Today's General Counsel, V13 N3, June/July 2016

JUN/JUL 2016 VOLUME 13 / NUMBER 3 TODAYSGENERALCOUNSEL.COM

When Information Fades Away • Tough Calls With Overseas Due Diligence • Europe’s Privacy Never-Never Land

CYBER • ATTACK • LIABILITY • INSURANCE

$199 Subscription rate per year ISSN: 2326-5000 View our digital edition: digital.todaysgeneralcounsel.com

E-DISCOVERY “Proportionality” Getting Tested



Editor’s Desk

It’s the American way: A major new problem arises in the commercial arena, a conflict of interests is revealed with respect to solving it, the interested parties sue each other, and it is litigated to an impasse or a solution. Cyber attacks and the issues they raise are in the early litigation stage, and as Thomas Rohback and Patricia Carreiro write in this issue of Today’s General Counsel, the scope of cyber insurance coverage for companies has yet to be defined. In a recent case, an insurer argued that it was not responsible for a cyber breach settlement because the insured failed to follow minimum required safety practices. The case was dismissed on other grounds, so this fundamental issue remains unresolved. The authors warn that the frequency of incidents is increasing and cyber insurance policies have proliferated, arguably without sufficient data for underwriting. They predict bet-the-company lawsuits in the near future. Mackenzie Wallace and Jennifer Ecklund discuss the threshold question of standing in such suits, i.e., deciding whether a plaintiff can allege or prove actual harm. The law was all on the defendants’ side until lower court rulings in the Target and Neiman Marcus data breach cases made it harder for defendants to succeed at the dismissal stage. Wafik Guirgis and Steve Falkin discuss the concept of shadow IT – the use of unauthorized software by employees – and the cybersecurity threat it poses to law departments specifically. Lawyers in general and in-house lawyers in particular will remember Ben Heineman, Jr., formerly General Electric’s senior vice president and chief legal officer and now a senior fellow at Harvard’s schools of law and government. An excerpt from his recently published book discusses risk management, and the importance of planning for incidents that are sometimes viewed as unthinkable and therefore not rigorously considered. General counsel play a crucial role in this process, Heineman says. Elsewhere in this issue Kevin Grande writes about the much stricter – but still vague – regulations that lawmakers in Europe are establishing in the area of data privacy, and Alexandra Wrage discusses the due diligence companies need to perform on their overseas intermediaries in order to avoid running afoul of the Foreign Corrupt Practices Act – and the dicier issue of what they can ignore.

Bob Nienhouse, Editor-In-Chief bnienhouse@TodaysGC.com



Features

ENVIRONMENTAL CLEANUP AND RECOVERY FOR FRAUDULENT TRANSFERS
Phil Cha and Lindsay Brown. Time limits imposed by the UFTA make recovery for cleanup costs problematic.

PREPARING FOR LOW-PROBABILITY HIGH-IMPACT EVENTS
Ben W. Heineman, Jr. Debate response scenarios before it happens.

INFORMATION GOVERNANCE CAN MAKE DATA AN ASSET
Karen Schuler and Douglas Herman. Bury your dead data.

Columns

WORKPLACE ISSUES: Plaintiffs Twist Meaning of Fair Credit Reporting Act
Rod M. Fliegel. Be careful how you disclose that background check.

THE ANTITRUST LITIGATOR: Antitrust Issues With Joint Ventures
Jeffery M. Cross. Spillover can violate the Sherman Act.

INFORMATION GOVERNANCE OBSERVED: The Dangers of Short-Term Thinking on Information
Barclay T. Blair. Five years is forever.



Departments

Editor’s Desk
Executive Summaries

LABOR & EMPLOYMENT

Potential Pitfalls in “Uberizing” Your Workforce
Salvador P. Simao and Joanna S. Rich. No global agreement on who is an employee and who isn’t.

E-DISCOVERY

An ADA Decision Highlights “Proportionality” Limits
David Horrigan. Courts are getting serious.

The Challenge of Foreign Language Document Review
Sophie Ross. Foreign language reviewers need training in U.S. e-discovery protocols.

Practical Proportionality through Science
Julia L. Brickell and Bruce Hedin. A methodical approach to limiting e-discovery.

INTELLECTUAL PROPERTY

A Powerful Weapon Against Infringing Imports
H. Jonathan Redway. Section 337 forum is fast, powerful and knowledgeable.

CYBERSECURITY

Don’t Let “Shadow IT” Take Hold in Legal Department
Wafik Guirgis and Steve Falkin. Why short-circuiting IT is a bad idea.

Standing is Key Issue in Cyber Lawsuits
Mackenzie S. Wallace and Jennifer R. Ecklund. What counts as “harm”?

Lessons from Ransomware Attacks on Healthcare Providers
Scott Lyon. Employee training and the principle of “least privilege.”

Limits of Cyber Insurance Being Tested in Litigation
Thomas Rohback and Patricia Carreiro. Many policies, not much data for underwriting.

COMPLIANCE

Difficult Due Diligence on Overseas Intermediaries
Alexandra Wrage. Due diligence and the paper trail to prove it.

From Europe’s Privacy Regulators, Big Penalties But No Rules
Kevin Grande. The safe harbor is gone.




Editor-in-Chief: Robert Nienhouse
Chief Operating Officer: Stephen Lincoln
Managing Editor: David Rubenstein
Executive Editor: Bruce Rubenstein
Senior Vice President & Managing Director, Today’s General Counsel Institute: Neil Signore
Art Direction & Photo Illustration: MPower Ideation, LLC
Law Firm Business Development Manager: Scott Ziegler
Database Manager: Matt Tortora

Contributing Editors and Writers

Barclay T. Blair, Julia Brickell, Lindsay Brown, Patricia Carreiro, Phil Cha, Jeffery M. Cross, Jennifer R. Ecklund, Steve Falkin, Rod M. Fliegel, Kevin Grande, Wafik Guirgis, Ben W. Heineman, Jr., Douglas Herman, David Horrigan, Scott Lyon, Jon Redway, Joanna S. Rich, Thomas Rohback, Sophie Ross, Karen Schuler, Salvador P. Simao, Mackenzie Wallace, Alexandra Wrage

Editorial Advisory Board

Dennis Block, GREENBERG TRAURIG, LLP
Thomas Brunner, WILEY REIN
Peter Bulmer, JACKSON LEWIS
Mark A. Carter, DINSMORE & SHOHL
James Christie, BLAKE CASSELS & GRAYDON
Adam Cohen, FTI CONSULTING
Jeffery Cross, FREEBORN & PETERS
Thomas Frederick, WINSTON & STRAWN
Jamie Gorelick, WILMERHALE
Robert Haig, KELLEY DRYE & WARREN
Jean Hanson, FRIED FRANK
Robert Heim, DECHERT
Dale Heist, BAKER HOSTETLER
Joel Henning, JOEL HENNING & ASSOCIATES
Sheila Hollis, DUANE MORRIS
David Katz, WACHTELL, LIPTON, ROSEN & KATZ
Steven Kittrell, MCGUIREWOODS
Jerome Libin, SUTHERLAND, ASBILL & BRENNAN
Timothy Malloy, MCANDREWS, HELD & MALLOY
Jean McCreary, NIXON PEABODY
Steven Molo, MOLOLAMKEN
Thurston Moore, HUNTON & WILLIAMS
Ron Myrick, RONALD MYRICK & CO, LLC
Robert Profusek, JONES DAY
Art Rosenbloom, CHARLES RIVER ASSOCIATES
George Ruttinger, CROWELL & MORING
Jonathan S. Sack, MORVILLO, ABRAMOWITZ, GRAND, IASON & ANELLO, P.C.
Jonathan Schiller, BOIES, SCHILLER & FLEXNER
Victor Schwartz, SHOOK, HARDY & BACON
Robert Townsend, CRAVATH, SWAINE & MOORE
David Wingfield, WEIRFOULDS
Robert Zahler, PILLSBURY WINTHROP SHAW PITTMAN

Subscription

Subscription rate per year: $199. For subscription requests, email subscriptions@todaysgc.com

Reprints

For reprint requests, email rhondab@fosterprinting.com (Rhonda Brown, Foster Printing).

All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information or retrieval system, without the written permission of the publisher. Articles published in Today’s General Counsel are not to be construed as legal or professional advice, nor unless otherwise stated are they necessarily the views of a writer’s firm or its clients. Today’s General Counsel (ISSN 2326-5000) is published six times per year by Nienhouse Media, Inc., 20 N. Wacker Drive, 40th floor, Chicago, Illinois 60606. Image source: iStockphoto | Printed by Quad Graphics | Copyright © 2016 Nienhouse Media, Inc. Email submissions to editor@todaysgc.com or go to our website www.todaysgeneralcounsel.com for more information. Postmaster: Send address changes to: Today’s General Counsel, 20 N. Wacker Drive, 40th floor, Chicago, Illinois 60606. Periodical postage paid at Oak Brook, Illinois, and additional mailing offices.



Executive Summaries

LABOR & EMPLOYMENT

Potential Pitfalls in “Uberizing” Your Workforce
By Sal Simao and Joanna Rich, Ford & Harrison LLP

While the U.S. Department of Labor and state agencies often take a hardline approach to independent contractor misclassification, the United States is arguably more accepting of alternatives to the employee/employer model than other countries. In Argentina, the default relationship is that of employee and employer, and bona fide independent contractors are limited to professionals and very specific cases. In Brazil, the employer-employee relationship is the default agreement, and it’s difficult for workers and companies to choose a different legal regimen. In Mexico, an employment relationship is one in which the worker and no one else will provide the work, the worker is under the employer’s control and work is in exchange for wages. In France, the concept of subordination defines the employment relationship, meaning that the employer gives orders to employees, controls the execution of the orders, and may discipline employees. In Germany, the most important distinction between employees and independent contractors is the degree of independence the worker exercises over the work. In the UK, an increasing number of people take part in the on-demand economy. Individuals at work are defined as “self-employed,” “employees” and “workers,” but there is no legal test to determine employment status. Employers in all countries need to be cautious about classifying workers as independent contractors. In the United States, unless the legal framework changes, it will be increasingly difficult to fit workers into the employee/independent contractor dichotomy.

E-DISCOVERY

ADA Decision Highlights “Proportionality” Limits
By David Horrigan, kCura

A recent court decision serves as a reminder that even the Americans with Disabilities Act doesn’t give litigants a blank check in e-discovery. In Lieberg v. Red Robin Gourmet Burgers, Inc., a group of disabled customers of Red Robin Gourmet Burgers, Inc. claim they were denied equal access to the chain’s restaurants. Suing on behalf of wheelchair users who wanted to use parking facilities Red Robin owns or controls, they sought information on any store the company claimed was ADA compliant. In essence, plaintiffs asked for either discovery or a concession of non-compliance on every store. In granting in part and denying in part Red Robin’s motion for a protective order, the court noted the limits of the ADA. It obligates only those “who have some measure of control over the disputed public accommodation,” the judge wrote. The plaintiffs’ problem was that Red Robin owns the property for only 32 of its more than 500 restaurants, and it rarely has a role in designing or constructing common areas adjacent to its restaurants, including the parking facilities. Although the court ordered Red Robin to produce ADA policies for all its restaurants, it limited discovery to the 11 identified in the complaint and the 32 company-owned stores. For plaintiffs in compliance litigation involving retail chains, the case illustrates a significant challenge. It will be difficult to conduct nationwide e-discovery if retailers don’t own the real estate where their stores are located.

The Challenge of Foreign Language Document Review
By Sophie Ross, FTI Consulting

Cross-border matters are becoming more common and complex due in part to widely divergent privacy regulations worldwide. Organizations will often rely on external providers to manage e-discovery outside the U.S., but some providers won’t have the capability to screen and manage quality. When working with local reviewers, qualification is important. Conducting foreign language e-discovery requires a specialized talent pool, knowledge base and skill set. Security and compliance with data privacy regulations need to be priorities for cross-border teams, but can be undermined by local practices. For example, many reviewers and translators outside the U.S. work from home, taking sensitive data out of the controlled environment of the review center. Experts with experience in handling these issues can help ensure that review and translation activities take place onsite, in secure locations. This is an important factor in reducing the risk of data breaches. For some languages, the marketplace is so small that a single matter in a particular region could dramatically increase costs. Providers who have a foothold in the local area can be invaluable when there is a need to review in these languages. When a skilled team applies clustering or predictive coding across a multi-language data set, it increases the efficiency of the review. This practice can be applied to translation as well. Using analytics technology to evaluate the document set can help reduce the number of documents that need to be translated, leading to cost savings.


E-DISCOVERY

Practical Proportionality through Science
By Julia L. Brickell and Bruce Hedin, H5

The change to Rule 26(b) in the Federal Rules of Civil Procedure emphasizes proportionality in discovery by elevating existing language to a more prominent place in the Rules. The intent is to encourage parties and the courts to reduce the time and costs of addressing the volumes of electronically stored information that may be implicated in discovery, while still uncovering the information that actually matters to the case. The ideal scenario would be for counsel to engage in a practical discovery effort, equipped with facts about the volume and quality of information relevant to a claim or defense, where it resides, and potential methods to get it. Such knowledge would enable a principled and defensible assessment of proportional discovery, whether or not the basis of the assessment is disclosed to the other side. But, if there were to be disclosure to, or a challenge by, the other side, facts about the approach would have to be persuasive. Success will depend on being able to demonstrate that a position has sufficient factual basis. The critical question then becomes: How can counsel, without full discovery, unearth that factual basis? Here, counsel can benefit from “practical proportionality through science.” In this case, the science of statistics, supported when circumstances warrant by the science of information retrieval (IR), offers both a practical and cost-effective approach to the proportionality dilemma, and one that would not impose undue burden in a very large range of matters.

INTELLECTUAL PROPERTY

A Powerful Weapon Against Infringing Imports
By H. Jonathan Redway, Dickinson Wright PLLC

Under section 337 of the Tariff Act, the U.S. International Trade Commission conducts investigations into allegations of certain unfair practices in import trade. Most involve claims of patent infringement or registered trademark infringement, but other forms of unfair competition such as misappropriation of trade secrets, common law trademark and trade dress infringement and “passing off” may also be asserted. Federal courts have broad discretion to issue injunctions to stop unlawful infringement, but only if needed to prevent irreparable injury. Moreover, district courts permit the litigation of all legal and equitable defenses, which can take time. Section 337 investigations have the advantages of speed, broad jurisdiction and expertise – ALJs work almost exclusively on IP cases. Investigations are instituted by the Commission based on a complaint. A formal evidentiary hearing is conducted by an administrative law judge. Following the hearing on the merits, the ALJ issues an Initial Determination (ID). The Commission may review and adopt the ID, decide not to review it, or modify or reverse or remand the ID to the ALJ. If the Commission adopts or declines to review an ID, it becomes the final determination. By statute, section 337 investigations must be completed “at the earliest practical time.” As a result, the Commission places great emphasis on the timeliness of investigations. The benefit of a fast, effective and reliable determination is what makes 337 investigations the number one weapon available to IP holders to stop infringing imports.

CYBERSECURITY

Don’t Let “Shadow IT” Take Hold in the Legal Department
By Wafik Guirgis and Steve Falkin, HBR Consulting

Employees are becoming empowered to take workplace technology adoption into their own hands, and that’s become a challenge for IT departments and companies. A 2016 Cisco research report found that “Shadow IT” – the use of unauthorized software by employees – has increased nearly 70 percent in less than a year. Shadow IT in law departments is almost never about intentionally risky behavior or uninformed staff. Rather it’s the byproduct of a deeper issue: ineffective partnerships between IT teams and the law department end users. For example, in legal teams that aren’t using enterprise or document management software, associates who need to store or share critical information and files may be left to fend for themselves. When IT leaders and law departments don’t consult before software or a cloud app is rolled out, there is an increased chance of a botched implementation. Another issue is that marketing, operations and sales departments may value the ability to customize a program like SharePoint for cross-company collaboration, but that same accessibility might not suit lawyers, who must maintain confidentiality and/or privilege. This perceived lack of security can cause legal professionals to limit what they store to non-sensitive items. Change management is required and it doesn’t stop at implementation. Law department leaders should collaborate with IT and the C-suite to foster ongoing employee awareness of sanctioned technologies, reward staff for its adoption, and create processes to identify gaps between what employees need and the tools provided.

Standing is Key Issue in Cyber Lawsuits
By Mackenzie S. Wallace and Jennifer R. Ecklund, Thompson & Knight

A data breach plaintiff, like any federal plaintiff, must establish standing in order to survive a 12(b)(1) motion to dismiss. Traditionally, district courts have dismissed consumer suits for data breaches, reasoning that the plaintiffs could not prove actual harm, a requirement of standing that rests on a 2013 Supreme Court decision, Clapper v. Amnesty International USA. Courts applying Clapper to data breach complaints have generally found that the damage frequently pleaded by the plaintiffs – the risk of future identity theft – is too speculative to support standing for a lawsuit. Lower court rulings in the Target and Neiman Marcus data breach cases make it easier for consumer-plaintiffs to sue and succeed at the dismissal stage. Deviating from previous Clapper rulings, a Minnesota federal court held that a class of Target customers had standing to sue because they were temporarily unable to access money in their accounts. Target settled for $10 million. In Neiman Marcus, the Seventh Circuit reversed a lower court and accepted standing based on allegations of future injury. The question of standing under Clapper is only one of the important threshold class action lawsuit issues in play right now. Another is whether Congress may confer standing on a plaintiff who has suffered no specific harm but who alleges a violation of a federal statute. Companies should continue to be aware of this evolving situation so that when breaches occur they are prepared to consider their options.

Lessons from Ransomware Attacks on Healthcare Providers
By Scott Lyon, Sedgwick LLP

Earlier this year a number of healthcare providers found themselves under siege by targeted ransomware attacks. In February, Hollywood Presbyterian Medical Center in Los Angeles had its network crippled, ultimately paying $17,000 in bitcoins to recover its systems. Three other ransomware attacks have targeted healthcare providers in California, and incidents have been reported in other states. These attacks may signal recognition by attackers of the particular vulnerability of these businesses. Healthcare companies store a vast amount of data, from patient medical records to insurance and billing information, in addition to ordinary operating data. In general when it comes to cybersecurity, among an organization’s weakest links are the employees. They should be trained to identify phishing attacks and perform proper authentication of third parties before providing them with data or access to the network. Organizations should also closely monitor internal access controls, implementing the principle of least privilege (i.e., granting users only the minimal amount of access and permissions necessary to do their jobs). Rapid identification of potential infections with intrusion detection systems is crucial. It can facilitate the swift isolation of infected servers or endpoints and prevent the damage from spreading. In order to respond properly to a ransomware or other cybersecurity incident, organizations must prepare, implement and routinely test incident response plans. Rapid identification, isolation and mitigation of threats can mean the difference between a temporary disruption of service and a substantial, and potentially unrecoverable, business loss.

Limits of Cyber Attack Insurance Being Tested in Litigation
By Thomas Rohback and Patricia Carreiro, Axinn Veltrop & Harkrider LLP

Some of the first cases relating to a cyberattack or data breach relied on traditional insurance forms that contained specific coverages relating to electronic data. A Delaware Superior Court analyzed Commercial General Liability (CGL) coverage for the hack of a bank’s credit card records. Although it found the attack fell within Electronic Risk Liability coverage, it also said it fell within the policy’s fraud exclusion for losses based on fraudulent activity. The court, however, refused to respect the exclusion, reasoning that every unauthorized use or access to the insured’s electronic data or software would almost necessarily involve fraud, thus rendering coverage illusory. In a 2015 case in the Central District of California, an insurer argued that it was not responsible for a settlement because of the insured’s “failure to follow minimum required practices.” The case was dismissed on other grounds so this important issue remains unresolved. Courts have found varying policy language in CGL insurance to either cover or exclude privacy claims resulting from the disclosure of personally identifiable information. The scope of cyber insurance is a work-in-progress. Cyber attacks and data breaches are becoming more common, hackers are more sophisticated, and there is an increasing amount of litigation seeking redress. Meanwhile, cyber insurance policies have proliferated, arguably without sufficient data for comprehensive underwriting. With more lawsuits and higher damages, cyber insurance litigation may be a bet-the-company issue for many companies, as well as their insurers.


COMPLIANCE

Difficult Due Diligence on Overseas Intermediaries
By Alexandra Wrage, TRACE

Under the Foreign Corrupt Practices Act, if the agent of a company pays or offers to pay a bribe to a foreign official in order to help secure business, the company itself can be held responsible. Given the magnitude of the potential liability, it is crucial to know something about the background of the person or entity your company is considering to represent you abroad. The author runs through a short list of hypothetical wrongdoings an intermediary might be discovered to have done, and assesses whether each is a deal-breaker. When the issues are not routine or straightforward, you need to be able to base your decision on a full assessment of the relevant circumstances, taking into consideration not only the nature of the assignment and the history of the potential intermediary, but also the balance between your company’s tolerance for risk, the urgency of the project, and the possibility of alternative courses of action. Protocols and standards for review are necessary, in part to show that your company has a compliance program in case something goes wrong. Each decision regarding an intermediary must be adequately documented. The documentation should include the nature of the work the intermediary will be performing and the business justification for the engagement. This would include such issues as whether other candidates were considered, whether there are employees who could fulfill the same role, and the resources the intermediary has to carry out the task.

From Europe’s Privacy Regulators, Big Penalties But No Rules
By Kevin J. Grande, Determine, Inc.

With the current state of European privacy regulations, American firms must make additional efforts with their contracts and guarantees of personal data protections to satisfy their European customers. Most previous deals were completed within the context of the Safe Harbor, but last October a European high court invalidated this long-standing agreement that allowed U.S. businesses to self-certify their protocols for handling Europeans’ personal data. That sent U.S. and European officials scrambling to hammer out a replacement agreement. The now-proposed E.U.-U.S. Privacy Shield was submitted in February. As currently written, the Privacy Shield would require companies to have an established policy that commits to the principles of the agreement. It would also require modifying, updating or creating contracts with any third party that will come into contact with a European’s data. The contracts must stipulate how the data will be protected under the provisions of the Privacy Shield, and summaries of those contracts must be made available to regulators. The problem is that the agreement has yet to be ratified by each of Europe’s 28 data-protection agencies, and these regulators don’t seem inclined to agree with many of the Privacy Shield’s provisions. In April, the European Parliament approved a new General Data Protection Regulation that will go into force in 2018. These laws include even more stringent protections for Europeans’ data. They also include the so-called “right to be forgotten” provision, requiring companies to delete data of Europeans who request anonymity.

FEATURES

Environmental Cleanup and Recovery for Fraudulent Transfers
By Phil Cha and Lindsay Brown, Archer & Greiner P.C.

The Uniform Fraudulent Transfer Act (UFTA) prevents debtors from transferring assets in an effort to frustrate creditors’ collection of debts. But the UFTA requires claimants to act promptly, imposing a strict statute of repose that requires claimants to bring claims for fraudulent transfer within four years after the transfer was made, or in certain circumstances within one year after the transfer was discovered or could reasonably have been discovered by the claimant. This short limitations period can pose a significant hurdle to recovery, particularly for claimants dealing with environmental liabilities. Under CERCLA, responsible parties are jointly and severally liable for cleanup costs. To ameliorate the potential unfairness of joint and several liability, a right of contribution to ensure equitable sharing is provided. However, the amount of time for CERCLA contribution claims to mature can be significantly longer than the limitations periods imposed by the UFTA. Clients faced with liability for legacy environmental harms must make a critical assessment of their exposure and potential recovery from other parties, and be aware in the very early stages of their evaluation that claims for fraudulent transfer have a short fuse. While a full-blown asset search on all potentially responsible parties is unnecessary, clients should be mindful of facts and circumstances that may trigger their duty to investigate and discover potentially fraudulent transfers. The UFTA can be a powerful and effective tool, but only for those who act promptly to preserve their rights.

Preparing For Low-Probability High-Impact Events
By Ben W. Heineman, Jr., Harvard’s schools of law and government

Risk appetite, the balance between risk-taking and risk-management, should turn on a careful set of decisions by corporate leaders, with the general counsel and inside lawyers playing a central role. Risk management must follow strong organizational principles, and it must rigorously prioritize threats. Risk management must develop and implement systems and processes to prevent, mitigate, detect and respond. One of the most important risk management problems is addressing a catastrophe. One of the best tools for preventing and responding to such occurrences is a systematic process for “scenario planning” and for debating disasters before they occur. Scenario planning requires a group of cross-functional experts (designated the “Blue Team”) to construct possible sequences and impacts of potential catastrophic events, and then to recommend preventive and responsive steps and costs to mitigate the effects of such events were they to occur. For truly high-impact events, an important companion of scenario planning is the Blue Team/Red Team debate. Drawing from a military war-game tradition, this involves forming a multidisciplinary Red Team to critique the Blue Team’s scenarios and its prevention and response plans. Business leaders must give strong support to the constructive tension created by competing teams. General counsel, experts in finding truth through competing viewpoints, can help structure this process. Without debates about disaster, the risks of inattention, complacency and failure to examine key technical, financial or other assumptions can lead to being overwhelmed by events.

Information Governance Can Make Data an Asset
By Karen Schuler and Douglas Herman, BDO Consulting

Technologies like predictive coding play a significant role in narrowing the scope of data to potentially relevant evidence, but that early understanding is contingent on having an information governance program (IG) and data preservation strategies. “Data hoarding” of files that provide no value, duplicative information, or “dead” data that hasn’t been used or accessed in years, increases data security risks and also makes identifying and accessing relevant information more time consuming when discovery begins. Organizations should consider the following to build a corporate-wide information governance program: Understand gaps and risks before litigation or investigations arise. Deliver meaningful intelligence through master data management and data analytics to ensure your Enterprise Resource Planning (ERP) systems provide accurate, consistent and clean data. Protect data according to industry standards, regulations and internal requirements, while ensuring the data is what it purports to be and that privacy standards are maintained. Develop policies and procedures to manage data throughout its lifetime. Develop policies that reflect the current state of the business, but also provide flexible means to maintain updates and deliver those updates to the organization. Determine that the use of data is aligned with business functions and employs technologies that are aligned with the organization and its needs. An effective approach to IG enables information to be leveraged as an asset and ensures its security, so that when an e-discovery request arises you can access the data you need, when you need it.


Labor & Employment

Potential Pitfalls in “Uberizing” Your Workforce

By Sal Simao and Joanna Rich

Technology is changing how, when, and where we work. With these changes come shifting attitudes in how workers view their relationship with employers. The “on-demand” economy purports to bridge this gap, giving workers flexibility to choose when to work and connecting employers with available skilled labor when they need it most. The on-demand model would appear to provide both workers and employers what they want. But what hidden dangers lie in “Uberizing” your workforce?

Recent legal challenges highlight potential conflicts between the technology-enabled on-demand economy and existing legal frameworks. Misclassifying workers can result in significant costs to a business, including government audits, class action lawsuits, back wage and overtime awards, fines and a possible public relations nightmare. If workers are found to be employees, they may also be entitled to employee benefits, unemployment and social security contributions.

This article aims to help employers recognize and avoid misclassification by examining the differences between employees and independent contractors in the United States and abroad.

FEDERAL AND STATE IN THE U.S.

Overlapping and sometimes conflicting federal and state laws in the United States govern the employment relationship and determination of whether a worker is an employee or an independent contractor.


At the federal level, the Fair Labor Standards Act governs maximum hour and minimum wage requirements for most workers. Part of a legislative plan to get more Americans back into the workforce after the Great Depression of the 1930s, the FLSA relies on the following broad definitions to determine which workers fall within its scope:

• To employ is “to suffer or permit to work.”
• An employee is “any individual employed by an employer.”
• An employer is “any person acting directly or indirectly in the interest of an employer in relation to an employee.”

In a series of decisions, the Supreme Court developed the “economic reality” test, which is used today to determine whether a worker is an employee. That test counsels that employment status is determined by considering the totality of the circumstances surrounding the parties’ relationship and the worker’s circumstances. Under the economic reality test, “employees are those who as a matter of economic reality are dependent upon the business to which they render service.”

However, different states may use different tests to determine whether a worker is an employee. Generally, the more control the employer exercises – or even reserves the right to exercise – over the worker’s means and methods of work, the more likely it is the worker will be considered an employee.

Independent contractors are workers engaged in an independent trade, business or profession in which they offer their services to the general public. The hallmark of an independent contractor is that he or she is not economically dependent on one employer. Independent contractors are generally able to control how, when and where the work is performed. To determine whether a worker is a bona fide independent contractor, courts use the following factors to analyze the economic reality of the parties’ relationship:

• Who has the right to control the work? If the employer can tell the worker how, when, and where to perform the work, the worker is likely an employee. The employer’s level of supervision or requirement that the worker report to a supervisor is also considered.
• Is the work an integral part of business operations? If the worker’s services form an integral part of the employer’s business, the worker is likely an employee.
• Did the worker make an investment in his or her business? A worker who has invested in his or her own equipment, supplies, facilities, or training is more likely an independent contractor. Generally, courts will compare the worker’s investment with the employer’s investment.
• Is there an opportunity for profit or loss? Is the worker’s opportunity for profit or loss determined by the employer, or the worker’s own managerial skill? For example, if the worker can make a profit by being more efficient or hiring helpers, that worker is likely an independent contractor. On the other hand, a worker that can increase earnings only by working more is likely an employee.
• Does the work require specialized skill? This factor is often dependent on the industry and the employer’s business. Highly skilled workers can be employees, depending on the nature of the work or the industry.

In July 2015, the U.S. Department of Labor issued “Administrator’s Interpretation 2015-1,” which argued that the economic realities test should be applied in the context of the FLSA’s broad scope of employment and the Act’s “suffer or permit to work” standard. The Interpretation concluded that “most workers are employees” and cautioned against mechanical application of the economic realities factors and over-emphasizing the right-to-control factor.

The United States is arguably more accepting of alternatives to the traditional employee/employer model than other countries, but economic globalization and shifting cultural attitudes are putting pressure on the traditional model.

RECENT LEGISLATION AND LAWSUITS

Workers in the “on demand” service economy have recently filed class-action lawsuits against start-ups Uber, Lyft, Handy, Homejoy, Washio, and others. Workers argue that the companies control their work to such an extent that they are truly employees entitled to minimum wage, overtime, reimbursement for expenses and other employee benefits. Some businesses, like Shyp and Instacart, responded to the lawsuits with announcements that they will reclassify workers as employees. Homejoy, however, cited one such lawsuit as the “deciding factor” to shutter the business. Still others, notably Uber – the startup that became the face of the on-demand economy – continue to battle allegations in court in a spate of lawsuits challenging its business practices, including its classification of drivers as independent contractors. In a federal lawsuit filed in Northern California, Uber drivers alleged that the company exercises such control over them that they should be considered employees entitled to minimum wage, overtime and other benefits.

continued on page 25



E-Discovery

ADA Decision Highlights “Proportionality” Limits

By David Horrigan

Even in our very partisan political world, every once in a while combatants come together for the greater good. The passage of the Americans with Disabilities Act of 1990 (ADA) was one of those moments. A Republican president signed a bill introduced by a Democratic senator and passed overwhelmingly by both houses of Congress. Its significance in making public accommodations available to people with disabilities would be hard to overstate. However, as we were reminded in a recent court decision, even the ADA doesn’t give litigants a blank check in e-discovery. In almost any case, e-discovery has its limits.

This case involved Red Robin Gourmet Burgers, Inc., which opened its first location in Seattle in 1969, went public in 2012, and has grown into a major fast food chain across the United States and Canada, with about 32,000 employees in over 500 locations. The company says it has four core values: honesty, integrity, continually seeking knowledge, and having fun. The company embroiders these values on the sleeves of employees’ uniforms, and it says it applies them to its customers. Red Robin claims these values are manifested through what it calls its “Unbridled Acts.” It defines these as “random acts of kindness staffers bestow upon guests and other team members.”

However, a group of disabled Red Robin customers claim they missed out on the Unbridled Acts because Red Robin Gourmet Burgers Inc. failed to give them unbridled access to the company’s restaurants, in violation of the ADA. In Lieberg v. Red Robin Gourmet Burgers, Inc., a decision rendered in April of this year, the U.S. District Court for the Western Division of Washington considered the limits of e-discovery in lawsuits alleging ADA compliance failures.

Gary Lieberg and Brent King, Red Robin customers who use wheelchairs, sued Red Robin “on behalf of all wheelchair users who have attempted, or will attempt, to utilize the parking facilities at locations for which Defendant owns and/or controls the parking facilities.” That part about controlling the parking facilities would be key in the legal opinion.

As they launched their e-discovery in hopes of obtaining certification for a class of disabled Red Robin customers, Lieberg and King filed extensive discovery requests, seeking discovery from all the company’s stores. For instance, they sought information from Red Robin on any store the company claimed was ADA compliant. In essence, the plaintiffs said, “send us discovery on every store or concede the stores not providing discovery are non-compliant with the ADA.”

Finding the unpalatable choice of providing discovery or conceding noncompliance unacceptable, Red Robin moved for a protective order seeking to limit discovery. By granting in part and denying in part Red Robin’s motion for a protective order, the court noted the limits of the ADA. “The ADA only obligates individuals who have some measure of control over the disputed public accommodation,” wrote U.S. District Judge Thomas Zilly.

The problem for the plaintiffs was that, out of its more than 500 restaurants, Red Robin owns the property for only 32 of them. Red Robin “rarely, if ever,” the court noted, “has a role in designing, constructing, or maintaining the ‘common areas’ that are adjacent to its restaurants, including parking facilities, curbs, sidewalks, and exterior entries.” In addition, the company’s leases often give the landlord control and responsibility for common areas, including the parking lots. Thus, although the court ordered Red Robin to produce ADA policies and procedures for all Red Robin restaurants, it limited discovery to the 11 restaurants identified in the complaint and the 32 company-owned stores.

Judge Zilly’s decision is yet another indication that proportionality is, in fact, becoming a more important factor in litigation. Broad-based “give us everything and the kitchen sink” e-discovery, without limiting such requests in view of the facts of the case, is rapidly becoming a thing of the past.

For potential class-action plaintiffs in regulatory compliance litigation involving retail chains, the case also illustrates a significant challenge. It’s going to be somewhat more difficult to conduct nationwide e-discovery to establish the facts of the case if retailers don’t own the real estate where many of their stores are located.

David Horrigan is e-discovery counsel and legal content director at software company kCura. A law school guest lecturer, e-discovery industry analyst, and award-winning journalist, he has served as counsel at the Entertainment Software Association, reporter and assistant editor at The National Law Journal, and analyst and counsel at 451 Research. dhorrigan@kcura.com



E-Discovery

The Challenge of Foreign Language Document Review

By Sophie Ross

Given the global nature of e-discovery today, reviewing documents in multiple languages is a challenge for an increasing number of corporate legal teams. Even the most sophisticated legal departments, with the most finely-tuned e-discovery process, may struggle with the review phase when non-English language documents are involved. A recent FTI Consulting Advice from Counsel survey found that 35 percent of respondents from Fortune 1000 legal departments were regularly managing litigation, investigations or regulatory requests that involved data from outside the United States, and 65 percent had experienced a recent matter involving data from international jurisdictions.

Not only are cross-border matters becoming more common, they are becoming more complex, given varying and evolving data privacy regulations around the world. Conducting foreign language e-discovery requires a highly specialized talent pool, knowledge base and skill set.

Consider, for one example, a global investigation into a U.S.-based corporation doing business abroad. The data residing in other countries is subject to various data protection laws and cannot simply be taken out of the country to the United States for legal review. Producing data across borders opens up the potential for penalties from local and regional authorities. Moreover, the data could include documents in several, even dozens of languages, requiring review by experts fluent in those languages, accurate translation, or both.

This scenario is not uncommon in today’s litigation environment, and organizations that do business abroad should be prepared to see these types of situations crop up regularly. The following is an outline of some common challenges parties could then face, with some suggestions for how to address them.

1. Reviewers: It can be challenging to put feet on the ground in the region where the data originates. Often, organizations will rely on external providers to manage e-discovery activity in the non-U.S. locales, but some providers may not have the capability to screen and manage the quality of these reviews. Qualification is important when working with local reviewers, and the requirements vary by country. Legal and language qualification, which ensure reviewers are appropriately qualified for their region and fluent in the language, are highly beneficial when working abroad. Also important are training and management. Foreign language reviewers who are trained in the standard practices of e-discovery review in the United States, and who understand the underlying concepts and document coding nuances for the purposes of U.S. courts, are more efficient. The presence of on-site review managers with fluency in the language can also strengthen quality control and consistency. For example, an on-site manager can evaluate reviewer fluency, monitor the uniformity of coding decisions across the assignment, and enforce the accurate application of standard coding practices.

2. Workflows: Cross-border review teams can benefit by establishing and maintaining workflows that address data protection regulations for each region, while also managing the volume of data that will need review and translation. For example, specialized processes can incorporate the tracking of unique document identities to minimize the repeat handling of the same documents across different geographies. Workflows can also be adjusted to reduce the total number of documents that need translation. Translation is time-consuming and expensive, so doing it at an early stage in the process can be inefficient. A process that allows reviewers to first establish what is in the documents and then translate a smaller subset can save time and money.

3. Security & Confidentiality: Security and compliance with data privacy regulations should be a top priority for cross-border teams. However, common local practices can undermine these important considerations. For example, many reviewers and translators outside the United States work from home, taking sensitive data out of the controlled environment of the review center. Experts with experience in handling these issues can help ensure that review and translation activities take place onsite, in secure locations. That practice can also reduce the risk of a data breach.

4. Pricing & Reviewer Scarcity: Some languages are so specialized that few quality reviewers are available, so there may be long lead times. For some languages, the marketplace is so small that a single matter in a particular region could dramatically increase costs or drain the resource pool for any other subsequent reviews in the area. The guidance of providers who have a strong foothold in the local area and access to their own trained and trusted reviewer teams can be invaluable when the need to review in such languages arises.

5. Technology: U.S. attorneys have started to move beyond linear review to embrace advanced technologies as a way to reduce e-discovery costs and boost efficiency. These methods can also apply to foreign language review in other jurisdictions, and more so when applied by experienced practitioners with knowledge of the workflow nuances for other languages. For example, when a skilled team using the right tools applies clustering or predictive coding across a multi-language dataset, it will increase the efficiency of the review no matter how many non-English languages are involved. This practice can be applied to translation as well. Using analytics technology to strategically evaluate the document set can help reduce the number of documents that need to be translated, leading to cost savings for the parties involved.

When choosing a provider, it is advisable to keep in mind the challenges inherent in multilingual review and set a high standard for the ability of teams to navigate the legal landscape in non-U.S. jurisdictions. Missing pieces in the process can leave an opening for higher costs, longer timelines, overlooked data, or even a data breach. Well-designed workflows and seasoned teams lead to greater security and efficiency.

Sophie Ross is a senior managing director in the FTI Technology Practice, based in San Francisco. She heads the western region for FTI Technology, while also leading FTI’s Acuity Document Review business. She specializes in helping clients manage their overall e-discovery and review through predictable pricing models and simplified layers of discovery management. sophie.ross@fticonsulting.com


E-Discovery

Practical Proportionality through Science

By Julia L. Brickell and Bruce Hedin

Among the more buzzworthy of the recent amendments to the Federal Rules of Civil Procedure is the change to Rule 26(b), which emphasizes proportionality in discovery by elevating existing language to a more prominent place in the rules. The intent is to encourage parties and the courts to reduce the time and costs of addressing the massive volumes of ESI that may be implicated in discovery, while still uncovering the information that actually matters to the case.

The road to proportionality remains a bumpy one for both litigants and the bench. The ideal scenario would be for counsel to engage in a practical discovery effort, equipped with facts about the volume and quality of information relevant to a claim or defense, where it resides and potential methods to get it. Such knowledge would enable a principled and defensible assessment of proportional discovery, whether or not the basis of the assessment is disclosed to the other side. However, if there were to be disclosure to or a challenge by the other side, facts about the approach would have to be persuasive.

What would it take to convince opposing counsel (or the court) that the “proportional” discovery proposed for the just, speedy and inexpensive resolution of the matter will not deprive opposing counsel of information they need? Or, taking the perspective of the requesting party, what would it take to show that the requests had a reasonable likelihood of leading to material information that isn’t redundant and is not simply an element in a “war-of-attrition” approach to the litigation? From either perspective, success will depend on being able to demonstrate that a position has sufficient factual basis and is not based on conjecture.

The critical question then becomes: How can counsel, without full discovery, unearth that factual basis? Here, counsel can benefit from “practical proportionality through science.” In this case, the science of statistics, supported when circumstances warrant by the science of information retrieval (IR), offers both a practical and cost-effective approach to the proportionality dilemma, and one that would not impose undue burden in a very large range of matters. By statistically sampling data populations and manually reviewing or using more cost-effective IR methods to determine the presence – or even better, the absence – of probative fact patterns in the samples, it can indeed be determined in advance if the heavy lifting of full discovery is warranted. The resulting intelligence from this exercise could lead to decision-making that results in discovery at costs far lower than those incurred by a broad approach.

Admittedly, statistics and IR skills are typically beyond the competencies of most counsel. But such expertise does exist in the field of e-discovery and could be harnessed. As a prominent judge well-versed in e-discovery has noted, statistics have been widely used in other aspects of the adjudication of legal claims, so it is probably a matter of time before they are habitually applied in the realm of discovery, and for good reason. Science can contribute solutions that are principled, concrete, low cost and actionable. Let’s take a look at some commonplace scenarios in which these scientific skills might help address the proportionality conundrum for data that isn’t clearly out of scope.

Scenario 1

Party A (the requesting party) provides a list of 100 custodians whose data it asserts is within the scope of discovery. Party B responds that, given the lack of merit of the claims and its view of the role of the custodians in the relevant activity, only ten of those custodians would have any significant amount of responsive ESI.

Solution: A statistician designs a sampling protocol to which both parties agree and which Party B implements, to obtain an initial sounding of the amount of responsive material held by the 90 disputed custodians. The sampling protocol could be simple or sophisticated, depending on the circumstances. For example, the protocol could simply treat the 90 custodians’ data as a single population, identify a representative subset for collection, and from that subset draw and review a statistical sample for relevance. Or, it could follow a stratified sample design, allowing distinctions to be made among the custodians. The protocol might follow a phased approach, looking first at custodians thought most likely to hold responsive data and then, if warranted, moving on to the other custodians. Indeed, the protocol itself serves as a cost-effective way to gather the information needed to arrive at a fact-based resolution of the dispute and to calibrate the cost of any additional discovery. The expert statistician might advise one side, or it might serve as an “honest broker” by common agreement of the parties (or perhaps even be appointed by the court). The protocol would include provisions to ensure that no non-responsive information held by any of the custodians would be disclosed to Party A. Results of the analysis could be summarized in abstract but meaningful and quantitative terms.

Scenario 2

Party A proposes a list of keywords for culling down Party B’s data. Party B objects to the list and proposes a much pared-down list of its own, arguing that the keywords proposed by Party A are much too broad and would entail an unduly lengthy and expensive review.

Solution: Design a protocol whereby a neutral third party, with expertise in both linguistics and statistics, is supplied with the competing keyword lists and a sample of Party B’s data. The expert is tasked with testing, iteratively refining the keywords and suggesting new keywords as needed, until the list is doing a reasonably effective job of culling in potentially responsive and excluding non-responsive data. Party B benefits by having a smaller culled-in set to review for responsiveness (and privilege), and Party A benefits from knowing that the culling step has been refined to better capture responsive information. The protocol includes provisions to ensure that no sample data is shared with Party A.

Scenario 3

Party A discloses the existence of an additional archive of email in its possession but argues that the archive is redundant, given the email from other sources that has already been reviewed and produced. Party B argues that Party A should conduct a complete review of the newly disclosed archive and should bear the associated cost.

Solution: A protocol is designed and executed that – via a combination of sampling, de-duplication technologies and review – allows the estimation of the proportion of the newly disclosed archive that is responsive, and the proportion of the responsive material in the archive that is not duplicated by material that was already reviewed and produced. With these estimates in hand, the parties (or the court) can resolve or adjudicate the dispute, informed by the likely amount and value of the new responsive information contained in the newly disclosed archive.

Scenario 4

Party A complains that all but a bare minimum of discovery is disproportionate, given the size and significance of the case and the modest revenues of Party A. Party B counters that the all-in costs for broad discovery will only total $X. Party A puts the estimate at $7X.

Solution: Because sampling allows incremental and low-cost probing of Party A’s data sources, the cost of discovery would be better assessed after such efforts provide at least provisional estimates of the amount of data in-scope for collection and review, and the amount of responsive data residing in the in-scope population. Equipped with such fact-based estimates, Party A could substantiate its views. Further, if Party A’s initial disproportionality argument is unsuccessful, Party A could propose an incremental sampling process (sample design, collection of sample, search, privilege review) in its proposed discovery plan, whereby discovery could be targeted to the most salient information. In addition to using a statistician, Party A might gain credibility in its cost analysis by drawing on appropriate expertise in budgeting and financial analysis to create a reliable cost model.

Practical, empirically-driven methods along these lines would allow a better-informed application of the principle of proportionality. Where data sources would provide merely tangential or redundant information, eliminating them from discovery will save time and money, and allow all resources to focus on what has the most value. To the extent that the remaining sources differ in richness, producing counsel might propose phased discovery that starts with the source or sources deemed most rich. The proportionality of requiring additional discovery could be discussed subsequently, when the requesting party, armed with real information, can articulate why it needs more information about a topic, and the responding party can rely on the sampling results to explain to what degree those topics are present in the additional sources (or are covered in data that has already been produced).

Of course, there will be the inevitable procedural considerations, chief among them being who will design and oversee the sampling protocols, and who will pay for it. With regard to “who does it,” the legal realm is increasingly adopting technologies where expertise in statistics and data analysis is required, so individuals with the requisite skills are available. The expertise could be provided by an individual selected with the consent of both parties to serve as an honest broker to gather the empirical evidence appropriate to the question at hand. Or it might be provided by an individual hired by one party, someone whose qualifications and transparency render the findings credible, if they are to be disclosed. Alternatively, the expertise could come from a neutral third party appointed by the court.

The “who pays for it” question, normally fraught with contention, will diminish in significance when the mutual benefits are properly considered. One party might bear the full cost, but there are possible cost-sharing arrangements that could be negotiated in good faith. Important to note, however, is that regardless of the specific arrangement, the cost of both the expert’s hours in sampling design and oversight of the sampling protocol, and the review of the sample (whether manually or by technology-assisted means), should be very small when compared to the cost of a discovery effort that does not utilize statistics and data science in order to focus only on the sources of data that may yield meaningful and nonredundant information.

In addition to the demonstrated benefits to the parties, the application of appropriate expertise to the problem benefits the court by:

• Displacing much of the resource drain of unnecessary motion practice.
• Reducing the time that the court spends listening to and refereeing discovery gamesmanship.
• Enabling the prompt, effective and efficient initial assessment of the validity of each party’s position on discovery-related questions.
• Perhaps most important of all, offering a replicable, reliable, scientifically sound course of action to the court.

There are challenges that will have to be addressed as a more practical approach to proportionality evolves. They are not insurmountable as long as litigating parties and the courts come to recognize that science, which today is an increasingly routine part of discovery protocols enabling technology-assisted review, has a role to play in making proportionality discussions both better grounded and more efficient. The amended Rule 26 reflects an earnest desire by the courts and the bar to lessen the e-discovery burden and align discovery proportionately with a case. Making that vision a reality will take work, but with a scientific foundation and the proper expertise, it can be realized.

Julia Brickell is executive managing director and general counsel of H5. Prior to joining H5, she was associate general counsel of Altria Client Services, and vice president and deputy general counsel of Philip Morris USA. She is on the board of Lawyers for Civil Justice and serves on the faculty of Columbia University’s Executive Master of Science in Technology Management program. jbrickell@h5.com

Bruce Hedin is H5’s principal scientist. His areas of focus have been process design, sampling, and measurement. Prior to joining H5, he worked at YY Technologies, a firm developing natural language processing software. bhedin@h5.com



Labor & Employment “Uberizing” Workforce continued from page 17

As independent contractors, the drivers pay their own expenses. In late April, Uber and the drivers reached a tentative settlement whereby Uber would pay up to $100 million to drivers in California and Massachusetts, allow drivers to post signs in their vehicles soliciting tips from riders, and change its practice of deactivating drivers from the Uber app without warning or recourse. While this settlement would resolve the claims of the drivers in the class, it does not finally resolve the drivers’ status as employees or independent contractors, or set a legal precedent. Uber would still be open to misclassification challenges by state and federal government agencies, and its promise to permit further recourse by deactivated drivers may provide additional support to the argument that drivers are in fact employees.

A GLOBAL ISSUE

While the U.S. Department of Labor and state agencies often take a hardline approach to independent contractor misclassification, the United States is arguably more accepting of alternatives to the traditional employee/employer model than other countries. However, economic globalization and shifting cultural attitudes toward the traditional employment relationship are putting pressure on the traditional model. In Argentina, the default relationship is that of employee and employer, and bona fide independent contractors are limited to professionals and very specific cases. Generally, all employment activities must be covered by a collective bargaining agreement and employees represented by a union. Employers are responding to workers’ shifting attitudes by increasing flexibility in working time and prioritizing results over time spent at work. In Brazil, the employer-employee relationship is the default agreement, and workers and companies cannot choose a different legal regimen if the worker will in fact act as an employee. As in the United States, courts will evaluate the facts and circumstances of the parties’ relationship, and how the parties label their relationship is entitled to little weight. To be a bona fide independent contractor in Brazil, the worker must not be subject to any administrative supervision, necessary interference must be minimal, and the company must evaluate and pay the worker according to deliverables, not based on time worked. Mexico’s employers have embraced technology, including such things as virtual meetings, as a way to adapt to workers’ shifting prioritization of productivity and personal happiness. With this new technology has come variations on the traditional employment model. In Mexico, an employment relationship is one which is (1) personal, meaning that the worker and no one else will provide the work, (2) subordinating, meaning that the worker is under the employer’s control and (3) the work is provided in exchange for wages. In France, the concept of subordination defines the employment relationship, meaning that the employer gives orders to employees, controls the execution of the orders, and may discipline employees if necessary. In contrast, an independent contractor is free to determine how the assigned task is to be carried out and bears the economic risks associated with the business. In Germany, the most important distinction between employees and independent contractors is the degree of independence the worker exercises over the work. Factors relevant for determining the degree of independence include the extent to which the worker must comply with the employer’s instructions regarding working hours and the place of work. In the UK, an increasing number of people take part in the on-demand economy. Individuals in work are defined as “self-employed,” “employees” or “workers,” but there is no legal test to determine employment status. In the UK legal proceedings have been filed by Uber drivers claiming to be “workers” and seeking the national minimum wage and holiday pay.

Employers in all countries should be cautious in classifying workers as independent contractors, despite the lure of new technology. In the United States, unless and until the legal framework changes to reflect the new varieties of working arrangements made possible by technology, it will be difficult to fit these workers into the traditional dichotomy of employee or independent contractor. As aptly stated by the federal judge hearing a misclassification suit against Uber-rival Lyft, any jury tasked with determining worker classification in this new on-demand economy “will be handed a square peg and asked to choose between two round holes.” ■

Sal Simao is a partner at the Berkeley Heights, New Jersey, office of Ford & Harrison LLP. He focuses his practice on the representation of companies in employment law matters with a specialization in wage and hour litigation and compliance. ssimao@fordharrison.com

Joanna Rich is a senior associate in the Berkeley Heights, New Jersey, office of FordHarrison LLP. She concentrates her practice on the representation of employers in labor and employment law matters. jrich@fordharrison.com Input on this article also came from Hannah Price, partner at UK law firm Lewis Silkin; Fadi Sfeir, partner at French law firm Capstan; Alexander Ulrich, partner at German law firm Kliemt & Vollstädt; Eduardo Juan Viñales, partner at Argentinian law firm Funes de Rioja & Asociados; Jose Carlos Wahle, partner at Brazilian law firm Veirano Advogados; and Jaime Alejandro Vazquez, partner at Mexican law firm Basham, Ringe y Correa SC. All firms are members of the global HR and employment law firm alliance Ius Laboris.


Intellectual Property

A Powerful Weapon Against Infringing Imports By H. Jonathan Redway

According to the International AntiCounterfeiting Coalition, the projected value of global trade in counterfeit and pirated goods in 2015 was $1.77 trillion. That figure is strong evidence that the protection of intellectual property rights is critical to companies both at home and abroad. In the United States, intellectual property litigants addressing infringement activities are able to choose from a variety of enforcement mechanisms. The best known venues for IP enforcement are the federal courts, including the Eastern District of Texas, Eastern District of Virginia, Northern District of California and the District of Delaware.

Federal courts such as these have broad discretion to issue injunctions to stop unlawful infringement, but only if the IP holder can show an injunction is needed to prevent irreparable injury. Moreover, district courts permit the litigation of all legal and equitable defenses, which can take time. More recently, the United States Patent and Trademark Office (USPTO) began entertaining certain invalidity defenses in what are commonly referred to as post-patent grant proceedings. If this happens, federal court actions are often stayed pending the outcome of the post grant proceeding. As a result, Section 337 of the Tariff Act of 1930 remains the single most powerful and reliable weapon a company can use to protect its United States intellectual property against infringing imports.

Under Section 337, the U.S. International Trade Commission conducts investigations into allegations of certain unfair practices in import trade. Most investigations involve claims of patent infringement or registered trademark infringement, but other forms of unfair competition, such as misappropriation of trade secrets, common law trademark and trade dress infringement and “passing off” may also be asserted. Section 337 investigations are instituted by the Commission based on a properly filed complaint, and a formal evidentiary hearing on the merits of a Section 337 case is conducted by an administrative law judge. The parties have the right to adequate notice, discovery, cross-examination, presenting of evidence, objections and all other rights essential to a fair hearing. Following the hearing on the merits, the presiding ALJ issues an Initial Determination (ID). The ID contains findings of fact and conclusions of law on whether Section 337 has been violated, and it is certified to the Commission along with the evidentiary record. The Commission may review and adopt the ID, decide not to review it, or modify or reverse or remand it to the ALJ. If the Commission adopts or declines to review an ID, the ID becomes the Commission’s final determination.

In the event the Commission determines that Section 337 has been violated, the Commission may issue an exclusion order barring the products at issue from entry into the United States and/or “cease and desist” orders directing the violating parties to cease certain actions, such as warehousing inventory of the infringing products in the United States for distribution. These orders are enforced by U.S. Customs and Border Protection.

In eBay v. MercExchange, the U.S. Supreme Court held that there is no general rule that a permanent injunction will issue upon a finding of infringement in district court cases. An intellectual property right holder must show that it will suffer irreparable harm unless the relief is granted because remedies otherwise available are inadequate. Because Section 337 exclusion orders have “different statutory underpinnings” from relief available in district court, they need not satisfy the irreparable harm test set out by the Court in eBay, which is why the U.S. Customs and Border Protection can staunchly enforce the Commission’s cease and desist orders. This heavy-handed authority is part of what sets Section 337 apart from other IP enforcement venues. But the benefits of Section 337 go further still.

SPEED

In essence, Section 337 is a “rocket docket” that is almost always faster than the federal district courts, where intellectual property disputes often take several years to complete. By statute, Section 337 investigations must be completed “at the earliest practical time.” As a result, the Commission places great emphasis on the timeliness of Section 337 investigations. A typical 337 investigation is completed in 14 to 16 months. In patent cases, claim construction determinations – when held prior to the evidentiary hearing – usually take place within just four or five months of institution, and the hearing on the merits usually takes place within nine months of institution. The speed of Section 337 investigations is particularly beneficial for products that are already known to be entering the market.

The fast pace of a Section 337 investigation puts the complainant at a tremendous advantage. Because the complainant chooses when to file its complaint, it can undertake appropriate discovery preparation before the investigation actually begins and may serve discovery requests once the notice of institution is published in the Federal Register. Lacking this advantage, a respondent always enters an investigation behind, and it must immediately undertake a number of actions, including responding to the complaint within 20 days and responding to discovery requests within just ten days.

Another advantage of a Section 337 investigation is that once it starts, it is not easy to stop. A party may terminate an investigation with respect to one or more respondents on the basis of a licensing or other settlement agreement. In the alternative, an investigation may be terminated as to one or more respondents on the basis of a Consent Order. To date, no 337 investigation has been stayed pending resolution of a post grant proceeding initiated by a respondent before the USPTO. In contrast, federal courts regularly grant stays in patent enforcement actions until post grant proceedings are concluded.

BROAD JURISDICTION

The broad jurisdiction of the ITC is also an advantage in discovery. Sometimes, manufacturing information is needed to prove a case, and in some instances that information is located outside the United States. As a result, it can be difficult to obtain, not only because of the distance involved, but because foreign governments may place limits on discovery procedures. In Section 337 investigations, a complainant does not need to wait to perfect service on foreign parties, as is the case in a U.S. district court matter. Instead, such discovery may begin pursuant to the Hague Convention, once notice of the investigation is published in the Federal Register. Although the Commission cannot issue subpoenas to compel foreign companies to produce documents or divulge information, it can and does impose substantial sanctions that often provide respondents with more than enough incentive to participate in Section 337 investigations.

In addition, as long as the respondent’s products are being imported into the United States, the ITC may grant relief related to those products. This is particularly advantageous when some or all of the infringers are foreign entities with limited contacts with the United States. For example, foreign companies using assembly methods to manufacture products that infringe a United States method patent, and domestic companies that sell products in the United States assembled by the protected method, can be stopped cold in a single proceeding if the assembled products are imported into the United States. An intellectual property rights holder wishing to enforce its rights in U.S. district courts would likely need to bring several separate lawsuits in multiple locations in order to satisfy the jurisdictional and venue requirements of each infringer.

EXPERTISE

Another benefit of pursuing Section 337 investigations is that the presiding ALJs work almost exclusively on intellectual property cases. The judges, and the clerks, are regularly exposed to a wide variety of technologies from almost every industry imaginable. As a result, the ALJs are very experienced in the application of complex legal principles governing the resolution of such cases, unlike district court judges whose dockets in most jurisdictions cover a wide range of topics. Other than a case-specific tutorial on the specific technology at issue, little time needs to be spent educating the ALJs. Their expertise is reflected in the relatively high number of determinations that are affirmed at the Commission level and on appeal before the Federal Circuit. Recent studies have shown that the Commission determines to review only about a third of the issues petitioned. Moreover, upon review, the Commission affirms the ALJ two thirds of the time. Similarly, recent studies have shown that the Federal Circuit reverses the Commission less than one third of the time. Other studies have shown a higher rate of reversal of district court or USPTO judgments by the Federal Circuit.

There is no question that the procedural rules, including the individual ALJ Ground Rules, are challenging to the unfamiliar and mistakes can prove costly, but the advantages of Section 337 proceedings clearly outweigh the potential drawbacks in most cases. Although the speed of the proceeding is at times disruptive even to those with litigation experience, the benefit of a fast, effective and reliable determination makes 337 investigations the number one weapon available to IP holders to stop infringing imports. ■

H. Jonathan Redway is a member attorney with Dickinson Wright PLLC, where he co-chairs the firm’s Intellectual Property Litigation Practice Group. His practice is focused on intellectual property litigation, including Section 337 investigations. JRedway@dickinson-wright.com.



Cybersecurity

Don’t Let “Shadow IT” Take Hold in the Legal Department By Wafik Guirgis and Steve Falkin

Given the proliferation of cloud apps and web-based collaboration tools, it’s no wonder that the rules of the IT road are now being tested. Solutions that would have taken months of planning and a defined budget are now just a download away, as employees become more tech savvy. Employees are now becoming empowered to take workplace technology adoption into their own hands. This ease of access is presenting a challenge for IT departments. A 2016 Cisco research report found that “Shadow IT” – the use of unauthorized software by employees – has grown nearly 70 percent in less than a year. These rogue implementations can even be celebrated, as departments praise the ingenuity of those who find better ways to organize their information and increase collaboration. As a result, it’s not uncommon to see consumer-grade tools like Google Drive, Dropbox and Evernote implemented as personal or departmental solutions without ever getting the green light from IT departments. Shadow IT isn’t isolated to marketing, operations or HR teams. It’s also finding its way into law departments.

For a number of reasons, legal professionals are saving corporate files on unprotected devices, and procuring their own apps for document sharing and storage. Because law department employees handle some of their organizations’ most sensitive and confidential data, their rogue IT behavior creates alarming risks that organizations cannot afford to ignore. Law department leaders must partner with IT groups to address the root causes of this end-user behavior, protect their most sensitive information and foster secure collaboration within corporate law departments.

What drives rogue habits? Business unit technology needs are becoming more sophisticated, requiring increased IT attention, but often revenue-generating functions – such as sales, marketing and product development – command more IT attention than do the “nonrevenue generating” functions, such as law departments. As a result, proactive law departments have started to create embedded IT roles within their team structure or emphasize hiring candidates with technical expertise. Still, many remain beholden to a central IT group. Without the necessary support from IT leaders, a handful of possible scenarios may play out:
• Law departments resort to decentralized platforms for collaboration. For legal teams that aren’t using enterprise matter management or document management solutions, associates are left to fend for themselves to share and store critical information and files. In some instances, employees may track this information in spreadsheets, a method that is prone to inaccuracies, more susceptible to file corruption and often less secure. Similarly, legal professionals may use their email as a repository for classifying different projects, a relatively harmless habit for personal organization, but one that doesn’t lend itself to efficient cross-team collaboration.
• IT-implemented solutions are viewed as less than effective. When IT leaders don’t consult with law departments before rolling out a software program or cloud app, the chance of a botched implementation rises. If a new, corporate-sanctioned technology detracts from legal professionals’ productivity, for example by integrating poorly with existing tools, they’re more likely to stop using it. When technology drives process and not the other way around, employees turn to more familiar solutions that they can readily customize, like Google Drive or Basecamp. Often, these solutions haven’t been vetted by IT with regard to information privacy, server locations or other jurisdiction-specific considerations. Even if employees don’t switch to consumer-grade alternatives, they may still revert to saving files locally on laptops, desktops or in personal network drives. This undermines data security and lacks the organizational capability of robust enterprise document management platforms.
• Sanctioned tools fail to meet the law department’s needs. Marketing, operations and sales departments may value the ability to customize a program like SharePoint for cross-company collaboration, but that same accessibility might not appeal to legal professionals who must maintain their assertions of confidentiality and/or privilege. As a result, the perceived lack of security can cause legal professionals to limit what they store in SharePoint repositories to non-sensitive items.

Under any of these scenarios, law department employees tend to fend for themselves, either by ignoring sanctioned technology or implementing unsanctioned tools. They then become blind spots that IT teams can’t maintain, monitor or support. How can IT departments promote secure, strategic technology use in the law department? It begins with implementing solutions that are designed around the way legal professionals work. This isn’t a simple tactical adjustment, but rather a company-wide change-management initiative. This roadmap should properly balance legal needs for process efficiency and corporate IT mandates.

There are a number of things that law and IT department leaders must do together to provide unique tech solutions, including:
• Arrive at a clear understanding regarding the needs of legal professionals. To encourage adoption of approved solutions, IT departments have to consider tools that truly support the needs of the law department. General counsel should work closely with IT leadership prior to a large roll-out to ensure all department needs are met.
• Establish representative project teams. IT teams should not lead application or software implementations in a vacuum. Organizations should appoint project committees with stakeholders from IT, the law department, the executive team and even outside counsel (if they’ll have access to the tool). With an inclusive group overseeing the initiative, end users’ needs are more likely to stay top of mind.
• Set thoughtful, realistic timelines. Determining the timeframe for any technology rollout depends on multiple factors, including the complexity of the tool and the size of the organization, as well as proper phasing and how many people are going to be using it. Project teams also must consider the effort required to migrate existing data or documents from disparate systems into the new platform. When implementing a new document management solution, for instance, most organizations will want to build in time for an effective document migration so users aren’t forced to start with a less-meaningful blank slate.
• Develop a long-term program. Change management doesn’t stop at implementation. Law department leaders should collaborate with IT and the C-suite on methods to foster ongoing employee awareness of sanctioned technologies, reward staff for adoption, and create processes to identify gaps between what employees need and the tools provided. Organizations must also define clear metrics in order to quantify how existing enterprise systems are being used and which teams or practice areas use them most. Constantly measuring these variables increases the likelihood of sustaining safe IT habits.

Shadow IT in law departments is almost never about intentionally risky behavior or uninformed staff. Rather, it’s the byproduct of the deeper issue of ineffective partnerships between IT teams and the law department end users they serve. Today, law department and IT leaders have an opportunity to champion overdue transformation within their teams by enhancing collaboration between legal and IT and approaching gaps from a strategic rather than tactical perspective. The result will be law departments that can better ensure the security of their data without sacrificing efficiency. ■

Wafik Guirgis is a senior director in HBR’s Law Department Consulting Practice. He has nearly 17 years of legal operations consulting and corporate experience, and has held positions at Huron Consulting Group, Merrill Lynch, Deloitte and PwC. WGuirgis@hbrconsulting.com

Steve Falkin is a managing director for HBR Consulting. He has over 25 years experience in technology consulting and project management. He currently works in a broad range of practice areas including IT Strategy, Planning & Assessment, Mission Critical Infrastructure and Tech Facilities. SFalkin@hbrconsulting.com


Cybersecurity

Standing is Key Issue in Cyber Lawsuits
By Mackenzie S. Wallace and Jennifer R. Ecklund

All businesses regardless of size or industry need to be aware of evolving cybersecurity threats, as well as the developing law and regulation. The rise in cyber attacks and breaches has spanned all industries, from retail to health care. Particularly since the high-profile data breaches of the 2013 holiday season, notably at Target and Neiman Marcus, business and legal communities have carefully watched what the courts would do with the data breach lawsuits that followed.

THE RIGHT TO BE HEARD

Standing is the legal term for the ability of a party to demonstrate to the court sufficient connection to and harm from the law or action being challenged to support that party’s participation in the case. It refers to the party’s link to the dispute and its right to be heard on its claim. A data breach plaintiff is no different from any other federal plaintiff. Standing must be established in order to survive a 12(b)(1) motion to dismiss for lack of subject-matter jurisdiction.

District courts have traditionally dismissed consumer suits for data breaches, reasoning that the plaintiffs could not allege or prove actual harm, a requirement of standing. In the consumer context, courts confronting traditional data-breach fact patterns recognized that, while stolen data often contains personal consumer information, the primary objective of the theft frequently is confidential business information, and more often than not there is no indication the breach resulted in any misuse of the personal information.

Plaintiffs tried many theories to justify recovery, but courts generally dismissed them. Courts would dismiss contract-related claims, for example, because user agreements rarely imposed data security obligations. Negligence claims were typically ineffective because negligence plaintiffs can only recover for personal or property damage, while most data breach victims allege only economic loss, and invasion of privacy is compensable only if private information is published. Regardless of the approach, data-breach plaintiffs could not allege that their information had been stolen or their data misused in a way that showed the actual harm needed to support standing – and in this kind of litigation, the initial ruling on standing is crucial. Failure to obtain early dismissal significantly raises the settlement value of the case.

The legal rule governing dismissal of consumer cases emerged in a line of cases applying the “case” or “controversy” requirement of the Constitution, as interpreted by the Supreme Court in the 2013 decision, Clapper v. Amnesty International USA. Courts applying Clapper to data breach complaints have generally found that the damage frequently pleaded by the plaintiffs – the risk of future identity theft – is too speculative to support standing for a lawsuit.

The Clapper case itself was not a data breach case, but rather involved the United States Foreign Intelligence Surveillance Act. In Clapper, journalists sued to invalidate amendments concerning surveillance of non-United States persons located abroad. The Supreme Court concluded that the threat of potential surveillance was not imminent and that the journalists who filed suit suffered no actual harm. Thus, the case suggests that plaintiffs cannot manufacture standing based on their fears of a hypothetical future harm. Until recently, Clapper was invoked to routinely dismiss data breach cases. However, two recent cases applying Clapper, involving Target and Neiman Marcus, have not been dismissed.

In the Target matter – In re Target Corporation Customer Data Security Breach Litigation, filed in 2014 – customers brought a class action in a Minnesota federal court against Target after computer hackers stole credit card and debit card information. Target, relying on Clapper, moved to dismiss based on lack of standing. But, deviating from previous Clapper rulings, the court held that the Target customers had sufficiently alleged that they had suffered an injury. Specifically, the trial judge held that the customers had standing to bring the class action because they were temporarily unable to access money in their accounts. Thereafter, Target settled for $10 million. In January of 2016 the settlement survived an appeal to the Eighth Circuit.

Neiman Marcus was also sued in 2014, after it had become the target of a malware attack that breached the card data of 1.1 million customers. The consumer-plaintiffs sued on behalf of 350,000 affected customers. Like Target, Neiman Marcus moved to dismiss the complaint, arguing that because the plaintiffs could not allege any present injuries, they lacked standing under Clapper. The plaintiffs alleged various actual injuries, including an increased risk of future fraudulent charges and greater susceptibility to identity theft.

First, the District Court for the Northern District of Illinois agreed with Neiman Marcus and – based on Clapper – dismissed the suit for failure to establish standing. The court did not allow that future injury would suffice. But the Seventh Circuit reversed and did accept standing based on allegations

continued on page 39



Lessons from Ransomware Attacks on Healthcare Providers
By Scott Lyon

Earlier this year, a number of healthcare providers found themselves under siege by targeted ransomware attacks. In February, Hollywood Presbyterian Medical Center in Los Angeles reported they had been the victim of a ransomware attack that crippled their network, forcing employees to resort to handwritten documentation and faxed records. Ultimately, the hospital paid its attackers $17,000 in bitcoins in order to recover its computer systems. Even after paying the ransom, the recovery of the network proved to be a tedious process, as administrators were forced to manually enter 900 unique unlock codes into the provider’s computer systems in order to decrypt the stored files.

In March, three other ransomware attacks were launched on healthcare providers in California alone. Alvarado Hospital Medical Center in San Diego managed to sustain its operations without paying a ransom. Chino Valley Medical Center and Desert Valley Hospital of Victorville (both members of the Prime Healthcare Services, Inc. network) suffered limited attacks, and also were reportedly able to avoid paying the attackers.

Elsewhere, King’s Daughters’ Health Hospital in Madison, Indiana disclosed a ransomware attack in March, though only one system was affected. Methodist Hospital in Henderson, Kentucky was also attacked in March, with the attackers demanding a nominal ransom of 4 bitcoins (approximately $1,600). MedStar Health suffered attacks at its twelve facilities throughout Maryland, which forced it to take e-mail and records databases offline in order to contain the infection. In each instance, the companies were forced to make a difficult choice: Pay the ransom or suffer the consequences.

There are many vectors by which ransomware can penetrate a network. One of the most common methods is through phishing attacks, whereby the attacker sends an infected file as an e-mail attachment with a message designed to provoke the user to open it. The message can be innocuous (“check out this hilarious cat video!”), impersonate a trusted associate (e.g., the president of the company), or feign an emergency requiring immediate action (“your bank account has been compromised – click the attached report for details”). Phishing e-mails can also forgo attachments in favor of links to infected websites that can in turn exploit unpatched vulnerabilities in the user’s web browser. These links can be difficult for the average user to spot. For example, the text could indicate that the user would be redirected to “google.com” when the actual HTML link in the e-mail source is directed to a different website.

Ransomware, one type of malware, functions by encrypting a user’s system and then demanding payment of a ransom in order to decrypt the user’s files. In some cases, the ransomware provides a payment deadline, after which the user’s data would be deleted. While the technique is over a decade old, the growth of bitcoin payment systems and anonymizing network protocols has allowed attackers to establish more secure payment channels and thereby make ransomware both more profitable and less risky for attackers. Moreover, in order to maximize their returns, modern ransomware is designed not only to encrypt the initial victim’s computer but also to capture other users’ credentials and spread throughout the network.

While healthcare providers have been the target of other malicious campaigns focused on breaching the company’s networks, the recent spate of ransomware attacks may signal a recognition of the particular vulnerability of these businesses. As a necessary part of their business, healthcare companies store a vast amount of data, from patient medical records to insurance and billing information, in addition to ordinary operating data. Under HIPAA, the problem has been exacerbated, as providers are increasingly focused on regulatory compliance and maintaining patient privacy, though they may be neglecting the security of their networks as a consequence. Furthermore, in the HIPAA-professed preference for electronic recordkeeping, providers are being pushed to create and maintain more electronic records in lieu of paper records.

When a ransomware attack strikes, these companies are then cut off from the very electronic information necessary to provide services. Unable to consult medical records or check for allergy or drug interactions, providers are forced to turn away patients until services are restored. Often, recovery is a cumbersome process, depending primarily upon the rapidity with which the infection is contained and the availability of uninfected current backups. In light of the costs of business interruption and emergency IT recovery services, it is no wonder that many companies simply pay the less-expensive ransom in order to get their businesses back.

In general, the FBI does not recommend paying ransom to attackers. However, according to Special Agent Chris Stangl, section chief at the FBI’s cyber division, there were 1,838 complaints of ransomware attacks in 2014 alone, resulting in reported losses of approximately $23.7 million. In 2015, there were 2,453 reported ransomware attacks with corresponding losses of $24.1 million. These figures reflect only attacks reported to the FBI. Companies may not report attacks in order to avoid damage to their reputations.

Overall, law enforcement has struggled with how to go after attackers, whose use of anonymization protocols and secure payment systems like bitcoin makes them difficult to identify. However, several attackers have been identified as criminal syndicates operating from the relative safety of Eastern Europe. These attackers know how to stay out of the reach of U.S. law enforcement, while simultaneously flying under the radar in their home countries. In the case of the Maktub ransomware variant, the malware will not infect systems with the Russian keyboard locale, in order to avoid drawing negative attention from local law enforcement.

Now lawmakers are wading into the fray. California state senator Robert Hertzberg of Van Nuys has sponsored California Senate Bill 1137, which would punish attackers who infect systems with ransomware with prison sentences of up to four years and a $10,000 fine. Critics have noted that, in addition to the difficulty of actually enforcing such laws against criminals residing in countries potentially outside of the extradition authority of the United States, the fact is the propagation of ransomware could already be prosecuted under existing state and federal extortion laws. Unlike cases where the law has struggled to keep pace with evolving technologies, in the case of ransomware, the problem lies with the logistics of enforcement and not the underlying legal structure.

As if the news wasn’t bad enough for healthcare providers, recent attacks have also revealed a new attack vector: compromised servers. In March, Cisco’s Talos security team reported on a widespread campaign seeking to leverage the SamSam ransomware variant. According to Talos, “[u]nlike most ransomware, SamSam is not launched via user focused attack vectors, such as phishing campaigns and exploit kits. This particular family seems to be distributed via compromising servers and using them as a foothold to move laterally through the network to compromise additional machines which are then held for ransom. A particular focus appears to have been placed on the healthcare industry.”

The SamSam variant exploits a known vulnerability in JBoss middleware, an enterprise application development and support tool. Using the JexBoss security testing tool, the attackers are able to establish a foothold in the victim’s network, then use that access to attack the entire network. While patches have existed for years to address the vulnerabilities in JBoss, there remain a substantial number of unpatched systems, some of which have been left intentionally unpatched in order to support legacy software products. Talos warns that this practice could potentially expose other vulnerable networks, such as schools and government facilities, whose outdated IT infrastructure and use of unsupported third party software make them easy targets, though without the healthcare providers’ resources to pay ransoms.

So what should an organization do to shield itself against ransomware attacks? As with many things, prevention is the key. In general when it comes to cybersecurity, an organization’s weakest links include its employees, who are vulnerable to social engineering and phishing attacks. Employees should be trained to identify phishing attacks and perform proper authentication of third parties before providing them with data or access to the network. Organizations should also closely monitor access controls, implementing the principle of least privilege (i.e., granting users only the minimal amount of access and systems permissions necessary to do their jobs). This can help contain initial infections. Rapid identification of potential infections with intrusion detection systems can allow a business to swiftly isolate infected servers or endpoints, further preventing the initial spread.

Once contained, a robust and well-implemented policy maintaining incremental offsite backups can provide a business with alternatives to paying the ransom. In such instances, it’s critical that backups are stored offsite, as backups stored on an infected server will be encrypted along with all other affected data.

In order to properly respond in the event of a ransomware or other cybersecurity incident, organizations must prepare, implement and routinely test incident response plans. Management should be familiar with these policies, which ideally would also identify the legal, emergency IT, forensics, insurance, public relations and law enforcement contacts that should be called when an incident is discovered. Rapid identification, isolation, and mitigation of threats can mean the difference between a temporary disruption of service and a substantial and potentially unrecoverable business loss. ■

Scott Lyon is a partner in the Irvine, CA, office of Sedgwick LLP. He focuses his practice on technology, cybersecurity and data privacy, including the evaluation and implementation of information security practices, as well as responding in the event of breach. He also counsels on complex transactions, litigates state and federal commercial cases, and assists clients with audits and investigations. scott.lyon@sedgwicklaw.com
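
The phishing pattern described in the article above, link text that reads “google.com” while the HTML link in the e-mail source points to a different website, can be checked mechanically by a mail filter or an incident responder. The following Python is an added example, not part of the original article: the function names, finding labels and sample message are constructed for illustration, and the check goes slightly beyond the article's single case by also flagging a user-info prefix before the real host and a punycode host.

```python
"""Flag e-mail links whose visible text names one host while the href leads to another."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A dotted name ending in an alphabetic label; a heuristic, so a file name
# such as "report.pdf" in link text would also be treated as a host.
HOSTNAME = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

# Constructed sample message body (not taken from any real campaign).
SAMPLE_EMAIL_HTML = """
<p>Your account has been compromised. Review the report at
<a href="http://accounts.example-payments.test/report">google.com</a>.</p>
<p><a href="https://www.google.com/search?q=cats">Check out this hilarious cat video!</a></p>
<p><a href="https://mail.google.com/"><b>www.google.com</b></a></p>
<p><a href="https://google.com@login.example.net/reset">Reset password</a></p>
<p><a href="mailto:helpdesk@example.org">helpdesk@example.org</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element, including nested markup."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def _norm(host):
    """Lower-case a host name and drop a trailing dot and a leading 'www.'."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def shown_host(text):
    """Return the first host-like token in the visible link text, or None."""
    for token in text.split():
        token = token.strip(".,;:!?()[]<>\"'")
        try:
            host = urlsplit(token if "://" in token else "//" + token).hostname
        except ValueError:
            continue
        if host and HOSTNAME.fullmatch(host):
            return _norm(host)
    return None


def audit_links(html):
    """Return one finding per suspicious http(s) link in an HTML message body."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        try:
            parts = urlsplit(href.strip())
        except ValueError:
            findings.append({"text": text, "href": href, "host": "",
                             "reasons": ["unparseable-href"]})
            continue
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, tel: and relative links are out of scope here
        actual = _norm(parts.hostname)
        reasons = []
        if parts.username is not None:
            # "https://google.com@other.host/" shows a familiar name before the real host
            reasons.append("userinfo-before-host")
        if actual.startswith("xn--") or ".xn--" in actual:
            reasons.append("punycode-host")
        shown = shown_host(text)
        # A subdomain of the displayed host is accepted; anything else is a mismatch.
        if shown and not (actual == shown or actual.endswith("." + shown)):
            reasons.append("text-host-mismatch")
        if reasons:
            findings.append({"text": text, "href": href, "host": actual,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL_HTML):
        print(finding["reasons"], repr(finding["text"]), "->", finding["host"])
```
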



Standing

continued from page 35

of future injuries. Those future injuries, according to the court, included loss of time and money spent to protect against future identity theft and fraudulent charges. The Target and Neiman Marcus rulings make it far easier for consumer-plaintiffs in data breach matters to sue and succeed at the dismissal stage, thereby potentially raising the price of settlement.

STATUTORY DAMAGES?

The question of standing for future injuries under Clapper is only one of the important threshold class action lawsuit issues circulating right now. Another is whether Congress may confer standing on a plaintiff who has suffered no specific harm but who alleges a violation of a federal statute. The circuit courts were split as to whether statutory damages are enough to establish standing or whether actual damages must be present. In November of 2015 the Supreme Court heard oral argument in Spokeo v. Robins, a case which the Seventh Circuit expressly distinguished from Neiman Marcus. Although not specifically a data security case, Spokeo may further affect the ability of data breach consumers to prevail at the dismissal stage.

In Spokeo, plaintiff Robins alleged that Spokeo violated the Fair Credit Reporting Act by portraying him as wealthy, married, and a graduate degree recipient – when in fact he was unemployed and struggling financially. The question before the Supreme Court was whether a statutory violation of the FCRA provided standing where the only damages were statutory. Essentially, can consumers sue a company for a technical statutory violation without any allegations of actual harm or injury? During argument, the Court’s more liberal arm seemed to insist that a right granted by Congress is enough to confer standing on the plaintiff to sue for a statutory violation. However, the conservative justices implied that there must also be an actual injury aside from statutory damages.

On May 16, 2016, the Court held that a plaintiff must show that an injury is both concrete and particular to have standing under Article III of the Constitution. Spokeo makes clear that simply alleging a violation of a statute is not enough to establish standing. Although the issue in Spokeo is technically limited to whether Congress may confer standing upon a plaintiff based on the defendant’s bare violation of federal statute, many hoped the Supreme Court’s decision would clarify some of the “speculative” and “hypothetical” issues discussed in Clapper. The Court’s opinion does not provide such clarity, but instead balances the need to filter out potentially frivolous lawsuits while preserving the flexibility for Congress to address serious, intangible harms related to cybersecurity.

The majority opinion defined a concrete injury as “de facto,” but emphasized that concrete does not mean tangible, stating that “[a]lthough tangible injuries are perhaps easier to recognize, we have confirmed in many of our previous cases that intangible injuries can nevertheless be concrete.” The Court identifies two factors that should guide the determination of whether an intangible harm confers standing. First, history – whether such an intangible harm resembles traditional common-law grounds for a lawsuit. And, second, the judgment of Congress – whether Congress has elevated the intangible harm to the level of a statutory right. The ruling in Spokeo that a concrete injury is required for standing is expected to have far-reaching effects on the question of standing across a broad range of federal litigation, including data-breach litigation.

Although decisions like Target and Neiman Marcus may be driven by a perception that data theft is a growing problem that requires judicial redress – even in the absence of out-of-pocket losses resulting from a data breach – these cases both arguably expanded the standing doctrine to allow victims of data breach to allege harm even when they were not yet technically damaged. These decisions may indicate that there has been a shift in the courts’ application of Clapper and their willingness to quickly dismiss data breach cases brought by consumers. Although data breach cases will likely continue to turn on particular facts, companies should be aware of this shift so that when breaches occur and lawsuits follow, they are prepared to consider their options. General counsel can use the above framework to (1) show executives and boards how the law is changing and potentially creating more liability exposure for data breaches (specifically, in the retail industry) and (2) to justify the expansion of cybersecurity protections and/or response programs. ■

Mackenzie S. Wallace is an attorney in the Dallas office of Thompson & Knight. She focuses her practice on federal and state trial actions involving securities, financial institutions, and general business and commercial litigation, and she serves on the firm’s cross-functional Data Privacy and Cybersecurity team. She also represents clients in corporate and shareholder rights, director and officer, merger, and white collar litigation. Mackenzie.Wallace@tklaw.com

Jennifer R. Ecklund is a partner in the Dallas office of Thompson & Knight. She focuses her practice on litigation and dispute resolution, representing clients before state and federal trial courts. She practices primarily in the healthcare, complex commercial litigation and white collar litigation sections, handling fraud cases involving securities, healthcare and mortgages, as well as matters related to Ponzi schemes and resulting receiverships. Jennifer.Ecklund@tklaw.com


Limits of Cyber Insurance Being Tested in Litigation
By Thomas Rohback and Patricia Carreiro

As the risks increase and associated regulatory standards multiply, corporations are seeking insurance coverage for the economic losses associated with cyber attacks. Companies have turned to various kinds of policies, including Commercial Crime, Director and Officer (D&O), Errors and Omissions (E&O), Commercial General Liability (CGL), and increasingly to specialized cyber insurance policies. The results have been mixed, but the scope of cyber coverage and exclusions has barely been tested. As additional insurance coverage cases are litigated, companies and insurers will gain more insight into the extent and limits of their coverage.

Some of the first cases relating to a cyber attack or data breach relied upon traditional forms of insurance that contained some specific coverages relating to electronic data. For example, in its October 2013 decision in First Bank of Delaware, Inc. v. Fidelity and Deposit Co. of Maryland, a Delaware Superior Court analyzed CGL coverage for a case where First Bank of Delaware, Inc. had subcontracted its credit card payment processing to Fidelity and Deposit Co. of Maryland, which had a relationship with a company that had access to Visa and MasterCard networks. Following a hack, First Bank was liable for millions of dollars in unauthorized withdrawals and sought insurance coverage of its losses under two sections of its D&O Select Plus Insurance Policy: “Electronic Risk Liability” and “Entity Liability.” The Electronic Risk Liability section of the policy covered “any unauthorized use of, or unauthorized access to electronic data or software with a computer system.”

Although the court found that the attack fell within First Bank’s Electronic Risk Liability coverage, it also found the event to fall within the policy’s fraud exclusion for losses based on fraudulent activity. The court, however, refused to respect the exclusion, reasoning that every unauthorized use or access to the insured’s electronic data or software would almost necessarily involve fraud, and thus such an exclusion would render the electronic risk coverage illusory. Accordingly, First Bank received coverage for its losses under its D&O policy.

Traditional CGL insurance is another potential coverage option for cyber incidents, and courts have found varying policy language to either cover or exclude privacy claims resulting from the disclosure of personally identifiable information (PII). In a decidedly low tech data breach fact pattern, the Connecticut Supreme Court, in its 2015 decision in Recall Total Information Management Inc. v. Federal Insurance Co., denied coverage of losses resulting when tapes containing employee PII were lost during transit. The tapes fell out of the back of a truck and were picked up by an unknown person. Recall, the data privacy company responsible for transporting and storing the PII, settled the matter and sought coverage under its CGL policy’s coverage for personal injuries “caused by . . . publication of material that . . . violates a person’s right to privacy.” There was no evidence, however, that the PII on the tapes was ever accessed – much less used or published – and the court found that simply losing the tapes was not the “publication” required by the policy’s terms.

In its 2014 decision in Travelers Indemnity vs. Portal Health Care Solutions LLC, a district court in the Eastern District of Virginia, however, held that a CGL policy did cover the insured’s losses from a data breach. In Portal Health, the insured was a company that safeguarded healthcare data. Patients discovered that the records kept by Portal Health were available online via simple internet searches. Portal Health sought coverage under its CGL policy’s coverage for injuries arising from “electronic publication of material” disclosing private information, and the court agreed.

An insurer argued for the opposite result in a 2015 case, in the Central District of California. In Columbia Casualty Company v. Cottage Health System, the patient records at Cottage Health System had been made available online via simple internet searches. Patients sued Cottage Health, and the matter settled for $4.125 million. Cottage Health’s insurer then argued that it was not responsible for the settlement because the policy excluded coverage for losses resulting from Cottage Health’s “failure to follow minimum required practices.” Furthermore, it argued, Cottage Health had misrepresented its cybersecurity practices when applying for insurance, and thus its insurer was not obligated to provide coverage. Thus, even though Cottage Health System had a cyber insurance policy, its insurer argued that its losses were not covered because it had not appropriately represented its cybersecurity practices and the protections it did have failed to meet its policy’s required data protection standard.

However, at least one commentator (Roberta Anderson, “Five Tips for Success in Cyber Insurance Litigation,” in The D&O Diary) has argued that the “minimum required practices” exclusion found in Columbia Casualty should not be respected because it vitiates the policy’s essential purpose. But the case was dismissed without prejudice on other grounds, and the question of whether courts will respect such exclusions for failures to adhere to proper cybersecurity practices was left unanswered.

In a 2015 case decided by a District of Utah court, Travelers Property Casualty Co. of America v. Federal Recovery Services Inc., a data processing and storage company, Federal Recovery Services Inc., sought coverage for losses resulting from Federal’s refusal to return some of its client’s data unless the client made certain payments. Federal’s cyber insurer sought a declaratory judgment that it did not have a duty to defend Federal for its intentional acts. Not surprisingly, the court agreed. The only notable aspect of this case was that in later litigation, although the court found that the insurer did not have a duty to defend, it declined a motion for summary judgment on whether the insurer had breached its implied duty of good faith and fair dealing by requiring the insured to receive suit papers before initiating a claim, and allegedly failing to “diligently investigate, fairly evaluate, and promptly and reasonably communicate with [insured] since the claim was initially tendered.” Although the subject of the case was cyber insurance, the issues addressed were fundamental insurance issues which could have applied to any type of policy.

In 2012, the Sixth Circuit considered the case of Retail Ventures, Inc. v. National Union Fire Insurance Company of Pittsburgh. The plaintiff, Retail Ventures, Inc., sought coverage for its settlement with a credit card processor arising from a retail hack under a Commercial Crime policy covering losses “resulting directly from . . . the theft of any Insured property by Computer Fraud.” The insurer, however, argued that the loss fell within the policy’s exclusion for “loss of proprietary information. . . or other confidential information of any kind.” The court disagreed and found that the exclusion dealt only with the plaintiff’s own confidential information regarding how it operates its business, not consumers’ information. Accordingly, the court found the settlement to be within the insured’s Commercial Crime policy.

In the 2013 case of Hartford Casualty Insurance Company v. Corcino & Associates, the court similarly found coverage despite an insurer’s argument that the loss was within an exclusion. In this case, a hospital had given a job applicant patient data and instructed the applicant to perform certain tasks with the data as part of his employment application. The applicant posted the data on an online “homework help” website, and patients sued claiming violations of their constitutional right of privacy, common law privacy, and the California Confidentiality of Medical Information Act (CMIA). The hospital sought coverage under its policy’s provision for losses from “electronic publication of material that violates a person’s right of privacy.” The insurer pointed to the policy’s exclusion for injuries “arising out of the violation of a person’s right to privacy created by any state or federal act.” That exclusion, however, stated that it did “not apply to liability for damages that the insured would have in absence of such state or federal act,” and the court found coverage for all of the claims, including statutory claims under the CMIA because the CMIA did “not create new privacy rights, but rather codif[ied] existing rights and create[d] effective remedies.”

The scope of cyber insurance is a work-in-progress. Cyber attacks and data breaches are getting more frequent, hackers more sophisticated, and litigation seeking redress more prevalent. Cyber insurance policies have proliferated, arguably without sufficient data for comprehensive underwriting. As the lawsuits and damages increase, cyber insurance litigation may be a bet-the-company issue for many companies, as well as their insurers. ■

Thomas Rohback, an appellate and class action lawyer, is a partner at Axinn, Veltrop & Harkrider LLP. His cases have involved areas of the law ranging from antitrust to anti-terrorism litigation. The industries in which he has represented clients include manufacturing, financial services, insurance, utilities and telecommunications. trohback@axinn.com

Patricia Carreiro practices in Axinn Veltrop & Harkrider’s Litigation Group, and has appeared before both courts and administrative agencies. She has experience in a broad range of civil litigation, including commercial, employment and insurance disputes. pcarreiro@axinn.com



Compliance

Difficult Due Diligence on Overseas Intermediaries

By Alexandra Wrage

We all know how important it is to conduct meaningful due diligence on third-party intermediaries. While these parties can perform crucial functions for companies seeking to expand their worldwide presence – opening up new markets, providing access to decision-makers, helping to identify opportunities and trends – they can also subject companies to serious financial liability and reputational harm. As compliance officers know well, under the Foreign Corrupt Practices Act (FCPA) if the agent of a company pays or offers to pay a bribe to a foreign official in order to help the company secure business, the company itself can be held responsible, whether or not it authorized or even knew about the bribe. Given the magnitude of the potential liability – settlements for FCPA violations can run into tens of millions of dollars – it is crucial to know something about the background of the person or entity that’s being considered to represent the company abroad.

Sometimes the information discovered through a due-diligence inquiry will be a clear deal-breaker – a prior bribery conviction, for example. Very rarely will the candidate have the track record of a boy scout. But there is a vast middle ground. A potential intermediary’s record may not be spotless, but still may not be disqualifying. Consider the following scenarios:

• A criminal-record review shows that the sole owner of an entity you are considering to represent your company was convicted of drunk driving ten years ago. The principal’s drunk-driving conviction certainly affects her reputation, but does it make her more likely to pay a bribe? What if her representation of your company requires near-constant driving to meetings at which she’ll represent the company? Does that exacerbate the problem? What about the fact that the conviction was ten years ago? Is that long enough to allow her a clear slate? Does it matter whether she was in her early 20s at the time? In her early 40s?

• A similar review shows that one of four equal partners in a potential intermediary was charged with assault five years ago. He is very well-connected and the charges were later dropped. There is an obvious reputational issue here, along with possible questions about the partner’s judgment. On the other hand, there was never any conviction. Are you expected to investigate allegations of misconduct that were made and dropped five years earlier? At the same time, in jurisdictions with questionable judicial systems, there may be questions about the reason the charges were dropped. If it was because of the partner’s connections, does that give rise to worries about his willingness to game the system?

• A channel partner fighting to get your business tells you that your current partner is “widely known” to pay kickbacks to government officials. This time, the allegations are directly on-point. They cannot be ignored. However, the competitor has no proof of misconduct and a very clear interest in discrediting the current partner. How far do you have to look for evidence that would support the competitor’s claim, to “prove the negative”? Can you rest easy if you don’t find anything, or do you need to take additional steps to assure yourself regarding the competitor’s business practices?

• During a general tax amnesty in the Philippines last year, your sales representative came forward, admitted to five years of unpaid taxes and paid the outstanding balance, with interest and penalties. Tax evasion is a significant red flag, and the misconduct here is both admitted and recent. The sales representative has corrected the misconduct, which is a positive sign, but what was the motive for doing so? Was she taking advantage of the amnesty to assuage a fear of getting caught? Does it matter, or is it even possible to determine, whether there was a genuine change of heart? If one year in the past is too recent, how many additional years of impeccable conduct would be sufficient? Would it make any difference if the representative’s situation was a common one? If, say, 70 percent of small businesses in the Philippines had taken advantage of the amnesty?

These scenarios all raise red flags, some more worrying than others. They are typical of the kinds of constant, low-grade issues that arise in the course of due diligence. Given the scale of the penalties involved if a company intermediary is involved in bribery, one might imagine adopting a policy under which any red flag is disqualifying. In some markets, though, you might find it difficult to find anyone you could approve under that sort of zero-tolerance standard.

But how much is too much? None of the above scenarios provides a clear indication that the individual or entity in question is going to cause problems for your company. All a red flag tells you is that there could be a problem and closer scrutiny might be warranted. No company can devote unlimited resources to such scrutiny. At some point, a decision has to be made.

You don’t have unlimited time to make that decision, either. The world moves fast, and opportunities can be lost. A company’s compliance team can be under significant pressure not to hold things up on the business end. On the one hand, you don’t want to rush things when you believe there is genuine cause for concern. On the other hand, you don’t want to unduly delay matters by fretting over things that may not matter all that much. At what point should you let yourself sign off on the engagement?

Here is something that is important

continued on page 49



Compliance

From Europe’s Privacy Regulators, Big Penalties But No Rules

By Kevin J. Grande

Google, Amazon, Microsoft and Facebook: If you’ve been following the news about Europe’s privacy regulations since the Safe Harbor Agreement was invalidated last year you might think it impacts only those businesses along the high-tech axis between Silicon Valley and Seattle. That could be a costly assumption. Europeans and their lawmakers are getting stricter about their data privacy, and it is impacting a broad range of American businesses.

With the current state of European privacy regulations, American firms must make additional efforts with their contracts and guarantees of personal data protections to satisfy their European customers. A vast majority of previous deals were completed within the context of the Safe Harbor, and now that it’s been invalidated the fear of fines and investigations from regulators is spurring American vendors to rapidly update agreements.

It was last October when a European high court invalidated this longstanding agreement that allowed U.S. businesses to self-certify their protocols and protections for handling Europeans’ personal data in accord with EU standards. Agreements had been done within this setting for 15 years, and the U.S. Chamber of Commerce estimates that more than 4,400 American firms host, process and analyze Europeans’ data in some way, shape or form. This transatlantic digital commerce accounts for more than $6 trillion in trade, and supports more than 15 million jobs on both continents.

All it takes to be affected is the possession of an email address and corresponding name of a European in one of your business databases. The definition of “personal data” was made intentionally broad to capture anything that can identify a specific individual. Who could be impacted? Almost anyone doing business with Europeans – U.S. companies involved in electronic marketing to Europeans, software vendors with European customers, and any other company receiving personal data without the relevant person’s personal consent.

Also included are organizations outside of high tech. Think about U.S. automakers that sell millions of cars to European consumers. These manufacturers use vehicle identification numbers to reach car owners in the event of critical updates or recalls, and if those VIN numbers are stored in the United States then the automakers are subject to European privacy laws. Any American-owned company with operations in Europe could be impacted. If European employees’ HR data is processed in the United States, then the company is impacted by European data-protection laws. According to the Information Technology Industry Council, 51 percent of companies that used Safe Harbor protocols did so to process exactly this type of employee data.

But it doesn’t stop there. Consider a U.S. headquartered corporate training company with European clients. If the training company needs to email class updates or even a PDF checklist to its European participants, then it is subject to European privacy laws too. The same goes for consulting firms, or for that matter any business using an e-commerce portal for European clients or consumers. It’s worth repeating: If your company has the name and email address of a European in any kind of business database, then your company is impacted and could be at risk.

ANGER AFTER SNOWDEN

How did we get here? Most accounts suggest that it was Edward Snowden and his leaked information regarding the National Security Agency that tipped the first domino. Back in May of 2013, Snowden – then a contractor at the NSA – revealed that the U.S. intelligence community was vacuuming up vast amounts of personal data from Americans, Europeans and others around the world. It’s likely that many people had already assumed information was being collected, but to others the scope was unfathomable. Among the most jarring revelations was that the U.S. intelligence community had access to giant data-server farms belonging to Google, Yahoo! and other high-tech firms. This enabled American data spies to monitor much of the world’s Internet traffic. U.S. intelligence agencies were also collecting more than 200 million text messages every day.

Perhaps the most uncomfortable revelation was that the United States was spying on world leaders. German Chancellor Angela Merkel, officials at the French Foreign Ministry and elected leaders attending global economic summits were all targets. It also came out that the U.S. government had bugged the European Union offices located in the United States. The government’s data collection secrets were exposed to the world, and American companies are paying a price for it.

An Austrian activist made clear he did not “like” what the U.S. government was doing by filing suit in Europe, arguing that the U.S. government’s unfettered access to Facebook’s U.S.-based data servers infringed on his privacy rights. In October of last year, the European Court of Justice agreed, thereby invalidating the long-standing Safe Harbor agreement. That sent U.S. and European officials scrambling to hammer out a replacement agreement. The now proposed E.U.-U.S. Privacy Shield was submitted in February.

AVALANCHE OF CONTRACT UPDATES

As currently written, the Privacy Shield would require companies to have an established policy that commits the organization to the principles of the agreement. For general counsel, however, it will also require modifying, updating or creating contracts with any third party that will come into contact with a European’s data. The contracts must stipulate how the data will be used and protected under the provisions of the Privacy Shield, and summaries of those contracts must also be made available to regulators.

The problem is that the agreement has yet to be ratified by each of Europe’s 28 data-protection agencies, and these regulators don’t seem inclined to agree with many of the Privacy Shield’s provisions. In April, France’s powerful data-protection regulator said the Privacy Shield did not go far enough. Europe’s privacy regulators are cracking down during this intermediate period. Several news agencies recently reported that a German data-protection authority was preparing legal action against multinational firms who were still using Safe Harbor guidelines when handling German citizens’ data. This environment is compelling action.

PROTECT YOUR BUSINESS.

While the Europeans sort out how or if they are going to ratify the provisions of the Privacy Shield, U.S. firms are still housing and processing data on millions of European employees, clients and consumers. This means that today U.S. companies must look to other available options, like rules of each country’s data-privacy regulator or the adoption of the so-called Model Clauses (Standard Contractual Clauses) as a form of legal protection. The Model Clauses were issued by the European Union more than 20 years ago to protect European citizens’ data if it moved outside their home country.

Incorporating the Model Clauses into agreements from the past 15-20 years can be quite an undertaking. Nonetheless it seems that most organizations will go through the process of adopting them one-by-one, to bring old and new agreements into accord with EU regulation. Managing this process means updating agreements with every vendor or subsidiary that handles or just stores data of European clients, consumers or employees. That means many companies are facing the challenge of updating hundreds, sometimes thousands of contracts.

At some point, almost every contract with a European counterpart will need to be updated, and as things continue to evolve, further updates and actions may be required. After incorporation, for example, in order to be in compliance certain additional steps are required, such as information and sub-agreement sharing. It’s a very real possibility that in a few months European Union officials will come up with a new regulatory regime. Contract management software can help organizations maintain and control their own repository of approved Model Clauses and related jurisdictional agreements, track actions for compliance, and help to create efficiency and eliminate human error and contract inconsistency.

It’s a tough task to find a balance between protection of personal data and free commerce, but expect progress to be made in 2016. Even after the dust settles and Europe’s legislators and regulators formally weigh in and ratify the Privacy Shield, there will be more changes coming down the line for in-house attorneys charged with protecting their companies from costly legal and regulatory action. In April, the European Parliament approved a new General Data Protection Regulation that will go into force in 2018. This includes even more stringent protections for Europeans’ data. It also includes the so-called “right to be forgotten” provision requiring companies to delete data of Europeans who request anonymity.

Each country’s data-protection authority will be empowered to fine companies up to four percent of annual revenue. To put that in perspective, a privacy breach from a $50 million company could lead to a $2 million fine – and that’s from just one of Europe’s privacy agencies. For many companies that four percent represents the profit margin for a year. For companies in possession of Europeans’ data, contracts in sync and in compliance should start to feel more like an investment than a cost. ■

Kevin J. Grande is a corporate attorney serving as associate general counsel for Determine, Inc., a NASDAQ-listed provider of SaaS enterprise contract lifecycle management, strategic sourcing, supplier management and procure-to-pay solutions. His responsibilities include managing commercial contracts to ensure compliance with EU regulation following the invalidation of the EU-U.S. “Safe Harbor Agreement,” through incorporation of the EU’s so-called Model Clauses, relevant regional requirements or other options. kgrande@determine.com



Overseas Due Diligence continued from page 45

to keep in mind: Although the process of conducting due diligence is somewhat mechanical, the process of acting on that due diligence should not be. Even if it were possible, say, to assign a point-value to each type of red flag that might arise, it would be unwise for a company to base its decisions regarding intermediaries solely on whether their total flag-points exceed a certain threshold. Such a system would not adequately take into account the context in which a given intermediary will be operating and the ways in which the flagged circumstances may or may not be relevant in that context. You want to minimize the risk of non-compliant behavior by intermediaries, not just maximize the speed with which you make your approval decisions.

Of course, depending on the size of your company and its operations, you’re probably not going to be able to personally conduct a full evaluation of each potential intermediary you may engage. You can’t get by without protocols and standards for review, reporting and escalation. Establishing and justifying such protocols can itself be a crucial element in showing enforcement agencies that your company has a well-considered compliance program in place in the event that something does go wrong down the road.

The aim of such protocols should be to ensure that each decision regarding an intermediary is adequately documented. The documentation should include the nature of the work the intermediary will be performing and the business justification for engaging this intermediary in the first place. This would include such issues as whether other candidates were considered, whether there are employees in-country who could fulfill the same role, and the expertise and resources the intermediary has to carry out the task.

The bribery-related issues pertinent to the task and region should be highlighted, issues such as how much contact the intermediary will have with government officials; how much business the company does in the region; whether the intermediary has exclusive rights to market the company’s products in that territory; and the value of any contract or concession being sought from a government agency. Other factors include how much the intermediary will be paid, whether the payment will be a flat fee or a contingency, and whether the intermediary has represented your company in other countries.

This sort of information can help clarify the degree of due diligence warranted in each case. Can it reasonably be limited to collecting basic personal information and references, conducting a media search, and reviewing prohibited-parties databases, or is a more searching investigation called for? It can also provide the backdrop against which to evaluate any red flags that do appear. If no likely danger is evident, you will have a record showing that to be the case. If potential issues do appear, the information gathered can serve as a basis for reasoned consideration at higher levels of review within your organization.

At the highest level of review, where the issues are no longer routine or straightforward, you need to be able to base your decision on a full assessment of the relevant circumstances, taking into consideration not only the nature of the assignment and the history of the potential intermediary, but also the balance between your company’s tolerance for risk, the urgency of the project, and the possibility of alternative courses of action. This is where real judgment comes into play, and you want the protocols you establish to give you the best opportunity to exercise and document that judgment. You may decide that it’s necessary to hold back a project to allow further scrutiny, or you may decide that the situation warrants going forward even in the face of the risks you have identified, but with a rigorous post-contract protocol in place. Either way, faced with a difficult decision, you will know – and will be able to show – that you are acting in an informed, circumspect and deliberate manner, which is all anybody can ask of you. ■

Alexandra Wrage is president and founder of TRACE, a provider of anti-bribery and third-party compliance support. She is the author of Bribery and Extortion: Undermining Business, Governments and Security, co-editor of How to Pay a Bribe: Thinking Like a Criminal to Thwart Bribery Schemes, and host of an anti-corruption training video produced by NBC. Prior to founding TRACE, she was international counsel at Northrop Grumman. wrage@TRACEinternational.org


Workplace Issues

Plaintiffs Twist Meaning of Fair Credit Reporting Act

By Rod M. Fliegel

Let’s be frank: for corporate defendants, there is nothing very fair about the Fair Credit Reporting Act right now. Why not? Because some courts seem to fundamentally misunderstand the U.S. Supreme Court’s 2007 holding in Safeco Ins. Co. of Am. v. Burr: that in order for there to be “willful” FCRA violations – the hot ticket to class-wide statutory damages – the defendant’s conduct must be “objectively unreasonable” and violate “clearly established” law. These courts have unleashed a torrent of nationwide FCRA class actions against businesses in pretty much every industry based on hyper-technical, “no-harm” and oftentimes fictional violations. The ballooning number of seven and even some eight-figure settlements is cause for real concern. It is also a call to action.

Take just one example. Employers cannot run background checks without first disclosing the fact of the background check to the subject (e.g., job applicant) and getting consent. Simple enough, right? Actually, no. The plaintiff’s bar has managed to weaponize the FCRA’s form and manner requirements for the disclosure based on the requirement to make it “in a document that consists solely of the disclosure.” These class actions allege that even a single extra sentence, no matter how brief, has a cash value for each class member of between $100 and $1,000 (the statutory damages range), plus attorney’s fees. The dollar numbers can get really big really fast for a business that has even a modest-sized workforce and the usual annual attrition. Oh, and the plaintiff’s bar argues the statute of limitations is up to five years for the class claims.

Most of the cases involve the inclusion of a so-called “liability-release,” a sentence stating that the applicant gives up the right to sue over the background check. The plaintiff’s bar is suing over any extra words, including even information about how the applicant has rights not only under the FCRA, but also under state law. Let’s put aside how unlikely it is that Congress intended a windfall for applicants who get more rather than less information about their rights.

The judges allowing these cases to proceed, and proceed as nationwide class actions, are just plain wrong on the law under Safeco. The FCRA affords remedies for negligent and willful violations, but statutory and punitive damages are available only for the latter. Safeco, which involved a different FCRA section, holds that a violation is willful where knowing or reckless. In so holding, the Supreme Court explained that these enhanced remedies can be recovered only where the defendant’s conduct was “objectively unreasonable” and violated “clearly established” law. Reversing the Ninth Circuit, the Court ruled against the plaintiffs on willfulness, emphasizing that the defendant insurer’s reading of the FCRA’s uncertain terms was persuasive enough to convince the trial court (i.e., one judge) that it was right. In particular, the Court noted the absence of guidance from the courts of appeal and of authoritative guidance from the Federal Trade Commission. The Court dismissed an opinion letter from a Commission staff attorney because the letter said it was merely an informal staff opinion and not binding on the Commission.

Unfortunately, this point – that the law is not clear if reasonable minds disagree on what it requires – seems lost on many trial courts. Put aside the fact that the Federal Trade Commission’s advisory guidance has created distinct uncertainty about how to lawfully frame background check disclosures. Federal judges disagree on that question, and they disagree even on the most controversial extra sentence, the liability-release. And not just in one district court, but in states including Georgia, Texas, Florida, and even California.

The missed point is that the very fact of this disagreement between federal judges, apart from who has the better argument, defeats any finding of willfulness under Safeco’s plain reasoning. The circuit courts will now start to opine on the question of what disclosure satisfies the statute. The Ninth Circuit has such a case now, an appeal from an order granting the defendant’s motion to dismiss.

Here are some things you should consider doing in the meantime (at the direction of in-house or outside counsel to protect privilege, unless setting up an advice and counsel defense):

• Investigate the particulars of when and how the background check disclosure is made to applicants and employees. Increasingly this is in an on-line format, but not always. And it is not always made by the employer itself, because some companies outsource the disclosure to their background report vendor. There also may be some combination in the field of on-line and hard copy disclosures.

• Review the disclosure, however it’s made, and scrutinize any wording other than the bare minimum statement that the company will conduct a background check in connection with the individual’s application process or continued employment.

• Determine whether stray statements elsewhere in related communications should be revised or eliminated, such as the liability-release that is all too common in on-line and hard copy job applications. ■

Rod M. Fliegel is co-chair of the Privacy and Background Checks practice at Littler Mendelson. He has broad subject matter experience and expertise in class action defense and the intersection of the federal and state background check laws, such as Title VII and the Fair Credit Reporting Act, and their state law equivalents. rfliegel@littler.com


T H E A N T I T R U S T L I T I G AT O R

Antitrust Issues With Joint Ventures By Jeffery M. cross

a

52

question often asked by clients is what are the antitrust risks of joint ventures among horizontal competitors? A joint venture is a collaboration among competitors. Often a joint venture is formed because each participant brings complementary expertise or resources, enabling synergies or efficiencies not readily available to each participant individually. Joint ventures often increase output, lower price or provide consumers with more choice. For these reasons joint ventures are generally analyzed under the “Rule of Reason” to determine whether there is a violation of Section 1 of the Sherman Act. However, labeling a collaboration a joint venture does not prevent application of the per se rule if the collaboration is a naked agreement to fix prices, reduce output, or allocate markets with no plausible pro-competitive justifications. There are many variations to joint ventures. For example, joint ventures can be formal corporations. They can also be loose, informal arrangements. The participants can assign assets to a joint venture organization, or they can merely join together their economic

Jeffery cross, is a columnist for Today’s General Counsel and a member of the Editorial Advisory Board. He is a Partner in the Litigation Practice Group at Freeborn & Peters LLP and a member of the firm’s Antitrust and Trade Regulation Group. jcross@freeborn.com.

activities. The parties can continue to compete both with the joint venture and with each other, or they can decide to cease competing. Whatever variation, if there are plausible pro-competitive justifications, the Rule of Reason applies. However, there are specific issues that must be considered with some types of joint ventures. In general, one of the most troublesome concerns with joint ventures comes from “spillover.” This issue is especially problematic if the parties are either competitors of the joint venture, or competitors to each other in activities not undertaken by the joint venture. To the extent that the joint venture participants are horizontal competitors, they are now

cooperating with each other in a particular endeavor, but must guard against that cooperation “spilling over” into activities outside of the joint venture. A classic example of a joint venture was one GM and Toyota formed in 1984, to produce cars in the United States. The venture, called New United Motor Manufacturing Inc., provided GM with an opportunity to learn about lean manufacturing from the Japanese company, while Toyota gained an opportunity to operate its manufacturing system with an American labor force, an experience that ultimately enabled it to open plants in the United States. Because both companies continued to compete in the manufacturing of cars


TODAY’S GENER AL COUNSEL JUN /JUL 2016

outside of the joint venture, they had to be particularly concerned about spillover. Spillover can take the form of explicit collusion, such as agreeing to set prices, restrict output, or allocate markets in the areas where the parties compete among themselves or compete with the joint venture. Or it can take the form of an exchange of information about activity outside of the joint venture that could facilitate such collusion. To deal with the potential for spillover, I often counsel clients that if the participant companies have executives on the board of the joint venture, these executives should not be involved in the day-to-day pricing and output decisions of the participants. In respect to joint venture participants communicating with the joint venture, persons involved in the pricing and output decisions of the participants should not be communicating with persons making such decisions at the joint venture.

One question that often arises is whether the parties need to contribute assets to the joint venture. The plaintiffs in In re: Sulfuric Acid Antitrust Litigation, Seventh Circuit, argued that the joint venture between DuPont and the Canadian mining companies Noranda and Falconbridge was a sham designed to distribute sulfuric acid in the United States, because the parties had transferred very few assets to the joint venture. Judge Posner rejected that argument. He stated that even if there was no organized joint venture with hard assets contributed by any of the companies involved, there would still be no per se violation because there would be legitimate pro-competitive business reasons for the collaboration. To my mind, the integration of assets into a joint venture is an evidentiary fact. It establishes that the participants are confident that the joint venture will produce synergies and efficiencies because they are willing to put “skin in the game.”

Another possible issue with joint ventures is that the size of the venture resulting from the cooperation of two horizontal competitors may implicate Section 2 of the Sherman Act, which prohibits monopolization or attempts to monopolize. Of course, just having a monopoly does not mean there is a violation of Section 2. There must be an anti-competitive act by the monopolist. In this regard, exclusionary conduct by the joint venture may trigger Section 2. For example, suppose that a competitor was able to obtain an essential input from one of the parties to the joint venture prior to its formation. After the formation of the joint venture the competitor may be excluded from access to that input. Such exclusionary conduct may be a violation of Section 2, especially if there is no plausible pro-competitive justification for the exclusion.

Finally, formation of certain joint ventures may be deemed a merger or an acquisition that would be subject to Section 7 of the Clayton Act, and also require notification to the antitrust agencies under the Hart Scott Rodino Act.

Joint ventures offer opportunities for companies to collaborate to achieve efficiencies or synergies that each company cannot achieve individually. In this regard, joint ventures can be procompetitive – lowering prices, increasing output, or offering consumers greater choices. Care must be taken, however, in organizing and operating a joint venture to make sure that it does not run afoul of the antitrust laws. ■


INFORMATION GOVERNANCE OBSERVED

The Dangers of Short-Term Thinking on Information By Barclay T. Blair

“We are moving into an era where much of what we know today, much of what is coded and written electronically, will be lost forever. We are, to my mind, living in the midst of digital Dark Ages . . .” – Terry Kuny, “Digital Dark Ages?”

Barclay T. Blair is the president and founder of ViaLumina and the executive director and founder of the Information Governance Initiative, a cross-disciplinary consortium and think tank. He is an advisor to Fortune 500 companies, technology providers and government institutions, and has written award-winning books on the topic of information governance. Barclay.blair@iginitiative.com

Twenty years ago, a nonprofit representing hundreds of universities, national archives, museums and other cultural institutions across the globe produced a landmark examination of the threat that digital transformation represented to our ability to capture, preserve, and provide access to our most important information. The report called for a global effort to design and develop “national information infrastructure to ensure that longevity of information is an explicit goal.” Today, no such global infrastructure exists. Moreover, although significant progress has been made to address the challenge by industry bodies, individual

institutions and providers of digital preservation technology, the existential and commercial threat represented by our accelerating and deepening reliance on digital information has only grown exponentially in the intervening 20 years. Archivists, historians and librarians, among many others, have been sounding the alarm about an impending “digital dark age” and taking action to protect their digital information for decades. However, for general counsel at most organizations not explicitly engaged in historical preservation, this threat

largely seems to have been relegated to the domain of academic specialists perceived as isolated from the prosaic demands of everyday commerce. Compounding the problem is the obvious human inclination to simply ignore problems for which there seems to be no easy or immediate solution. However, this concern is neither academic nor theoretical. In fact, it is a problem shared equally by historians, anyone taking a digital photograph, and by general counsel at all organizations large and small who have replaced paper



with digital in their businesses. In short, it is a problem we all share.

“We are nonchalantly throwing all of our data into what could become an information black hole without realizing it. We digitize things because we think we will preserve them, but what we don’t understand is that unless we take other steps, those digital versions may not be any better, and may even be worse, than the artifacts that we digitized.” – Vint Cerf, Internet pioneer; chief Internet evangelist at Google; distinguished visiting scientist, NASA Jet Propulsion Laboratory

In the specialized world of archives, this problem is known as “long-term digital preservation.” The word “preservation” is used here to denote a set of activities that go beyond simply storing a piece of information, to ensuring that the information remains accessible, trustworthy, secure, and authentic through its entire existence – even if that existence is “forever.”

The downside to the term “preservation” is that it is one of several in the IG world that causes managers and executives to reflexively gaze down at their mobile device and zone out until that part of the discussion is over. Perhaps the phrase, “long-term protection and access” is better. This puts the focus on activities that are most relatable and top-of-mind for business leaders and GCs. “Protection” resonates because there is clearly a heightened and growing awareness of the need to invest in information security to confront the baseline threat that now exists in the digital world. “Access” is personally relatable to executives who have been on the job for more than a few years and who have experienced the inevitable frustration (and fear) of not being able to locate and use an aging document vital to their job.

How long is “long-term?”

But, how long is “long-term?” I have yet to see a records retention schedule from a large organization that does not have several “PERMANENT” categories, even if those are just foundational corporate legal and financial documents. But even outside of this permanent category, most organizations have vast amounts of data that must be kept for periods longer than ten years (98 percent of them, in fact, as recent research at our think tank revealed). This begs the question: In the digital world is there a material distinction between the need to keep something permanently and the need to keep something for at least five years? The answer is no. The inherent challenges of digital information (i.e., its ephemeral nature; proprietary data formats; proprietary software; software and hardware obsolescence; short term thinking on IT architecture and infrastructure; storage media longevity; threats arising from complexity and volume – and so on) are essentially the same once you move out even a few years.

So, GCs need to get clarity on what their organization does or is planning to do with this category of digital information. I would even argue there is not much reason to distinguish between “basically forever” and anything longer than five years from a governance perspective. The governance and legal challenges are very similar. In any case, our ability to imagine keeping information for eternity is roughly equivalent to our ability to imagine infinity, i.e., very poor and difficult to act upon. This is an area that we are focusing on at the Information Governance Initiative. We are conducting research about current needs and practices for the governance of records and information that requires protection and access over the long-term. I would love to hear what GCs are doing, or have already done, to address this problem. Drop me a line! ■


Environmental Cleanups and Recovery for Fraudulent Transfers By Phil Cha and Lindsay Brown

The Uniform Fraudulent Transfer Act (UFTA), recently renamed the Uniform Voidable Transactions Act, has been described as a robust and effective tool for plaintiffs seeking to recover assets transferred by a debtor in order to avoid paying its debts. But UFTA requires claimants to act promptly. It imposes a strict statute of repose that requires claimants to bring claims for fraudulent transfer within four years after the transfer was made, or in certain circumstances within one year after the transfer was discovered or could reasonably have been discovered by the claimant. This rather short limitations period can pose a significant hurdle to recovery, particularly for claimants dealing with environmental liabilities. In many cases, environmental contamination is not discovered until years, if not decades, after the fact, while the cleanup itself can take an even longer period of time. Complex factual, regulatory and legal issues can consume a claimant’s



attention in the early stages of a cleanup, while potentially valuable fraudulent transfer claims are extinguished before they can ever be investigated. This article will provide an overview of the UFTA statute of repose, highlight the potentially problematic application to environmental claims and offer practical advice for avoiding some common pitfalls.

ACTUAL AND CONSTRUCTIVE FRAUD

The Uniform Fraudulent Conveyance Act was drafted by the Commissioners on Uniform State Laws in 1918 and was amended and renamed the Uniform Fraudulent Transfer Act in 1984. Adopted in some form by 48 jurisdictions, including the District of Columbia and the Virgin Islands, the UFTA prevents debtors from transferring assets in an effort to frustrate creditors’ collection of debts. As one New Jersey appellate court explained the law, its purpose is to “prevent a debtor from placing his or her property beyond a creditor’s reach.” The UFTA protects both present creditors and future creditors, who may bring two types of claims. The first type is often referred to as an “actual fraud” claim. The only relevant factor is whether the debtor made the transfer with “actual intent to hinder, delay, or defraud any creditor of the debtor.” The second type is a “constructive fraud” claim. A UFTA claim for constructive fraud focuses on the solvency of the debtor, and whether the debtor received reasonably equivalent value for the asset that was transferred. Basically, it prevents a financially strapped debtor from transferring its assets for less than fair value. The debtor’s intent is irrelevant in a constructive fraud claim. As originally drafted, the predecessor versions of the UFTA did not include a statute of limitation. The states that had adopted it applied their own limitations periods or no limitations period at all, resulting in uncertainty and confusion for creditors and debtors alike.
Therefore the 1984 revisions to the law added Section 8, imposing time limits for bringing actual fraud and constructive fraud claims. Under Section 8, a claim for actual fraud must be brought within four years after the transfer was made, “or, if later, within one year after the transfer . . . was or could reasonably have been discovered by the claimant.” Claims for constructive fraud must be brought “within four years after the transfer was made or the obligation incurred.” Pursuant to this statutory construction, courts will apply a one-year discovery rule to claims for actual fraudulent transfer, but all other claims

are extinguished if not brought within four years after the transfer, whether or not the creditor reasonably could have discovered the transfers. These time limits are strictly imposed.

STATUTES OF REPOSE

Section 8 of the UFTA is a statute of repose. Statutes of repose extinguish untimely claims and, unlike statutes of limitation, are not subject to equitable tolling. As the United States Supreme Court explained in CTS Corp. v. Waldburger, “[a] statute of repose ... is measured not from the date on which the claim accrues but instead from the date of the last culpable act or omission of the defendant.” The statute bars the claim “even if this period ends before the plaintiff has suffered a resulting injury.” The primary consideration underlying a statute of repose is fairness to the defendant, “the belief that there comes a time when the defendant ‘ought to be secure in his reasonable expectation that the slate has been wiped clean of ancient obligations,’” as the New Jersey Supreme Court stated in R.A.C. v. P.J.S., Jr. In the context of environmental claims, statutes of repose can result in the loss of claims before they have matured. For example, under the Comprehensive Environmental Response, Compensation and Liability Act of 1980 (CERCLA), also known as Superfund, responsible parties are

jointly and severally liable to the federal government for the costs of cleaning up abandoned hazardous waste sites. To ameliorate the potential unfairness of imposing joint and several liability, CERCLA provides a right of contribution to ensure an equitable sharing of the burden of cleaning up these abandoned sites. However, the amount of time for CERCLA contribution claims to mature can be significantly longer than the limitations periods imposed by the UFTA. A March 1997 report by the Government Accountability Office reported that as of 1996, on average, it took about nine years from the date of discovery to list a site as a Superfund

(continued on page 61)


Preparing For Low-Probability High-Impact Events By Ben W. Heineman, Jr.

A successful corporation must take risks – must be creative and innovative. But it must also bind these risks with discipline. What the balance should be between risk-taking and risk-management (the proverbial “risk appetite”) should turn on a careful, thought-out set of decisions by corporate leaders, with the general counsel and inside lawyers playing a central role. That balance can only occur if the corporation has a robust safety culture with strong safety management processes for prevention and response, and if it has the intellectual breadth, analytical rigor and operational excellence needed to assess constantly the diverse – indeed mind-boggling – set of risks facing a global corporation. Risk management must have broad scope, covering economic and non-economic issues – and issues caused internally by corporate dysfunction and externally by such forces as nature, political upheaval, terrorism or cyber-attacks. Risk management must follow strong organizational principles: a chief corporate risk officer; multiple,

cross-functional risk committees on key issues; and an “independent” risk voice at decision meetings. Risk management must rigorously prioritize threats facing the company, focusing on probability and severity. And risk management must develop and implement systems and processes to prevent, mitigate, detect and respond. Within that framework, one of the hardest and most important risk management problems for businesses is addressing the low probability-high impact event: the catastrophe. One of the most important tools for preventing and responding to such occurrences is a systematic process for “scenario planning” and for “debating disasters” before they occur. This is not morbid thinking or gloom-and-doom prognosticating, but rather a crucial planning feature in a turbulent world. An analysis of the Fukushima nuclear incident will illustrate a striking failure, and the importance of scenario planning and Red Team/Blue Team debate in identifying and preventing disasters in the future. Believed to be one of the largest seismic events in recorded history, the Tohoku earthquake occurred early in the afternoon on Friday, March 11, 2011, off the coast of northern Japan. The quake



caused a tsunami, which swept over the shoreline and caused a loss of on-site and off-site electricity at the Fukushima Daiichi Nuclear Power Station, leaving it without any emergency power for several days. This sustained loss of power led to an inability to cool the reactor cores at three reactors. The ensuing meltdowns and hydrogen explosions caused a release of radioactive materials to the region surrounding the site. This in turn caused a mass evacuation of approximately 300,000 people. Tokyo Electric Power Company (TEPCO) and various regulatory authorities blamed nature for the damage at Fukushima Daiichi. But the official report of The Fukushima Nuclear Accident Independent Investigation Commission concluded bluntly: “The earthquake and tsunami of March 11, 2011 were natural disasters of a magnitude that shocked the entire world. Although triggered by these cataclysmic events, the subsequent accident at the Fukushima Daiichi Nuclear Power Plant cannot be regarded as a natural disaster. It was a profoundly manmade disaster – that could and should have been foreseen and prevented. And its effects could have been mitigated by a more effective human response.” The report was ordered by the Japanese legislature. The commission found that, despite information developed in recent years suggesting an increased risk of a tsunami in the Fukushima region and despite changing world standards on risk assessment, TEPCO failed to take sufficient measures to prevent the possibility of tsunami flood waters destroying the electricity needed for reactor cooling systems: “... 
researchers repeatedly pointed out the high possibility of tsunami levels reaching beyond the assumptions made at the time of construction, as well as the possibility of core damage in the case of such a tsunami.” The Commission’s findings are echoed in other independent reports on the Fukushima events, which discuss TEPCO’s many failings in design, management, approach to risk, operations and response to the accident. The catastrophic problems at Fukushima vividly demonstrate the need for robust scenario planning and for a vigorous debate in corporations and with regulators about safety-critical occurrences. The underlying cause of this human error, according to the Commission report, was, simply stated, a failure to have an honest discussion of emerging problems. Despite the availability to TEPCO of new information about

tsunami risk, the “fundamental causes are found in the ingrained conventions of Japanese culture; our reflexive obedience; our reluctance to question authority; our devotion to ‘sticking with the program’; our groupism; and our insularity.” Said the Commission: we “found ignorance and arrogance unforgiveable for anyone or any organization that deals with nuclear power.” This set of problems applied both inside TEPCO and in the relationship with its regulators, according to the report. But such problems are hardly confined to Japan. Scenario planning requires a group of cross-functional experts (the “Blue Team”) to construct possible sequences and impacts of potential catastrophic events – earthquake, tsunami, both together – and then, with an understanding of possible scenarios, to recommend preventive and responsive steps and costs to mitigate the effects of such events were they to occur. For truly high impact events, an important companion of scenario planning is a “Blue Team/Red Team” debate. Drawing from a military war-game tradition, this involves forming a multi-disciplinary “Red Team” to critique the Blue Team’s scenarios and its prevention and response plans. A recent, riveting example is found in a book by the former Deputy Director of the CIA. He describes the use of a Red Team to scrub a Blue Team intelligence analysis that concluded there was a reasonable probability that Osama bin Laden was hiding in a compound in Abbottabad, Pakistan. This “fact” – a likelihood but not a certainty – was the premise for the President ordering a dangerous special forces night raid which killed bin Laden. Both Blue Teams and Red Teams should include operational business leaders as well as


Ben W. Heineman Jr., General Electric Company’s senior vice president and chief legal officer from 1987-2005, is a senior fellow at Harvard’s schools of law and government. He teaches and writes frequently on business, law, ethics, risk, public policy and organization in the context of globalization. ben.heineman@gmail.com This article is an adapted excerpt from a book, The Inside Counsel Revolution: Resolving the Partner-Guardian Tension (Ankerwycke, April 2016).

risk-focused technology, policy, compliance, risk and legal experts. Having these distinct perspectives present on both teams helps ensure that the process of point-counterpoint will illuminate hard issues hidden in the shadows of lazy thinking, and ensure that the teams are not talking past each other. This debate between Blue and Red Teams should occur in front of top leaders including the general counsel, who should ask hard questions, challenge key assumptions and, perhaps, bring to the table some of the recurring organizational failures exhibited in other catastrophic events analyzed in public reports and books (viz. Challenger, 9/11, Katrina, BP in the Gulf, financial melt-down, Fukushima). Neither the regulators nor TEPCO had had recent debates about international practice, about the development of more modern tools and information about tsunami risk, or about worst-case scenarios involving flooding and sustained loss of power, which is a central danger at a nuclear plant. The plants had been in operation since the 1970s. Had there been a periodic Red Team/Blue Team process to update scientific information and risk assessment techniques as applied to older plants, some fairly obvious alternatives could have been available even for a predictable but very low probability large earthquake, large tsunami, and subsequent flooding. A set of generators, with water-proofed electrical connections, could have been built in more secure buildings away from the affected plants on higher ground. Such generators, in fact, existed at Fukushima itself for other reactors built later on the site, and those reactors did not lose cooling capacity. Alternatively, the utility could have invested in mobile power units stationed away from the plant, which might have become available by emergency airlift. The expense would have been modest in an absolute sense and minuscule compared to the ultimate cost of the reactor meltdowns due to loss of electrical power.
As the Commission report underscores: The reactor damage was a preventable event, given the enhanced knowledge of tsunami risk that had become available to TEPCO over the 15 years preceding the accident. Scenario planning and a Blue Team/Red Team debate could also have revealed the deep flaws in the response plan. These included a jaw-dropping lack of attention to detail: only one stretcher, one satellite phone, no guidelines for getting outside assistance, a single fax machine, inadequate connection to first responders and no large scale drills on emergency events. But, more fundamentally, the command structure within the company and between the company, the regulator and the central

government was, in the early days, dysfunctional. Poor lines of authority and poor communication caused confusion on, among other things, evacuation policy, which was in constant flux, and the public announcements about evacuation, which were bewildering. In fact, the number of deaths actually attributed to the mass evacuation far exceeds the number of deaths predicted from any radiation exposure. The problems surrounding another natural disaster, another “predictable surprise,” which had occurred just six years before the Japanese earthquake – Hurricane Katrina – were very similar: failure to do scenario planning or take an identified risk seriously; ill-thought-out response plans; blurred public-private responsibilities; a scrambled command structure; inadequate resources; failure to simulate; and confused public statements. Good scenario planning at TEPCO would have included consideration of the problems of prevention and response in a natural disaster in New Orleans, which had occurred just a few years before and was widely reported around the world. In sum, scenario planning and Red Team/Blue Team debates need to be at the core of the risk management processes focusing on potential catastrophic events. Business leaders must give strong support and encouragement to the constructive tension created by competing teams. General counsels, experts in finding truth through competing viewpoints, can help structure this process. Without debates about disaster, the risks of inattention, complacency and failure to examine key technical, financial or other assumptions can lead to a corporation being overwhelmed by events. Of course, scenario planning plus a Red Team/Blue Team process is only appropriate for the highest priority concerns. But it is a core “must do,” not a “nice to do,” for those issues. It should, selectively, be part of the annual cycle of risk reviews when the highest impact events, even if low probability, have been identified for assessment.
The benefit of hindsight, reflected in commission reports on past disasters, is not sufficient for leaders today trying to make best-efforts judgments on which potential problems or events in the future require current action, and what those preventive and responsive actions should be. Although these lessons from past catastrophes are vitally important, a continuous and robust process for genuine, detailed exploration of future risks by rival teams is necessary, to business and to society. When it comes to catastrophic events, the past is only partly prologue. ■



Environmental Claims continued from page 57

site. After listing, it took on average another 10.6 years to clean up the site. Responsible parties usually, though not always, receive some indication that they may be liable for the cleanup fairly early in the process. Sometimes the U.S. Environmental Protection Agency requests detailed information about the recipient and its potential connection to a Superfund site. Other communications from the EPA may include a General Notice Letter specifically informing the recipient that it is potentially liable for the cleanup at the site, or a Special Notice Letter, which invites the recipient to negotiate with the EPA to either perform the cleanup or otherwise settle the recipient’s liability to the EPA. However, not all potentially responsible parties receive notices at the same time. Often, a readily identifiable party, like the current or former owner or operator of the waste disposal site, receives a notice long before the EPA is able to track down former customers. To be sure, if a savvy owner or operator is aware of potential contamination or liability at a site early in the process, it could engage in strategic asset protection planning, removing valuable assets from the reach of potential future contribution plaintiffs before anyone spends one penny on the cleanup, and before putative contribution plaintiffs even conceive of a claim. Regardless of whether such a transfer actually contravenes the UFTA (which is beyond the scope of this article), given the pace of identification, investigation and site cleanup, any possible claim for constructive fraudulent transfers may be long gone before other responsible parties are even notified. In those cases, a contribution plaintiff would be precluded from relying on the constructive fraud provisions of the UFTA and would have to turn to the discovery rule that applies to claims for intentional fraud. 
Even then, claims must be brought within one year of when they “could reasonably have been discovered by the claimant.” There is no bright line rule as to when this one-year discovery period is triggered. Rather it is a fact-sensitive analysis. The discovery rule imposes on the plaintiff a duty to investigate its claims, and a plaintiff is charged with what a reasonable investigation would have discovered. In any subsequent claim for fraudulent transfer based on the discovery rule, the plaintiff bears the burden of proving that it was ignorant of the transfer and that it lacked the ability to discover the transfer at an earlier date.

Clients receiving a notice from a governmental agency sometimes focus all their attention on investigating or defending the agency’s claims, trying to locate historical company records (that may no longer exist), and current or former employees who may have relevant information. While conscientious clients often think about potential contribution claims, it’s often not until much later in the process that these claims are investigated. Certainly, performing an asset search within the first year of identifying what could be a long list of potential defendants may not be high on the “to do” list and may not be economically feasible. Nevertheless, under the law, potential contribution plaintiffs should be mindful of facts or circumstances that may trigger their duty to investigate the transactions of potential contribution defendants, even if their efforts are focused on dealing with an initial response to the Agency.

LAW FAVORS THE VIGILANT

While not aimed specifically at environmental claims, some states (like New Jersey) have taken steps to ease the burden on creditors, revising the uniform language to preserve claims for intentional fraudulent transfers until one year after actual discovery of the transfer. In other instances, courts have devised ways to allow plaintiffs whose claims have a long latency period to avoid the harshness of a strict application of the statute of repose by applying doctrines such as the collapsing doctrine – an equitable doctrine where a multi-step transaction is “collapsed” or viewed as a single transaction such that the limitations period does not begin to run until the last transaction is completed – or by taking a more relaxed view of the discovery rule. But these cases are few and far between.
Clients faced with liability for legacy environmental harms must make a critical assessment of their exposure and the potential recovery from other parties, and must be aware in the very early stages of their evaluation that claims for fraudulent transfer have a short fuse. While a full-blown asset search on all potentially responsible parties is not necessary, clients should be mindful of facts and circumstances that may trigger their duty to investigate and discover potentially fraudulent transfers. The takeaway message is clear: The law favors the vigilant, even in areas such as environmental law where claims may take decades to mature. The UFTA can be a powerful and effective tool but only for those who act promptly to preserve their rights. ■

Phil Cha is a partner at Archer & Greiner. He serves as Vice Chair of the Environmental Law Group. His environmental and energy law practice focuses on environmental litigation and regulatory compliance. He also represents clients in the remediation, sale and development of contaminated properties. pcha@archerlaw.com

Lindsay A. Brown is an associate at Archer & Greiner. She has experience in a wide range of areas in environmental law, from providing regulatory advice to representing Fortune 500 companies in complex litigation. lbrown@archerlaw.com



Information governance can make data an asset

By Karen Schuler and Douglas Herman



E-discovery is not a new phenomenon. Computers, e-mail, network shared drives and portable USB storage devices have been common sources of preservation and electronically stored information (ESI) collection for years, and for the most part organizations seem to have figured out how to preserve and manage these more traditional electronic sources in a reasonable manner. However, non-standard and unstructured data sets – audio files, images, text messages, or data within Enterprise Resource Planning (ERP) systems – are a different matter and present a growing challenge.

Our firm’s recent “Inside E-Discovery” survey found that the volume, variety and velocity of disparate data are a major concern of corporate counsel. Not only is the data universe growing, so is the number of places where data is stored. There is a pressing need, therefore, for sound information governance. Its importance for e-discovery simply cannot be overstated.

According to the survey, corporate counsel view understanding the universe of potential evidence early in the case as the most important factor in successfully managing e-discovery. Technologies like predictive coding and data visualization play a significant role in narrowing the scope of data to potentially relevant evidence, but ultimately having that early understanding is contingent on the organization’s information governance program and data preservation strategies.

“Data hoarding” of files that provide no business or historical value, duplicative information, or “dead” data that hasn’t been used or accessed in years, doesn’t just increase data security risks. It also makes identifying and accessing relevant information much more time consuming when the discovery process starts. Knowing what enterprise systems are in place and where non-traditional data is located becomes crucial not only because of the technologies involved, but because of the volume of ESI that could potentially be collected and stored.
The adage “information is your most valuable asset” is true, but only if it can be found and used, and even then only if it’s been properly preserved. Many organizations mistakenly view information governance and e-discovery as two distinct functions, but in reality they are two sides of the same coin. If data sets are too vast and disorganized, it becomes tedious and costly to process and analyze them – or during the discovery process they could be missed altogether.

FINDING THE “SWEET SPOT”

Under the Federal Rules of Civil Procedure, once a party “reasonably anticipates litigation” it has a duty to preserve ESI that may be relevant to a discovery request and place it under a litigation hold, requiring the suspension of routine data deletion or disposition procedures. Failure to preserve relevant data may result in spoliation claims or allegations of a lack of cooperation, leading to court-mandated sanctions.

But over-preservation can be just as problematic. In the absence of guidance on what constitutes a “reasonable” legal hold, or how much is enough, most organizations have been taking a “more is more” approach. To avoid discovery sanctions or spoliation claims under FRCP, counsel opts for large-scale preservation designed to ensure that any remotely relevant data sources aren’t inadvertently deleted over the course of the matter. Under this risk-averse approach, the preserved data remains “on ice” for an extended period of time while counsel negotiates the scope of the discovery. Thus only a small portion of this preserved data is relevant, leaving companies with large discovery costs that could have been reduced from the onset of the matter.

This all-or-nothing approach increases the burden of e-discovery by essentially turning off information governance policies. Considering that organizations may have multiple litigation holds simultaneously, the scope of e-discovery becomes exorbitantly expensive, useful ESI doesn’t get identified, and irrelevant ESI doesn’t get defensibly deleted. Implementing a data retention and disposition strategy as part of the ordinary course of business prior to the preservation duty kicking in is essential to reducing data volume to reasonable levels.

Recent amendments to FRCP may help organizations better structure their data deletion and de-duplication processes, and enable them to be more aggressive in throwing out data. The most significant amendments are to rules 26(b), defining the scope of discovery based on proportionality, and to 37(e), which standardizes the sanctions imposed on litigants who fail to properly preserve ESI. These amendments focus on helping organizations manage their discovery costs, and it is imperative that information governance programs are well-defined to take advantage of them.

Karen Schuler is consulting managing director at BDO Consulting, and the Information Governance Practice leader. She consults on e-discovery matters, helps organizations evaluate risk and compliance requirements, and serves as an expert witness. kschuler@bdo.com

Douglas Herman is a principal in the Forensic Technology Services practice of BDO Consulting. He specializes in database-driven applications, pre-litigation planning, e-discovery and digital forensic services. He has also served as expert witness on e-discovery matters and rule 30(b)(6), and he has participated in technical depositions of opposing experts. douglas.herman@bdo.com

KEY ELEMENTS OF INFORMATION GOVERNANCE

We often read about information governance as the new records management, but information governance is far more than that. Organizations should consider the following to build a corporate-wide information governance program:

• Due Diligence and Planning. Understand gaps and risks before litigation or investigations arise. Ensure that there is a comprehensive understanding of how data is used, where it’s stored, and that industry or regulatory policies are followed.
• Data Quality Standards. Deliver meaningful intelligence to the organization through master data management and data analytics to ensure your ERP systems provide accurate, consistent and clean data to the organization.
• Security, Integrity and Privacy. Protect data according to industry standards, regulations and internal requirements, while ensuring that the data is what it purports to be, and that privacy standards are maintained.
• Availability and Transparency. Ensure that data is accessible and easy to find to support business initiatives, and that it provides visibility into policies.
• Management and Enforcement. Develop policies and procedures to manage data throughout its lifetime.
• Alignment. Determine that the use of data is aligned with business functions and employs technologies that are aligned with the organization and its needs.
• Governance. Develop policies that reflect the current state of the business, but also provide flexibility to maintain updates and deliver those updates to the organization.

These elements drive a comprehensive approach to bringing industry and regulatory standards to the information governance program, and they result in discovery being easier and more cost-effective. While every organization can abide by the ISO 15489 records management standard, one size does not fit all when building an information governance program.

Consider, for example, the information governance needs of a healthcare organization compared to those of an oil and gas company. A healthcare organization must consider HIPAA compliance. It must manage, protect and sanitize patient data and enable secure network access for partners and providers. Meanwhile, the oil and gas company must focus on effectively managing its health, safety, and environmental regulations to ensure that data is properly protected and available to authorities. It must also maintain supply chain data consistency, equipment and vendor data standards, all while working within the data management requirements outlined by the World Petroleum Council, U.S. Environmental Protection Agency and the International Standards Organization (ISO). Successful information governance programs account for industry, regulatory, business and legal needs.

OPTIMIZING POLICIES

Given the new proportionality limitations on e-discovery, now is the time for organizations to revisit their data disposal policies and procedures in the context of their broader information governance program, with an eye toward increasing efficiencies and value. In analyzing the maturity of data governance programs and implementing new elements, organizations should consider the following:

• Is there executive level support for the information governance program?
• Do you know where “it” is? In other words, can you identify sources of data and information throughout the organization?
• Do you understand regulations and laws that are mandated for your company?
• Have you assessed whether your vendors comply with the same regulations and are in compliance with your requirements?
• Are your internal policies well defined, managed, and enforced?

Information governance is both the start and end of the e-discovery cycle, and it directly impacts the success of every e-discovery project. An effective approach to information governance enables the organization to leverage information as an enterprise asset and ensure its security, so that when an e-discovery request does arise, the organization can access the data it needs, when it needs it. ■

