the legal implications of policy. To accomplish all of this, the department must perform these services expeditiously and proactively. Still, in many law departments, while the work just keeps on expanding, resources are being cut. DEVELOPING A CULTURE OF COMPLIANCE
To meet the challenge of effective and sustainable litigation response posed by the shifting IT landscape, innovative law departments aren’t just focusing on preservation best practices. They
C-suite, because it involves a dramatic cultural change within the organization. How do you transform the corporate culture so that compliance becomes an integral part of corporate business strategy? There are four key elements: building strategic alliances and effective communication across the organization, assessing and monitoring risk, investing in employee training and effective education, and establishing meaningful policies, procedures and practices. • Building Strategic Alliances and Means of Communication. Innovative legal departments seek understanding and input from all affected stakeholders, including inside and out-
the benefits of adopting new tools or applications, taking into consideration how they might foster innovation or operational efficiency, at the same time understanding in detail how the these tools maintain and provide access to data should it be necessary to respond to litigation. • Investing In Employee Training and Education. Another key component of creating a culture of compliance is providing quality, relevant and timely training and education to employees. Innovative organizations often develop programs from their records information management (RIM) office working in tandem with the legal department.
Policies should address which data is retained, which devices can be used and under what circumstances, where data can be stored, and the retention time for different types of information. are developing a culture of compliance. That means that employees come to understand that compliance is more than a legal concern. It is intrinsic to the success of the business. A compliance-focused culture involves a combination of best practices and the implementation of user-friendly technology that supports and automates many of those practices, with an eye toward greater accuracy, efficiency, and visibility. Innovative law departments are also seeking solutions that empower their in-house legal teams to do the work surrounding litigation rather than outsourcing it. They want those in-house teams to have optimal control and visibility over the discovery process, so they are in a better position to focus on the substance of legal matters and more quickly resolve them. An essential component of a culture of compliance is carrying out the duty to preserve data in the face of potential litigation or investigation. Proactive preservation readiness requires enterprise-wide attention and focus, with buy-in from the
side counsel, e-discovery specialists, IT, records and information management specialists, and risk management professionals. In part, this is done because it results in greater buy-in to the policies governing information and risk. The development of sound preservation policies should be the work of a diverse team of professionals from across the organization, and they should be ready to discuss the risks and rewards of establishing specific policies. One goal of these discussions is for team members to gain a better understanding of each stakeholder’s area of expertise and what each is trying to accomplish. • Assessing and Monitoring Risk. Risk is inherent in doing business. Therefore assessing and monitoring risk is critically important, but there is no one-size-fits-all prescription. A company’s risk profile is influenced by the unique requirements of the business, the specific challenges it faces in the marketplace, its current goals and priorities, and its risk tolerance. Companies must, for example, assess
Incorporating preservation training into a records-retention training program, for example, can ensure that new hires and current employees adhere to preservation best practices. Training in a culture of compliance is not a one-shot affair. Periodic training on data preservation should be provided. That could be part of new-hire training, annual refresher training, or “just-in-time” training at the time of the hold. Regardless, it is imperative that employees know what to do and when they need to do it. Companies should also be tracking who needs to be trained and documenting when training has occurred. • Establishing Meaningful Policies, Procedures and Practices. This is the final pillar of a culture of compliance. Policies should address which data is retained, which devices can be used and under what circumstances, where data can be stored, and the retention time for different types of information. Policies may even dictate a standard for preservation, such as
37
Dec/Jan 20 16 toDay’s gEnEr al counsEl
E-Discovery
incorporating automated processes in relation to managing preservation efforts. The goal for all policies is to be effective, efficient and adaptable. They must also be reasonable and defensible, and take into consideration the impact of
that underscores the importance of defensible processes. Innovative law departments know that most cases don’t go to trial. They also know that if the case can be resolved with a smaller data set, they will
When the hold process is more intuitive, the legal team can spend less time on basic follow-up and more time on making strategic decisions that will help move cases forward. technology on the creation and storage of data. The retention schedules must reflect constantly changing regulatory and business needs, while also addressing differences across jurisdictions and geographic boundaries.
38
TECHNOLOGY TO SUPPORT E-DISCOVERY
Corporate legal teams know that e-discovery currently is simply too costly. That’s one reason innovative law departments are focusing on implementing solid preservation processes and developing a culture of compliance. They know that once they get their preservation process in order by establishing standardized, repeatable, trackable and automated preservation processes, everything becomes more efficient and cost-effective. Companies can reduce their downstream spend for collections, processing and review, because they are in a position to collect only what they need, when they need it, when a legal matter arises. Surprisingly, many corporations are still using manual processes for managing the legal hold notification process. In our 2015 Legal Hold and Data Preservation Benchmark Survey Report, more than half of survey respondents participating said they still use manual processes for tracking litigation holds, while 3.5 percent communicate litigation holds verbally. Moreover, 34 percent of respondents report having to defend their preservation efforts, a finding
have saved vast amounts of time and money. Law departments that focus on optimizing for a defensible process will reap the best results. Keep in mind the court’s standard is not perfection. As Judge Scheindlin pointed out in Pension Committee, when it comes to data preservation, collection and production, the standard requires reasonableness and good faith efforts, coupled with competency. A focus on best practices is what allows innovative law departments to take a more proportional and strategic approach to discovery, in the knowledge that electronically stored information is defensibly preserved. Automation and standardization can go a long way toward helping the legal department communicate more effectively with employees and change company culture with regard to preservation. Dawn Radcliffe, Manager, Discovery and Legal Support at TransCanada Pipelines, points out that their investment in legal hold automation technology provided an unexpected benefit: The software serves as a real-time educational tool regarding the components of a defensible process for employees. As employees use the technology, they take their role in the preservation process more seriously. Employees become more aware of the legal department as a strategic company resource, which in turn drives proactive behavior from employees. Success like this, however, requires technology that’s easy to use. Innovative
corporate law departments have made significant strides in improving custodian acknowledgment rates through implementation of purpose-built, user-friendly technology that supports preservation best practices. For example, Brett Tarr, e-discovery counsel at Caesars Entertainment, saw custodian acknowledgment rates nearly double for the initial legal hold notification after implementing an intuitive legal hold automation tool. When the hold process is more intuitive, the legal team can spend less time on basic follow-up and more time on making strategic decisions that will help move cases forward. In today’s corporate environment compliance is no longer the exclusive concern of the legal department. The risks and complexities associated with exploding data volumes and increasingly diverse sources of data are forcing companies to regard compliance issues in a strategic light, and to regard sound data preservation practices as a business imperative requiring cultural change across the organization. An important part of establishing this culture of compliance is investing in the front end of the preservation process – automating it, to make the process more efficient, repeatable and trackable. That way, companies can be confident they are collecting only what they need, when they need it. ■
Brad Harris is vice president of products at Zapproved, Inc. His more than 30 years experience in high technology and enterprise software includes assisting Fortune 1000 companies with e-discovery preparedness. He is an author and frequent speaker on data preservation and e-discovery issues, and has held senior management positions at public and privately held companies. From 2004 to 2009, prior to joining Zapproved, he led the development of electronic discovery readiness consulting efforts for Fios, Inc. brad@zapproved.com
E-Discovery
Sound Legal Hold
continued from page 32
properly preserving potentially relevant information. As you probably know, the legal hold starts with the prompt distribution of the eponymous “legal hold memo.” But be careful not to think of this memo as the beginning and the end, or a single box to be checked. It’s a process, one that spans the life of any particular matter. At its most basic, the memo is the directive that is sent to each person—also known as a “custodian”—with control over information that is in a client’s possession, explaining (in plain English, steering clear for example of words like “eponymous”) the who, what, when, why and how of preservation. The legal hold memo should avoid sending a message along the lines of everyone who might have anything should save everything forever. While that might be easier in the short-term, it’s not practical. Nor is it in a company’s best interest. Preserving information comes with both hard and soft costs, ranging from storage space and the operation of computer networks to business interruption and the hassle of having to wade through an expanding sea of data. So if “save everything” is out, what should the legal hold notice say? To answer, let’s talk about the who, what, when, why and how.
Who
To figure out who needs to receive the legal hold notice, you’ll need to invest some time at the outset to figure out what the matter is about and what people have control over the relevant documents or systems. If you have a complaint, demand letter, or subpoena, start there. With that rough sketch, it’s a best practice to then follow up by interviewing key players, figuring out not just what their perspective is on the merits of the controversy, but also where potentially relevant information might reside. But don’t forget that your employees are just one possible group of custodians. There may be third parties – lawyers, accountants, cloud data-hosting providers or others, who need to receive the legal hold notice.
What
Take care to explain what the dispute is about and what categories of information need to be preserved. The goal is to arm the recipients of the hold with the information they need to realistically determine whether any particular piece of information is subject to the hold. This is the part of the memo that should be edited ruthlessly. Does the custodian need to know the case style or where the lawsuit is pending? Will the custodian understand what “misappropriation of trade secrets” means? Or should you just say that Company X claims we stole secret information about their Shiny New Product? In terms of the categories of information that should be preserved, good practice is to define them broadly, so that the custodian does not have to make a series of fine distinctions to figure out whether a particular document needs to be preserved.
When
The custodians should know that their immediate compliance with the hold is expected. But timing also comes into play with regard to the preservation obligation. Is this a dispute where you need documents only from months or years ago, or is potentially relevant information continuing to be generated? It’s important to educate custodians to the nature of the obligation and how it might impact their decision-making when it comes to disposing of any information.
How
One of the frustrating parts of e-discovery is that sometimes well-intentioned custodians can end up altering the data they are supposed to be preserving. Seemingly harmless steps, such as moving the information to a new location, for example, can alter the metadata of that document. In those cases where that kind of metadata is relevant, an adversary can assert a spoliation claim simply based on the effort made to meet its preservation obligations.
The more cautious approach is to advise the custodians to preserve the data that they have “in place,” so that if necessary you can engage more experienced technologists to extract the information in a way that won’t alter the metadata. That’s what people typically mean when they refer to a “forensically-sound collection.”
Why
The legal hold memo should explain why preserving data is important. In addition to holding on to information that could help your case, preserving potentially relevant information avoids costly battles about spoliation, adverse inferences, monetary penalties and, in the case of government investigations, the possibility of an obstruction of justice charge. No legal hold memo is perfect. A legal hold, by necessity, is issued early in the litigation life cycle, when the landscape of the dispute may still be hazy and undefined. So when it comes to crafting the initial legal hold memo, don’t let perfect become the enemy of the good. The standard imposed by the discovery rules is one of reasonableness, not perfection. Once you’ve sent the initial legal hold, remember your work is not done. As more about the dispute is discovered, or as the focus of the litigation shifts, the legal hold should be revised as necessary. Moreover, even when things don’t change, the best practice is to remind custodians about preservation obligations periodically throughout the litigation or investigation, because the duty to preserve is ongoing. ■
Scott Wandstrat is a partner at Arnall Golden Gregory LLP, in the Litigation, Healthcare, and Governmental Investigations and Special Matters practices. He also chairs the firm’s Electronic Discovery Practice. scott.wandstrat@agg.com
Labor & Employment
2015 Was a Big Year for the NLRB
By Christina L. Lewis
As 2015 draws to a close, it’s a good time to reflect on lessons learned from some of the key National Labor Relations Board (NLRB) rulings of the past year, which was an extremely active one. Perhaps most notably, it ruled in August that California-based Browning-Ferris Industries is a “joint employer” of workers it hires through a temporary agency. This has been called the NLRB’s most significant ruling in 35 years, but it is not the only important decision coming from the Board in 2015. In March, it issued guidelines for writing employee handbooks that will avoid problematic and overly broad workplace policies. Then, the Board’s new “expedited” rules and procedures for union representation elections, which became effective in mid-April, significantly shortened the election process.
Let’s take a closer look at these developments and what they mean for employers and their counsel.
REDEFINING “EMPLOYER”
The basic question addressed by Browning-Ferris is “What constitutes an employer?” Before the ruling, the NLRB’s standard for joint employer was not much different than that of other agencies, including the Department of Labor and the Equal Employment Opportunity Commission. The key was whether or not both employers exerted control over the terms and conditions of employment. With the Browning-Ferris ruling, the Board has made it clear that the question is not necessarily whether an employer actually exerts control, but whether it could exert control. This broadens the rule considerably. In many situations, a company has no
direct involvement in a decision made by a contractor, staffing agency, or franchisee – decisions such as whether to terminate an employee. As a result of Browning-Ferris, companies are held accountable for such decisions as if they were a joint employer, because they could have hypothetically exerted some control over the decision-making process or the circumstances that led to the termination. In light of this, some companies may simply accept that they are likely to be found a joint employer and decide to take a more hands-on approach with those who are employed by their contractors or franchisees. These companies may conclude they can better control risk by exercising more control over the decision-making process, and by doing so be more likely to establish policies and procedures that prevent disputes
and unfair labor practice charges. An employer may decide, for example, to institute a minimum wage that is higher than the federal requirement in order to attract and motivate workers. Avoiding a joint employer designation, on the other hand, may prove more difficult. To do it, a company would need to distance itself from any decision-making or policy that affects the terms and conditions of employment, including workplace guidelines for the employees of a franchisee, subcontractor or other party. That could include the establishment of performance standards or an employee dress code. It could be especially problematic in the restaurant business, as many franchisers, for example, implement standards to ensure food quality across all franchisee locations.
NEW GUIDANCE FOR WORKPLACE POLICIES
On March 18, NLRB General Counsel Richard Griffin released a 30-page report providing guidance for labor lawyers and human resources professionals on how to create a lawful employee handbook. It was clear from that guidance that the Board could find fault with a number of common workplace policies. It is safe to say that a large majority of employers have at least one workplace rule in their employee handbook that the NLRB could perceive as overly broad. The background here is Section 7 of the National Labor Relations Act, which protects the right of one or more employees to “engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection.” This means employees have a right to assert collective complaints about workplace conditions, and workplace policies need to reflect this. Specifically, the NLRB has made it clear that any rule that could chill concerted activity is unlawful, even if that was not its intent. An overly broad policy might ask employees to refrain from discussing wages or prevent employees from disparaging the company. These rules might have been designed to keep employees from disclosing confidential information and/or injuring the company’s reputation, and not at thwarting concerted activity, but the NLRB has made clear that such rules could chill concerted activity and are unlawful. In short, workplace policies need to take into account an employee’s right to discuss the terms and conditions of employment, and employers need to review each policy in their employee handbooks with that in mind. Any policy that suggests that employees cannot discuss the terms and conditions of their employment needs to be narrowed. The Board has offered guidance for employers on how to draft compliant workplace policies, including sample language, and this can be very useful for employers as they review their own policies.
UNION REPRESENTATION ELECTIONS
One month after the Board issued its report on employee handbooks, its “Final Rules” regarding expedited union elections took effect. They involve the most significant changes to mandated procedures with regard to union representation issues in more than 50 years. Perhaps the most noteworthy was the shortening of the union representation election process from as many as 45 days to as few as 13. In the past, the typical length of a union election was between 30 and 45 days. The process would begin with a
filing of a petition and a pre-election posting. As a next step, any disputes – such as who would or would not vote – would be brought to the Board to be resolved, followed by a waiting period and the election itself. This time period gave employers an opportunity to tell their side of the story, explaining why they thought a union was not in the best interest of the company and its employees. Under the new rules, employers have far less time to have those conversations. In addition, under the Final Rules employers no longer have the right to a hearing and to present evidence on issues such as supervisory status prior to an election. While supervisors can’t vote in an election, they can be key in an employer’s effort to talk about what union representation would mean for the company. Under the Final Rules, supervisory status can only be determined after an election, which clouds who an employer can and cannot utilize to help get its message across to employees prior to an election. It’s clear the NLRB has been favoring labor in recent years, but it remains to be seen whether or not this trend will continue in 2016. The NLRB is a political entity, with the President having the authority to appoint those who are on it, and the Board has the ability to reverse past precedents based on its political leanings. A Democratic presidency would be more likely to lead to pro-union decisions, a Republican presidency to more decisions favoring employers. ■
Christina Lewis is a partner at Hinckley Allen in Boston, where she is the practice group leader for the Labor and Employment Group and a member of the Diversity and Inclusion Committee. She is a counselor to employers regarding employee relationships, and a litigator and trial attorney. clewis@hinckleyallen.com
Labor & Employment
Federal Paid Sick Leave Mandate Sows Confusion
By Summer Austin Davis and Mary Clay Morgan
In an Executive Order released on Labor Day, President Obama declared that businesses contracting with the government will have to provide employees who work on those contracts with paid sick leave. The paid sick leave mandate will apply to federal contracts solicited or awarded on or after January 1, 2017.
The new federal mandate eliminates any question regarding a covered employee’s eligibility for paid sick leave. All businesses that contract with the federal government must provide paid sick leave to “all employees, in the performance of the contract or any subcontract.” To comply with the Order, federal government contractors will have to
provide at least one paid hour of sick leave for every 30 hours worked. That’s almost 70 annual hours of paid sick leave for a person who works 40 hours per week, but don’t panic. The Executive Order does authorize contractors to limit the annual paid sick leave an employee can accrue to a maximum of 56 hours. The paid sick leave mandate applies not only to a covered employee’s own sickness, but also to time the employee spends caring for a family member or other loved one who is sick. The mandate also covers absences resulting from domestic violence, sexual assault, or stalking. The mandate does not require a medical certification to verify the covered sickness unless the employee is absent for three or more consecutive days. While most employers already offer their employees some form of sick leave, federal law does not require paid or unpaid sick leave. Although federal statutes protect employees with disabilities, as defined by the Americans with Disabilities Act, as well as those suffering from or caring for a family member with a serious health condition, as defined by the
Family and Medical Leave Act, no federal statute requires employers to provide time off (paid or unpaid) for employees who are “sick,” which apparently means (according to the new federal paid sick time mandate) having a “physical or mental illness, injury, or medical condition,” or “obtaining diagnosis, care, or preventive care from a health care provider.” Until Labor Day 2015, employers implemented sick leave policies without prodding from the federal government. Theoretically, employers offer sick leave to employees to attract the best employees. Also, most employers probably want to provide incentives for sick employees to stay home so they can recover and will not infect the remaining workforce. Employers also recognize that they get more bang for their buck with a worker who is well than from a worker who is ill or worried about a sick family member or newborn child. Case in point: In early August, Netflix announced that in addition to offering unlimited sick and vacation days, it would also allow employees to take unlimited paid parental leave.
Until now, sick leave policies have been tailor-made and determined solely by individual companies according to their goals and needs. The new federal mandate applies a one-size-fits-all policy to diverse companies in unrelated industries only because they contract with the U.S. government. As a result, several questions arise about the mandate:
• Does it apply to all employees regardless of tenure with the company? What about temporary employees or probationary employees?
• What level of connection to the project is required for the employee to be covered under the mandate? Does it cover a secretary who answers the phone at the contractor’s headquarters?
• What about joint employers? For example, if an employee’s salary is dually funded by two federal contractors, does the employee get to “double-dip” and accrue paid sick leave from each employer?
• Although the mandate does not create a private right of action by the employee for the denial of paid sick leave, would denial be considered an adverse employment action or a material change in the terms and conditions of employment?
• Can employers require employees to use accrued paid sick time in conjunction with leave taken under the Family and Medical Leave Act or leave provided as an accommodation under the Americans with Disabilities Act?
Confusion reigns, but federal contractors can expect some guidance next year. The Executive Order directs the Secretary of Labor to issue federal regulations necessary to carry out the Order no later than September 30, 2016. These regulations will, among other things, identify exclusions to the paid sick leave mandate where appropriate, define terms of the Order, and require federal contractors to maintain employee records that demonstrate compliance. Hopefully, the regulations will provide some much needed clarity. In the meantime, if your company plans to contract with the federal government in 2017, here are some steps you can take now to make sure it is on the path to eligibility for federal contracts:
• If your company already provides paid sick leave to employees, great! Make sure you review your policy and confirm that it follows the minimum requirements of the federal paid sick leave mandate.
• If your company does not provide paid sick leave, draft a policy that complies with the minimum requirements of the mandate. Consider a provision that sets the maximum amount of paid sick time that an employee can accrue at 56 hours.
• Although the paid sick leave mandate applies only to employees, not independent contractors, recall that the U.S. Department of Labor recently declared its belief that thousands of workers are misclassified as independent contractors. Be careful not to rely solely on the labels your workers wear to determine whether the mandate applies to your company.
Despite the creation of the federal paid sick leave mandate, there is no immediate need to make permanent changes to your company’s sick leave policies. Remember that one fact is certain: In January, 2017, a new chief executive will be occupying 1600 Pennsylvania Avenue. Until then, companies should have a plan in place to provide employees working on federal contracts with paid sick leave. Tweak the plan to comply with the applicable Department of Labor regulations (which will be released next year), and wait to see whether our new President will enforce, amend or overturn the Labor Day paid sick leave mandate. ■
Summer Austin Davis is a member of the Labor and Employment Group at Bradley Arant Boult Cummings LLP. Her practice is primarily focused on employment litigation and advising clients on a broad range of topics, from day-to-day employment questions to the drafting of employment policies and procedures. sdavis@babc.com
Mary Clay Morgan is a member of the Litigation and Labor and Employment Practice Groups at Bradley Arant Boult Cummings LLP. She counsels employers on a variety of employment litigation matters, including claims of discrimination, wrongful discharge, FLSA violations, and other matters arising in the workplace. mmorgan@babc.com
Workplace Issues
Leverage HR to Address Risk of Data Breach
By Philip L. Gordon
Philip L. Gordon is co-chair of the Privacy and Background Checks practice at Littler Mendelson, the world’s largest employment and labor law practice representing management. He has years of experience litigating privacy-based claims and counseling clients on workplace privacy and information security. pgordon@littler.com
Recent events demonstrate that a high-profile data breach is a good way for CEOs and other C-suite executives to lose their jobs, for a corporate brand to lose its luster and attract unflattering media attention, and to get embroiled in disruptive and expensive regulatory enforcement actions and class action litigation. Yet, many organizations fail to take advantage of one of the most cost-effective ways to reduce these risks, namely leveraging the organization’s human resources professionals and in-house employment counsel to enhance information security. While dramatic hacks often grab headlines, negligent and malicious employees account for most data breaches. According to the 2015 Verizon Data Breach Investigations Report, 65 percent of data breaches resulted from human errors, insider misuse, or physical theft or loss. One example: The Federal Communications Commission recently imposed a $25 million fine on a telecommunications provider whose call center employees allegedly misused the account information of over 280,000 customers. Even though insiders are the most common cause of data breaches, HR professionals and in-house employment counsel typically are absent from the table when the discussion turns to cybersecurity. Instead, IT and security professionals dominate the discussion of “IT spend” and technological fixes. However, as the Verizon study demonstrates, even the most sophisticated technical safeguards can be undone by a negligent or malicious insider. The HR team can make a difference at every stage of the employment lifecycle without a substantial impact on budgets. Implementing an effective and lawful pre-employment screening program and helping to create a “culture of data stewardship” are among the most important contributions that the HR team can make. Their efforts can be even more effective if the general counsel or other C-suite executives encourage a dialogue between HR and IT to foster a coordinated approach towards information security, security incident preparedness and security incident response.
PRE-EMPLOYMENT SCREENING
Effective background screening can eliminate the insider threat before it ever occurs by identifying job applicants who pose a threat to the employer’s information assets. The HR team can help to identify positions for which applicants should be subject to special scrutiny and for which temporary employees cannot be hired, such as positions involving access to sensitive employee, customer or business information. HR professionals and in-house employment counsel responsible for evaluating background reports can also look not only for prior convictions for identity theft, but also for other crimes indicating an applicant’s propensity to misuse information, such as fraud and forgery. Pre-employment screening can itself expose an employer to significant risks. In the past few years, the plaintiffs’ class action bar has aggressively pursued employers for alleged violations of the federal Fair Credit Reporting Act (FCRA), which regulates the procurement of background checks from third-party consumer reporting agencies. As of mid-2015, nearly 20 jurisdictions – states, counties, and municipalities – have enacted “ban-the-box” legislation to restrict private employers’ inquiries into criminal history. At the same time, the U.S. Equal Employment Opportunity Commission (EEOC) has filed several lawsuits against large employers, alleging their pre-employment screening practices have a disparate impact on African-American and Hispanic job applicants. Consequently, in-house employment counsel should carefully review pre-employment screening practices for compliance with the many federal, state and local laws aimed at helping ex-offenders secure employment.
CREATE A DATA STEWARDSHIP CULTURE
Even applicants whose background has been thoroughly vetted could pose a significant risk if they do not appreciate the importance of protecting the organization’s information assets. HR professionals and in-house employment counsel can play a critical role in getting the message across to new hires, especially to Gen Y employees, 71 percent of whom responded to Cisco’s 2012 Annual Security Report by stating they “do not obey policies” set by corporate IT.
First, HR professionals can ensure that all new hires whose responsibilities will involve access to sensitive data execute a confidentiality agreement. In addition to identifying those categories of information that employees must keep confidential, the agreement should (a) summarize key steps employees must take to preserve confidentiality, (b) require return of the employer’s sensitive data upon termination of the employment relationship and (c) confer on the employer enforcement rights if the employee breaches the agreement. The confidentiality agreement must be carefully drafted. Several federal regulators, including the SEC, the National Labor Relations Board and the EEOC, have been flagging overly broad confidentiality agreements that effectively restrict employees’ rights to engage in legally protected conduct, such as whistleblowing.
Second, training is a fundamental role of HR, and HR can team up with IT to educate employees on information security. Training should address a range of topics, including (a) the employer’s legal and contractual obligations to safeguard sensitive data, (b) the types of information falling within the scope of this duty, (c) the consequences for the employer’s bottom line of a data breach, (d) the steps employees can take to safeguard information and, critically, (e) the situations that constitute a security incident and how to report one. Training should be recurring and be supplemented with periodic security awareness reminders.
Third, HR professionals and in-house employment counsel can update key employment policies to educate employees on their roles as data stewards. These policies might include the code of business conduct, the acceptable use policy, policies addressing the use of personal mobile devices for work, and the telecommuting policy.
Fourth, HR can work with business unit leaders to find ways to recognize employees who take special steps to help enhance information security. These steps might include identifying possible flaws in physical security, like a broken lock, promptly reporting a security incident, or warning co-workers about a “phishing” e-mail.
Finally, the HR team can ensure that the exit interview adequately addresses the protection of the employer’s information assets. For example, HR can remind departing employees of their ongoing obligations under their confidentiality agreement, ensure the return of employer-owned computer equipment, and coordinate the removal of company information from personal mobile devices and online accounts. ■
45
dec/jan 2016 today’s gener al counsel
T H E A N T I T R U S T L I T I G AT O R
The Pro-Competitive Justification By Jeffery M. cross
d
46
uring more than 40 years of practicing antitrust law, a substantial portion of my time has been spent counseling clients regarding marketing initiatives that may involve restraints on competition. Such initiatives may be in vertical relationships – a manufacturer imposing restraints on distributors – or in horizontal relationships, between competitors considering a joint venture or other collaboration. A fundamental antitrust principle in regard to such initiatives is the concept of a plausible pro-competitive justification. This column explores the significance of pro-competitive justifications and what they are. One of the principal antitrust statutes is Section 1 of the Sherman Act, which prohibits agreements between independent economic entities to unreasonably restrain trade. The other principal statute is Section 2 of the Sherman Act, which prohibits a monopolist from engaging in improper conduct to obtain or maintain mono– poly power. A determination of whether any marketing initiative would be lawful under either antitrust statute requires a consideration of whether there are procompetitive justifications.
Jeffery Cross is a columnist for Today’s General Counsel and a member of the Editorial Advisory Board. He is a Partner in the Litigation Practice Group at Freeborn & Peters LLP and a member of the firm’s Antitrust and Trade Regulation Group. jcross@freeborn.com.
There are two general modes of analysis to determine the legality of conduct under Section 1 of the Sherman Act: the Rule of Reason and the per se rule. The Rule of Reason is the presumptive standard. The ultimate test of the Rule of Reason is whether the anti-competitive effects outweigh any pro-competitive benefits. The per se rule is a shortcut established by the Supreme Court. It will be applied if a court can say with confidence based on prior experience that the restraint will always or almost always have a net anti-competitive effect. In such a case, the restraint will be deemed unlawful and the anti-competitive effect is presumed. When a defendant advances a pro-competitive argument that a practice enhances overall efficiency and makes markets more competitive, per se treatment is not appropriate. This is because such arguments mean that a court is unable to conclude that the likelihood of anti-competitive effects is clear.
Conversely, if there are not plausible or cognizable pro-competitive justifications, we say that the restraint is “naked” and the per se rule applies. Pro-competitive justifications for conduct are also important under Section 2 of the Sherman Act. We do not condemn monopolies under the antitrust laws. Indeed, the Supreme Court has held that a monopoly is an important element of the free market system. It has stated that the opportunity to charge monopoly prices – at least for a short period – is what attracts business acumen and innovation. Consequently, a key consideration for Section 2 is whether there is a pro-competitive justification.
What then is a pro-competitive justification? Let me start by stating what it is not. A justification must not be pre-textual or a sham. In other words, it must be applicable to the case. For example, in one case that I successfully argued in the Seventh Circuit Court of Appeals, the restraint involved restrictions on members of a consortium of full-service truck lessors that provided each other with emergency service when a lessor’s truck suffered a breakdown outside the lessor’s local market. My opponent argued that the justification for the restraint was the prevention of “free-riding.” Free-riding occurs when one competitor invests in point-of-sale services to attract customers but another competitor does not, free-riding on the other’s investment. The appellate court rejected that argument, concluding that free-riding did not occur because the members of the consortium charged each other for the break-down service.
The justification must also be cognizable under the antitrust laws. For example, an argument is not cognizable if it asserts that an agreement to limit production of crude oil is justified because competition leads to unfair gasoline prices. A justification is also not cognizable if it claims that bidding for engineering jobs on the basis of price leads to more costly projects. Both assertions challenge competition itself.
What then is a plausible pro-competitive justification? If the restraint facilitates lower prices, increases output, or increases choices, it is pro-competitive. Two classic examples illustrate the concept. One involves the restrictive covenant accompanying the sale of a business which prevents the seller from opening a competing business in the same locale. Although a real restraint on the seller, it is deemed pro-competitive because it fosters the sale of businesses. A second example involves the restriction on an employee from competing with the employer’s business for a period of time after leaving. It is deemed pro-competitive because it encourages
employers to hire employees and give them access to trade secrets and other confidential proprietary information. A recent decision in the Seventh Circuit in which I was involved also helps to define the concept. Our client was a Canadian company in the business of mining and smelting copper and nickel. A by-product of the smelting process is the production of sulfuric acid. Because of increased environmental regulations, the client produced more acid than the Canadian market could absorb. Consequently, the client considered entering the U.S. market. However, it did not have any infrastructure or relationships with U.S. purchasers. The client approached U.S. companies that made acid by burning sulfur, and had the infrastructure and relationships necessary to distribute acid in the United States. The client entered into agreements with the U.S. producers to stop producing their own acid and buy the client’s. Our opponents argued that this was a classic output restraint, subject to the per se rule. The appellate court held, however, that there was a plausible pro-competitive justification for the limitation on output, because the restraint facilitated the entry of cheaper Canadian acid into the U.S. market, lowering prices and increasing output. In many marketing initiatives, the issue of whether there is a plausible pro-competitive justification becomes an important consideration of whether restraints will pass muster under the antitrust laws. Understanding this concept is a key to determining whether the initiative will be deemed lawful. ■
THE LEGAL MARKETPLACE
What’s a Lawyer? By Mark A. Cohen
With the legal delivery system experiencing disruption, it is fair to ask: “What’s a lawyer?” While legal practice – what lawyers do – may not have changed much over the past few decades, the delivery of legal service, the how and by what structure they are delivered, certainly has. Disaggregation of legal tasks has disrupted the longstanding hegemony law firms have had over the delivery of legal services.
Mark A. Cohen is the CEO of Legalmosaic, a consultancy to service providers, consumers, investors, educators and new entrants into the legal vertical. Prior to founding Legalmosaic, he was co-founder of legal service provider Clearspire. This followed his founding of Qualitas, an early entrant into legal process outsourcing. Earlier in his career he was a civil trial lawyer. Currently he is Adjunct Professor of Law at Georgetown Law Center, and a blogger and public speaker. markacohen@legalmosaic.com
NEW ELEMENTS OF LEGAL DELIVERY
Technology, as well as business processes and metrics, have become key elements of legal delivery. Increasingly, the traditional law firm partnership model is surrendering ground – and revenue – to in-house legal departments, service providers, and legal technology companies converting legal services into legal products. The new service providers do not operate under the partnership model that characterized law firms for so many years. Instead, they have a corporate structure that tends to be more client-centric, efficient and transparent than law firms. Plus, they can and often do tap into institutional funding sources that enable them to invest in technology, lure top management and IT talent, and engage in an inter-disciplinary model. Technicians, process and project managers, and financial experts work side-by-side with lawyers to deliver “legal” services. Lawyers are like hammers: Everything is a nail. To most lawyers, every business challenge is a legal one. But in today’s world, clients often view them as business issues that might require
some degree of legal involvement but do not require lawyers to take the lead. Translation: How and when lawyers are engaged is changing. And so we return to the question: What is a lawyer in today’s marketplace? The Oxford dictionary defines a lawyer as a person “who practices or studies law; an attorney or a counselor.” That definition might be expanded to include: (1) licensure, (2) engages in the practice of law, (3) exercises professional judgment and (4) acts on behalf of client(s). So, let’s go with: “A lawyer is a licensed legal professional who engages in the practice of law, exercising professional judgment on behalf of the client(s).”
DISRUPTION IN LEGAL DELIVERY
This definition fit well when lawyers handled legal matters from start to finish. But in the past 20 years or so,
an ever-expanding list of “legal” tasks has been unbundled and is now frequently performed outside of law firms. Legal service companies, the “law firm alternative,” have followed Clayton Christensen’s theory of disruptive innovation, initially providing staffing, legal process outsourcing, and other low value/high volume low-end work. But now, with growing market acceptance and customer confidence in their work, these providers also engage in higher-end consulting, risk management, cyber-security, regulatory compliance and other sophisticated functions once within the exclusive purview of law firms. The Big Four have emerged as large-scale players in the delivery of legal services, although they do not engage in the “practice of law.” (Law firms retain ultimate responsibility and risk for all work performed and, so, they are deemed to be the ones engaged in the practice of law.) Every Big Four firm employs thousands of lawyers, most of whom perform “legal” tasks but who, paradoxically, are not deemed to be functioning as lawyers because they work in concert with in-house legal departments or law firms. If one were to put the service offerings of the Big Four and other legal service providers side-by-side with practice areas of large law firms, the similarities would be striking. Risk retention – who bears ultimate responsibility in a principal/agent paradigm – separates the practice of law from the delivery of legal services. Sound like a fuzzy line? It is. But it underscores how and why “legal” tasks are subject to being performed by others who are not licensed lawyers.
NEW MANAGERS AND PROVIDERS
Lawyers and law firms are experiencing what physicians and medical groups did years ago: Other service professionals and para-professionals, managed by business executives, are performing what were once “bespoke” tasks undertaken by attorneys. And just as health care Goliaths are typically run by MBAs, not MDs, so too are legal service providers often managed by business executives, not attorneys. While “legal service providers” serve as agents for law firms as well as in-house legal departments, they are not subject to the regulatory and bar rules that govern law firms. This confers an enormous potential advantage on service providers that can accept outside investment (some would argue that law firms are funded by banks), go public, and expand into new jurisdictions and international markets more freely than law firms can. And, as noted, while legal service providers have many lawyers, those attorneys are not deemed to be engaged in the practice of law, at least not while they are working for the service provider. Paradoxically, were the same attorney to be on loan to a law firm, that attorney would be deemed to be engaged in the practice of law while doing the identical work. This brings up another element of the definition of a lawyer: One functions as an attorney when the risk is assumed either by the attorney or by the law firm for whom the attorney is working.
THE LAWYER IN A CHANGED LANDSCAPE
Which brings us back to “what’s a lawyer?” In a legal landscape where process managers, technologists, data analysts, cyber-security experts and metric consultants are playing increasingly seminal roles in the delivery of legal services, a lawyer’s role is changing, if not narrowing. We appear to be moving to a legal system where, as in medicine, the lawyer provides a small piece of the work product, ceding ground to other service professionals and para-professionals who do the rest. This underscores the need for lawyers to learn new skills, including the rudiments of technology as it impacts legal services, business process and project management, as well as better collaborative skills. “Just being a lawyer” does not cut it any more for most lawyers, except those few who have such specialized expertise and trusted judgment. The long-standing urban myth, one perpetuated by attorneys, that all tasks they perform are “bespoke” has been debunked. Not all legal tasks, as lawyers might characterize them, require attorneys. Many are more efficiently, cost-effectively and competently performed by other service professionals or para-professionals. Clients, not lawyers, determine what is a “legal” issue and when and for what tasks an attorney is needed. In conclusion, a lawyer is a licensed professional who helps clients solve challenges. How those challenges are best resolved often involves collaboration between lawyers and other professionals. This is something new for attorneys and not something taught or even contemplated in law school, and it is something lawyers had better get used to lest their role be further marginalized. ■
Survey Shows Conflicting Views of In-house and Law Firm Attorneys By Joseph E. O’Neil and Alfred R. Paliani
Earlier this year, the International Association of Defense Counsel (IADC) conducted its 2015 Inside/Outside Counsel Relationship Survey to provide its members and the legal industry as a whole with key insights into the relationship between in-house counsel and lawyers at private law firms. The survey revealed that corporate legal departments and their outside counsel have inconsistent views of key relationship factors, including communication tactics, the amount of work expected to be referred to outside counsel, and costs for legal services. Looking ahead to 2016, it is critically important for both outside and inside counsel to focus on the issues identified in this survey. Corporate law departments are consolidating their work with fewer firms, and effectiveness and efficiency of communication between outside lawyer and corporate counsel client is the only way to make these bigger and more complex relationships work. With more work flowing to fewer firms, there are simply more moving parts associated with the administration of the workflow.
Why is communication between inside and outside counsel perceived as such an important element?
The IADC Relationship Survey revealed that in-house and outside counsel have distinctly
different preferences regarding best practices for communicating with each other. Corporate counsel respondents stressed the need for the “right” principal contacts for each legal matter, along with active, one-on-one communications. By and large, outside counsel responded that they feel that regularly scheduled and written status reports are the top best practice for communicating with their clients. Essentially, good communication between inside and outside counsel enables efficient, timely and well-informed decisions during the representation, which increases the likelihood of success. To achieve good communication, in-house counsel must know their business, clearly state their objectives, and provide requested information as quickly as possible. Outside counsel, whether in litigation or a transaction, is ultimately responsible for how a matter progresses. Often, outside counsel will make commitments based on promises made by inside counsel. This can encompass a wide range of issues, such as a commitment to a compromise position or strategic goal, or a commitment to what documents will be produced. Outside counsel has to trust and count on the commitments of in-house counsel to provide effective representation.
Good communication between inside and outside counsel is essential to understanding the expectations of in-house counsel at the outset. Periodic evaluations of the matter help avoid a disconnect between the outcome and the expectations of in-house counsel. Understanding in-house counsel’s expectations of outcome, risk and budget is critical to a successful result for outside counsel. In-house counsel must be able to effectively communicate the processes of the company and where information can be obtained to outside counsel. If they are too ill-informed to communicate this effectively, the representation suffers. Obviously, this communication is not a one-way street. It is incumbent upon outside counsel to provide details of the risk, costs, and necessary documents and information. But once outside counsel lays this out, in-house has to do its job. The entire representation cannot be delegated. In-house must follow through to ensure success.
How much work is going to outside counsel?
There seems to be a perception, based on survey responses from in-house counsel, that there is an increase in the amount of work going to outside counsel. However, the survey also reveals that not all law firms are reporting an increase in work. This suggests that, while there may be an increase in outsourced work, it is being consolidated to fewer law firms. Thus, there may be law firms that have a substantial increase in the amount of work received, while other firms struggle. The recent economic crisis has required in-house counsel to critically evaluate how they use outside counsel. It is no secret that many corporate law departments have come through a convergence process resulting in a select panel of preferred outside counsel to serve the majority of the organization’s legal needs in ways that are valuable for both client and firm. The IADC Survey confirms the trend of fewer law firms receiving more outside legal work. For outside counsel, the trick is making sure that yours is among the firms that are receiving consolidated work, and if it is not, making adjustments to increase your chances of receiving it.
How do we deal with the vexing issue of hourly rates, and measuring the value of an outside counsel’s work by the amount of time devoted to it?
The biggest challenge for inside counsel when working with law firms is the unpredictability and/or improper management of costs and expenses, according to the Survey.
Corporate counsel said they want their outside counsel to be creative in suggesting and promoting efficiencies that could help them complete work amid budget constraints. Outside counsel pointed to specific concerns about delays from their clients in processing bills, and what they perceive as unreasonable rate level demands and staffing limitations that impact their client service. The hourly rate model is a transparent billing arrangement that allows for accountability in providing legal services. It has come under criticism for perceived inefficiencies that require detailed budgeting and micro-managing of tasks and expenses, to allow for some predictability. Hourly rates also have been criticized as creating law firm incentives that are not always consistent with the client’s best interests. As a result, alternative fee arrangements are becoming more routine. There are a variety of alternative fee arrangements, but they all seek to establish predictable legal fees with less micro-managing by in-house counsel. Many are tied to the outcome of the case. Alternative fee arrangements run the gamut from flat fee or fixed fee arrangements to discounted fees in exchange for a performance bonus, blended rates, capped rates, volume discounts, or a combination of two or more. The alternative fee arrangement should be negotiated at the outset of the case, and the arrangement for sharing risk and reward with outside counsel should result in a win-win scenario. The ground rules must be thought through and be beneficial to both parties. Requiring outside counsel to share in the risk of the outcome by reducing legal fees in the event of a bad result needs to be balanced with a performance reward for a successful outcome. For law firms to partner with their clients to achieve mutually beneficial outcomes they need to be good managers of their legal services, and fully assess the risks involved with alternative fee arrangements. 
The IADC Relationship Survey demonstrates that in-house counsel are looking to outside counsel to become more like business partners in providing legal services. Having a smooth and workable arrangement for communicating with one another and understanding what the corporate client needs are essential building blocks for successful outcomes and longevity in these types of relationships. ■
Joseph E. O’Neil is president of the International Association of Defense Counsel and a shareholder in the Litigation Practice Group of Lavin O’Neil Cedrone & DiSipio. He concentrates his practice on product liability, mass tort, medical device and commercial litigation. joneil@lavin-law.com
Alfred R. Paliani is the vice president of corporate and a board member of the International Association of Defense Counsel. He is also general counsel of Quality King Distributors, Inc. and its subsidiaries and affiliates. He is responsible for all legal affairs for the 2,500-employee corporate group and oversees outside counsel relationships across the globe. fpaliani@qkd.com
Proactive Litigation Management
How the Insurer Sees It By Thomas F. Lysaught
Proactive claim and litigation management strategies are essential to improving an insurer’s performance. These strategies can also determine how well an insurer’s claims organization is able to differentiate itself in the eyes of customers in a very competitive marketplace. For those reasons, most sophisticated insurers and self-insured entities develop strategies specifically designed to expedite the fair resolution of their claims. Such strategies serve to improve claim outcomes, increase staff productivity, and reduce the considerable expenses associated with adjudicating and litigating a large portfolio of claims. However, those strategies will not always be successful at resolving a specific claim at a fair price. In many instances, a lawsuit may be the first notice that an insurer receives of the claim. In any event, when a lawsuit is filed, outside counsel becomes a key partner in effectively executing the client’s proactive litigation management strategies.
Proactive litigation management is not about paying any price to resolve the matter and close the file. Consistently overpaying claims to increase closing ratios or decrease cycle times is not a recipe for long-term financial success. Rather, proactive litigation management is designed to expedite all aspects of the adjudication or litigation process to the reasonable extent possible to achieve the best realistic outcome, considering both the target resolution amount and the attendant costs of achieving that result. While this management approach is particularly applicable to commodity-type cases, which generally involve limited degrees of complexity and exposure, it can theoretically be applied to a wide variety of cases. The
potential benefits are largely a function of the types of litigated matters in the portfolio, the opportunity to reduce legal costs and improve operational performance, and the client’s litigation risk appetite. Maximizing the success of a proactive litigation management strategy requires that outside counsel and in-house claims professional or general counsel are in alignment when it comes to business strategies, specific case resolution objectives and economic interests. Ensuring that both parts of the defense team work together toward documented goals and understand the steps necessary to achieve them can significantly increase the chances of success. Below are steps to consider when proactively managing litigation.
Early Case Assessment. The first step in proactively managing litigation is early case assessment, an approach that can be used with a wide variety of disputes, both before and after litigation begins. It often works best as part of a formal program focused on the proactive management and resolution of specific portfolios of commodity-type matters. Not only are opposing counsel much more likely to routinely play ball in regards to such matters, but clients are in a much better position to credibly measure the success of the strategy across the specific portfolio. Early case assessments, and the resulting proactive resolution plans, will generally involve:
• An objective evaluation of the potential liability and damages exposure.
• Identification of any additional, critical information needed to more fully evaluate the case.
• A plan to obtain that information, if possible, outside of formal discovery.
• Key decision points requiring dialogue with the client.
• A negotiation strategy designed to expedite the resolution of the case at the target price.
The proactive resolution plan may also include voluntary information exchanges with the opposing party, agreements to delay responsive pleadings or discovery to permit negotiations, and planned early mediation (assuming opposing counsel is also willing to negotiate an expedited resolution at a realistic price). While the parties may not be able to resolve the matter at an early stage and litigation may be required, every reasonable effort should be pursued before deciding that litigation is the only viable alternative. Even if litigation is determined to be the best option at some point, counsel should revisit the plan over the course of the case and look for opportunities for resolution rather than incurring time, effort and litigation costs that can be avoided.
Obtaining Critical Information. Before a case can be properly evaluated, the critical information required to determine the extent of the client’s liability, any possible liability defenses, and the realistic range of damages must be obtained. Many defense counsel pursue every piece of available information in the hopes of finding the “smoking gun.” This leave-no-stone-unturned approach is an inefficient and expensive approach to case management. It rarely has any real impact on the outcome of a case and may actually serve to increase the value of the case. Once counsel and the client have agreed on the critical information, creating a focused plan to expeditiously acquire that information will accelerate the information gathering process and better position the case for early evaluation, negotiation, and resolution. That plan should consider the following questions: To what extent can the information be quickly gathered outside of the standard discovery process? Is opposing counsel willing to voluntarily provide the information to expedite settlement? Can the information be obtained from other sources? The same mindset should also apply to the discovery process. While opposing counsel may pursue their own scorched-earth approach to discovery, as good stewards of the client’s
money, counsel should be as focused and cost-conscious as possible.
Client Dialogue and Decision Points. Part of an effective proactive resolution plan includes dialogue with the client at key decision points throughout the case. Managing to decision points helps to keep the litigation and the associated costs aligned with the plan and budget. Decision points typically occur once agreed upon actions have been completed and/or critical pieces of information are obtained. At that point, counsel and client review the status of the case, discuss the impact of any newly obtained information, and agree upon the course of action that best positions the case for resolution at the target amount, weighing the various benefits, risks and costs associated with different actions or tactics.
Proactive Evaluation. Once the critical information is obtained, and assuming liability is established at least to some degree, the next step is to evaluate the case and determine a fair settlement value. Evaluations should be a detailed, objective, and transparent assessment of liability and damages. The best approach will generally include a detailed breakdown of the realistic range of damages and some form of a decision tree analysis to help determine the most likely outcome, or estimated value of a litigated case. The approach should foster a meaningful dialogue and allow the client to determine a reasonable settlement value in the context of the facts and the applicable law, the potential litigation risk, and the projected costs associated with continued litigation.
Proactive Negotiation. Once the case has been evaluated, the next step is to consider making a settlement offer. Based on the assumption that the plaintiff’s counsel might under-evaluate their case, many claim professionals and defense counsel prefer to wait for opposing counsel to make a demand. That rarely, if ever, happens in practice. Moreover, studies have shown that people subconsciously anchor on the first offer presented in a negotiation. Because the first offer tends to frame the negotiation, the defense should make the initial offer to commence negotiations, outlining the merits of the case from the defense perspective and managing plaintiff’s expectations as to the value of the case. The key to proactive negotiation is making a realistic initial offer, based on the legal standards and a thoughtful discussion of the relevant facts. Low-ball, unrealistic offers only serve to harden the respective positions of the parties and make an expedited resolution of the case virtually impossible. Proactive negotiations, and proactive litigation management in general, should be put in the right context. This process is not about settling the case at all costs simply to get the file closed. If the opposition is not willing to play ball, they need to understand that the defense team is equally willing and able to take the case to verdict, where plaintiff runs the risk of getting less than the client’s offer or nothing at all.
Outside counsel is a key partner in effectively executing an insurer’s proactive litigation management strategy. In this role, defense counsel not only demonstrates alignment with the client’s business strategies and specific case resolution objectives, but also with the economic interests of the client. While that can often be a challenge considering the strategies employed by other parties to the case, defense counsel should still approach each case in a creative manner and with the appropriate sense of urgency. This often requires a new way of thinking, different from the safe approach of methodically executing the standard litigation drill, pursuing every piece of information to ensure no one is second-guessed later, and waiting to commence negotiations until after discovery is completed and trial is imminent. When outside counsel use creativity, courage and perseverance, they can help their clients meet performance objectives, reduce their legal spend, and better differentiate themselves in a very competitive legal market. When counsel and the client are truly aligned, everyone wins. ■
Thomas Lysaught is Legal Operations Partner at Hickey Smith LLP. Prior to joining Hickey Smith, he held a number of executive management roles in the commercial insurance claims industry, most recently as senior vice president of Liability Claims for Zurich North America. tlysaught@hickeysmith.com
Separate Agreements for Software Purchase, Implementation
By Eduardo Ramos and Eric Ray
Growing a company and competing in the business world requires keeping up with technology. Companies invest millions of dollars upgrading hardware, maintaining an infrastructure and implementing the best and newest software to monitor, track and increase business efficiency. However, those necessary software implementations and upgrades are fraught with peril and unintended consequences. Despite sizeable investments, many businesses fail to anticipate and address potential pitfalls or prevent legal and operational risks. These risks are manageable if you understand the controlling agreements that are in play.
DEVELOPER VS. IMPLEMENTER
Software customers can purchase software “out of the box,” which means buying the software off the shelf and installing it themselves. However, this is not the scenario for most companies, where installing software requires configuration and sometimes risky customization to address particular business processes. Whether they have five employees or 500 offices, most companies will need to hire an expert software implementer to do the installation.

Often, the company that will install and implement the software is not the same company that developed it, and each owes very different obligations to the customer. Typically, the software developer is merely licensing the software to the customer and has no further obligations. In contrast, the implementer is responsible for assessing the customer’s needs through a business process re-engineering study and/or a “gap analysis,” ensuring that the software the customer is purchasing will support the customer’s business processes either out-of-the-box or without extensive (and often risky) customization, setting forth realistic milestones to complete the implementation, migrating the vast amount of data from the legacy software to the new system, and providing the customer with adequate testing and training for the end users.

LICENSE AGREEMENT VS. IMPLEMENTATION AGREEMENT
Because the obligations of the software developer are very different than the obligations of the implementer, two separate agreements are required: a license agreement and an implementation agreement. Through a license agreement, the software developer (licensor) grants the customer (licensee) a license to use the software. Typical license agreements contain limitation of liability and limitation of damages provisions that drastically limit a licensor’s exposure if the software malfunctions. Many jurisdictions enforce these provisions, limiting a customer’s remedies against a software developer to, at best, the cost of the software or recovery of the license fees paid, and excluding all other types of indirect, consequential, reliance and even punitive damages.

By contrast, an implementation agreement is a service agreement. It governs the services undertaken to implement the software. License agreements and implementation agreements should be treated as two different agreements with two very different purposes and should be negotiated separately. In other words, a license agreement must not incorporate by reference or otherwise the terms of an implementation agreement, and vice-versa. Failure to observe this simple rule can have devastating economic consequences for the customer, effectively limiting the damages the customer can recover for an implementation failure to, at best, reimbursement for the cost of the software or paid licensing fees.

Unfortunately, when an implementer fails to properly implement software, the resulting damages far exceed the cost of the software or any licensing fees the customer paid. Typical damages resulting from software implementation failures include the cost of purchasing hardware necessary for the implementation, the need to hire new employees to assist with the implementation, the possible loss of data during migration, loss of productivity, disruption of day-to-day operations, including reorganizing existing employees to provide additional support, changing business processes to match the software that will need to be purchased, the cost of a new implementer or new software to replace the failed system and, ultimately, customer dissatisfaction. These damages can translate into millions of dollars for a customer.

NEGOTIATING THE AGREEMENTS
The terms found in software license agreements are by and large standard across the industry: limited warranties, indemnification and, of course, limitations of liabilities. There is not much to negotiate, especially when a customer purchases the software out of the box. However, an implementation agreement (i.e., services agreement) is completely negotiable, and it should be negotiated, especially the provisions addressing damages.

When negotiating an implementation agreement, the customer should never agree to limit its remedies. Doing so can be economically catastrophic. In addition to the already significant cost of purchasing new software, a customer will spend thousands, and in some cases millions of additional dollars implementing the new software, with additional costs if that implementation fails. These costs and any potential damages need to be considered when negotiating an implementation agreement.

Importantly, the right to recover these costs and any ensuing damages can be completely wiped out if the implementation agreement incorporates the terms of the license agreement, or is simply attached as an exhibit or schedule to the license agreement. The mere attachment or incorporation by reference could be enough for a court to determine that the limitation of damages provision found in the license agreement applies equally to the implementation agreement, leaving the customer with little, if any, recourse. Negotiating a separate implementation agreement to address liability and damages is critical to reduce the chances of an expensive mistake. ■
Eduardo Ramos is a partner in Holland & Knight’s Miami office. He focuses on complex commercial litigation and arbitration, with particular experience representing plaintiffs in software implementation disputes. eduardo.ramos@hklaw.com
Eric Ray is a partner in Holland & Knight’s Miami office. He focuses on complex commercial litigation and arbitration, with particular experience representing plaintiffs in software implementation disputes. eric.ray@hklaw.com
Liability for Third-Party Vendor Conduct
By John D. Finerty, Jr. and Ben Kaplan
Third-party vendors – such as law firms, accountants, human resource consultants, payroll processors, recruiters and credit card processors – continue to play an integral role in how companies function. There is no doubt that out-sourcing remains a popular way to cut costs in many industries, and research suggests there is no end in sight to this trend. But it is difficult if not impossible to out-source liability. Does your company know the vendors it does business with? Does it know them well enough to take legal responsibility for all their acts and omissions? Regulators in some industries, and an increasing number of courts in jurisdictions nationwide, are holding companies liable for mistakes made by their vendors. So how do companies measure this risk and address it?

The banking industry can teach us plenty about best practices to reduce risks posed by vendor liability. The Federal Deposit Insurance Company and Office of the Comptroller of the Currency have been regulating how banks handle customer data, share it with vendors, and thus control how it is kept confidential. The Dodd-Frank banking act extended the regulation of service provider relationships from banks to non-bank financial service companies. It is only a matter of time until these standards, or something similar, apply outside the banking and financial services industries. In the meantime, let’s look at a few recent cases.
EXAMPLES FROM BANKING
• In September, 2012, the Consumer Financial Protection Board (CFPB), which was created by Congress in Dodd-Frank, announced a joint enforcement action with the FDIC against Discover Bank. It targeted the telemarketing of Discover’s credit card “add-ons,” such as payment protection, identity theft protection and credit score tracking. Discover in this endeavor had contracted with telemarketing vendors to make outbound sales calls. The CFPB determined that Discover was engaged in “deceptive tactics” in selling these add-on products. The CFPB and Discover settled the case and entered into a consent order that assessed Discover with $14 million in civil penalties and ordered approximately $200 million in restitution to more than 3.5 million Discover customers. Discover also agreed to change its telemarketing program. It would draft and adhere to a compliance plan, including training, oversight and access to third-party telemarketers, and submit to an independent audit to ensure adherence to the consent order.
• In September of 2013, the CFPB targeted JPMorgan Chase. It found that the company “through its vendors, engaged in unfair acts and practices,” by collecting and accepting monthly payments from consumers for credit monitoring services, even though those services were not fully provided. The CFPB said that Chase also enrolled customers in various credit card “add-ons,” alleging it charged consumers for credit monitoring programs prior to or without receiving the mandatory written authorization, and sometimes not even providing those services. The CFPB issued a consent order, whereby Chase paid $309 million in restitution to its customers and $20 million in civil penalties to the CFPB, the largest such fine at the time. The consent order required Chase to “take reasonable measures to ensure that its Vendors and other agents cease and desist from engaging in violations of law or regulations ...” Chase was also required to develop a vendor management policy.
• In October, 2012, the Office of the Comptroller of the Currency (OCC) announced a $500,000 penalty against American Express and ordered approximately $6 million in restitution to an estimated 17,000 affected customers. The OCC alleged that American Express collection firms, in the course of consumer debt collection, made various untrue or misleading statements, including informing consumers that settling their debts with the bank could improve their credit score, while in fact the debt was no longer being reported to the credit reporting agencies. In addition to the financial penalties, the OCC ordered American Express to establish a vendor management program that included analysis of a potential vendor’s ability to comply with all applicable laws, regulations and policies. The program also required American Express to work with its vendors to clearly delineate the responsibilities of each party for complying with those laws, regulations and policies, including by creating and maintaining internal controls and providing adequate training.
BEST PRACTICES
Now that we have a few sobering examples from the banking industry, let’s look at what banking and financial services industry regulators are describing as best practices to address this potential liability. The most helpful of these may be found in a recent CFPB bulletin, Steps to Ensure That Business Arrangements Do Not Present Unwarranted Risks to Consumers. Even this source, however, doesn’t include much generally applicable substance. Here is a summary of the recommendations, with comments.
John D. Finerty, Jr. is a partner in the Litigation Practice Group at Michael Best & Friedrich. He has extensive experience in ERISA defense, corporate governance and D&O liability claims. jdfinerty@michaelbest.com

1. Conduct due diligence on vendors. Companies in any industry that are not at least minimally selective in their choice of vendors may face an adverse presumption when their choice is called into question. The basic requirement that regulators set for banks is that vendors must be capable of complying with federal laws and regulations applicable to banks, such as bank privacy laws and regulations protecting customer financial information. Due diligence, then, should start with the basics: an evaluation of the vendor’s experience in the industry; a review of complaints and litigation against the vendor (plenty of which may be found on-line); and reference checks and follow-up interviews of management employees responsible for carrying out compliance, with a review of their individual backgrounds and credentials. If your industry requires licenses or certifications, those should also be verified as a threshold requirement.

A second level of due diligence may be appropriate, depending on the nature of the relationship and the value and/or sensitivity of the information entrusted to the vendor. For example, does the vendor use a sub-contractor to perform any functions necessary to provide services to your company? We often do not consider this point, especially when we think we have hired a company that can handle all our company’s needs. But there may be layers of vendors within vendors for such seemingly menial tasks as copying or processing documents in litigation, storing data, providing building security or off-site records storage. Simply turning your company’s proprietary information or customer data over to a reputable vendor that promises “one-stop shopping” may still be a significant risk.
2. Require vendors to adopt policies and procedures. This is where things can get complicated. There are many potential areas of policies that could be required. The decision on where to focus your company’s resources will depend on the industry. The three most important policy areas in our experience are: (1) data security, (2) employee controls and (3) physical plant security. With regard to the first, if your vendor receives confidential information or takes possession of customer data or processes transactions, state-of-the-art security measures need to be evaluated. These include encrypted e-mail and fax capability, secure data storage and a process or policy to return or destroy confidential information when it is no longer needed or the relationship terminates. Employee controls include background criminal checks on relevant employees, procedures for on-boarding and terminating employees to ensure your company’s data doesn’t leave the vendor’s possession, and limits on which employees have access to data and proprietary information. Security of the vendor’s premises seems basic but is often overlooked, as is securing your company’s data or files within the vendor’s office.
3. Require compliance with policies and procedures in vendor contracts. In vendor contracts, there should also be contractual protections that require compliance with applicable laws and regulations, as well as with the vendor’s own policies and procedures. Special attention should be given to liability limits vendors attempt to impose, such as limiting liability to the amount of fees paid or value of the work performed. Simply requiring the vendor to pay back amounts it was compensated may not be an adequate incentive to ensure compliance.
4. Conduct on-going monitoring (i.e., audits). There is no substitute for an on-site audit to make sure your company’s data and files are secure. Banks, for example, routinely audit their outside vendors, including their law firms. These audits can last for days and cover topics from building security to the inspection of paper files – making sure they are in locked file cabinets – to desk audits. Some companies hire consultants to inspect and even test data security, and then certify compliance. Audits also verify that policies and procedures the vendor has assured the company are in place are actually carried out. This may be done through on-site employee interviews.
5. Enforce the terms of vendor contracts, and industry best practices, up to and including termination of the relationship. It may seem obvious, but simply requiring vendors to have policies and procedures in place to protect your company’s proprietary information and customer data, and even subjecting vendors to audits, is worth little if there are no consequences to breaching the protocols. A vendor contract may have a progressive “discipline” process or simply reserve the right of the company to terminate the relationship. Much depends on the nature of the relationship and how difficult separation would be. In any event, vendor contracts typically contain provisions to require continuing protection of confidential and proprietary information and customer data until it can be recovered or destroyed.

EXPOSING CUSTOMER DATA
The retail industry is replete with examples of data breaches that give rise to liability for exposing customer names, addresses, credit card numbers or social security numbers. Whether your company manages customer data and processes credit card transactions in house or outsources those functions, there is exposure to the acts and omissions of one or more vendors. In a 2012 case from the federal district court in Nevada, In re Zappos, Inc., the court consolidated multiple cases from across the country and denied Zappos’s motion to dismiss and compel arbitration of consumer claims that arose out of a data breach. A hacker broke into Zappos’s in-house system and attempted to download customer names and addresses. The court refused to enforce the company’s browse-wrap agreement and compel arbitration. The end result is that Zappos, like other large retailers recently, is forced to defend lawsuits across the country.

Could payroll mistakes by third parties give rise to wage and hour liability? Not necessarily. The federal Fair Labor Standards Act (FLSA) sets minimum wage and overtime standards for most employers. In Featsent v. City of Youngstown, a 1995 case from the Sixth Federal Circuit, the court held the employer was entitled to assert the affirmative defense that it had a reasonable belief it was in compliance with the FLSA because its attorney led it to believe its overtime calculations complied with the Act. Likewise, in Michon v. Western Express, Inc., a 2014 case out of Tennessee, the employer had a viable defense to enhanced damages because it established that an inadvertent coding error in third party software misclassified some nonexempt employees as exempt. The employer relied in good faith on payroll software, and such reliance was reasonable.
Ben Kaplan is a member of the Litigation Practice Group at Michael Best & Friedrich. He practices primarily in the areas of commercial tort litigation, product liability and class action defense, and has jury trial experience in both state and federal court. bakaplan@michaelbest.com
LESSONS LEARNED
• Partnerships are limited. Vendors want to be “business partners,” but they rarely partner to share liability.
• Trust but verify. Reliance on vendors to abide by state and federal law must be reasonable, but if your company never verified that its vendor was in compliance with the law it will have a hard time proving reasonable reliance.
• Insurance is the best policy. Implementing best practices and compliance audits will never reveal every risk, so there is no substitute for insuring against third-party vendor liability.

These and other lessons are often learned the hard way, through a lawsuit or government investigation. A comprehensive vendor management policy is important, but active enforcement is critical. The final piece is documentation. Make certain your company can prove that it managed its vendors and verified compliance. ■
Using Europe’s M&A Regime for Tactical Advantage
By Peter Cohen-Millstein and Nick Rumsby
U.S. companies planning for public M&A in the EU face rules of engagement that are considerably different from those in the United States. Even the most seasoned deal professionals who are accustomed to the mandates of Delaware law and the regulations of the SEC must take into account the impact of European takeover regulation in their strategic planning efforts. Onerous limitations on deal certainty measures, leak announcement requirements, target-friendly shareholder regimes, restrictions on targets taking actions to frustrate a bid, mandatory offer triggers and significantly higher squeeze-out thresholds can have a considerable impact on the best tactics to employ in a bid.

These differences will become increasingly important in light of the renewed interest U.S. bidders have shown in EU targets. From January to October 1 of this year, public takeover offers announced by U.S. bidders have been valued at approximately $94 billion. With the exception of 2014, which was clearly a bumper year with the value of $108 billion skewed by the rise in tax-inversion deals, in particular the successful Covidien-Medtronic merger, this is a considerable increase over prior years. Looking at the same period in 2013, the value of these offers was $54 billion, and in 2012 was $31 billion. The interest of U.S. corporations in EU companies is clearly on the rise.

Although each EU member state has its own merger and takeover regime, a number of common themes emerged following the 2004 adoption by the EU of the Takeovers Directive, which sought to create community-wide clarity and efficiency in public takeovers. As a reference point, in what follows we have compiled the key differences between the majority EU themes and U.S. rules of engagement for key aspects of public M&A transactions in the EU.
LIMITED DEAL CERTAINTY
In the United States, in friendly transactions, most acquirers of public companies are able to negotiate some degree of “deal protection” from the target. By contrast, in the UK target companies are generally prohibited from entering into agreements to provide any form of deal certainty to bidders, regardless of how friendly the transaction. Exclusivity, break fee and other similar arrangements (from the target to the bidder) are all prohibited in the UK, although there is nothing to prevent the target from requiring a reverse break fee from the bidder. In those EU jurisdictions where break fees are permitted, these are usually limited to lower values than a U.S. bidder would expect to see.

Consequently, deal certainty measures are sometimes limited to purchasing shares in the market (where this is permitted) and, if the shareholder register allows, gathering irrevocable undertakings from shareholders to accept an offer. In the UK there are very few companies that have controlling shareholders (or small numbers of shareholders) whose support could ensure the success of a bid. Conversely, in Belgium, many public companies are tightly held by one or more controlling shareholders or other large, stable shareholders. The key point to note is that bidders can find it very difficult to achieve the level of deal certainty that they are used to at the outset of a transaction.
“PUT UP OR SHUT UP”
While U.S. companies can be placed under prolonged siege by an acquirer, EU merger regimes tend to impose limits on how long a company can be in play against its wishes. In the UK, for example, a leak announcement (triggered by rumor or speculation or untoward movement in a target’s share price, and regardless of how well developed a possible proposal or negotiation) requires the target to identify any possible bidder(s) with whom it is currently in talks. Similarly, following speculation or an untoward movement in the target’s share price, a possible bidder can be required to reveal its interests even before it has made a proposal to the target.

Following a leak announcement, in the UK a possible bidder must make a firm offer or walk away within 28 days of being identified, unless the deadline is extended by the UK Takeover Panel, with the agreement of the target. In the Netherlands, if a possible bidder has made public statements indicating that it may make an offer, the regulator may, at the target’s request, require it to clarify its intentions within six weeks. In France and in the UK, if a possible bidder walks away, it will be prevented from making another offer for six months. In the Netherlands if a bidder does not comply with the regulator’s request to clarify its intentions the period is nine months.

As a result, in order to avoid having to make a leak announcement, secrecy is paramount, and any bidder seriously considering a takeover offer should be prepared to lay its cards on the table in short order to “put up or shut up.” A hostile strategy involving a prolonged “bear hug” of public persuasion might not be permissible.
LIMITED FLEXIBILITY FOR OFFERERS
While the U.S. system offers acquirers fairly broad latitude in crafting the terms of an offer so long as disclosure is fair and complete, a number of EU regimes regulate the substance of offers in ways that, while principally designed to protect the shareholders of the target company, can appear onerous to bidders, particularly when contrasted to some U.S. market practices. In some instances this manifests itself through rules that are designed to ensure that a bidder is effectively bound by what it says in the public domain. For example, a bidder will be held to statements that it will not bid, or the terms on which it will bid, or that it won’t increase a bid.

Similarly, once a bidder announces a firm rather than a possible offer, EU takeover rules tend to be much more restrictive regarding the conditions that the bidder can include in its offer (or that it can rely on to enable it not to proceed with the offer). In a number of jurisdictions, including the UK, a bidder cannot include or invoke conditions commonly seen in the United States, such as material adverse change conditions (relating to the target or the wider market). It is vitally important that bidders understand the extent to which local rules allow a bidder to walk away. For example, in the UK bidders will be allowed to lapse a bid if insufficient target shareholders accept the offer, or if a required bidder shareholder approval is not forthcoming. However, nearly all other conditions, other than EU anti-trust conditions, are unlikely to be capable of being invoked, and a bidder will be forced to complete the offer even if it would prefer not to.

Unlike in the United States, financing conditions are also not permissible. If an offer is for cash or contains a cash element, most EU regimes will require that the bidder have certainty of funding prior to making the bid. This typically requires confirmation from a financial adviser, either in the public documents or to the local regulator, that the bidder has sufficient resources to satisfy full acceptance of the offer. In practical terms, it means that any bank financing required for the offer will need to be put in place, usually on a bridge-loan basis and with the associated cost, prior to the announcement of the offer.

Peter Cohen-Millstein is a corporate/M&A partner in the New York office of Linklaters LLP. He represents domestic and international companies as well as financial institutions in complex crossborder transactions. peter.cohen-millstein@linklaters.com

Nick Rumsby is a corporate partner of Linklaters LLP, based in London. His areas of practice include international public mergers and acquisitions, and he has spent two years on secondment at the Takeover Panel as a senior case officer. He has advised on a number of recommended and hostile situations involving both UK and overseas offerors. nick.rumsby@linklaters.com
LIMITED FRUSTRATING ACTIONS
While Delaware directors are generally permitted to implement defensive measures in response to a threat to corporate policy so long as the measure adopted is proportional and reasonable, given the threat, European targets are generally not given such leeway. Consistent with the idea that bids should be determined by target shareholders (rather than target boards), and as a counterbalance to some of the rules that can seem onerous to bidders, in most EU countries there are restrictions on targets taking action designed to frustrate a bid, other than seeking alternative bids, without the express approval of target shareholders. Tactics such as a poison-pill defense, which might be expected by a U.S. bidder, will generally not be available to a target board in the EU. In the event of a hostile offer, a target board will generally be limited to (1) making public announcements to explain why a bidder’s offer should be rejected and why the target board believes that the company would be better to continue as an independent business, and (2) seeking alternative bidders, “white knight” or otherwise, or seeking to persuade target shareholders of the merit of pursuing a different strategy.
MANDATORY OFFERS
While stakebuilding and partial tender offers are possible in the United States, assuming compliance with all applicable regulations, offers for less than all of a public company may not be feasible in Europe. All EU takeover regimes provide that all target shareholders must be treated equally and once an investor reaches a certain threshold of control (usually 30 percent of issued shares and/or voting rights), this will trigger a mandatory obligation to make a bid for the entire company. A mandatory offer for the whole company may be beyond the financial reach of the bidder and will have to be made on an unconditional basis, other than an acceptance threshold of 50 percent plus one.

A mandatory offer can be triggered not only by direct ownership of shares, but also beneficial ownership and the granting of options. It will take into account the shareholdings of a bidder’s concert parties, generally any other shareholder with whom the offerer is acting in conjunction or is otherwise colluding. This means that a bidder needs to be very careful when stake-building to ensure that it does not trigger a mandatory offer, and a bidder together with its advisers will want to prioritize the analysis of those with whom it might be deemed to be acting in concert.
SQUEEZE-OUT
In contrast to Delaware, where an acquirer needs to acquire only a majority of the target shares to squeeze out all shareholders, in Europe a bidder will typically need to gain control of 90-95 percent of the shares to which an offer relates in order to squeeze-out the remaining investors and delist the target. Correspondingly, once this threshold is reached there is usually also a right for the minority shareholder to sell to the majority shareholder. As a result, most takeover offers will be made conditional upon an acceptance threshold of 90-95 percent, which can then be waived down by the bidder if it so chooses. A bidder should be informed that although its takeover offer may be successful from a control and economic perspective, unless it gets to the relevant squeeze-out threshold (or the threshold for delisting the company that is likely to encourage target shareholders to accept the offer), it may be left owning most of a company alongside a sizeable number of minority investors. ■