WINTER 2020
VOLUME 16 / NUMBER 4
TODAYSGENERALCOUNSEL.COM
CARS THAT: Drive themselves; monitor your pulse; check if you’re stoned or drunk; remind you to shop for dinner; sell your personal data
Compliance Reboot at the Antitrust Division
AI and the GC
Legal Holds and Attorney-Client Privilege
Changes in Canada’s labor and patent laws
Questions about the CCPA
What a survey says about corporate investigations
Litigation analytics
$199 SUBSCRIPTION RATE PER YEAR
ISSN: 2326-5000
VIEW OUR DIGITAL EDITION: ISSUU.COM/TODAYSGC
TODAY’S GENERAL COUNSEL WINTER 2020
Editor’s Desk
The EU’s data practice regulations and California’s new data privacy rules aren’t in the rearview mirror yet, but there is a new regulatory agenda looming already and it’s getting underway in the same piecemeal fashion that those more generalized data privacy rules took shape. In this issue of Today’s General Counsel, Paul Keller writes about the scattershot regulation of biometric technologies — already in use in many industries, but lacking uniformity. The potential for litigation in this area is huge. Illinois and Texas are two states where meaningful statutes concerning collection, disclosure and destruction of biometric information are already on the books. Multiple class actions have been filed based on those laws, and self-driving cars, where biometrics will be employed intensely, aren’t here yet. Before autonomous vehicles do hit the road there are some big patent battles to be fought. In their article, Rubén H. Muñoz, Jenna Marie Pellecchia and John Wittenzellner describe how the amicable business relationships that have governed licensing protocols in the auto industry will probably give way to high stakes litigation once Smartphone technology becomes standard equipment in cars. Michael J. Riela discusses the Small Business Reorganization Act of 2019, designed to make restructuring of small businesses easier. After it takes effect in February, debtors will need to choose whether to proceed under the new or existing rules, and Riela warns that it is a complicated calculation. Meanwhile, Canada has amended its patent, and labor and employment laws. The patent changes were made in anticipation of NAFTA revisions and, as Benjamin Mak and Filip Boskovic explain, they are intended to better align patent prosecution in Canada with its major trading partners, including the United States. Shane Todd’s article discusses significant changes to Canada’s labor standards, including new accessibility legislation, and new workplace violence and harassment obligations. 
Corporate investigations continue and compliance teams expect more of the same. Sheila Mackay cites a survey from her firm in which half of respondents said their companies face more than 50 potential investigations per year. She advocates having a plan in place to reduce reaction time and facilitate a more efficient response.
Bob Nienhouse, Editor-In-Chief bnienhouse@TodaysGC.com
Contents
1 | Editor’s Desk
7 | Executive Summaries
COLUMNS
50 | Workplace Issues: AI and Automation Pose Challenges for General Counsel. Assess, plan, mitigate. By Michael J. Lotito and Jim Paretti
52 | The Antitrust Litigator: Compliance Reboot at the Antitrust Division. More leniency in the leniency program. By Jeffery M. Cross
54 | Privilege Place: Privilege and Legal Holds. Don’t assume it applies to the notification. By Todd Presnell
64 | Back Page Front Burner: Global Warming in the Workplace. Workers feeling the heat. By David Perecman
FEATURES
27 | Four Questions to Answer About New Privacy Regulations. New consumer rights, new obligations for business. By Rebecca Perry
39 | Corporate Investigations: What a New Survey Tells Us. Electronic information is critical. By Sheila Mackay
56 | Small Business Reorganization Act a Valuable Alternative. New sub-chapter of Chapter 11 could be a lifesaver. By Michael J. Riela
60 | Litigation Analytics. A big advantage for in-house counsel. By Rachel Bailey
EDITOR-IN-CHIEF Robert Nienhouse
MANAGING EDITOR David Rubenstein
EXECUTIVE EDITOR Bruce Rubenstein
SENIOR EDITOR Barbara Camm
CHIEF FINANCIAL OFFICER Amy L. Ceisel
CHIEF OPERATING OFFICER Stephen Lincoln
DIGITAL EDITOR Catherine Lindsey Nienhouse
DATABASE MANAGER Patricia McGuinness
ART DIRECTION & PHOTO ILLUSTRATION MPower Ideation, LLC
CONTRIBUTING EDITORS AND WRITERS
Tracy Bacigalupo Rachel Bailey Filip Boskovic Jeffery M. Cross Tiffany Fidler Michael Holmes Paul Keller Peter Lando Michael J. Lotito Sheila Mackay Benjamin Mak Kathleen McDermott Stefanie Major McGregor
Dmitry Milikovsky Rubén H. Muñoz Jim Paretti Pamela Passman Jenna Marie Pellecchia David Perecman Rebecca Perry Todd Presnell Michael J. Riela Martin Schallbruch Shane D. Todd Michael Turner John Wittenzellner
EDITORIAL ADVISORY BOARD Dennis Block GREENBERG TRAURIG, LLP
Subscription rate per year: $199 For subscription requests, email subscriptions@todaysgc.com
DECHERT
Robert Profusek JONES DAY
Thomas Brunner
Joel Henning
Art Rosenbloom
WILEY REIN
JOEL HENNING & ASSOCIATES
CHARLES RIVER ASSOCIATES
Peter Bulmer JACKSON LEWIS
Sheila Hollis
George Ruttinger
Mark A. Carter
DUANE MORRIS
CROWELL & MORING
David Katz
Jonathan S. Sack
DINSMORE & SHOHL
James Christie BLAKE CASSELS & GRAYDON
Adam Cohen
WACHTELL, LIPTON, ROSEN & KATZ
Steven Kittrell MCGUIREWOODS
FTI CONSULTING
Nikiforos Iatrou
Jeffery Cross
WEIRFOULDS
FREEBORN & PETERS
Thomas Frederick WINSTON & STRAWN
Jamie Gorelick
Robert Heim
WILMERHALE
Robert Haig KELLEY DRYE & WARREN
Timothy Malloy McANDREWS, HELD & MALLOY
Steven Molo MOLOLAMKEN
MORVILLO, ABRAMOWITZ, GRAND, IASON & ANELLO, P.C.
Victor Schwartz SHOOK, HARDY & BACON
Jonathan Schiller BOIES, SCHILLER & FLEXNER
Robert Zahler PILLSBURY WINTHROP SHAW PITTMAN
Thurston Moore HUNTON & WILLIAMS
REPRINTS For reprint requests, email jkaletha@mossbergco.com Jill Kaletha, Foster Printing at Mossberg & Co
All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information or retrieval system, without the written permission of the publisher. Articles published in are not to be construed as legal or professional advice, nor unless otherwise stated are they necessarily the views of a writer’s firm or its clients. Today’s General Counsel (ISSN 2326-5000) is published quarterly by Nienhouse Media, Inc., 20 N. Wacker Drive, 40th floor, Chicago, Illinois 60606 Image source: iStockphoto | Printed by Quad Graphics | Copyright © 2020 Nienhouse Media, Inc. Email submissions to editor@todaysgc.com or go to our website www.todaysgeneralcounsel.com for more information. Postmaster: Send address changes to: Computer Fulfillment, PO Box 185, Lowell, MA 01853-0185 Periodical postage paid at Oak Brook, Illinois, and additional mailing offices.
Contents
LABOR & EMPLOYMENT
12 | Changes in Canada’s Labor and Employment Laws. Worker-friendly legislation across the board. By Shane D. Todd
INTELLECTUAL PROPERTY
13 | New Canadian Patent Laws More Aligned With U.S. But note that differences remain. By Benjamin Mak and Filip Boskovic
18 | Connected Cars and the Clash of Two Patent Regimes. IP litigation poised to invade the auto industry. By Rubén H. Muñoz, Jenna Marie Pellecchia and John Wittenzellner
19 | Scattershot Regulation of Biometrics. New data creates new privacy concerns. By Paul Keller
24 | Design Patent Law After Curver Luxembourg, SARL v. Home Expressions Inc. What is an “article of manufacture?” By Michael Turner and Tiffany Fidler
CYBERSECURITY
30 | Cybersecurity and Trade Secret Protection. If you didn’t secure it, it can’t be a secret. By Peter Lando and Dmitry Milikovsky
32 | Creating a Healthy Cybersecurity Framework. Key questions for your annual checkup. By Stefanie Major McGregor and Michael Holmes
36 | Strengthen Digital Strategy in the Public Sector. The case for government involvement. By Martin Schallbruch
COMPLIANCE
42 | Eleventh Circuit Ruling Will Impact FCA Healthcare Investigations. “Death is an inexact science.” By Kathleen McDermott
44 | Maryland a Leader In Embracing Blockchain Technology. Another step on the road to alternative currency. By Tracy Bacigalupo
48 | A Trade Secret Wake-Up Call. Stark reminder in the form of a 33-count indictment. By Pamela Passman
Executive Summaries
LABOR & EMPLOYMENT
PAGE 12
Changes in Canada’s Labor and Employment Laws
By Shane D. Todd
Fasken
The government of Canada has made significant changes to the labor and employment laws that apply to federally regulated businesses — banks, air transport, telephone, radio and television companies, among others. They touch on everything from job scheduling to breaks, vacations, holiday pay and leaves of absence. There is new accessibility legislation, significant changes to labor standards, and revised workplace violence and harassment obligations. The Accessible Canada Act became law in July 2019. The Act is intended to make Canada’s federal sector barrier-free by January 1, 2040. This year, the government published draft Work Place Harassment and Violence Prevention Regulations to support a recently passed bill. The regulations will replace the current workplace violence obligations in the Canada Occupational Health and Safety Regulations, as well as certain related provisions in the Maritime Occupational Health and Safety Regulations and the On Board Trains Occupational Safety and Health Regulations. Employers will be required to have a workplace violence policy that contains certain required elements, including preventive measures; emergency procedures; a resolution process for receiving, investigating and resolving complaints; and harassment and violence training to new employees. Earlier this year, the federal government established an independent Expert Panel to provide advice and conduct consultations on further modernization of labor standards.
INTELLECTUAL PROPERTY
PAGE 13
New Canadian Patent Laws More Aligned With U.S.
By Benjamin Mak and Filip Boskovic
Ridout & Maybee LLP
Canada has substantially amended its Patent Act and Patent Rules for the first time in decades. The amendments are intended to better align patent prosecution in Canada with its major trading partners, including the U.S. Two noteworthy advantages of the Canadian system have been retained. Canadian applications do not require payment of excess claims fees — there are no additional fees owing for a patent application based on the number of claims in the application — and examination can be accelerated, or deferred for up to four years (previously five years). Among many other changes, new provisions in the Act provide for “third-party rights,” where third parties who undertake infringing actions in good faith within a certain time are granted a defense against infringement proceedings initiated by a patent holder. The typical Canadian Patent Office action will now require a response within four months, bringing the Canadian standard closer to the U.S. The new changes provide for a more robust prior use defense against infringement proceedings. While the changes to the Act and the Rules do align Canadian patent prosecution more closely with the U.S., Canadian patent prosecution continues to include unique challenges of which U.S. practitioners should be mindful when advising clients. Clients will need more robust and responsive systems to manage the time-sensitive, shortened response times, and will need to be aware of the risk of third-party rights or prior use rights negating any investments in developing IP.
PAGE 18
Connected Cars and the Clash of Two Patent Regimes
By Rubén H. Muñoz, Jenna Marie Pellecchia and John Wittenzellner
Akin Gump Strauss Hauer & Feld
The auto industry has not experienced rampant patent litigation among key players. Patent litigation takes a backseat to well-entrenched business relationships. Car makers and multiple tiers of suppliers have for decades managed patent rights through licensing agreements. Original equipment manufacturers (OEMs) of cars have traditionally let their suppliers handle the licensing of patents. Thus, royalties are assessed at the component or subassembly level. Smartphone manufacturers, on the other hand, generally pay licensing royalties at the end-product level. When it comes to the connected car using technology originally developed for the Smartphone, the jury is still out as to which of these two patent protocols will prevail. The outcome is important because a royalty assessed as a percentage of the price of a $35,000 car will be significantly different from one assessed as a percentage of a $100 subassembly. The connected car is at a crossroads. Two distinct sets of industry practices have come together by the funneling of technologies into the car of the future. For stakeholders in the nascent connected car industry, the outcome of ongoing litigation — pitting patent owners of cellular technology against car OEMs and their traditional suppliers — may provide some defining guideposts for the industry. The initial licensing agreements executed by these parties also stand to play a role in shaping the future of the industry because, in the world of patent damages, comparable licenses are generally accepted as evidence of industry practice.
PAGE 19
Scattershot Regulation of Biometrics
By Paul Keller
Norton Rose Fulbright
The rapid embrace of biometrics creates significant concerns relating to protecting the privacy of individuals. Biometric technologies are in use in many industries — automotive, travel, security, health care, insurance, banking and other financial services — and across multiple industries in the field of workforce management. Uniformity of regulation is lacking in most states, however. Illinois passed the Biometric Information Privacy Act (BIPA) in 2008. It sets requirements for private entities relating to retention, collection, disclosure and destruction of biometric information. BIPA grants a right of action to individuals harmed by a violation of the law. Multiple class actions have been filed, and companies have taken care to avoid potential liability. Google denied access to its Google Art & Culture mobile application to Illinois residents, and the smart home technology company Nest disables the facial recognition capability in its smart doorbell. In 2009, Texas codified its law requiring notice of collection and consent by individuals before biometric identifiers can be captured and used for commercial purposes. Contrary to BIPA, no written consent is required for the collection of biometric data. Only the attorney general may bring action. The penalty for each violation is capped at $25,000. Washington passed its biometric privacy statute in 2017. The definition of biometric identifiers is broader than those used in the Illinois and Texas statutes. It carves out an exception to providing notice and obtaining consent for security purposes, including preventing shoplifting, fraud, misappropriation or theft.
PAGE 24
Design Patent Law After Curver Luxembourg, SARL v. Home Expressions Inc.
By Michael Turner and Tiffany Fidler
Brooks Kushman P.C.
The design patent bar adjusted its strategies after the broad “article of manufacture” interpretation by the Supreme Court apportioning damages in Samsung Electronics Co. v. Apple Inc. Many practitioners responded by adopting titles specific to an entire product to justify an interpretation that the article of manufacture is the entire product, not just a component. In September the Federal Circuit interpreted the “article of manufacture” narrowly to find non-infringement of a design patent by a similar design in Curver Luxembourg, SARL v. Home Expressions Inc. The rules state that the title of the design must designate the particular article. A design patent is directed to an article of manufacture, which is designated in the title of the design patent. Design practitioners appropriately treat the title as part of the claim, and often pursue design patents with titles that both define an article of manufacture while remaining broad enough to avoid undue limitation of the claim scope. “Article of manufacture” has been a popularly debated topic in design patent law recently. Case law is causing patentees to carefully consider the title of design patent applications to appropriately define the article of manufacture. In light of these decisions, practitioners can ask designers appropriate questions prior to filing. Instead of selecting titles for a single product category, titles can be selected with a list of applicable products. Such strategies can optimize claim scope and damages, while withstanding scrutiny of the USPTO and the courts.
CYBERSECURITY
PAGE 30
Cybersecurity and Trade Secret Protection
By Peter Lando and Dmitry Milikovsky
Lando & Anastasi, LLP
Cybersecurity is a major concern for multiple functions of a company, as well as for compliance with regulatory requirements. IT groups take the lead in crafting and detailing security policies, but involvement by the legal team is helpful for a common understanding of legal requirements for maintaining proprietary information and trade secret protection, and for the legal team to understand the strengths and limitations of the tools available. It also allows the groups to be able to communicate in a shared language and establish cybersecurity procedures that help to effectively protect commercial advantages. The NIST Cybersecurity Framework is a suggested approach to create a cybersecurity process, while ISO 27001 — of the ISO 27000 series of standards — is used by independent auditors to certify that an entity has met a requisite level of protecting sensitive company information through physical, environmental, and human resource security and access control. These are both commonly used approaches for creating and implementing best practices for cybersecurity risk management processes. The information security management processes of the NIST Framework and the ISO 27000 series standards are widespread and leading best practices for cybersecurity, and can be used to create and document measures taken to protect trade secrets and proprietary information. Understanding the NIST Framework and information security guidelines are useful tools that can help counsel to participate in and influence activities and discussions with the teams that develop, manage and implement cybersecurity processes.
PAGE 32
Creating a Healthy Cybersecurity Framework
By Stefanie Major McGregor and Michael Holmes
Godwin Bowman PC
Cybersecurity in its simplest form is the protection of digital information from compromise through use of electronic systems and protocols to prevent loss or theft. It requires a close working relationship between C-suite, legal and IT personnel to determine what the organization’s valuable digital assets are and how they are being stored. Cybersecurity is an organization-wide risk management issue with broad legal implications. Your initial cybersecurity assessment will serve as a timesaver in creating an incident response plan. Have first responders in place who know who to contact to initiate response procedures. Once the threat has been neutralized, diagnose which systems and data were compromised. Recovery and restoration should only be attempted once the threat has been fully neutralized, the scope of the damage has been ascertained and the system has been secured. Internal and external notification should be handled by legal. One of the most overlooked areas of a healthy cybersecurity framework is ensuring that vendors are also employing best practices. Additionally, most organizations that are cognizant of managing their vendors’ cybersecurity practices still trust far too much in written agreements to enforce the organization’s best practices. When a breach occurs, the organization’s incident response plan must seamlessly guide management to identify, contain, investigate, recover, and notify efficiently and accurately to minimize business interruption. Cyber insurance can further mitigate the damage if adequate coverage is secured. Vendors should be enlisted as partners through continued due diligence and detailed agreements.
PAGE 36
Strengthen Digital Strategy in the Public Sector
By Martin Schallbruch
ESMT Berlin’s Digital Society Institute
Data protection regulation such as the GDPR has exploded, while at the same time data protection has suffered. The abundance of data protection lulls people into a false sense of security. Governments’ digital capabilities make overcoming their digital weakness a complicated and difficult process. However, there are some basic approaches that they could focus on to strengthen their digital strategies. Governments need to outline a new and more generalized civil code for the digital space to replace multiple laws that require updating every few years as technology advances. Governments must acknowledge that global digital platforms create online communities, yet also spread illegal content and commit crimes. The burden of responsibility should not simply be on the platform companies. Digital infrastructure planning must go far beyond just fiber-optic networks and 5G connectivity to ensure there are common offerings across all industries and applications. Finally, there needs to be a re-organization of how digital innovation is viewed in politics. Digital innovation can be extremely beneficial to citizens. It can tackle societal issues that include addressing climate change, providing improved governmental services, or just giving citizens access to safe digital services. But current digital strategies are not strong enough to ensure digital innovation is not also a threat to society. A strong digital state is a prerequisite for freedom, justice and security in an increasingly digital world, which can only be achieved if governments strengthen their digital strategies.
COMPLIANCE
PAGE 42
Eleventh Circuit Decision Will Impact FCA Healthcare Investigations
By Kathleen McDermott
Morgan, Lewis & Bockius LLP
The Court of Appeals for the Eleventh Circuit issued its much-awaited decision in United States v. AseraCare, Inc., debunking the government’s flawed theory that mere differences in clinical opinion can support punitive False Claims Act liability. The decision is significant for hospice providers and all healthcare providers that have battled government enforcers for the last decade on its theory that evidence of subjective lack of medical necessity is fraud. Although health care providers should feel good that a federal court understood the disputed issues for the hospice benefit and issued a reasoned decision, the AseraCare decision is not a good reason to take the foot off the pedal for strong clinical compliance oversight assuring that services to patients meet eligibility criteria. Sustained compliance oversight by corporate boards is now an expected norm. Compliance programs should be querying data to assess whether there is a questionable pattern of too little or too many services and reporting these findings to the board. AseraCare is an interesting decision and strong precedent in favor of healthcare providers who provide services based on medical necessity or clinical eligibility. But it is one tree in a vast forest. The healthcare community should heed the court’s caveats that documentation should support well-founded physician judgement and assure that its clinical practices can consistently meet this favorable standard. It should strive to use data analytics to identify irregular trends that may reveal issues with physician participation in their programs.
PAGE 44
Maryland a Leader In Embracing Blockchain Technology
By Tracy Bacigalupo
Morrison & Foerster
In April 2019, Governor Hogan signed a bill providing explicit statutory authority for Maryland companies to use electronic networks or databases, including distributed ledgers and blockchain technology, for the creation and maintenance of corporate records. The new legislation recognizes that a stock ledger does not need to be maintained directly by a company through an individual, but may be administered “on its behalf,” creating a path forward to use blockchain technology for corporate records. Many companies are harnessing this new technology in small, incremental steps by first working to develop and use blockchain technology internally. Recording shares on a blockchain would also enable stockholders and corporations to interact directly, thereby decreasing and even eliminating the need for intermediaries, including brokers, custodians and clearinghouses. Blockchains are structured to be public, permissioned or private, as determined by a given project’s objectives. In today’s environment of chronic data security attacks, blockchain technology’s trusted system allows companies to share, store and record sensitive data through a protected, participant-visible and unchangeable network. Blockchain is thus a valuable and necessary tool, especially with respect to corporate record keeping and stockholder notices. Given the quickly evolving use of blockchain for corporate record keeping, stockholder communications and share transfers, it is recommended that newly formed companies include authorization to use blockchain technology in their governing documents. This will preserve the opportunity to adopt this technology.
PAGE 48
A Trade Secret Wake-Up Call
By Pamela Passman
Center for Responsible Enterprise and Trade
Anthony Levandowski was the co-founder and technical leader of Google’s Waymo project, which produced Google’s self-driving car. A U.S. federal grand jury in California has issued a 33-count criminal indictment against Levandowski, charging him with theft and attempted theft of Google’s self-driving car trade secrets. According to the indictment, Levandowski downloaded numerous engineering, manufacturing and business files concerning Google’s technology. Those claims seem to appear on a regular basis in trade secret litigation. They raise questions faced by most companies: How can they maintain a trusting and collegial ethos but still protect the technologies and other trade secrets that represent the bulk of their value? Think in terms of areas of management system protections related to people, processes and technology that can help an organization manage, mitigate and measure its trade secret risks. These include implementing relevant policies, procedures, records and training to help staff understand, manage and document what is done with trade secrets. Having an assigned cross-functional team manage the company’s confidential information and managing suppliers’ and other relevant third-parties’ access and use of such information, are also vital. Additionally, a clear understanding of what the company’s “crown jewels” are — where they are located, and how they are used internally and externally — and conducting systematic risk assessments to help determine the most useful and cost-effective ways of protecting such information are needed to keep a company’s technical, physical and other protections at their most effective.
FEATURES
PAGE 27
Four Questions to Answer About New Privacy Regulations
By Rebecca Perry
Jordan Lawrence, an Exterro Company
The United States is introducing new privacy laws that apply to businesses that collect and store consumers’ and employees’ personal data. The California Consumer Privacy Act, set to go into effect on January 1, 2020, essentially creates new consumer rights, and therefore new obligations for businesses. There are four important questions that in-house counsel can ask to help determine their readiness for complying with the CCPA and other pending privacy regulations. Do we really know our data? Effective and defensible compliance begins with a data inventory — developing it if you don’t have one, organizing it if you do. How you develop your data inventory will directly impact your ability to meet your obligations, demonstrate diligence with regulators and defend your compliance efforts against plaintiffs’ attorneys. Can we respond to a data subject access request? Under the CCPA, companies have 45 days to respond to, fulfill and manage a DSAR. Nearly 60 percent of data breaches are caused by third parties. Many companies don’t have a handle on who their vendors are and what data they own. Part of your data inventory should include an understanding of who those third parties are, and to what company data they have access. Are we keeping data longer than necessary? Personal data you don’t have cannot be breached. A clear way to mitigate a lot of organizational risk is to get rid of data that has met your business, legal and regulatory obligations.
TODAY’S GENER AL COUNSEL WINTER 202 0
Executive Summaries PAGE 39
PAGE 56
PAGE 60
Corporate Investigations: What a New Survey Tells Us
Small Business Reorganization Act Is a Valuable Alternative
Litigation Analytics: An Advantage for In-House Counsel
By Sheila Mackay H5
By Michael J. Riela Tannenbaum Helpern Syracuse & Hirschtritt LLP
By Rachel Bailey Lex Machina
In a recent survey of more than 315 corporate professionals conducted by H5 and Above the Law, 63 percent believe that investigations will increase at their companies over the next three years. The survey, conducted in July and August of 2019, sought insights from legal and compliance professionals whose roles directly relate to various aspects of corporate investigations. The drivers of investigations are intensifying. Companies are becoming more engaged in addressing employee behavior that breeds misconduct, leading to an increase in what survey respondents say is the most frequent investigation type: workplace investigations. Nearly half of respondents said their companies face more than 50 potential investigations per year — 22 percent said more than 100 — with larger companies facing even more. A continued increase can only put more strain on both legal and compliance teams. Having a plan in place in advance of a potential incident reduces reaction time and sets the stage for a more efficient response. Documented policies and protocols, along with appropriate training of both employees and response teams are crucial components. And, depending on the industry and types of data stored by a corporation, the ability to adhere to a variety of new data privacy regulations — such as the EU General Data Protection Regulation, California Consumer Privacy Act and Biometric Information Privacy Act — is also key. Identifying where sensitive data resides is necessary under the new privacy regulations and is helpful in a cyber incident.
The Small Business Reorganization Act (SBRA) of 2019 will become effective in February 2020. It is designed to foster successful restructurings of small businesses. Among other things, it adds a new Subchapter V to Chapter 11 of the Bankruptcy Code, containing new tools to increase a small business debtor’s chances for a successful reorganization. Once the SBRA takes effect, a small business debtor that files Chapter 11 may proceed under either the existing small business debtor rules or the new Subchapter V. The SBRA requires the appointment of a trustee who will have various oversight responsibilities in every Subchapter V case. Management normally will remain in place. The benefits of choosing Subchapter V are that it provides more opportunity for existing equity owners to retain their ownership interests under a Chapter 11 plan, without the need to invest new money; that only the debtor will be permitted to propose a Chapter 11 plan; and that there will be no requirement that an impaired class of creditors accept the Chapter 11 plan. The drawbacks are that a trustee will automatically be appointed, and that a debtor’s management can be removed even after a Chapter 11 plan under Subchapter V is confirmed. When the SBRA becomes effective, debtors will need to choose whether to proceed under Subchapter V or the existing small business debtor rules. Because every debtor’s situation is different, prospective debtors should carefully consider the benefits and drawbacks of each option with their bankruptcy attorney.
When a contract dispute arises, in-house attorneys are often tasked with deciding whether litigation is worth the time, cost and human resources to take on the case. Often this decision is based on a combination of experience, anecdotal information and instinct, but that’s hardly an exact science. Legal analytics help in-house counsel make strategic decisions by illuminating big-picture trends and relevant cases to predict outcomes, create a plan of action, and coordinate with outside counsel or other business leaders. A key advantage of legal analytics is the ability to quickly find and compare relevant cases. Millions of cases have been filed in federal district court in the last 10 years, so being able to quickly sort through and analyze only those cases with similar, relevant claims is extremely valuable for strategizing. Deciding whether to engage outside counsel and when are strategic decisions that can benefit from data-driven research. No organization enters into a contract anticipating that it will fail, but litigation data used for due diligence can be extremely helpful in identifying the potential legal risk of working with a particular supplier or party even before the contract is signed. Whether you decide to negotiate a settlement based on real punitive damages awards in your district or take the case all the way to trial, legal analytics delivers data-driven insights to help in-house counsel be more competitive, make better informed decisions more quickly and report valuable information to stakeholders.
Labor & Employment
Changes in Canada’s Labor and Employment Laws By Shane D. Todd
The government of Canada has made significant recent changes to the labor and employment laws that apply to federally regulated businesses — banks, air transport, telephone, radio and television companies, among others. There is new accessibility legislation, changes to labor standards, and revised workplace violence and harassment obligations, among other things. This article summarizes some of these changes and looks at what is on the horizon for Canada’s federally regulated employers.
On September 1, 2019, the government proclaimed amendments to bills that made significant changes to the Canada Labour Code, the legislation that establishes the collective bargaining, health and safety, and labor standards rights and responsibilities for the estimated 18,000 federally regulated employers and 900,000 federally regulated employees across Canada. The amendments apply to the labor standards in Part III of the Code. They touch on everything from job scheduling to breaks, vacations, holiday pay
(continued on page 16)
Intellectual Property
New Canadian Patent Laws More Aligned With U.S. By Benjamin Mak and Filip Boskovic
Canada has substantially amended its Patent Act and Patent Rules for the first time in decades. The amendments to the Rules, which came into force on October 30, 2019, and the Act, which came into force on December 13, 2018, are intended to better align patent prosecution in Canada with its major trading partners, including the United States.
Two noteworthy advantages of the Canadian system relative to the United States have been retained: (1) Canadian applications do not require payment of excess claims fees (there are no additional fees owing for a patent application based on the number of claims in the application); (2) examination can be accelerated, or deferred for up to four years (previously five years).
The following is a brief overview of the new Canadian patent prosecution regime and the existing procedures in the United States. It is intended to inform the reader of significant differences and similarities between the two jurisdictions.
THIRD-PARTY RIGHTS
Whereas previously Canada had required payment of the filing fee to secure a filing date, the new Act and Rules allow a filing fee to be paid up to three months after a notice from the Canadian Intellectual Property Office (CIPO) that a filing fee has not been paid. A filing date can be secured in Canada by reference to a previously filed application. This brings the Canadian procedures into line with current United States practice.
New provisions introduced into the Act provide for “third-party rights,” where third parties who undertake infringing actions in good faith within a certain time are granted a defense against infringement proceedings initiated by a patent holder. Third-party rights arise where a patent applicant allows an application to go abandoned for failing to pay a maintenance fee, or for failing to request examination within four years of the filing date, or where a patent holder allows an issued patent to lapse as a result of failing to pay a maintenance fee. The third-party infringer may not only be granted protection from infringement of the patent holder’s rights during the period the patent application was abandoned or where the issued patent had lapsed but can also possibly be protected from the patent holder subsequent to the patent being reinstated solely based on actions taken during the period in which a patent or patent application was abandoned. To this author’s knowledge, there is no similar concept currently enacted in the United States.
RESPONSE TIME
Previously, Canadian Patent Office actions afforded an applicant six months to respond to an allegation that the application lacked novelty or was obvious in light of prior art. The typical Patent Office action will now require a response within four months, bringing the Canadian standard closer to the United States’ typical response times of three months. Both jurisdictions provide for extensions of time up to six months. Reviving an abandoned application for failure to respond to an Office Action can be requested within 12 months of the abandonment accompanied with a full response to the Office Action, and is available as of right (with a fee).
The new Act and Rules leave in place established Canadian law with respect to double patenting. United States counsel should be cognizant that voluntary divisional applications, a Canadian vehicle similar to continuation applications in the United States, do not enjoy the benefit of terminal disclaimers. A United States-style continuation application practice of seeking broader claims in a continuation application upon issuance of a parent patent application is not an effective strategy, as the voluntary divisional application in Canada is required to be patentably distinct (novel and not obvious) over the parent application. However, if the patent claims are presented such that an examiner can raise a “unity” objection, where the application is alleged to pertain to more than one invention, a divisional application filed in response to the objection does not have the risk of double patenting in view of the parent application. Because Canadian patent applications do not require excess claim fees, as stated above, best practice in Canada typically involves including all desired claims in a single application.
CIPO will no longer require witnessed assignments to record patent rights. Similar to the United States practice, assignments recorded with CIPO are not dispositive of the issue of ownership. Best practice should include a system whereby title of ownership is clearly documented and recorded with CIPO.
Generally, prior to the changes to the Act, the Canadian courts did not allow the use of submissions made during prosecution of a patent application to impact its subsequent claim construction. File wrapper estoppel has now been codified in Canada, which coincides with United States claim construction principles. As patent prosecution is increasingly done pursuant to budgetary constraints, counsel should be mindful that submissions during a prosecution can now substantially limit the scope of a patent and have a new importance in Canada.
PRIOR USE DEFENSE
The new changes to the Act provide for a more robust prior use defense against infringement proceedings. In contrast to the United States, the Canadian prior use defense does not expressly require the prior use to have been ongoing for one year prior to the first filing of the subject patent. Where detection of infringement is difficult, counsel should consider whether patent protection is the most effective avenue of protecting IP. Conversely, securing as early a filing date as possible becomes even more important to pre-empt any prior use defenses.
The new Canadian regime has as an organizing principle that an applicant will not lose substantive rights without being notified beforehand by CIPO. Although the deadlines to respond to the notices vary, an applicant can rely on the statutory requirements for notices to be provided prior to a final loss of rights in most instances. However, applicants should be mindful that where notices are not responded to in a timely fashion, the new Rules require that the applicant show that failure to respond was either unintentional or occurred despite the exercise of “due care,” depending on the type of notice. It is important that a cohesive system be put into place to monitor timelines. Otherwise, substantive rights can be permanently lost as a result of timekeeping issues.
Reinstatement of an abandoned application in Canada for failing to pay a maintenance fee, or failing to request an examination, will require a statement that the abandonment occurred despite the exercise of “due care.” This is considered a more difficult threshold as compared to the “unintentional” standard used in the United States. Abandonment resulting from other circumstances will require showing that it was “unintentional,” in line with current practice.
The new Rules provide that a final fee may be paid within four months of the Notice of Allowance, whereas United States practice requires the issue fee be paid within three months. Previously in Canada, in order to make substantive amendments to the claims following a notice of allowance, an applicant had to allow the application to go abandoned and reinstate it, resulting in the application being reintroduced into examination. The new Rules provide for a much simpler mechanism whereby an applicant can request that a notice of allowance be withdrawn, after which amendments to the claims can be entered pursuant to examination. This brings Canadian patent practice into close alignment with United States practice, where substantive amendments after allowance are treated in a manner similar to a final rejection.
CHANGES TO PATENT COOPERATION TREATY
Most countries have limited or no extensions to the national phase entry deadline under the Patent Cooperation Treaty (PCT). Canada has been traditionally used as a fallback jurisdiction when late national phase entries are desired after the national phase entry deadline. Under the new Rules, national phase entry in Canada is still allowable up to 42 months from the priority date of the PCT application, but the applicant will have to submit a statement to CIPO that failure to enter the national phase by the 30-month deadline was “unintentional.” The reasons for the failure could be disputed should the application be litigated. These requirements bring Canadian practice into alignment with United States practice of permitting late entry in restrictive circumstances.
Under the new Rules, for a new application, a certified copy of the priority document must be submitted or made available in a digital library. The changes bring the Canadian patent regime closer to the current United States practice. However, in Canada, if the certified copy is not submitted, a notice will be sent that has an additional two-month deadline. The United States requires that the certified copy be submitted within the later of four months from the actual filing date of the application, or 16 months from the filing date of the prior foreign application. In Canada, the certified copy must be submitted prior to requesting early publication. Counsel in the United States should note that early publication is a mandatory part of expedited examination, which is a common strategy employed by United States entities filing in Canada.
When entering the national phase, a patent application in a foreign language is required to file a translation of the specification in English or French. Where the translation is not provided with the application, the Applicant must provide the translation within three months of receiving a corresponding notice from CIPO or the application will become abandoned. The new regime provides that the translated specification replace the existing specification. Any subsequent amendment must be reasonably inferred from the translated specification. It is therefore important to ensure accurate translations.
While the above changes to the Act and the Rules do align Canadian patent prosecution more closely with the United States, Canadian patent prosecution continues to include unique challenges of which United States practitioners should be mindful when advising clients. Clients will need more robust and responsive systems to manage the time-sensitive, shortened response times, and will need to be aware of the risk of third-party rights or prior use rights negating any investments in developing IP.
Benjamin Mak is a partner at Ridout & Maybee LLP. His practice is principally directed towards patent drafting and prosecution, with an emphasis on electrical, mechanical, biomedical and computer-related technology. bmak@ridoutmaybee.com Filip Boskovic is an associate at Ridout & Maybee LLP. His practice is principally directed towards the preparation and prosecution of patent applications in Canada, the United States and internationally. fboskovic@ridoutmaybee.com
Canada’s L&E, continued from page 12
and leaves of absence. Some of the more significant changes include:
• Subject to a narrow exemption for emergencies, employers must now provide 24 hours’ written notice of any change or addition to a work period or shift.
• Subject to a narrow exemption for emergencies, employees will have the right to refuse overtime in order to carry out certain family responsibilities.
• Employers must provide 96 hours’ notice in writing of an employee’s work schedule. Employees may refuse to work any shift that starts less than 96 hours after the schedule is received.
• Employees may take any unpaid breaks necessary for medical reasons.
• Employers will be required to provide their employees with an unpaid break of at least 30 minutes within every period of five consecutive hours of work.
• Employees must be granted a rest period of at least eight consecutive hours between work periods or shifts.
• After six consecutive months of employment, employees will have the right to request a change to hours, work schedule, location, and other terms and conditions that may be specified in new regulations or legislation. An employer may refuse such a request only on certain grounds.
• Aboriginal employees who have completed at least three consecutive months of continuous employment may take up to five days of unpaid leave each calendar year to participate in traditional Aboriginal practices.
• Employees will be entitled to a new personal leave of up to five days per calendar year, including three days with pay, after three consecutive months of continuous employment.
• Employees will be entitled to a new leave of up to 10 days each calendar year if an employee or their child is a victim of family violence. For employees with at least three consecutive months of continuous employment, the first five days are paid.
• Vacation entitlements after a year’s employment will be unchanged at two weeks and four per cent vacation pay. That will now go to three weeks and six per cent after five years, rather than the current six. And there is a new entitlement of four weeks and eight per cent vacation pay after 10 years.
• The 30-day length of service requirement for entitlement to holiday pay will be eliminated. All employees will now be entitled to holiday pay.
There are additional amendments to the Code that have been enacted but not yet proclaimed in force, including significant changes to termination and severance obligations. There is no known timeline for when those may commence.
NEW ACCESSIBILITY LEGISLATION
The Accessible Canada Act became law in July 2019. The Act is intended to make Canada’s federal sector barrier-free by January 1, 2040. It contains different standards for broadcasters, telecommunication companies, transportation companies and other regulated entities. Although the standards are different for each group, the Act generally requires regulated entities to:
• Create plans to identify, remove and prevent accessibility barriers in policies, programs, practices and services. Plans must be created in consultation with persons with disabilities and representatives of the regulated entity.
• Set up tools to receive feedback about how the regulated entity is implementing its accessibility plan, and the barriers encountered by employees and customers. The regulated entity must publish a description of its feedback process.
• Publish reports on the progress of implementing an accessibility plan. The regulated entity must consult with persons with disabilities in preparing the report and explain how it consulted persons with disabilities in the report. These reports must also describe the feedback received and how it was addressed.
The Act gives the Accessibility Commissioner broad enforcement powers, including the ability to conduct inspection and compliance audits, make orders, investigate accessibility complaints, and issue violation notices and impose fines, among other things.
Additional duties will likely be set out in the regulations that are made under the Act. These regulations will be developed in collaboration with the newly formed Canadian Accessibility Standards Development Organization, an organization whose directors include individuals who are representative of the diversity of disabilities faced by Canadians. The additional duties will apply in the areas of employment; the built environment; information and communication technologies (e.g., websites); communication (other than information and communication technologies, but excluding broadcasting); procurement of goods, services, and facilities; the design and delivery of programs and services; and transportation (air, rail, ferry and bus carriers that operate across provincial or international borders).
WORKPLACE VIOLENCE
Bill C-65 was enacted in 2018 to expand the obligations of federally regulated employers, particularly in relation to workplace harassment and violence. This year, the government published draft Work Place Harassment and Violence Prevention Regulations to support a recently passed bill. The regulations will replace the current workplace violence obligations in the Canada Occupational Health and Safety Regulations, as well as certain related provisions in the Maritime Occupational Health and Safety Regulations and the On Board Trains Occupational Safety and Health Regulations. It is expected that the regulations are to be implemented some time in 2020. If implemented as originally drafted, they will require, among other things, that the employer — jointly with the policy committee or, if there is no policy committee, with the workplace committee or health and safety representative — will do the following:
• Develop, make available and update a workplace violence policy that contains certain required elements.
• Conduct, monitor and update a workplace assessment of harassment and violence in the workplace, and develop and implement preventive measures.
• Develop and make available emergency procedures to be implemented if a harassment and violence occurrence poses an immediate danger to the health and safety of employees or when there is a threat of such an occurrence.
• Develop and deliver harassment and violence training to new employees within three months and again at least every three years.
• Follow a new and detailed resolution process for receiving, investigating and resolving complaints of violence or harassment.
• Send semi-annual reports about violence and harassment to the internal policy committee, workplace committee, or health and safety representative, and annual reports to the Minister of Labour.
Earlier this year, the federal government established an independent Expert Panel to provide advice and conduct consultations on further modernization of labor standards in Part III of the Code. It is unclear what, if anything, will be done with the panel’s recommendations.
We can reasonably expect that the recently re-elected government will press forward with some or all of its changes to federal labor and employment laws, including the possible implementation of additional recommendations by the Expert Panel and bringing into force pending changes to the Code. However, it has already suggested that it may exempt some employers from the new labor standards discussed above.
Shane Todd is a partner in the Labour and Employment practice in the Toronto office of the law firm Fasken. He advises employers on workplace issues and represents them in legal proceedings. He is also a frequent writer on human resources law development. stodd@fasken.com
Intellectual Property
Connected Cars and the Clash of Two Patent Regimes By Rubén H. Muñoz, Jenna Marie Pellecchia and John Wittenzellner
In the early 1900s, Henry Ford found himself embroiled in a decade-long patent battle with George Selden that would end up shaping the auto industry for more than a century. Though this protracted fight played out in federal court and in the court of public opinion — with Ford and Selden trading blows as America and the world watched — the feud has largely remained the only high-stakes patent battle that the industry has seen. Unlike other technology sectors, the auto industry has not experienced rampant patent litigation among key players. Patent litigation takes a backseat to well-entrenched business relationships. For decades, carmakers and multiple tiers of suppliers have managed patent rights through licensing agreements.
The car has come a long way since Ford and Selden did battle. Not only can a buyer purchase a car in any color (not just the black that Ford once famously offered), but in various power-train versions, with multiple connectivity features and the promise of eventual self-driving capability. It is connectivity that introduces a slew of new players into the auto industry, many of whom have also been key stakeholders in the smartphone sector. However, the management of patent rights for smartphone technology, characterized by the smartphone patent wars, stands in stark contrast to the management of patent rights for automotive technology.
Original equipment manufacturers (OEMs) of cars have traditionally let their suppliers handle the licensing of patents. Thus, royalties are assessed at the component or subassembly level. Smartphone manufacturers, on the other hand, generally pay licensing royalties at the end-product level. When it comes to the connected car, the jury is still out as to which of these two patent protocols will prevail. The outcome is important because a royalty assessed as a percentage of the price of a $35,000 car will be significantly different from one assessed as a percentage of a $100 subassembly.
When it comes to the connected car, the technology that will be adopted to enable vehicle-to-everything (V2X) connectivity is still in a state of flux. Enter the world of standardization. Standards bodies have long played an important
(continued on page 22)
Intellectual Property
Scattershot Regulation of Biometrics By Paul Keller
19
B
iometric technologies are in use in many industries — travel, security, health care, automobile insurance, banking and other financial services — and across multiple industries in the field of workforce management, but the automotive industry is arguably the most advanced in its use of biometrics. Voice recognition technology is now a relatively common feature in automobiles, and the industry is rapidly adopting gesture recognition for in-car controls. Face and iris recognition technology will soon be widely used in verification of identity for vehicle entry. That same technology, with the addition of a camera directed at the driver, can be used to detect fatigue or drowsiness; and if it were incorporated
in an autonomous vehicle, it could take over operation if the driver shows signs of drowsiness. Biometrics to monitor the health of the driver have also been proposed. At the 2018 New York International Auto Show, Hyundai’s Genesis division introduced the Essentia Concept car, which incorporated fingerprint and facial recognition technology for vehicle entry. Unfortunately, the incorporation of a fingerprint recognition system does not guarantee that the vehicle cannot be stolen. In 2005, car thieves in Malaysia bypassed the fingerprint security measure by cutting off the end of the car owner’s index finger and using it to start the car. Currently, several insurance companies offer programs in which drivers
agree to install monitors in their cars in exchange for potentially lower insurance rates. The monitors track data to determine how safely the car has been operated by extrapolating the drivers’ behaviors from the performance of their vehicles. In contrast, biometric technologies give insurers the opportunity to monitor the drivers themselves. Biometric data can help determine who is operating a vehicle and that person’s physical or emotional state. For instance, State Farm has obtained patents for systems to assess a driver’s impairment, such as anxiety, intoxication, illness or injury. The rapid embrace of biometrics creates significant concerns relating to protecting the privacy of individuals. But uniformity of regulation is lacking
WINTER 202 0 TODAY’S GENER AL COUNSEL
Intellectual Property in most states, and biometric data can be collected and shared by businesses. Illinois, Washington and Texas have enacted specific biometric privacy laws, and several states have included biometric data in their data breach notification laws. In the European Union, member states are required under the General
suits have been filed alleging improper collection of facial geometry or fingerprints, and companies have taken care to avoid potential liability. For example, Google denied access to its Google Art & Culture mobile application to Illinois residents, and the smart home technology company Nest disables the
The Washington statute carves out a security exception to providing notice and obtaining consent. Data Protection Regulation to prohibit biometric data from being shared with a third party without consent, subject to a few exceptions. STATE STATUTES
20
In 2008, Illinois passed the Biometric Information Privacy Act (BIPA), regulating the collection and storage of biometric information. The statute limits the definition of “biometric identifier” to mean “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Biometric information protected by BIPA would include any data or templates that result from the conversion of the captured biometric identifiers. It sets requirements for private entities relating to retention, collection, disclosure and destruction of an individual’s biometric identifiers or information. Private entities must have written retention and destruction schedules in place and available to the public. They must obtain an individual’s written consent to collect their biometric data. They cannot profit off the data in any way. They cannot disclose or disseminate the data without the individual’s consent and must take reasonable measures to protect it. BIPA grants a right of action to any individual harmed by a violation of the law, and each violation can incur penalties ranging from $1,000 to $5,000 (or actual damages) depending on whether the violation was a result of negligence, or an intentional or reckless action on the part of the private entity. As a result of this provision, multiple class action
facial recognition capability in its smart doorbell in Illinois. In 2009, Texas codified its law requiring notice of collection and consent by individuals before biometric identifiers can be captured and used for commercial purposes. Similar to the Illinois statute, biometric identifiers were defined as “a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.” Notice and consent are required prior to the capture of any biometric identifiers. Moreover, companies or individuals cannot profit by selling or leasing the collected biometric data and cannot disclose the biometric identifiers to a third party. Mirroring BIPA requirements, the storage, transmission and protection from disclosure of biometric identifiers requires that reasonable care to be taken. Contrary to BIPA, no written consent is required for the collection of biometric data; and the data must be destroyed “within a reasonable time, but no later than the first anniversary of the date the purpose for collecting the identifier expires.” There is also no private right of action for individuals against private entities that violate the law. Only the Texas attorney general may bring action. The penalty for each violation is capped at $25,000. Washington passed its biometric privacy statute in 2017. It requires businesses to give notice to and acquire consent from an individual prior to “enrolling or changing the use of that
individual’s biometric identifiers in a database.” The definition of biometric identifier is broader than those used in the Illinois and Texas laws, but does not include “a physical or digital photograph, video or audio recording or data generated therefrom.” As with the Texas statute, Washington’s differs from the Illinois law by not requiring written consent prior to the collection of the biometric data. The Washington statute states that biometric identifiers can be retained “no longer than is reasonably necessary” to provide the services for which the biometric identifier was collected, or to protect against or prevent fraud or criminal activity. Only the Washington attorney general is empowered to enforce the law, and it does not include language with respect to monetary penalties for each violation of the law. Interestingly, the Washington statute carves out a security exception to providing notice and obtaining consent. A security purpose would include preventing shoplifting, fraud, misappropriation or theft of a thing of value, and “other purposes in furtherance of protecting the security or integrity of software, accounts, applications, online services, or any person.”
THE CCPA
The California Consumer Privacy Act (CCPA), enacted in 2018, protects personal information — broadly defined to encompass biometric information — of California residents that is collected or transmitted by businesses. The CCPA’s definition of biometric information is more comprehensive and broader than other biometric statutes. As defined by CCPA, biometric information means an individual’s physiology, which can be used to establish identity. Consumers have the right to know what personal information is being collected; whether personal information is being sold or disclosed, and to whom; the right to opt out and prevent sales; and the right to request that a business delete any personal information collected. Businesses are forbidden from discriminating against consumers who exercise their rights under the CCPA,
including charging different prices or rates or providing a different level or quality of goods and services. The regulations are applicable to any business that “does business in the State of California,” collects consumers’ personal information and meets at least one of the following thresholds: has annual gross revenues in excess of $25,000,000; annually buys, receives for commercial purposes, sells, or shares the personal information of 50,000 or more consumers, households or devices; or derives 50 percent or more of its annual revenues from selling consumers’ personal information. Businesses located outside California that meet the above criteria are subject to the CCPA. The statute authorizes a private right of action if there is a data breach of unredacted or unencrypted personal information, and the company failed to implement and maintain reasonable security measures. The civil damages would be between $100 and $750 per consumer per incident, or the actual damages incurred. Additionally, the California attorney general is authorized to file suit with civil penalties of $2,500 for each violation or $7,500 for each intentional violation. Businesses are provided with 30 days to cure any alleged violation after receiving notice of noncompliance.
Other states have data breach notification statutes that include biometric data as protected personal information. For example, in 2017, Delaware addressed the issue of biometric data by amending its data breach disclosure law to expand the definition of protected personal information to include “unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes.” These data breach notification statutes merely require disclosure of the data breach to affected parties, with varying penalties for such breaches, and generally do not require any proactive steps to be taken to protect the information itself.
The Fast Identity Online (FIDO) Alliance, a non-profit industry consortium that was formed to standardize security specifications for strong authentication across devices, launched a Biometrics Certification Program in September 2018. The Alliance membership consists of hundreds of global technology companies, including Google, Intel and Microsoft, but does not currently include any of the major automotive manufacturers. The Biometrics Certification Program is intended to certify that biometric subcomponents meet globally recognized performance standards for biometric recognition performance and Presentation Attack Detection (PAD), and are fit for commercial use. This standardization of biometric technology security specifications, if universally adopted, should assure consumers and manufacturers that the biometric components in their products are secure and can repel attempts to bypass the biometric systems.
Paul Keller leads Norton Rose Fulbright’s New York Intellectual Property Disputes Group. His key technical focuses are in the automotive industry, specifically the autonomous vehicle field, and the FinTech space (distributed ledger, smart contract and crypto-currency technologies). paul.keller@nortonrosefulbright.com
Intellectual Property Connected Cars
continued from page 18
role in the development of technology. In the automotive industry, the Society of Automotive Engineers (now SAE International) was formed in the early 1900s to streamline production and reduce costs, among other things. Early efforts included standardization of lock washers and steel tubing used by automakers. In the wireless realm, standardization has allowed interoperability of products from different manufacturers. Mobile phones have been subject to successive wireless standards — from first generation, 1G, through the current fourth generation, 4G Long-Term Evolution (LTE). Still under development is the 5G, the successor to LTE. Conceptually, carriers and smartphone manufacturers benefit by spreading development costs across members of the standards body, while consumers benefit through the competition and choice afforded by interoperability of equipment from different manufacturers.
THE ROYALTY STACK
Inherent to interoperability is the fact that, at some level, standard-compliant devices operate in the same way. As a result, these devices may be susceptible to the assertion of patents that claim the standardized technology that they embody. By comporting to a standard, standard-compliant devices necessarily infringe patent claims that cover the standard. For years, manufacturers of smartphones — handheld devices housing myriad technologies — have faced licensing obligations and lawsuits related to the different standards they embody, including 3G, LTE, and video standards. The aggregate cost to license the patented technologies from patent owners is often referred to as the “royalty stack,” which has been estimated to cost as much as the physical components that make up a smartphone. In theory, the royalty stack needed to sell a smartphone free of claims for patent infringement can become economically unfeasible if the stack grows beyond the profits derived from the sale of the device.
When it comes to the connected car, the technology that will be adopted to enable vehicle-to-everything (V2X) connectivity is still in a state of flux.
The structure of licensing obligations for patents that are encompassed in a technical standard, the so-called standard-essential patents (SEPs), can take several forms. Under one scenario, patented technology may be incorporated into a standard on the condition that the patent owner grant a royalty-free license to standards-body members. The Bluetooth Special Interest Group, a standard setting organization (SSO), requires its members to enter into a patent license agreement that grants other members a royalty-free license to any patent claims that are infringed by implementing the Bluetooth standard. As members of the Bluetooth SSO, auto manufacturers and their suppliers receive such a license. Under another scenario, patented technology may be incorporated into a standard with the agreement from the patent holders to offer a license to the patented technology to would-be implementers on fair, reasonable and non-discriminatory (FRAND) terms. Much has been written and litigated on the meaning of FRAND terms, but there has been little uniformity in how courts and standards bodies have addressed the issue.
Under the auspices of industry players, private entities may be formed to manage the licensing of patent rights. In the early 1900s, Selden — himself a patent lawyer holding a patent to an automobile — did so during his feud with Ford by forming the Association of Licensed Automobile Manufacturers (ALAM). In exchange for royalties, certain automobile manufacturers joined the ALAM, but Ford was excluded. Rather than exit the industry, Ford fought the ALAM in several litigations and won. The ALAM fizzled out shortly thereafter. Today, there are many successful private entities licensing patent rights adopted under a given standard. For example, MPEG LA administers patents related to video standards MPEG-2 and AVC. MPEG LA charges a fixed fee (with certain volume adjustments) for each device that implements those standards. Licenses are available to suppliers (e.g., chip makers) and, under the doctrine of patent exhaustion, those licenses cover manufacturers of end products. This seems to parallel the model that the automotive industry has generally followed. Licenses are available to the component supplier; and royalties are assessed on the price of the component, not the price of the end product (the car).
Licensing of standardized wireless technology, as evidenced by smartphone litigation, has followed a different path. LTE was developed by the 3rd Generation Partnership Project (3GPP) and promulgated by the European Telecommunications Standards Institute (ETSI) — the same entities that are currently developing 5G technology and who stand to play a role in the world of connected and autonomous vehicles. The ETSI Intellectual Property Rights Policy requires that licenses be made available on a FRAND basis but does not require that licenses be made available to component suppliers or that the royalty be assessed at the component level. Smartphone litigation has often involved arguments over whether it is proper to assess a royalty for wireless communications on the value of the entire smartphone — or whether, instead, on the value of a component or a subset of components, such as the modem and baseband processor — that provides a given functionality.
CLASH OF LICENSING REGIMES
Establishing a licensing regime in a given industry may not be as simple as having an SSO promulgate licensing policies and expect industry players to follow along. For instance, the Institute of Electrical and Electronics Engineers (IEEE) is responsible for promulgating various standards, including the 802.11p standard, which is projected by some to be a key enabler in V2X data communications. The recently revised IEEE-SA Standards Board Bylaws recite certain considerations for determining a “reasonable rate” under FRAND. These considerations appear to be aimed at more closely tying the FRAND rate to the components that implement the standard, rather than to the vehicle as a whole. But an early read on patent owners’ willingness to license their patents under these terms indicates that the revised bylaws may be unpopular among patent owners who appear reticent to pledge to license their patents under the new terms.
As the auto industry enters a new technology phase, where connectivity appears poised to take center stage, some stakeholders have started to take action in European and American courts. On one side, patent owners of cellular technology have commenced patent infringement lawsuits in German courts against car OEMs. On the other, at least one supplier has filed a lawsuit in U.S. federal court for breach of contract against patent owners of cellular technology for failure to license those patents under FRAND terms. The stakes in these ongoing litigations are high, as their outcomes may help shape the future of the industry.
Patent infringement in the United States statutorily entitles a patent owner to no less than a “reasonable royalty.” And in litigation, parties are generally required to apportion the royalty to the value of the patented invention. In fact, some case law suggests that royalty calculations should be based on the smallest saleable patent practicing unit (SSPPU) and further apportioned as appropriate. But, as exemplified in the smartphone patent wars, royalty calculations may also be based on comparable licenses, which have become a proxy to SSPPU-based apportionment. If the SSPPU is the starting point, the royalty base will typically be a component of the smartphone. Conversely, if comparable licenses are the starting point, the royalty base is often the price of the entire smartphone, since real-world licenses are often tied to the end product manufactured by the licensee. These two starting points may result in significantly different patent damages awards. Thus, the importance of the initial litigation outcomes and the initial deals struck by patent owners and implementers of V2X technology should not be underestimated. They have the potential to set not only legal precedent but also a new direction in industry practice.
The connected car is at a crossroads. Two distinct sets of industry practices have come together by the funneling of technologies into the car of the future. For stakeholders in the nascent connected car industry, the outcome of ongoing litigation — pitting patent owners of cellular technology against car OEMs and their traditional suppliers — may provide some defining guideposts for the industry. The initial licensing agreements executed by these parties also stand to play a role in shaping the future of the industry because, in the world of patent damages, comparable licenses are generally accepted as evidence of industry practice.
Rubén H. Muñoz is a partner at Akin Gump Strauss Hauer & Feld. He practices intellectual property law with an emphasis on patent infringement litigation. He has also worked as an engineer on the development of advanced engine technologies. rmunoz@akingump.com Jenna Marie Pellecchia is a counsel at Akin Gump Strauss Hauer & Feld. Her practice concentrates on intellectual property, with an emphasis on patent infringement litigation. jpellecchia@akingump.com John Wittenzellner is a counsel at Akin Gump Strauss Hauer & Feld. He focuses his practice on complex patent litigation and intellectual property transactions. Prior to law school, he worked as an engineer at National Semiconductor, Motorola, Photronics and Micron Technology. jwittenzellner@akingump.com
Intellectual Property
Design Patent Law After Curver Luxembourg, SARL v. Home Expressions Inc. By Michael Turner and Tiffany Fidler
The design patent bar adjusted its strategies after the broad “article of manufacture” interpretation by the Supreme Court that apportioned damages in Samsung Electronics Co. v. Apple Inc. Our challenge, as practitioners, is how do we procure design patent protection that satisfies the “article of manufacture” requirement without limiting damages or infringement? In other words, how do we define or name the “article of manufacture” without being too broad or too narrow? On September 12, 2019, the Federal Circuit interpreted the “article of manufacture” narrowly to find non-infringement of a design patent by a similar design in Curver Luxembourg, SARL v. Home Expressions Inc. Many patent practitioners responded to the Supreme Court’s holding by adopting titles that were specific to an entire product to justify an interpretation that the article of manufacture is the entire product.
Procedurally, the rules state that the title of the design must designate the particular article. No description, other than a reference to the drawing, is ordinarily required. The claim shall be in formal terms to the ornamental design for the article (specifying name) as shown, or as shown and described. A design patent is directed to an article of manufacture, which is designated in the title of the design patent. Likewise, the claim also specifies the name of the article of manufacture. Design practitioners appropriately treat the title as part of the claim, and often pursue design patents with titles that define an article of manufacture while remaining broad enough to avoid undue limitation of the claim scope.
AFTER SAMSUNG V. APPLE
The Supreme Court in Samsung v. Apple interpreted that a broadly titled article of manufacture can be a component of a product instead of the entire product, thereby permitting apportionment of the damages. The damages statute specific to design patents is directed to an infringement by an article of manufacture. The Court found that the phrase “article of manufacture” is consistent in the design patent statute and the design patent damages statute. In Samsung v. Apple, the titles of the asserted Apple design patents were “Electronic Device” and “Graphical User Interface.” Each of Apple’s asserted patents depicted a smartphone, with one component of the smartphone claimed in solid lines and the remainder of the smartphone disclaimed in broken lines. The Federal Circuit Court of Appeals interpreted the article of manufacture as the entire smartphone. The Supreme Court held, in the context of a multi-component product, “the term ‘article of manufacture’ is broad enough to embrace both a product sold to a consumer and a component of that product, whether sold separately or not.” Under this interpretation, a broad article of manufacture title can be interpreted as a component of the product, not the entire product, thereby permitting apportionment of damages, and a possible limiting of damages. The Supreme Court declined to define an article of manufacture test.
Many patent practitioners responded to the Supreme Court’s holding by adopting titles that were specific to an entire product to justify an interpretation that the article of manufacture is the entire product, not just a component of the product. For example, a narrower design patent title, such as the product name (e.g., smartphone) is now preferred over a broader product category (e.g., electronic device). Another reaction of the design patent bar is to file design patent applications with multiple embodiments ranging in claim scope to support that the entire product is the claimed article of manufacture. For example, if a design patent application is directed to an ornamental design with a portion or component of the product claimed and another portion or other components disclaimed in a broader embodiment, then another narrower embodiment is added with the entire product claimed. By using the same product title for both embodiments, a reasonable interpretation of the title should be the entire product. However, if the patent application is subjected to a restriction requirement
and election, the article of manufacture interpretation of the broader embodiment may be limited to a claimed component of the product. Until the courts adopt a test, such strategies and reactions to the case law are expected to preserve arguments that the article of manufacture is the entire product.
CURVER LUXEMBOURG, SARL V. HOME EXPRESSIONS INC.
The Federal Circuit recently ruled that a design patent titled “Pattern for a Chair” did not cover a similar pattern on a basket in Curver Luxembourg v. Home Expressions. The court held that “claim language can limit the scope of a design patent where claim language supplies the only instance of an article of manufacture that appears nowhere in the figures.” The asserted design patent does not illustrate a chair. The design patent only includes a portion of the pattern and was filed with the title FURNITURE (PART OF-), which was later amended to a Pattern for a Chair. Although the claimed pattern is very similar to the pattern on the accused basket, the Federal Circuit held that the title is part of the claim language and therefore limits the scope. The patentee adopted the common approach of pursuing a broad title — FURNITURE, which perhaps is a class of articles, not just an individual article of manufacture. Examination resulted in amendment and selection of one article by name, which resulted in too narrow an interpretation to find infringement.
While preparing a patent application for a pattern, the inventors can provide a list of all of the applicable products, and the patent application can include the list disjunctively. For example, a title of Pattern for a Chair or Basket may have avoided the outcome in this case. Additionally, drawings of each product example may be included. Use of “or” in the title and, consequently, the associated claim — as well as multiple environmental views of the different articles — may be subject to a restriction requirement and/or indefiniteness rejection. However, in both situations, the practitioner can pursue each article of manufacture as a separate embodiment by filing a continuation and/or divisional design patent application. In other situations, a design may be embodied in various articles of manufacture. For example, a design for a product may also be embodied as a toy replica. In order to avoid noninfringement under Curver Luxembourg v. Home Expressions, a patentee could include each article of manufacture in the title — a design patent application title for a car may be “vehicle or toy vehicle.”
“Article of manufacture” has been a popularly debated topic in design patent law in recent years. The case law is causing patentees to carefully consider the title of design patent applications to appropriately define the article of manufacture. However, in light of these decisions, practitioners can ask the designers appropriate questions prior to filing, to select titles with products in mind. Instead of selecting titles for a single product category, titles can be selected with a list of applicable products. Such strategies can optimize claim scope and damages, while withstanding the scrutiny of the United States Patent and Trademark Office and the federal courts.
Michael Turner is a shareholder at Brooks Kushman P.C. He focuses his practice on domestic and foreign patent prosecution for mechanical and electro-mechanical matters, systems, business methods and designs. He is also actively involved in postgrant proceedings before the United States Patent and Trademark Office and represents clients in Inter Partes Review proceedings and reexaminations. Mturner@brookskushman.com Tiffany Fidler is a shareholder and Co-Chair of Patent Prosecution at Brooks Kushman P.C. Her practice focuses on procuring domestic and foreign patents in mechanical and electro-mechanical matters, and coordinating international patent portfolios. She also has extensive experience in design patent prosecution. Tfidler@brookskushman.com
SPONSORED SECTION
Four Questions to Answer About New Privacy Regulations By Rebecca Perry
News about data privacy is everywhere. From politics to congressional hearings to new laws restricting how personal data can be used, it’s a topic that every general counsel must have top of mind. Following our friends in the European Union’s General Data Practices Regulation, the United States is introducing new privacy laws that apply to businesses that collect and store consumer and employees’ personal data. An example is the California Consumer Privacy Act (CCPA), which is set to go into effect on January 1, 2020. The scope of the CCPA is pretty broad, but it doesn’t apply to all organizations. Most non-profits are exempt, and a business must have gross revenue in excess of $25 million while collecting the personal information of more than 50,000 customers. But if a business gets at least 50 percent of their revenue from selling California residents’ information, they’ll be required to comply.
The CCPA essentially creates new consumer rights, and therefore new obligations for businesses. The CCPA grants consumers:
• The right to know what data was collected on them, and for what purpose.
• The right to access their data.
• The right to request that their data be deleted.
• The right to know which third parties hold their data.
• The right to consent to collection, sharing and use of their data.
• The right to opt out of their data’s use.
• The right to equal treatment.
All of this means that consumers have more control over their personal data held by businesses, which creates the following challenges: Do businesses have their arms around their data? Do they understand where it lives within their organization, and where it is shared? Along with those internal management issues lie additional issues pertaining to handling consumer requests. How do you give California consumers a portal to request their information? How do you validate that it is truly that individual requesting the information? And how do you respond and maintain records of those responses going forward?
Here are four important questions that in-house counsel can ask their teams to help determine their readiness for complying with the CCPA and other pending privacy regulations.
Question 1: Do we really know our data?
Organizational expectations of data management and information governance rarely line up with reality. Effective and defensible compliance begins with a data inventory — developing it if you don’t have one, organizing it if you do. In order to do that, you have to engage with key business people across your organization and find out what data they’re using, how they’re using it, and how they’re storing it. How you develop your data inventory is
going to directly impact your ability to meet your obligations, demonstrate diligence with regulators and defend your compliance efforts against plaintiffs’ attorneys. But what are the elements of an effective and actionable data inventory? First, identifying and understanding all of the data types, subjects, and personal data that you maintain on those data types and subjects. As the definition of personal data continues to expand, it’s important that your data inventory be kept up-to-date and actively managed. Second, understanding your retention obligations and how long you’re required to hold information will help keep your data clean, because the less data you hold that serves no business function, the better. Finally, understanding which third parties have access to which data is instrumental in getting a grip on your organization’s data. It’s hard to protect your data if you don’t know where it is, so your data inventory — and really knowing your data — should be a top priority for your organization.
Question 2: Can we respond to DSARs?
Under the CCPA, companies have 45 days to respond in order to fulfill and manage a data subject access request (DSAR). If they don’t have an effective, organized and streamlined process to manage DSARs, they’ll struggle to comply. There are six capabilities to think through:
1. How are you going to accept the DSAR? You have to be positioned to accept varying types of requests from individuals. A dynamic portal, structured in a way that will accept and route the request automatically, is essential to making the process cost-effective.
2. How are you going to authenticate the requestor? Authentication is an often-overlooked but important aspect of DSARs. Potential lawsuits aside, it would be extremely unfortunate to give a bad actor someone else’s personal information.
3. How will you manage workflows associated with the requests? Managers should be outlining various types of DSAR scenarios they might receive, and develop workflows and documented processes to route, manage and fulfill those requests.
4. How are you going to collect data across disparate sources within your organization? If you have it, you have to produce it. This goes back to the importance of having an up-to-date, lean and actively managed data inventory. Otherwise, you have to search, collect and produce personal data from across individual sources, which include email, information on shared drives and other applications — or even paper records.
5. How are you going to review and redact information? A step toward your own defensibility includes a process of reviewing and redacting personal information before handing it over to data subjects. That way, if a defensible authentication process fails, you aren’t causing a breach by inadvertently including someone’s personal information on her or his report. It’s one of the more time-consuming components of fulfilling a DSAR.
6. How are you going to harmonize this process with your legal holds and retention process? Before you fulfill any deletion request, verify that the information isn’t under an active legal hold or other retention obligation that would require you to reject that deletion request.
Question 3: What third parties have our data?
A startling amount of information that companies have actually resides within third parties. A 2018 Ponemon Institute study found that nearly 60 percent of data breaches are caused by third parties, yet many companies don’t have a good handle on who their vendors are and what data they own, let alone their data-related obligations. Part of your data inventory should include an understanding of who those third parties are, and to what company data they have access. If needed, update your contracts to include data protection clauses to ensure that additional processes are in place to protect consumer data.
Question 4: Are we keeping data longer than necessary?
Put bluntly, personal data you don’t have cannot be breached. A clear way to mitigate a lot of organizational risk is to get rid of data that has met your business, legal and regulatory obligations. It’s an unnecessary added liability to over-retain personal data that serves no business purpose. It is essential to get buy-in from executives and senior management. Operationalizing this mindset and building it into the culture of the business can be a great opportunity to rethink how your entire organization handles privacy. You can start by minimizing your company’s data with a simple process:
• Develop: retention schedules, scheduling logic, policies, deletion strategies and hold processes.
• Implement: program training, attestation, email, file sharing, structured data and paper records.
• Maintain: audit training, documentation, policies, program monitoring, program updates and annual review.
Preparing for the CCPA starts with a quality data inventory, and ensuring reasonable data protection measures. From there, you can build out and automate your DSAR processes, and review and update your cybersecurity measures. Then, revisit the four questions above, along with this one: Is your organization ready for the CCPA?
REBECCA PERRY is the Director of Strategic Alliances at Jordan Lawrence, an Exterro Company. She manages the Alliance Partnership with the Association of Corporate Counsel and builds strategic relationships with leading law firms. She is a Certified Information Privacy Professional and frequent speaker in the legal and privacy communities. rperry@jordanlawrence.com
Cybersecurity
Cybersecurity and Trade Secret Protection By Peter Lando and Dmitry Milikovsky
Trade secrets and proprietary information can drive key differentiation and time-to-market in competitive markets. However, the problem in our hyper-connected world is that information, no matter how confidential, is easy to copy and transmit at essentially zero cost. This leads to heightened risk for misappropriation and theft of proprietary information and trade secrets.

Trade secret theft and misappropriation risk is predominantly from people who are either inside or doing business with your company. Statistics show that more than 90 percent of defendants in trade secret litigation are employees or business partners of the trade secret holders.

Technology and an understanding of security standards become very important in trade secret protection due to the continual evolution of the legal definitions of “reasonable steps” or “reasonable efforts,” which are required to be undertaken by a trade secret owner to protect and enforce these rights against misappropriation.

Cybersecurity is a major concern for multiple functions of a company as well as for compliance with regulatory requirements in many areas. Generally, IT groups take the lead in crafting and detailing the security policies that protect the critical infrastructure and information of companies. Issues that are often addressed in creating cybersecurity systems include key risk identification, access controls, data handling policies and security tool selection. Early and continuous involvement by the legal team is helpful for a common understanding of legal requirements for maintaining proprietary information and trade secret protection, and for the legal team to understand the strengths and limitations of the tools available in the market. It also allows the groups to be able to communicate in a shared language and establish cybersecurity procedures that help to effectively protect commercial advantages.

Currently, there are several cybersecurity frameworks and standards that facilitate the creation of information and cybersecurity processes that are used by industry.

CYBERSECURITY FRAMEWORKS AND STANDARDS

Key frameworks for building and maintaining cybersecurity include the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the International Organization for Standardization (ISO) 27000 series standards. The NIST Cybersecurity Framework is a suggested approach to create a cybersecurity process, while ISO 27001 — of the ISO 27000 series — is used by independent auditors to certify that an entity has met a requisite level of protecting sensitive company information through physical, environmental, and human resource security and access control. These are both commonly used approaches for creating and implementing best practices for cybersecurity risk management processes. For example, some surveys have found that 84 percent of organizations across a wide range of sizes and industries already leverage some type of security framework. A recent survey by ISO reported that over 31,000 entities had obtained ISO 27001 certification for their information security management system and control processes.

An understanding of the cybersecurity framework and information security guidelines allows legal practitioners to communicate with cybersecurity teams and influence the processes to protect trade secrets and confidential information according to the appropriate legal and regulatory standards. Further, it helps legal practitioners understand the issues and trade-offs in creating viable cybersecurity processes.

The NIST Cybersecurity Framework has five functions, each with several categories and subcategories, which may be used to create and manage cybersecurity processes. The Framework includes activities that may be used to address protection of confidential and proprietary information. It also refers to other standards, including ISO 27001, on how to address those activities that should be part of a given category. A high-level definition of each of the five functions is as follows:

• Identify: Develop an understanding of the cybersecurity risks to be able to manage the systems, people, assets, data and capabilities.
• Protect: Develop and implement appropriate safeguards to ensure delivery of critical services and protection of key information to address identified risks.
• Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event, using the tools, processes and systems that have been implemented to address the identified risks.
• Respond: Develop and implement appropriate actions, including involving all the appropriate internal and external stakeholders, regarding a detected cybersecurity incident.
• Recover: Develop and implement appropriate activities to restore any capabilities or services that were impaired due to a cybersecurity incident, and that improve existing safeguard processes and tools.
Part of risk identification includes creating cybersecurity governance, which addresses support for compliance with legal and regulatory requirements. This references sections of ISO 27001 that support addressing intellectual property rights protection of both internal and third-party information, and the use of non-disclosure and confidentiality agreements as examples of items that are reviewed to obtain certification under the standard. In addition, the ISO 27001 standard requires review as to how information is protected from unauthorized access and release.

For counsel working with management, a useful initial step would be to work with the IT, business and technical teams to create a process to identify proprietary information and potential trade secrets. There are tools, such as data security platforms, that search files for specific information used for data classification. They are available as part of cloud provider offerings, and can be used to identify proprietary and trade secret information, especially if application for privacy compliance has already been made. These tools classify documents by searching for key words and using machine learning approaches to improve over time. They can be used to identify items, for example, documents and files — such as those with customer information, technical terminology and confidentiality labels — as confidential, proprietary and potentially trade secret.

THIRD-PARTY RISK

Another important part of the risk identification is to understand and categorize suppliers and third-party partner information systems. The objective is to ensure protection of assets that are accessible by suppliers and partners. As is common practice, confidentiality provisions should be included in supply, evaluation, development and similar agreements. However, access to proprietary electronic information should be addressed both from a contractual and an electronic security standpoint. There are a number of technologies that can provide this functionality. Pro-

(continued on page 35)
Creating a Healthy Cybersecurity Framework By Stefanie Major McGregor and Michael Holmes
Cybersecurity continues to be a hot topic in business, and a proper framework may determine the long-term health of your organization. Although cybersecurity may seem a daunting topic to address, it can be managed in the same way you manage your personal health. Here are some diagnostic questions for your organization to consider when approaching a healthy cybersecurity framework: Do you have a detailed incident response plan for a data breach? Have you conducted a test run? Do you have a cyber insurance policy that adequately protects your organization? Do you understand its terms and requirements? Have you incorporated cybersecurity expectations into your third-party vendor agreements? Have you conducted a security audit of those vendors to determine if they are following your cybersecurity practices?

Much like going to your physician for your annual checkup, it is vital for any organization to conduct regular cybersecurity assessments. Cybersecurity in its simplest form is the protection of digital information from compromise through use of electronic systems and protocols to prevent loss or theft. Far more than passwords and firewalls, cybersecurity requires a close working relationship between C-suite, legal, and IT personnel to determine what the organization’s valuable digital assets are and how they are being stored. Cybersecurity is an organization-wide risk management issue — not just an IT or CIO issue — with broad legal implications.

Once digital assets have been identified and located, the organization should determine all access points and those with access. Armed with this knowledge, an organization should be able to design a security risk management framework that will mitigate the likelihood of intrusion. Establishing metrics for your framework will result in better controls and improvements over time, including monitoring the types of cyberattacks the organization is receiving — distributed denial of service (DDoS), network intrusions, data tampering/theft — and what types of endpoint monitoring and protection the organization is implementing, e.g., encryption coverage, regular patches, anti-virus/anti-malware. Training employees and organizational partners is the most critical component, as your framework is only as strong as your least security-conscious employee or vendor.

INCIDENT RESPONSE
Your initial cybersecurity assessment will serve as a crucial timesaver in creating an incident response plan. Organizations should establish policies and procedures, as well as roles and responsibilities, for all members in response to cyber incidents. Common incidents — such as DDoS attacks, network intrusions, malware infections, corrupted data or loss of customer personal information — should have very well-rehearsed response procedures that can be performed without consulting the manual. For less common cyber incidents, a well-crafted response plan should model a medical emergency plan and include the following:

1. First Response: The first step should never be to determine whom to call. Have first responders and systems in place who know whom to contact to initiate response procedures.

2. Stop the Bleeding: Once the threat is identified and the team is mobilized, stopping the bleeding is essential before post-intrusion measures can be taken. Given the sophistication of some intrusions, a thorough evaluation of whether any other remaining threats were overlooked can save the organization from having to restart the response and notification process.

3. Diagnosis: Once the threat has been neutralized, the response team needs to diagnose which systems and data were compromised. This is an essential step, not just for the recovery process but also for legal to determine who must be notified and what must be communicated. The balance between over- and under-communication in response to an intrusion, particularly with the public, is a difficult decision and should be made with the input of all leadership.

4. Treatment: This step is typically dependent upon established data redundancies. As with any type of medical treatment, recovery and restoration should only be attempted once the threat has been fully neutralized, the investigation and scope of the damage has been ascertained, and the system has been secured. Best practices would also suggest detailed documentation of the systems and data that were compromised in case of subsequent legal or administrative action against the organization.

5. Informing the Patient and Family: Internal notification to the board should be carefully tailored, considering that it could become part of legal or administrative action. Notification to stakeholders should be crafted by legal to ensure strict compliance with various federal and state statutes and regulations, especially if consumer personal information was involved.
For example, as of January 1, 2020, Texas and several other states with similar statutes and regulations will require that the Attorney General be notified of a breach within 60 days if at least 250 Texas residents were affected. This notice must include a detailed description of the nature and circumstances of the breach, the number of Texas residents affected, the measures that have already been taken and are planned to be taken, and whether law enforcement is investigating. If the data breach impacted more than 10,000 persons at one time, the organization must notify all consumer-reporting agencies as well. All of this must occur without unreasonable delay, and no later than the 60th day after the breach was discovered. So given the numerous tasks, short deadlines and strict reporting requirements, a detailed and practiced incident response plan is imperative.

CYBER INSURANCE
As with medical insurance coverage, cyber insurance can be an effective tool to transfer some of the risk of a breach. Risk analysis should be conducted once a year at a minimum in response to the organization acquiring new digital assets, uncovering new threats or reevaluating the financial impact of a breach. Organizations should lean heavily on their general counsel — as experts on their insurance policies — to determine if existing policies cover cybersecurity events and to what limits. Many recent policies include at least some language either covering or excluding cyber incidents. If stand-alone cyber insurance or additional coverage to the organization’s existing policies are obtained, legal should still ensure that the policy would cover the most common intrusions. Cyber insurance can provide a healthy safety net but should never be the organization’s only defense.

One of the most overlooked areas of a healthy cybersecurity framework is ensuring that vendors are also employing best practices. Additionally, most organizations that are cognizant of managing their vendors’ cybersecurity practices still trust far too much in written agreements to enforce the organization’s best practices. Before an agreement is reached with the vendor — much like seeking information on your physician’s credentials — due diligence should be conducted to learn their cybersecurity track record. Ask for references and documentation, and do not be afraid to reject a vendor if their cybersecurity knowledge is outdated. Money saved by going with a low-cost vendor who ignores best cybersecurity practices will be eclipsed by the damages from a cybersecurity breach. Your due diligence conversations with vendors should be direct and open about any potential security weaknesses, and what it will take to meet your organization’s standards should the parties work together. Ensuring that the vendor also has adequate insurance to cover cyber incidents adds another layer of risk mitigation for all involved.

Once adequate due diligence has been performed and a vendor selected, craft terms of the agreement that account for the sensitivity of the information the organization has in its possession, as well as the vendor’s access to that information. The terms should include the organization’s best cybersecurity practices, not just for the term of the contractual relationship but also for when the relationship ends. Including provisions that allow the organization to conduct periodic audits of the vendor’s cybersecurity performance can help identify and remediate problems before they arise. Common considerations should include non-disclosure and confidentiality provisions that account for sensitive data, data storage, retention and delivery schedules, and breach notification responsibilities between both the vendor and the organization. Legal is on the right track if the agreement requires at least as much cybersecurity as the organization is itself practicing, but further consideration should be given to the vendor’s unique use of, or exposure to, the organization’s data. One very common mistake is not including a vendor’s subcontractors in cybersecurity best practices considerations.

The agreement should also address the destruction or return of any data the vendor possessed, the secure removal and deletion of all the organization’s data from the vendor’s system, and the restriction of the vendor’s access after the end of the relationship. Detailed documentation is very important in the event of a post-termination breach; and only when all the organization’s data is removed and all access is terminated, should the vendor be removed from the organization’s risk management and audit processes.
Much like a physician’s recommended medical plan, the best cybersecurity practices look like a spider web of policies and procedures all working together as an integrated and synergistic organizational framework. The initial cybersecurity assessment is paramount to the success of the rest of the framework, but an organization’s analysis cannot stop there. Based on the assessment, an organization must implement policies and procedures tailored to the company’s assets, threats and risk appetite. When a breach occurs, the organization’s incident response plan must seamlessly guide management to identify, contain, investigate, recover, and notify efficiently and accurately to minimize business interruption. Cyber insurance can further mitigate the damage if adequate coverage is secured. Vendors should be enlisted as partners through continued due diligence and detailed agreements. Keep improving the organization’s cybersecurity protections. Hackers don’t sleep, and the long-term health of your organization depends upon your efforts.
Stefanie Major McGregor is a shareholder at Godwin Bowman PC. Her practice is focused on commercial litigation. She represents clients in both prosecution and defense of cases before state and federal courts. SMcGregor@GodwinBowman.com Michael Holmes is a senior business and technology attorney at Godwin Bowman PC, focused on all aspects of corporate transactions and complex dispute resolution. MHolmes@GodwinBowman.com
Trade Secret Protection continued from page 31
viding these requirements to the cybersecurity personnel can lead to the best tools and process for the organization. These solutions, which are also part of data protection platforms, provide partner access and employee access controls, and track access to applications, documents, files and directories by employees and contractors.

The protect function includes activities to develop and implement appropriate safeguards to ensure delivery of critical infrastructure services. One of the requirements of this function is having and maintaining access control systems. It provides references to portions of the ISO 27001 standard that require creating a detailed and documented access control policy, which is to be periodically reviewed. The access control policy addresses assigning or revoking access rights for all users to all systems and services available based on business requirements.

In creating an access control policy, it is useful to review both the information identified as being proprietary during risk identification and additional information that is later identified by a data security platform or otherwise. Specifically, thought should be put into: (1) which users have access to proprietary information; (2) whether users that have access to proprietary information should be able to access it remotely or via personal devices; (3) how to grant access to proprietary information on an ongoing basis; and (4) how to grant access to proprietary information in third-party discussions, for example, triggering legal or NDA approval for sharing information that is identified as proprietary.

User access control frameworks can take many forms. These include employee role-based access control; creating categorical levels of access to certain information, which requires different approvers at each level; having separate read, write, copy and execute permissions; and wholesale limitation to the ability to copy and transmit certain files or documents. The culture and business processes of an organization are important factors in how user access is granted and changed.

In addition, both the NIST Framework and ISO 27001 require that all employees and contractors receive appropriate awareness training, which should include regular updates of the relevant policies and procedures. This training is a great tool for informing employees of their obligations for proprietary information and obtaining feedback to improve the process and find information that may have been missed or that may be problematic in being maintained as confidential. Further, it can be used as evidence that notice of protection of trade secrets and confidential information was communicated and shared with company personnel.

Both the NIST Framework and ISO 27001 require that log records are determined, documented, implemented and reviewed periodically according to a detailed process. These logs can be used to determine when proprietary information may have been transmitted inappropriately and allow expeditious action to be taken. Further, the documented processes and log records can be used to bolster a showing that reasonable measures have been taken to protect proprietary information.

Additionally, ISO 27001 requires that managers regularly review the compliance of information processing and procedures within their area of responsibility with appropriate security policy standards. It would be useful for legal counsel to evaluate access logs to proprietary and potentially trade secret information as part of the periodic review. This allows for understanding frequency of use and determining whether there are issues that need to be identified. Further, if machine learning is used for anomaly detection, labeling any events as problematic, non-problematic or with additional categories can speed up improvement of these machine learning algorithms.

The information security management processes of the NIST Framework and the ISO 27000 series standards are widespread and leading best practices for cybersecurity, and can be used to create and document measures taken to protect trade secrets and proprietary information. The NIST Framework and information security guidelines are useful tools that can help counsel to participate in and influence activities and discussions with the teams that develop, manage and implement cybersecurity processes.
Peter Lando is a founding partner of Lando & Anastasi, LLP, an intellectual property boutique law firm. His practice involves all areas of intellectual property and related transactions. Plando@LaLaw.com Dmitry Milikovsky has over 20 years of legal and business development experience in the consumer electronics, telecommunications and software industries, including as Vice President, Business Development and Licensing at Qualcomm. dmitry@milikovsky.com
Strengthen Digital Strategy in the Public Sector By Martin Schallbruch
Beginning in May 2018, inboxes of EU citizens were bombarded with emails from companies asking for permission to use their data as the new General Data Protection Regulation (GDPR) took effect across the European Union. GDPR is a large and complex law applicable to any company or organization that processes the data of an EU citizen. Any company processing data without legal basis faces huge fines. It aims to give people more rights to the information about them that organizations possess. The implementation of this new regulation suggests that politics is beginning to successfully understand digitization and tackle an important area of digital risks.

Although GDPR is a huge step forward in data protection, it isn’t as effective as it should be in ensuring the safety of the digital space for all. Data protection law has exploded, while data protection has suffered. In practice, the small-scale approach is no longer capable of protecting citizens effectively, comprehensively and transparently from the actual hazards of data processing. There are now so many different data regulations and guidelines that it is difficult to provide clear and detailed descriptions of them all. In fact, the abundance of data protection lulls people into a false sense of security and almost encourages them to handle their data carelessly.

For example, banking has increasingly been made available through our smartphones via banking apps: we can digitally access our accounts, transfer money and check payments through our phones. However, the app developer, banks, smartphone manufacturer, mobile phone provider and operating system developer all have access to our data and are subject to different data protection regulations and supervisory authorities. This means that providing consumers with a complete description of all data processing operations, participating institutions and legal regulations is almost impossible.

Data protection isn’t the only area of digitization where the public sector should be implementing strategies and regulation. Unfortunately, the public sector has generally been weak at implementing digital strategies and protecting its citizens in the digital space, with governments struggling to keep up with increased digitization.

The public sector is struggling when it comes to the security of our everyday digital life. Households are now filled with a whole host of digital devices that are connected to the internet — mobile phones, laptops, smart TVs, e-books, even smart light bulbs. Data is stored on all of these devices in the form of texts, photos, music, videos, emails, personal details — some of which may have been forgotten about or are no longer in use. Every program and digital device has vulnerabilities requiring regular maintenance, installation of data protection updates and configuration of security settings. There is no overarching approach to protecting the security of the networked home.
Governments’ digital capabilities make overcoming their digital weakness a complicated and difficult process. However, there are five basic approaches that governments could focus on to strengthen their digital strategies.
1. New Generalized Laws
Governments need to outline a new, less detailed, and more generalized digital law — a civil code for the digital space. At present, digital law is focused on specific applications and phenomena of digital technology — for example, autonomous driving or tech fraud — but this cannot be applied to digitization in general. New laws must include basic rules for responsibility in the digital realm, such as a minimum-security obligation for manufacturers of networked devices, leading to the development of a more comprehensive, overarching digital law outlining responsibility in the digital space. This would replace the current model of multiple individual laws that need to be updated every few years as technology advances.
2. Increased State Responsibility
Digital innovation in traditionally state-run sectors, such as education and healthcare, is being dominated by private companies and large tech firms. Now that almost all areas of our lives are digitized — healthcare, energy, arts, logistics — more is expected from our governments. However, poor progress is being made in digitizing government actions. The public sector is not leading digital innovation and has become reliant on private companies providing new and innovative technology. Using healthcare as an example, health apps have become far more widespread than digital offerings from public health services. Large platform providers compete with the state across many areas of public services, which advances digitization but poses a risk to society. These private providers are largely unregulated by parliaments and governments with transport, health, education and other digitized sectors increasingly evading public control.

We can no longer live without the digital services private companies offer, but these digital spaces cannot remain unregulated. Governments must acknowledge that global digital platforms, such as Google and Facebook, create online communities where individuals can communicate and cooperate, yet also spread illegal content and commit crimes. The burden of responsibility should not simply be on the platform companies. Digital platforms should be designed in such a way that governments can assume responsibility for the online community, protection of security and freedom, and the enforcement of laws — even in the digital world.

Government investment into digital innovation needs to be increased, with more funding made available for every traditionally state-run sector. This will prevent state-run services from being reliant on the private sector and give control and responsibility over these services back to the public sector, while also allowing states to improve their digital innovation.
3. Increased Independence at Lower Levels
Individual institutions should be allowed to act on their own, without coordinating each step in developing a digital strategy. Currently, if a government wants to develop and implement a digital strategy it must be done at a countrywide level, with policies requiring the approval of many different lower level institutions first. This is a lengthy, slow and complicated process, with overwhelming approval of new strategies being extremely difficult to obtain. Governments should give greater autonomy and independence to lower levels of government, such as local councils or states, so they can devise and implement their own digital strategies. This will lead to faster implementation of digital strategies, which can be reviewed and updated by local authorities when necessary.

4. Infrastructure Advancement
In most countries, digital infrastructure planning is not sufficient to ensure all citizens have access to and benefit from digital innovation. Digital infrastructure planning must go far beyond just fiber-optic networks and 5G connectivity to ensure there are common offerings across all industries and applications. Though not always provided by the state, it is the government’s responsibility to ensure that all citizens have access to digital innovation, with access to cross-sector basic services such as digital identity and trustworthy cloud services. Countries with a long-standing information communications technology (ICT) legacy in the public sector will find this far more difficult, as there will be greater investments necessary to update digital infrastructures. This process will be easier and less time-consuming for countries such as Estonia, which have built a comprehensive and service-oriented ICT architecture.

5. Digitalization and Politics
Finally, there needs to be a reorganization of how digital innovation is viewed in politics. Digitalization is affecting every industry and can drastically increase the speed of change for many issues a country is facing, such as climate change and energy crises. Though recently there has been a stronger focus on digitalization in politics (for example, the EU Commission has appointed an Executive Vice President for the Digital Age), there must be more integration of digital innovation in all sectors — economic, legal, national security and finance. The best way to introduce digitalization in all departments of government would be to create a Ministry of Digital Affairs to ensure that there is horizontal digital support for all departments.

Digital innovation can be extremely beneficial to citizens. It can tackle societal issues that include addressing climate change, providing improved governmental services, or just giving citizens access to safe digital services. But current digital strategies are not strong enough to ensure digital innovation is not also a threat to society. A strong digital state is a prerequisite for freedom, justice and security in an increasingly digital world, which can only be achieved if governments strengthen their digital strategies.
Martin Schallbruch is Deputy Director of ESMT Berlin’s Digital Society Institute and a Senior Researcher of Cyber Innovation and Cyber Regulation. As a long-time Director General for Information Technology, Digital Society and Cyber Security in the German Federal Ministry of the Interior, he largely designed the digital agenda of the federal government. Martin.schallbruch@esmt.org
SPONSORED SECTION
Corporate Investigations WHAT A NEW SURVEY TELLS US By Sheila Mackay
Corporate investigations are usually resource-intensive—not to mention costly—events that can both disrupt business and thrust an enterprise into an unwelcome spotlight. Although most companies strive to create a business environment with appropriate and enforceable compliance policies and procedures that will keep investigatory incidents to a minimum, they are nonetheless a fact of corporate life. As today’s social, ethical and communications landscape grows more complex, the ripples roll into the corporate realm with increasing consequence and frequency. Growing regulatory demands, heightened concerns about employee behavior, massive data quantities to protect from breach, more loopholes for bad actors to exploit—each of these realities increases the probability of a corporate investigation.
INVESTIGATIONS ON THE RISE
Those on the front lines of corporate investigations believe the situation will only get worse. In a recent Corporate Investigations survey of more than 315 corporate professionals conducted by H5 and Above the Law, 63% believe that investigations will increase at their companies over the next three years (the number was higher for non-U.S. companies, at 72%). The survey, conducted in July and August of 2019, sought insights from legal and compliance professionals whose roles directly relate to various aspects of corporate investigations.
[Chart: Increase or Decrease in Investigations? Bars for Increase, Stay the Same and Decrease; values shown: 63%, 30%, 8%]
INVESTIGATIONS DRIVERS EMERGING ON SEVERAL FRONTS
The anticipated increase reported by the survey is not surprising. The drivers of investigations are intensifying on several fronts. For one thing, given the rise in cultural sensitivity to harassment and discrimination (think #MeToo, for example), companies are becoming more engaged in addressing employee behavior that breeds misconduct, leading to an increase in what survey respondents say is their companies’ most frequent investigation type: workplace investigations. In fact, a recent Proskauer survey about workplace investigations cites an increase in harassment claims, discrimination complaints, and other workplace misconduct that is not likely to abate any time soon. External pressures that increase investigation risk for companies are on the rise as well. The H5 survey cited regulatory/ governmental investigations as the next most frequent type of investigation; and judging by statistics issuing from other arenas—from the SEC whistleblower program to anti-money laundering enforcement actions, to white collar incidents, to healthcare investigations—the number of investigatory incidents driven by regulatory pressures will continue to climb for the foreseeable future.
A WAKE-UP CALL
For companies who say they are already experiencing a cost and resource drain from their investigations burden, this is a wake-up call: Things are likely to get worse. In the H5 survey, nearly half of respondents said their companies face more than 50 potential investigations per year—22% said more than 100—with larger companies facing even more. Although a majority (64%) do report having a department or team specifically dedicated to investigations, generally reporting to legal, a continued increase can only put more strain on both legal and compliance teams who strive to stay ahead of potentially damaging situations before they become tomorrow’s headlines.
COSTS AND RISKS
Aside from the risk of reputational damage, which can be devastating to any company (a concern highest for workplace and white collar investigations, according to the survey), investigations spend can be precipitously high, encompassing line items similar to those incurred by corporate litigation. Although 27% of survey respondents did not know the all-in cost of investigations in their companies, those who did reported as highest the spend related to outside counsel (86%) and analytics technology (59%), with eDiscovery provider costs and contract review costs pretty much tied for third (at 53% and 52%, respectively). Costs vary by type of investigation, as different investigation types may have very different requirements. Regulatory and employee investigations, for example, tend to implicate more electronic data, which can raise costs as collection and review efforts to identify key documents add to the bottom line.
ELECTRONIC INFORMATION IS A CRITICAL FACTOR
To be sure, today’s untamed data volume and complexity complicates both investigatory and litigation efforts in major ways, requiring both effective and efficient processes that challenge even the most forward-thinking companies. In the survey, 59% said that for the investigation type their companies face most often, collected data volumes top 100GB, with 14% saying more than 1TB. Despite any corporate efforts to the contrary, data volumes tend to grow, not decrease, over time; and tackling the data-wrangling aspects involved in such incidents takes more than just organizational and technical knowledge. A hybrid approach that effectively blends personnel and technology is required with full-on company commitment to a defined process, best-of-breed tools, and the ongoing cultivation of appropriate skill sets to handle the challenge. This is especially true when it comes to finding key documents. In an investigation or litigation, it is, after all, the evidence that tells the tale, and finding the information quickly that will unearth the pertinent facts is an important part of the process. Survey respondents reported keyword search (31%) and manual review as the usual approach (28%), although more advanced technologies are available these days that would likely provide a more accurate and cost-effective method for homing in on key information. Generally, there is room for improvement here. The survey showed that satisfaction levels with finding key documents are mediocre, with lowest levels related to the speed at which key documents are identified.
[Chart: Methods Used to Identify Key Documents. Categories: Keyword search, Manual review, TAR/CAL, Analytics technology, AI technology; values shown: 31%, 28%, 17%, 12%, 12%]
BEING PROACTIVE: PREPAREDNESS AND THE PROPER TOOLS
In fact, it is the ongoing development of technological tools that may have the greatest impact on the cost and risk of investigations as time goes on; the increasing use of analytics and AI technology to both process and proactively monitor data could make a significant difference. As it is, 67% said their companies proactively monitor electronic data (e.g., email review or network monitoring) to identify potential wrongdoing, notably much higher in the finance/banking sector (94%).
[Chart: Proactive Monitoring. Yes 67%, No 33%]
The growing use of technology for investigations appears to be a cross-border phenomenon. The survey showed no difference in U.S. vs. non-U.S. responses and anecdotal evidence attests to the efforts outside the U.S. to leverage more advanced solutions. In the UK, for example, Lisa Osofsky, Director of the Serious Fraud Office (SFO), indicated that AI robots were used to check for privileged material in the Rolls Royce case, leading to an 80% savings in the area where it was used. Further, she said that machine learning and AI-based technology-assisted review features would soon be used in investigations to create greater efficiencies and shorten decision-making timelines.
Although using advanced technologies can provide efficiencies across the board, the proactive angle is key: A reactive approach to any problem always tends to be more costly (and riskier), and the ability to address a worrisome situation before it gets out of hand can mean the difference between an internal reprimand and a visit from the DOJ. Part of being proactive, too, is being well prepared. Having a plan in place in advance of a potential incident reduces reaction time and sets the stage for a more efficient response. Documented policies and protocols along with the appropriate training of both employees and response teams are crucial components. And, depending on the industry and types of data stored by a corporation, the ability to adhere to a variety of new data privacy regulations, such as the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Biometric Information Privacy Act (BIPA), is also key. Identifying where sensitive data resides is necessary under the new privacy regulations and is helpful in a cyber incident. Although the investigations landscape may be a bit rugged these days, no one seems to have their head in the sand. Acknowledging today’s challenging realities is half the battle; the rest depends on the commitment and energy devoted to the proactive and innovative thinking that will lay the proper groundwork for success.
SHEILA MACKAY is Managing Director of eDiscovery at H5. She has more than 25 years of experience in the legal services industry including product development, professional services, operations, management and business development. An advocate of the use of technology to drive efficiency, Sheila works hand in hand with H5’s client services, infrastructure and technical services teams to develop and deploy custom solutions for global and domestic companies and law firms. smackay@h5.com
Compliance
Eleventh Circuit Decision Will Impact FCA Healthcare Investigations By Kathleen McDermott
The U.S. Court of Appeals for the Eleventh Circuit issued its much-awaited decision in United States v. AseraCare, Inc., powerfully debunking the government’s flawed theory that mere differences in clinical opinion can support punitive False Claims Act (FCA) liability. The decision is significant for hospice providers, but also for all healthcare providers that have battled government enforcers for the last decade on its theory that evidence of subjective lack of medical necessity is fraud. The decision should be a bellwether for the Department of Justice (DOJ), as well as an opportunity for
the DOJ to revisit its enforcement initiatives related to medical necessity. The healthcare industry should not misunderstand, however, the import of AseraCare and assume that hospice eligibility or medical necessity challenges for other health services cannot morph into big health care fraud investigations or audits. One good judicial decision does not allow for complacency in clinical oversight of key services to patients — whether those services are hospice, therapy or interventional. Rejecting DOJ’s signature theory of liability — that falsity may be established by mere clinical disagreement
divined from a cold retroactive review of the record — the court held that the trial court was right to grant a new trial to AseraCare. Its decision was based on erroneous jury instructions that allowed mere clinical disagreement to be the only evidence of falsity to find punitive FCA liability against the national hospice provider. The district court had granted a new trial on the basis that the instructions were wrong, and the Eleventh Circuit agreed. The court further held that the summary judgment subsequently granted to AseraCare should be vacated and reconsidered to give the government an opportunity to present any other
falsity evidence related to the sample claims, if the government has such actual evidence. So, procedurally, the case stays alive, but is on thin ice at best. The court noted that the trial record was devoid of any evidence that physicians had lied regarding their certifications of eligibility or that hospice services were not provided to the patient, and pointed out that much of the evidence showed AseraCare’s compliance with Medicare’s hospice regulatory scheme. The opinion noted that CMS and the Medicare contractor at trial supported the view that the Medicare hospice benefit was structured to consider good faith, subjective clinical opinions based on the common sense reality that death is an inexact science, and that two physicians could hold different views of a patient’s terminal prognosis and eligibility. Even the government’s expert changed his mind on patient eligibility over time — an incredible situation given that his testimony was the sole evidence to support the jury’s verdict and punitive liability in excess of $200 million.
KEY TAKEAWAYS
There are many gems in this well-reasoned and scholarly opinion — the first at the appellate level to consider the government’s FCA theory. Some key takeaways for FCA practitioners include the following:
• To properly state a claim alleging hospice fraud under the FCA, the government must show facts surrounding a physician’s certification of eligibility that are inconsistent with the proper exercise of a physician’s clinical judgment. Mere differences of reasonable opinion concerning a patient’s likely longevity are not sufficient to allege FCA liability.
• Falsity evidence must be linked to the government’s actual samples of false claims. General anecdotal information of business practices untethered to the proffered false claims is not evidence of falsity for FCA purposes.
• Medical record documentation does not have to prove the validity of physician’s judgement. Documentation must support the physician’s judgment and is sufficient so long as it represents a reasonable interpretation of the relevant medical records. The medical record is not intended to prove the veracity of clinical judgment in an after-the-fact review. CMS’s own word choice — “support” instead of “prove” or “demonstrate” — shows that the level of support is not to the degree of certitude that the DOJ asserts.
• The Medicare regulatory scheme intends to give well-founded physician judgment deference, and wide latitude to make informed judgments without fear that such judgments will be second-guessed years later by laymen in liability proceedings.
DOJ’s medical necessity initiatives over the last several years have focused on hospice and therapy providers with virtually the same playbook in every case — medical record retrospective review, often by a nurse reviewer, to allege falsity based on alleged inadequate documentation conclusions as to clinical eligibility. There is often no evidence of actual fraud or material noncompliance. Often, the physicians who certify eligibility are not even interviewed regarding their certifications before catastrophic punitive liability is asserted. DOJ’s theory of liability does not require developing evidence of falsity, only evidence of clinical disagreement. Many of these investigation matters are founded on clinical disagreement, lightly sprinkled with general anecdotal complaints regarding business practices, or with C-suite emails that look bad
but had no influence on the physician’s certification or were even known to the clinicians caring for the patient. The opinion also lays bare the reality that government enforcement practices sometimes ignore the regulations and rationale for the regulatory scheme at issue in order to fashion a more pliable account of how regulations are intended to work — even if that account is contrary to what has been legislated by Congress and implemented by the regulatory agency. In AseraCare, the government enforcers ignored the regulatory scheme as explained by its own Medicare agency witnesses to assert punitive liability under the FCA. This has a chilling and negative effect on all hospice providers, which is the exact opposite of what is right for the patients and their families who need this important benefit. In developing the hospice benefit, CMS went to great lengths to assure physicians needed for the hospice program that their judgments would not be recklessly questioned or second-guessed in making clinical decisions on terminal prognosis. This promise was upended by FCA investigations that asserted liability based on a very flawed theory in contravention of Medicare regulations, as the AseraCare decision shows. Despite all good intentions, this enforcement approach does not foster a climate where physicians will want to participate in the hospice program. Lawyers defending healthcare providers love the AseraCare decision. They will make good use of it in the conference room and courtrooms across the country in numerous pending investigations. Although health care providers should feel good that a federal court understood the disputed issues for the hospice benefit and issued a reasoned decision, the AseraCare decision is not a good reason to take the foot off the pedal for strong clinical compliance oversight assuring that services to patients meet eligibility criteria. 
Healthcare providers need to assure that their employed and contracted physicians and nurse practitioners meet their obligations to sufficiently document the clinical
(continued on page 47)
Maryland a Leader in Embracing Blockchain Technology By Tracy Bacigalupo
There is widespread consensus that blockchain is the technology with the most disruptive potential since the Internet, with broad applications that could transform businesses and government. The World Economic Forum estimated that 10 percent of global gross domestic product would be stored on blockchain technology by 2027. Goldman Sachs stated, “From Silicon Valley to Wall Street, technologists and investors alike are buzzing about the potential for the Blockchain to revolutionize …well, everything.” The State of Maryland is now at the forefront of this development. On April 30, 2019, Maryland Governor Hogan signed Senate Bill 136, which provides explicit statutory authority for Maryland companies to use electronic networks or databases, including distributed ledgers and blockchain technology, for the creation and maintenance of corporate records, including a company’s stock ledger. The new legislation also recognizes that a stock ledger does not need to be maintained directly by a company through an individual, such as a corporate officer or a transfer agent (as was previously required by the statute). Instead, it may be administered “on its behalf,” again creating a path forward to use blockchain technology for corporate records.
This new legislation provides Maryland companies with the statutory framework to migrate to a blockchain-enabled platform, reinforcing Maryland as a “go to” state for those seeking a pro-business, pro-future statutory framework for their companies. These amendments to the Maryland General Corporation Law (MGCL) went into effect on October 1, 2019. The new legislation also specifically permits Maryland companies to transmit communications, such as stockholder notices, using blockchain technology. Additional amendments clarify that corporate written consents and requests may be provided by “electronic transmission,” including through blockchain technology. The amendments to the MGCL benefit Maryland corporations in many significant ways:
• Maryland corporations are now able to issue and track shares electronically on a real-time basis, meaning that delays, inconsistencies and uncertainty caused by manually recording an issuance or a transfer of shares may be reduced or eliminated.
• The distinction between record holder and beneficial owner may be eliminated. Consequently, the complexities, confusion and ensuing inefficiencies caused by the nominee system may be eliminated.
• Transactions may be settled instantaneously, especially when coupled with smart contracts.
• Transaction costs may be reduced or eliminated.
• Maryland corporations may communicate directly with investors. By allowing both issuers and stockholders to interact directly with each other, the need for third-party intermediaries — such as brokers, custodians and clearinghouses — along with their related costs, may be reduced or eliminated.
As Maryland is the forum of choice for investment companies, it should be noted that asset managers, in particular, may implement blockchain technology to:
• Reduce costs across front, middle and back-office activities through a reduction in data management and manual intervention;
• Streamline the client on-boarding process by reducing the time normally required to collect and verify data;
• Increase the speed of settlement of trades;
• Offer clients real-time reporting; and
• Offer advanced solutions with respect to AML or KYC.
TECH ADVANTAGES
Many companies are harnessing this new technology in small, incremental steps by first working to develop and use blockchain technology internally. Blockchain provides a shared, immutable record — or an unchangeable record that is written once and can only be read — of any currency or asset, including tangible assets like real estate. It includes a tamper-proof audit trail of the transfer of any such asset without relying on a traditional, trusted third party. With blockchain, companies can share, store and record valuable data through a secure chain of time-stamped and connected blocks of data. A blockchain is operated in a peer-to-peer network of unaffiliated parties that use the Internet as a network for connecting the individual data records
through predefined consensus mechanisms, and by employing cryptography in order to prevent editing or tampering with the recorded information. Information is permanently stored and can be tracked or authenticated by anyone with access to the data. Technologies involved in blockchain include cryptography, distributed network (also called peer-to-peer ledger systems), and incentive mechanisms to
provide a value proposition to service the network. Examples are transaction fee-setting mechanisms or rewards for miners who secure and extend the blockchain. Blockchains are structured to be public, permissioned or private, as determined by a given project’s objectives. Public blockchains are large, distributed networks based on open-source code that is developed and maintained by
their respective communities. They are open to everyone to participate at any level to read or validate (i.e., mine) a transaction, or write data in exchange for cryptocurrency without identification or permission. Anyone can audit the public blockchain ecosystem. Critical to a blockchain’s infrastructure are nodes, such as computers or servers, which store blocks of data comprising a blockchain and are
connected to other nodes with which they exchange the most current data and authenticate a block’s legitimacy.
Permissioned blockchains are built so they require permission to read the blockchain or limit the parties that transact on the blockchain. They may or may not be based on open-source code. These may operate under a known entity that determines the role that given nodes will play in a network. They may or may not use cryptocurrencies as incentives for participants to serve the network.
Private blockchains are smaller, limited-membership, centralized networks controlled and operated by a single entity or enterprise where cryptocurrency is not warranted. Only permissioned users are allowed to read, write or audit a private blockchain. The private blockchain owner can override or delete commands on a blockchain at any time. Consequently, private blockchains are not a decentralized software architecture but a distributed database with cryptography to secure it. In fact, cryptography validates these systems and helps protect information and communications from being accessed by unauthorized users through encryption. Thus, they allow only the sender and intended recipient to view or decrypt the contents of a message. Blockchain specifically uses asymmetric cryptography, also known as public key cryptography, which always uses two complementary keys — sometimes referred to as a public key and a private key. One might encrypt a message, while the opposite key can be used to decrypt the other key’s encoded text, and vice versa. In other words, the key that was used to create the ciphered text cannot decrypt it. Only its complement can.
HEIGHTENED DATA SECURITY
In today’s environment of chronic data security attacks, blockchain technology’s trusted system allows companies to share, store and record sensitive data through a protected, participant-visible and unchangeable network. Blockchain is thus a valuable and necessary tool, especially with respect to corporate record keeping and stockholder notices.
Being able to look up an audit trail of a given asset or data with certainty verifies the accuracy of the data. Maryland’s new statutory amendments will allow Maryland corporations to maintain more accurate records. Stock ledgers in smaller, closely held corporations are often maintained in a spreadsheet. Individuals tasked with updating the ledgers often fail to consistently do so in a timely manner and may sometimes make mistakes in data entry, leading to inaccurate stockholder records. An automated stock ledger recorded and verified in a distributed ledger would enable these companies to easily maintain an up-to-date stock ledger. Recording shares on a blockchain would also enable stockholders and corporations to interact directly, thereby decreasing and even eliminating the need for intermediaries, including brokers, custodians and clearinghouses. Eliminating the need to register shares in “street names” and, instead, allowing shares to be registered to the actual beneficial owners could improve stockholder voting practices and prevent mistakes made by intermediaries, whether due to misunderstood stockholder instructions or inaccurate stockholder records. In addition, corporations can also use distributed ledgers and digital tokens, representing voting power, to form an electronic platform for stockholder voting. This could help improve the ease of voting, and the accuracy and speed of vote counts, thus incentivizing greater stockholder participation in corporate actions. The new amendments specifically permit Maryland companies to transmit communications using blockchain technology. This could allow for quicker, more secure and more transparent transactions and stockholder communication. Maryland is not the only state to allow companies to use blockchain technology for corporate record keeping.
For example, Delaware has adopted similar amendments, and California allows privately held companies and social purpose organizations to use blockchain technology for certain corporate records. As companies take advantage of the new legislation, some challenges and
complexities are to be expected. For example, when companies experiment with issuing and transferring shares using blockchain technology, compliance with applicable securities laws will be necessary and new issues will need to be addressed in the process. In addition, even though a blockchain can share records and transfers more securely, its security often depends on the actual application of the technology. For example, Maryland’s new amendments do not restrict the distributed electronic network and database to public blockchains, so corporations may choose to encrypt data in a private blockchain network and set permissions as they desire. The level of security will depend on the permissions set, which need to be balanced with other factors such as the company’s need for privacy and ease of use. Given the quickly evolving use of blockchain for corporate record keeping, stockholder communications and share transfers, it is recommended that newly formed companies include authorization to use blockchain technology in their governing documents. This will preserve the opportunity to adopt this technology when the company is ready to embrace all that it can offer in our rapidly changing economy.
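
The tamper-evident audit trail described in this article, and its caveat that a private ledger's security depends on how the ledger is run, can be shown with a small hash-chained stock ledger. The Python below is an example added here, not code from the article or from any ledger product; the holder names, dates and the TREASURY issuer label are constructed, and SHA-256 over canonical JSON is an assumed block encoding.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first block


def block_hash(block):
    """SHA-256 over every field except the stored hash, in a canonical encoding."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_transfer(chain, sender, receiver, shares, timestamp):
    """Record one issuance or transfer, linked to the previous block's hash."""
    block = {
        "index": len(chain),
        "timestamp": timestamp,
        "from": sender,
        "to": receiver,
        "shares": shares,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    block["hash"] = block_hash(block)
    chain.append(block)
    return block["hash"]


def first_invalid(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if (block["index"] != i or block["prev_hash"] != prev
                or block["hash"] != block_hash(block)):
            return i
        prev = block["hash"]
    return None


def holdings(chain):
    """Replay the ledger into per-holder share counts (TREASURY issues shares)."""
    totals = {}
    for b in chain:
        if b["from"] != "TREASURY":
            totals[b["from"]] = totals.get(b["from"], 0) - b["shares"]
        totals[b["to"]] = totals.get(b["to"], 0) + b["shares"]
    return totals


def rehash_from(chain, start):
    """What the sole operator of a private ledger can do after an edit:
    recompute every later hash so the chain is internally consistent again."""
    prev = chain[start - 1]["hash"] if start else GENESIS
    for block in chain[start:]:
        block["prev_hash"] = prev
        block["hash"] = block_hash(block)
        prev = block["hash"]


def matches_checkpoint(chain, checkpoint):
    """Compare the chain with a (index, hash) pair recorded earlier by an
    independent party, such as an auditor or another node."""
    index, expected = checkpoint
    return len(chain) > index and chain[index]["hash"] == expected


def build_sample():
    """Constructed sample ledger: two issuances and one transfer."""
    chain = []
    append_transfer(chain, "TREASURY", "alice", 1000, "2019-10-01T09:00:00Z")
    append_transfer(chain, "TREASURY", "bob", 500, "2019-10-01T09:05:00Z")
    append_transfer(chain, "alice", "carol", 250, "2019-10-02T14:30:00Z")
    return chain


def demo():
    chain = build_sample()
    checkpoint = (len(chain) - 1, chain[-1]["hash"])  # held outside the operator's control

    edited = copy.deepcopy(chain)
    edited[1]["shares"] = 5000                # in-place edit of a recorded issuance
    after_edit = first_invalid(edited)        # stored hash no longer matches the content

    rehash_from(edited, 1)                    # operator rewrites the rest of the chain
    after_rewrite = first_invalid(edited)     # internal verification passes again
    anchored = matches_checkpoint(edited, checkpoint)  # independent copy still disagrees
    return after_edit, after_rewrite, anchored


if __name__ == "__main__":
    print(demo())
```

A simple edit is caught by the chain itself, but a full rewrite by a single operator is caught only because someone else holds an earlier head hash, which is why the permissions and the number of independent verifiers matter when a company chooses a private ledger.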
Tracy A. Bacigalupo is a partner with Morrison & Foerster. She advises clients in the areas of mergers and acquisitions, real estate investment trust and investment company law, and venture capital transactions. As a member of the Maryland State Bar Association’s Committee on Corporate Laws, she helped draft blockchain legislation. tbacigalupo@mofo.com
FCA Healthcare Fraud continued from page 43
decision-making that supports their certifications. Lack of medical necessity or clinical eligibility may still be the basis for a whistleblower complaint, Medicare audit or other investigation that can be catastrophic for a healthcare company.
THE BOARD’S ROLE
The key player in managing risk is often viewed as the compliance officer, and there is much guidance and commentary now on what may comprise an effective compliance program. The real player, however, is the Board of Directors. The Board calls the shots. Sustained compliance oversight by boards is now an expected norm. Compliance programs should be querying data to assess whether there is a questionable pattern of too little or too many services, and reporting these findings to the board to keep abreast of trends that may show irregularities for further review. Boards should expect management and the compliance program to develop metrics to assess and manage these risk areas and to develop prompt action plans to address irregularities. Every dollar spent on managing risk will save many dollars in the future related to voluntary audits, Medicare audits or DOJ investigations.

Significant long stays in hospice, or high live patient discharges, may suggest that the physician interactions are not robust enough to manage company risk; and the Interdisciplinary Group (IDG) process may be ineffective. Because many services are dependent on physician’s certifications, there must be a robust and regular review of physician participation and competence in a program. Is the physician timely seeing patients and documenting clinical findings that support eligibility? Does the physician effectively manage and participate in IDG meetings? Does the nursing team find the hospice physician accessible and helpful? Problems in these areas will show in the company’s data as well as in other data, such as Pepper reports. This is the best place for a company to start assessing risk to their programs.

For therapy providers, there is a new payment system (PDPM), effective October 2019, which will change incentives in the provision of therapy and potentially create new risks of underutilization or data integrity issues. This new payment system, however, does not wipe out the potential for investigations and audits on practices going back several years on potential manipulation of Resource Utilization Groups (RUGs) levels. Going forward under the new therapy system, the questions will be the same: Did the patient get the right therapy at the right time in the right amount?

AseraCare is an interesting decision and strong precedent in favor of the healthcare providers who provide services based on medical necessity or clinical eligibility. But it is one tree in a vast forest. The healthcare community should heed the court’s caveats that documentation should support well-founded physician judgement and assure that its clinical practices can consistently meet this favorable standard. It should strive to use data analytics to identify irregular trends that may reveal issues with physician participation in their programs.
Kathleen McDermott is a partner in the Washington, D.C., office of Morgan, Lewis & Bockius LLP. A former Assistant U.S. Attorney and Department of Justice Healthcare Fraud Coordinator, she represents healthcare and life sciences clients in government investigations and litigation matters relating to criminal, civil and administrative allegations. kathleen.mcdermott@morganlewis.com
Compliance
A Trade Secret Wake-Up Call By Pamela Passman
The recent criminal indictment of a prominent self-driving car expert for alleged theft of trade secrets serves as a stark reminder for companies large and small that effective protections for their company’s most valuable technologies are vital for ensuring success, and for avoiding damaging losses and lawsuits. Anthony Levandowski was the co-founder and technical leader of Google’s Waymo project, which produced Google’s self-driving car.
A U.S. federal grand jury in California has issued a 33-count criminal indictment against Levandowski, charging him with theft and attempted theft of Google’s self-driving car trade secrets. Levandowski denies all the charges. The charges are based on the civil litigation in which Waymo sued Uber for the same incidents alleged in the criminal case. Google and Waymo settled with Uber a few days into the trial, but not before the judge, Judge Alsup, referred allegations involving Levandowski to the U.S. Attorney’s Office for investigation. Levandowski claims that he did not make use of the information; but the Economic Espionage Act, under which he is charged, only requires that a trade secret be misappropriated “without authorization.” Levandowski left Waymo in 2016 to form a new company to develop self-driving truck kits, a company that was soon bought by Uber and led to Levandowski also running Uber’s self-driving car operation.
Waymo brought a lawsuit against Uber soon afterwards, claiming theft of Waymo’s self-driving car trade secrets and technology, a suit that Uber settled in February last year for an equity pay-out to Google worth about $245 million. Waymo also brought arbitration claims against Levandowski and colleague Lior Ron. In the latest development, the criminal indictment against Levandowski contains some interesting claims about how the trade secret theft allegedly occurred — claims that often are made in trade secrets cases: “The indictment alleges that in the months before his departure, Levandowski downloaded from secure Google repositories numerous engineering, manufacturing, and business files related to Google’s … technology. The files downloaded included circuit board schematics, instructions for installing and testing [the technology], and an internal tracking document.”
These claims, and those raised in similar trade secrets cases that seem to appear on a regular basis, do put a fine focus on the questions faced by most companies: How can a company maintain a trusting and collegial ethos but still protect the technologies, business information and other trade secrets that represent the bulk of its value?

Best practices in this area call for addressing the risks of trade secret loss or theft systematically and comprehensively in the organization’s management systems, in ways that are well understood and that function routinely among management and staff at every level. This includes not just technological protections of the sort that could isolate sensitive data and identify unauthorized copying and transmission but also management systems to help deal with the human factors and company processes that can pose risks to trade secrets.

Think in terms of eight areas of management system protections related to people, processes and technology that can help an organization manage, mitigate and measure its trade secret risks. These include implementing relevant policies, procedures, records and training to help staff understand, manage and document what is done with trade secrets. Having an assigned cross-functional team manage the company’s confidential information and managing suppliers’ and other relevant third-parties’ access and use of such information, are also vital. The technology and other security protections needed should not be underestimated. Neither can the response plans and corrective actions needed in case a problem arises. Many companies are spending significant resources right now putting these in place.

At a more basic level, having a clear understanding of what the company’s “crown jewels” are — where they are located and how they are used internally and externally — and conducting systematic risk assessments to help determine the most useful and cost-effective ways of protecting such information are also needed to keep a company’s technical, physical and other protections at their most effective.

Finally, protecting trade secrets is not a one-shot operation. Given the evolving nature of technology and trade secret theft, a company’s systems need to be monitored, measured, and maintained and improved on an ongoing basis so that they continue to function seamlessly and effectively.

Regardless of what happens with the pending criminal case against Levandowski, it should serve as a wake-up call for companies of any size to implement effective protections for their trade secrets. In the words of the U.S. House Judiciary Committee when it proposed national trade secret protections in 2014, “The devastating reality is that theft of trade secrets costs the American economy billions of dollars per year.” The Committee’s reminder: “Trade secret owners, take reasonable measures to keep this information out of the public eye because once it is disclosed, its protection is gone forever.”
Pamela Passman is founder and President of the Center for Responsible Enterprise and Trade (CREATe.org), and Vice Chair of the Ethisphere Institute, entities with a common mission to promote practices to manage governance, compliance and risks for companies and their global supply chains. ppassman@create.org
WORKPLACE ISSUES
AI and Automation Pose Challenges for General Counsel By Michael J. Lotito and Jim Paretti
It is impossible to scan your inbox each morning without seeing a report, study or article predicting the impact of artificial intelligence in the workplace. Whether it’s the way AI and automation will transform the workplace by displacing millions of jobs and creating millions of others; the increased use of AI in areas such as hiring and recruitment, and the potential legal ramifications; or the impact of AI and automation on industry sectors that even five years ago might have seemed impervious to automation, the message is clear: A revolution is happening. With respect to general counsel, what does that mean for you and your company, and how can you best position yourself and your organization to face what we have termed the coming TIDE™, or technology-induced displacement of employment? A report issued this summer by Oxford Economics estimated that up to 20 million manufacturing jobs may be replaced by robots — roughly 8.5 percent of the global manufacturing workforce. But it’s not only manufacturing and production jobs (or low-skill positions) that are likely to be displaced by AI. Banks, accounting firms, law firms and health care providers are all seeing their industries change.

Michael Lotito is a shareholder with Littler Mendelson and Co-Chair of the firm’s Workplace Policy Institute. He advises on emerging workplace issues, new legislation and shifting regulation. mlotito@littler.com

Jim Paretti is a member of Littler’s Workplace Policy Institute. Prior to joining Littler, Paretti was Chief of Staff and senior counsel to the acting chair of the Equal Employment Opportunity Commission. jparetti@littler.com
It is almost certain that your company has a strategic plan, a plan for marketing, a disaster plan. Consider looking at automation the same way. Start thinking now about how your workplace may be changed. Review positions, consider skill sets and ask yourself, how likely is it that some or all of the skills needed or tasks performed in a given job may be automated? With respect to the workers in those positions, consider the following: Are we identifying these workers? What are we as a company doing to prepare them for this transition? Do we have a plan for up-skilling, retraining or identifying new opportunities for them?

The settlement of the month-long strike at General Motors provides an example of how the issues relating to automation are playing out in the workforce. Among the provisions that settled the strike was the company’s recognition that automation continues to change their industry. The company reaffirmed its commitment that automation would not move work out of the bargaining unit, and that workers will be able to retain higher skilled work associated with new technology. GM and the union formed a committee representing management and labor equally to assess the impact of future technologies on its workplace. Whether yours is a unionized or non-unionized workplace, be prepared.

LEGAL QUESTIONS
Of course, one of the key roles of the general counsel’s office is to assess, plan for and mitigate risk. Unfortunately, the use of AI in the workplace often raises more questions than it answers. In recruiting and making hiring decisions, AI and algorithms are being used with increasing frequency to screen resumes or determine whether a candidate is a good fit for the company. These tools range from personality assessments to biometric analyses — looking at a candidate’s facial expression, body language, inflection and other signals to determine his or her fate. Supporters of AI argue that it will eliminate subjective assessments, such as implicit bias in employment decision making. Detractors argue that “the computer did it” creates a black box where even the employer cannot ascertain what criteria have been used to make a hiring decision.

This is all occurring against a regulatory landscape that is literally mired in the 20th century. The Equal Employment Opportunity Commission, which in recent years has begun to dig more deeply into the civil rights issues raised by AI and automation, still relies on guidance issued in the 1970s in assessing an employer’s use of screening tools and tests in hiring. As counsel, we should ask how we are using AI in our decision-making processes, what we are doing to validate the effectiveness of the decisions, and, if challenged, whether we can “unpack” a decision we’ve made using AI to justify its legality.

MANAGING LEGAL AND COMPLIANCE OBLIGATIONS
Finally, consider the role AI plays in both the management of litigation and the transactional side of your company’s legal department. Increasingly, routine legal work — document review, due diligence, contract assessment, and even basic legal research — is being outsourced to AI. This reduces the human time spent on these tasks, which may be freed up for higher level and more productive work. But, as with the use of AI in hiring decisions, there are perils. If yours is an industry that is heavily regulated and where an audit paper trail may someday be important, ask yourself if your systems are maintained so that bases for transactions and decisions can be evaluated and justified, perhaps years down the road.

The C-suite relies on the general counsel’s office in almost every decision it makes. While automation and AI can increase efficiencies and decrease costs, it is imperative to understand how AI works, train legal staff in both the advantages and potential downside of AI-driven legal practice, and remain fully engaged to ensure that the general counsel’s office does not become over-reliant on technology. With the technological and legal landscapes changing at a faster rate every year, it is critical to keep abreast of legal developments, examine and challenge the risks and benefits of AI and automation, and prepare for the coming TIDE.
THE ANTITRUST LITIGATOR
Compliance Reboot at the Antitrust Division By Jeffery M. Cross
In my column in the June/July 2014 issue of Today’s General Counsel Magazine, I called on the Antitrust Division to eliminate the antitrust exception to overall DOJ guidelines that take into account the existence of a compliance program when considering whether to charge a corporation with a federal crime. This exception was “codified” when the DOJ’s corporate charging guidelines were updated in 2008 and placed in the DOJ’s manual for prosecutors. The manual contained two express statements that compliance programs would not be taken into account when considerations were being made to charge a corporation with an antitrust violation. At a public forum held in Washington, D.C., some time prior to my column, I had confronted the Deputy Assistant Attorney General for Criminal Enforcement in the Antitrust Division about the Division’s attitude towards compliance. His response was that allowing antitrust prosecutors to consider the existence and effectiveness of a compliance program would weaken the Antitrust Division’s leniency program.
Jeffery Cross is a columnist for Today’s General Counsel and a member of the Editorial Advisory Board. He is a partner in the Litigation Practice Group at Freeborn & Peters LLP and a member of the firm’s Antitrust and Trade Regulation Group. jcross@freeborn.com
At another public forum in April 2015, I again raised the antitrust exception with his successor, who explained that it was his belief that an antitrust violation is rarely committed by a rogue employee and instead typically involved senior management. To the Antitrust Division, timely uncovering the violation and winning the race to qualify for leniency was the ultimate benefit of an effective compliance program.

POLICY REVERSED

However, in July of this year, the Antitrust Division reversed this policy. In a speech in New York, the Assistant Attorney General for the Antitrust Division, Makan Delrahim, announced that the DOJ would eliminate the exceptions to considering compliance programs in updated guidelines for prosecutors. He also announced the release of a document providing guidance as prosecutors consider compliance programs as part of their decision whether to charge a corporation with an antitrust violation. The Antitrust Division’s guidance emphasizes that the goal of an effective compliance program is to prevent and detect violations of the antitrust laws.
But the Division recognizes that no compliance program can ever prevent all unlawful activity. The leniency program is still a key focus of the compliance guidance. Indeed, the guidance expressly states that prosecutors must consider the Division’s leniency policy along with the principles set forth in the Justice Manual when deciding whether and to what extent to bring criminal charges against a corporation. This focus includes consideration of whether the compliance program detected the violation enabling the company to promptly report it, and whether senior management was involved.

Many of the factors that are to be considered by Antitrust Division prosecutors in evaluating a compliance program are similar to those set forth by the DOJ’s Criminal Division in the updated compliance guide issued this past April. In that regard, an overarching concept in the guidance from both the Criminal Division and the Antitrust Division is whether the compliance program is merely a program on paper or whether it is a proactive and robust program designed and implemented to be effective.

FACTORS IN PROSECUTORS’ DECISIONS

There are several factors specific to antitrust compliance programs that are worth mentioning. Under the Antitrust Division’s compliance guidance, prosecutors will consider ways that antitrust compliance policies and procedures are integrated into the company’s business practices and reinforced through the company’s internal controls. An example would be compliance policies and procedures concerning the antitrust risks of employees participating in trade association meetings or standard-setting bodies. Because both types of organizations involve competitors, there is a risk of collusion as to prices or exclusion of rivals. Internal controls might require employees who want to attend such meetings to submit a memo to upper management detailing the purpose of the meeting, the agenda and any antitrust compliance protections instituted by the association or standard-setting body. Integration of antitrust compliance with those internal controls might require both the supervisor and the employee to undergo antitrust training specifically tailored for such programs.

Another example is guidance for prosecutors evaluating whether the antitrust program is a paper-only program or involves monitoring and auditing. The Antitrust Division’s guidance indicates that prosecutors should examine what monitoring and auditing mechanisms the company has in place to detect violations. And, quite aggressively, it suggests that a company should be undertaking a periodic review of documents and communications of specific employees and undertaking statistical testing to identify antitrust violations.

A third example comes in the guidance pertaining to both risk assessment and training. Division prosecutors will examine whether the company has a methodology to identify antitrust risks. Prosecutors will assess whether the company has designed its compliance training program to account for such risks. For example, does the compliance program identify and adequately train employees who have frequent contact with competitors? The guidance provides specific examples of training that should teach employees that competitor communications could be facilitating an antitrust violation unless they are part of a joint venture, or other procompetitive or competitively neutral collaboration. The guidance also refers to training for employees involved with joint ventures to be sensitive to the idea that an exchange of data and information beyond what is needed for the legitimate purposes of the joint venture may create an antitrust issue.

The Antitrust Division’s reboot regarding compliance and charging a corporation with an antitrust violation is significant. If a company does not win the race for leniency from the Division, it still may avoid being charged with a crime if it has in place a robust and proactive compliance program. Furthermore, if Antitrust Division prosecutors do decide to charge the company, the existence of such a program may result in benefits at the sentencing phase, including a decision by the Division not to ask the court to impose a compliance monitor on the company.
PRIVILEGE PLACE
Privilege and Legal Holds Todd Presnell
When a company receives a government subpoena, decides to initiate a lawsuit or reasonably anticipates a claim against it, in-house litigation counsel often leads the evidence preservation effort, including disseminating legal hold notices to employees possessing relevant documents and information. All legal holds contain a preservation instruction but may vary otherwise. Some, for example, provide detailed information about the investigation, while others simply outline the legal preservation duty. Some notices mandate confidentiality while others assume it.

When litigation later erupts, it is foreseeable that the company’s adversary will challenge the company’s evidence preservation efforts. And in this litigation-about-the-litigation phase, the adversary routinely moves to compel production of counsel’s legal hold notices. The question then arises, does the attorney-client privilege or work-product doctrine protect the in-house lawyer’s legal hold communications to company employees from discovery? The answer depends on the content of the legal hold communication and its application to the fundamental elements of the privilege and work-product doctrine in the corporate context.

Todd Presnell is a partner in Bradley’s Nashville office. He is a trial lawyer, and creator and author of the legal blog Presnell on Privileges (www.presnellonprivileges.com). He provides internal investigation and privilege consulting services to in-house legal departments. tpresnell@bradley.com

The corporate attorney-client privilege protects from compelled disclosure communications between a company’s lawyer and its employees that were confidential when made, intended to remain confidential thereafter and made for legal-advice purposes. Once established, the privilege is absolute, absent narrowly tailored exceptions such as the crime–fraud exception. The work product doctrine, by contrast, is not a privilege, but a procedural, rule-based doctrine that precludes a party from obtaining documents containing opinions and mental impressions that an opposing party or its attorney prepared in anticipation of litigation. The doctrine is broader than the privilege because it covers non-communications, but not as airtight because it gives way upon an adversary’s showing of substantial need and the inability to obtain the information elsewhere.

On the surface, legal hold communications appear to fit squarely within the confines of privilege and work product. They are documents and communications that (should) remain confidential, and likely discuss legal aspects of the adversarial proceeding. The Southern District of New York recently ruled that the attorney–client privilege may protect legal hold notices “just like any other communication with counsel,” but there is no per se protection. In that case, the court upheld the privilege and work product protections because the in-house lawyer marked the legal hold memorandum “privileged and confidential.” The memo’s description of preservation obligations was legal advice and its description of information to preserve constituted work product.

PROOF REQUIRED
In other words, in-house lawyers must prove that the privilege applies just as they would for other employee communications. But courts do not always apply these elements consistently and with the expected rigor. In-house counsel, therefore, should know the parameters and draft legal hold notices with care.

Several federal district courts hold (and presume) that the attorney–client privilege or work product doctrine protects legal hold notices from discovery unless the adversary makes a prima facie showing of evidence spoliation. If the adversary meets that threshold, then courts find that the privilege evaporates and order the notice’s production. The privilege generally does not protect other legal hold information, such as identifications of the notice’s recipients, the categories of information preserved and measures the company took to prevent evidence deletion.

A federal district court in New Jersey, for instance, ordered production of the defendant governmental entity’s legal hold notices because it found that the plaintiff made a preliminary showing of spoliation of archived emails. The court noted that, generally, the privilege and work product doctrine protect legal hold notices. But it followed the “prevailing rule” that notices are discoverable when spoliation occurs.

Unfortunately, many courts do not provide a satisfactory analysis of why the privilege — which is absolute once established — expires upon a prima-facie showing of spoliation where the spoliation allegations fall short of invoking the privilege’s crime-fraud exception. Some commentators posit that the at-issue waiver doctrine removes the privilege because the in-house counsel’s spoliation prevention actions are relevant, but otherwise the reasoning is inconsistent.

To be sure, some companies may choose to waive the privilege and produce the legal hold notice to demonstrate robust compliance with evidence-preservation requirements. But if a company wants to protect its privileged notice, even in the face of a spoliation challenge, it should have the better side of the argument.

RELEVANT COURT DECISIONS
Regardless of the courts’ bases, one can argue that this privilege and work product treatment is indeed the “prevailing rule.” But that concept may provide false comfort. Other courts apply the privilege analysis more critically by comparing the notice’s specific content to the privilege and work product’s foundational elements.

An opinion from Connecticut’s federal district court, for example, focused on the privilege’s legal advice element. In that employment discrimination case, the defendant’s in-house attorney sent 65 employees a legal hold notice that identified the plaintiff, a summary of her claims and an instruction to preserve, and not delete, information related to the matter. The plaintiff believed that the defendant failed to preserve relevant evidence and moved to compel production of the defendant’s legal hold notices. The defendant — citing the prevailing rule — argued that the privilege and work product doctrine protected the notices from discovery and that, in any event, the plaintiff must first prove that evidence spoliation occurred before obtaining privileged notices.

Noting that the defendant’s privilege argument “was a stretch,” the court’s analysis began and ended with the privilege’s elements. Here, the court focused on the legal-advice element, ruling that the defendant must prove that the legal hold notice’s predominant purpose was to render or solicit legal advice. The court reviewed the notice and found that its predominant purpose was to give the recipients “forceful instructions” about what to do rather than legal advice about what they might do. And the court quickly dismissed the work product protection, simply stating that the notice did not reveal the in-house lawyer’s mental impressions.

Similarly, the D.C. federal district court, in an admittedly “close decision,” ordered production of an in-house lawyer’s legal hold notice — marked “privileged and confidential” — because it did not meet the privilege and work product elements. In this qui tam case, the defendant company’s CEO and VP of the Legal Department sent a legal hold notice to a large group of employees. Counsel’s follow-up notices to an equally broad group contained instructions to share the notices with others.

The court stated that the “privileged and confidential” moniker did not end the privilege analysis; rather, the company had to prove that the notice met the privilege’s elements. Here, the court ruled that the privilege’s confidentiality element requires companies to limit distribution of privileged information to those necessary to implement the legal advice or, stated differently, to those who need to know. Although calling the question here a “close one,” the court found that the notice’s broad dissemination and instruction to share the notice further failed the confidentiality test. And with no confidentiality, no privilege.

The court’s work product analysis presented an even closer call. In reviewing the notice, the court found that it simply relayed the company’s document-retention practice and did not contain the in-house lawyer’s thoughts and opinions developed in preparing for the litigation.

The takeaway is that courts are generally receptive to the concept that the attorney-client privilege and/or the work product doctrine protect an in-house lawyer’s legal hold notice from discovery, but one should not assume protection. Rather, counsel should ensure that their legal hold notices meet the privilege’s elements in the first instance. To increase the chances of securing protection, counsel should mark them as “privileged and confidential,” send them to necessary custodians (but only those custodians), and instruct recipients not to disseminate or discuss the notice’s content without counsel’s authorization. The notice should explain the company’s evidence-preservation duties in legal advice terms rather than as a directive without a purpose.

Counsel must remain cognizant that, despite taking these protections, a court may order the notice’s production if an adversary shows spoliation of evidence. If the legal hold notice becomes relevant to an adversary’s spoliation challenge, seek redaction of privileged language even if a court orders production of the remaining content.
Small Business Reorganization Act a Valuable Alternative By Michael J. Riela
Small and mid-sized companies often find it difficult to use Chapter 11 to successfully reorganize. Chapter 11 cases typically require the expenditure of significant professional fees, and the United States Bankruptcy Code imposes numerous administrative burdens. In addition, if an official committee is appointed, the debtor must pay the court-approved fees and expenses of the committee’s professionals. As such, Chapter 11 may not be a viable restructuring alternative for many distressed companies. Even if Chapter 11 is feasible, the Bankruptcy Code’s “absolute priority rule” often requires existing equity owners either to relinquish their ownership interests, or to invest new money to retain their ownership stakes. Because of Chapter 11’s shortcomings, small and mid-sized companies may choose alternative restructuring processes instead of bankruptcy. Some companies may be forced to liquidate, resulting in job losses and destruction of enterprise value.

Michael J. Riela is a partner at the law firm of Tannenbaum Helpern Syracuse & Hirschtritt LLP in New York City. He regularly advises distressed companies, boards of directors, professional services firms, private equity firms and shareholders in bankruptcy cases, restructurings, distressed M&A transactions and insolvency-related litigation. Riela@thsh.com
The Bankruptcy Code currently provides that a “small business debtor” may proceed in Chapter 11 under modified rules. However, these rules do not materially reduce the costs and burdens of Chapter 11, nor do they increase the likelihood that existing equity owners can retain ownership of the business. Additionally, there are rules specific to small business cases that may make it more difficult for a debtor to successfully reorganize under existing law. For example, a Chapter 11 plan must be filed within 300 days of the bankruptcy. This deadline may prove insurmountable if the case is complex, or if there are significant disputes. Moreover, small business debtors are subject to heightened oversight from the Office of the United States Trustee; and small business debtors that file multiple bankruptcy cases might not benefit from the automatic stay.
NEW CHAPTER 11 TOOLS
Into this breach steps the Small Business Reorganization Act (SBRA) of 2019, which will become effective in February 2020. The SBRA is designed to foster successful restructurings of small businesses. Among other things, it adds a new Subchapter V to Chapter 11 of the Bankruptcy Code, containing new tools to increase a small business debtor’s chances for a successful reorganization. Once the SBRA takes effect, a small business debtor that files Chapter 11 may proceed under either the existing small business debtor rules or the new Subchapter V. The key features of Subchapter V are described below.
EQUITY OWNERS HAVE A BETTER CHANCE TO RETAIN THEIR OWNERSHIP OF THE DEBTOR
A small business debtor proceeding under Subchapter V may have its proposed Chapter 11 plan confirmed over the rejection of one or more classes of creditors if the plan provides that all of the debtor’s projected disposable income during the following three-to-five-year period will be used to pay creditors. Alternatively, the debtor may propose a Chapter 11 plan that provides for the distribution of some or all of its property to creditors, as long as the property is not less than the projected disposable income of the debtor. Importantly, the term “disposable income” means income that the debtor receives that is not reasonably necessary to be expended for the continuation, preservation or operation of the debtor’s business. This means that the debtor can fund a Chapter 11 plan under Subchapter V with just its projected profits, making it more likely that a debtor can afford its Chapter 11 plan. As long as the debtor’s Chapter 11 plan under Subchapter V does not “discriminate unfairly,” is “fair and equitable,” and the debtor successfully performs under its Chapter 11 plan, equity owners may retain their ownership of the debtor. This is a considerable departure from the traditional “absolute priority rule” in Chapter 11 cases, which usually requires existing equity owners to relinquish their ownership interests, or to invest new money to retain their ownership stake.
AUTOMATIC APPOINTMENT OF A TRUSTEE
The SBRA requires the appointment of a trustee in every Subchapter V case. Although management normally will remain in place as in other Chapter 11 cases, the Subchapter V trustee will have various oversight responsibilities. For example, a Subchapter V trustee will review the debtor’s financial condition and business operations, report any fraud or misconduct to the court, and supervise the debtor to ensure that distributions are made in accordance with the Chapter 11 plan. The trustee’s service will ordinarily terminate once a Chapter 11 plan is substantially consummated. The debtor must pay the trustee’s fees and expenses.
ONLY THE DEBTOR MAY FILE A CHAPTER 11 PLAN
Only the debtor in a Subchapter V case may file a Chapter 11 plan. This is a valuable tool for debtors. The initial exclusivity period under the existing small business debtor rules is 180 days, which can be extended or shortened. Once the exclusivity period expires under normal Chapter 11 procedures, any party may file a plan. Under Subchapter V, on the other hand, only the debtor will be permitted to file a plan. Under the existing small business debtor rules, a plan must be filed within 300 days of the order for relief. The SBRA, however, provides that in a Subchapter V case, the debtor must file a plan within 90 days after the order for relief, unless the court extends that period after determining that the “need for the extension is attributable to circumstances for which the debtor should not justly be held accountable.” Thus, under Subchapter V, a debtor will have significantly less time to file a Chapter 11 plan than it would have under the existing small business debtor rules.
POSSIBILITY OF REMOVAL OF MANAGEMENT
With SBRA’s establishment of Subchapter V, if the debtor is unable to perform its obligations under a confirmed Chapter 11 plan, the bankruptcy court may remove the debtor’s management and appoint a trustee. This is a departure from normal Chapter 11 practice.
PRESUMPTION AGAINST REQUIRING DISCLOSURE STATEMENTS
In Chapter 11 cases, a proposed plan must be accompanied by a disclosure statement — a lengthy document that describes the debtor’s business operations, discusses the terms of the proposed plan and provides other information. Obtaining disclosure statement approval requires significant time and professional fees, and the approval process delays a debtor’s exit from bankruptcy. Under the existing small business debtor rules, disclosure statements are required unless the court orders otherwise. Under Subchapter V, however, the presumption is reversed. Disclosure statements will not be required unless the court orders otherwise. This can save significant time and money. Additionally, under the SBRA, there will be a presumption that an official unsecured creditors’ committee will not be appointed either under the existing Chapter 11 small business debtor rules or under the new Subchapter V. Because the debtor must pay the court-approved fees of the professionals of official committees, all small business debtors (regardless of option chosen) will benefit from this.
BENEFITS AND DRAWBACKS
Qualifying debtors must choose whether to proceed under Subchapter V or under the existing small business debtor rules when the SBRA becomes effective next year. A debtor must consider several tradeoffs in determining which option to take. The benefits to choosing Subchapter V over the existing small business debtor rules are as follows:
• Subchapter V provides more opportunity for existing equity owners to retain their ownership interests under a Chapter 11 plan, without the need to invest new money.
• Only the debtor will be permitted to propose a Chapter 11 plan.
• There will be no requirement that an impaired class of creditors accept the Chapter 11 plan.
• The debtor will not be required to pay post-petition administrative expenses in full and in cash on the effective date of the plan (instead, these expenses may be paid over a period of time).
• It will be easier to modify a Chapter 11 plan after it is confirmed.
• A debtor in a Subchapter V case may retain professionals that hold claims against the debtor in an amount less than $10,000, which is a departure from the normal rules that require any professional to waive all of its claims against the debtor before it can be retained in the bankruptcy case. This provides more flexibility for debtors to choose the professionals who will represent them during bankruptcy.
Drawbacks to choosing Subchapter V include that:
• under Subchapter V, a trustee will automatically be appointed;
• a debtor’s management can be removed even after a Chapter 11 plan under Subchapter V is confirmed; and
• the debtor initially has only a 90-day period to file a Chapter 11 plan, though the court may extend that period if the need for an extension is “attributable to circumstances for which the debtor should not justly be held accountable.” As noted above, under the existing small business debtor rules, the debtor has an initial 180-day period during which only it may propose a plan.
When the SBRA becomes effective next year, debtors will need to choose whether to proceed under Subchapter V or under the existing small business debtor rules. Because every debtor’s situation is different, prospective debtors should carefully consider the benefits and drawbacks of each option with their bankruptcy attorney.
Statement of Ownership. 1. Publication Title: Today’s General Counsel. 2. Publication No.: 1932-9024. 3. Filing Date: 10/1/2019. 4. Issue Frequency: 4X/year. 5. No. of Issues Published Annually: 4. 6. Annual Subscription Price: Free to qualified subscribers/all others $199. 7. Complete Mailing Address of Known Office of Publication: 620 Lakeside Drive, Hinsdale, IL 60521. Contact Person: Robert Nienhouse. Telephone: 800-208-3244. 8. Complete Mailing Address of Headquarters or General Business Office of Publisher: 620 Lakeside Drive, Hinsdale, IL 60521. 9. Full Names and Complete Mailing Addresses of Publisher, Editor and Managing Editor: Publisher: Robert Nienhouse, 620 Lakeside Drive, Hinsdale, IL 60521. Editor: Bruce Rubenstein, 620 Lakeside Drive, Hinsdale, IL 60521. Managing Editor: David Rubenstein, 620 Lakeside Drive, Hinsdale, IL 60521. 10. Owner: Nienhouse Media, Inc., 620 Lakeside Drive, Hinsdale, IL 60521. 11. Known bondholders, mortgages and other security holders owning or holding 1% or more of total amount of bonds, mortgages or other securities: None. 12. Tax Status: Has not changed in the preceding 12 months. 13. Publication Title: Today’s General Counsel. 14. Issue date for circulation data below: Fall 2019.
15. Extent and nature of circulation:
15a. Total Number of Copies (Net Press run): Avg. No. Copies Each Issue During Preceding 12 Months: 16,882. No. Copies of Single Issue Published Nearest to Filing Fall 2019: 15,217.
15b(1). Legitimate Paid and/or Requested Distribution (By Mail and Outside the Mail): Outside-County Paid/Requested Subscriptions Stated on PS Form 3541 (include direct written request from recipient, telemarketing, and internet requests from recipient, paid subscriptions including nominal rate subscriptions, employer requests, advertiser’s proof copies, and exchange copies). Avg. No. Copies Each Issue During Preceding 12 Months: 11,872. No. Copies of Single Issue Published Nearest to Filing Fall 2019: 14,599.
15b(2). Legitimate Paid and/or Requested Distribution (By Mail and Outside the Mail): In-County Paid/Requested Subscriptions Stated on PS Form 3541 (include direct written request from recipient, telemarketing, and internet requests from recipient, paid subscriptions including nominal rate subscriptions, employer requests, advertiser’s proof copies, and exchange copies). Avg. No. Copies Each Issue During Preceding 12 Months: 0. No. Copies of Single Issue Published Nearest to Filing Fall 2019: 0.
15b(3). Legitimate Paid and/or Requested Distribution (By Mail and Outside the Mail): Sales Through Dealers and Carriers, Street Vendors, Counter Sales and Other Paid Distribution Outside USPS. Avg. No. Copies Each Issue During Preceding 12 Months: 0. No. Copies of Single Issue Published Nearest to Filing Fall 2019: 0.
15b(4). Legitimate Paid and/or Requested Distribution (By Mail and Outside the Mail): Requested Copies Distributed by Other Mail Classes Through the USPS (e.g., First-Class Mail). Avg. No. Copies Each Issue During Preceding 12 Months: 0. No. Copies of Single Issue Published Nearest to Filing Fall 2019: 0.
15c. Total Paid and/or Requested Circulation: Avg. No. Copies Each Issue During Preceding 12 Months: 11,872. No. Copies of Single Issue Published Nearest to Filing Fall 2019: 14,599.
15d(1). Non-requested Distribution: Outside-County Non-requested Copies Stated on PS Form 3541: Avg. No. Copies Each Issue During Preceding 12 Months: 4,148. No. Copies of Single Issue Published Nearest to Filing Fall 2019: 0.
15d(2). Non-requested Distribution (by Mail and Outside the Mail): In-County Non-requested Copies Stated on PS Form 3541. Avg. No. Copies Each Issue During Preceding 12 Months: 0. No. Copies of Single Issue Published Nearest to Filing Fall 2019: 0.
15d(3). Non-requested Distribution (by Mail and Outside the Mail): Non-requested Copies Distributed Through the USPS by Other Classes of Mail. Avg. No. Copies Each Issue During Preceding 12 Months: 0. No. Copies of Single Issue Published Nearest to Filing Fall 2019: 0.
15d(4). Non-requested Distribution (by Mail and Outside the Mail): Non-requested Copies Distributed Outside the Mail. Avg. No. Copies Each Issue During Preceding 12 Months: 545. No. Copies of Single Issue Published Nearest to Filing Fall 2019: 405.
15e. Total Non-requested Distribution: Avg. No. Copies Each Issue During Preceding 12 Months: 4,693. No. Copies of Single Issue Published Nearest to Filing Fall 2019: 405.
15f. Total Distribution: Avg. No. Copies Each Issue During Preceding 12 Months: 16,565. No. Copies of Single Issue Published Nearest to Filing Fall 2019: 15,004.
15g. Copies Not Distributed: Avg. No. Copies Each Issue During Preceding 12 Months: 318. No. Copies of Single Issue Published Nearest to Filing Fall 2019: 213.
15h. Total (sum of 15f and 15g): Avg. No. Copies Each Issue During Preceding 12 Months: 16,882. No. Copies of Single Issue Published Nearest to Filing Fall 2019: 15,217.
15i. Percent Paid and/or Requested Circulation: Avg. No. Copies Each Issue During Preceding 12 Months: 72%. No. Copies of Single Issue Published Nearest to Filing Fall 2019: 97%.
16. Electronic Copy Circulation:
16a. Requested and Paid Electronic Copies: Avg. No. Copies Each Issue During Preceding 12 Months: 0. No. Copies of Single Issue Published Nearest to Filing Fall 2019: 0.
16b. Total Requested and Paid Print Copies (Line 15c) + Requested/Paid Electronic Copies: Avg. No. Copies Each Issue During Preceding 12 Months: 11,872. No. Copies of Single Issue Published Nearest to Filing Fall 2019: 14,599.
16c. Total Requested and Copy Distribution: Avg. No. Copies Each Issue During Preceding 12 Months: 11,872. No. Copies of Single Issue Published Nearest to Filing Fall 2019: 14,599.
16d. Percent Paid and/or Requested Circulation (Both Print & Electronic Copies) (16b divided by 16c x 100): Avg. No. Copies Each Issue During Preceding 12 Months: 72%. No. Copies of Single Issue Published Nearest to Filing Fall 2019: 97%.
LITIGATION ANALYTICS
An Advantage for In-House Counsel By Rachel Bailey
Rachel Bailey is a Legal Data Expert at Lex Machina, where she focuses on data integrity and reporting. She earned her JD from the University of San Francisco and a BSM from Tulane University. She is licensed to practice law in both California and Louisiana.
Contracts are the backbone of business transactions and the lifeblood of many organizations, so when a contract dispute arises, in-house attorneys are often tasked with deciding whether litigation is worth the time, cost and human resources to address the problem. Often this decision is based on a combination of experience, anecdotal information and instinct, but that’s hardly an exact science. When you consider the amount of litigation data that is available to help in-house counsel make decisions, there is no longer any reason for attorneys to guess the best course of action. Legal analytics help in-house counsel make strategic decisions by illuminating big-picture trends and relevant cases to predict outcomes, create a plan of action, and coordinate with outside counsel or other business leaders. Data from similar cases or about the court, the judge, opposing counsel, timing of key events, findings and likely resolutions can be critical to evaluating all aspects of the case and formulating litigation strategy.
Let’s take an example. In-house counsel at a high-end retailer just found out that a supplier didn’t fulfill its contract. There is evidence that the supplier may have lied on purpose to win a more lucrative deal. Counsel needs to decide whether the company should sue the supplier for breach of contract, as well as fraud and tortious interference with contract. Legal analytics help attorneys answer specific questions like:
• How often has this supplier faced litigation, and do they normally settle or litigate?
• What is their track record in court when facing contract disputes?
• Should we leverage our existing outside counsel or is there another firm with more experience?
• How much time and money would litigation cost?
• Is it worth it? Could there be substantial damages?
Once an attorney has assessed the situation, he or she can take a data-driven report to the relevant departments with the research to back up a decision. The analysis below shows how litigation analytics help attorneys to research relevant cases and answer key strategic questions quickly.
FIND RELEVANT CASES
A key advantage of legal analytics is the ability to quickly find and compare relevant cases. In order to decide whether a breach of contract claim is worth pursuing, an attorney will want to look at cases that specifically have breach of contract or business tort claims. Millions of cases have been filed in federal district court in the last 10 years, so being able to quickly sort through more than 148,000 contracts cases and analyze only those cases with similar, relevant claims is extremely valuable for strategizing. With legal analytics, attorneys have access to precise information abstracted from these relevant cases about the court, judge and opposing counsel.
CALCULATING COSTS
When assessing potential litigation, senior management will initially ask key questions such as how long is this going to take, how much is it going to cost and is it worth it? This is important because the time it takes to resolve the case often has a direct bearing on the cost of the litigation — which encompasses legal fees, personnel and other related costs (e.g., production slow-downs, marketing and communications).
Before legal analytics was available, attorneys often would ask around and get anecdotal information about previous litigation, e.g., how long did your case take before Judge X? Legal analytics supplements this research by analyzing a much wider swath of cases and using precise formulas to determine timing trends and delivering more accurate, credible results much faster. With these numbers, in-house counsel can go to the finance department for litigation funding as well as decide whether to engage outside counsel or use in-house counsel to litigate. To showcase the power of data, let’s look at timing information for those 148,000 contracts cases, which were taken from Public Access to Court Electronic Records (PACER) and scanned, tagged and organized for insights. The median time to summary judgment is just over 500 days. Cases took a median of more than two years to get to trial (756 days) and a median of 267 days to termination. Attorneys can also filter by specific variables — such as by district, judge or other criteria — to get pertinent information specific to their current situation. Filtering is very important because timing varies considerably depending on the judge, the venue and other metrics. For example, the median time to summary judgment in relevant cases in the Central District of California is only 404 days, whereas it is 599 days in the Northern District of Illinois. Depending on the location of the company, the supplier’s company, and where the contract was executed, timing may be an important metric in strategizing where to file a case. Knowing the likely time to summary judgment in a venue allows attorneys to budget and allocate the resources needed to litigate the issue or settle quickly if it is not worth their time.
FIGURE 1 (Timing). Summary Judgment: 20,457 cases reached summary judgment, median 500 days. Trial: 4,011 cases reached trial, median 756 days. Termination: 135,807 terminated cases, median 267 days.
FIGURE 2: NATIONAL LAW FIRMS. Case Resolutions by category: Claimant Win, Claim Defendant Win, Likely Settlement, Procedural Resolution, No Case Resolution.
FIGURE 3: LOCAL LAW FIRMS. Case Resolutions by category: Claimant Win, Claim Defendant Win, Likely Settlement, Procedural Resolution, No Case Resolution.
ASSESS OUTSIDE OR OPPOSING COUNSEL
Deciding whether to engage outside counsel, and when, are strategic decisions that can benefit from data-driven research. When presented with a potential contract dispute, the first impulse may be to call up current or previous outside counsel and pay them to assess the situation. However, if the previous firm focuses on M&A or employment issues, they might not be the best fit for this situation. Similarly, if the last firm that represented you in a contract dispute did not do a great job, you might wish to explore other options. Comparing previous experience and outcomes allows in-house attorneys to assess the situation before paying a retainer to outside counsel. Attorneys can also use analytics to assess an opponent’s track record in similar cases, including their strengths and weaknesses and what law firms they used, and understand how judges in this district have responded to their motions, arguments and legal strategies.
Let’s go back to the example. In-house counsel wants to assess a local specialized law firm and compare it to a bigger nationally known firm. By aggregating all the firm’s federal cases in one place and then looking specifically at cases with relevant claims where the firm represented the plaintiff, the attorney has a big-picture view of the firm’s pertinent experience. In the figures above, case resolutions for a national big law firm show that it has experience taking cases to trial, while the local firm files a lot of cases but tends to settle them. By showing this to his or her colleagues, an in-house attorney may justify the bigger price tag of the more experienced firm.
CALCULATE POSSIBLE DAMAGES
Another consideration is the possibility of receiving or paying damages. Weighing the cost of litigation against possible damages is easier when looking at damages previously awarded in similar cases. In the example, the company may wish to argue for punitive damages for the alleged malicious conduct. Looking specifically at relevant cases in the local district, the attorney can quickly learn that punitive damages have been awarded 29 times. That’s useful to know, and analytics tools allow users to quickly find the dockets for those 29 cases and determine whether they include cases with similar fact patterns. Note that damages information is not always available, especially in instances where cases were settled out of court. But other data can help inform your litigation strategy even in the absence of damages information, such as at which point past cases were terminated and on what grounds — which could illuminate the opposing party’s litigation strategy.
FIGURE 4
DAMAGE TYPE | CASES | AMOUNT
Contract Damages | 670 | $1,526,882,069
Contract Damages | 579 | $1,324,472,811
Liquidated Damages | 8 | $876,548
Restitution | 11 | $15,590,395
Tort Compensatory Damages | 94 | $66,391,424
Punitive Damages | 29 | $27,213,934
Enhanced Damages | 6 | $13,211,157
Approved Class Action Settlement | 6 | $79,125,800
The charts in this document are based on data from the Lex Machina legal analytics platform as of September 2019. The platform updates daily, and therefore any aggregate numbers in this use case will change as new cases are added to PACER with new information. This use case is meant to provide sample trends and general research information.
WINNING STRATEGY
No organization enters into a contract anticipating that it will fail, but litigation data used for due diligence can be extremely helpful in identifying the potential legal risk of working with a supplier or party even before the contract is signed. These are just a few examples of the insights that quality legal analytics tools can provide to in-house counsel — whether they are contemplating litigation, deciding on a strategy or executing that strategy. Legal analytics is all about winning strategies. Whether you decide to negotiate a settlement based on real punitive damages awards in your district or take the case all the way to trial, legal analytics delivers data-driven insights to help in-house counsel be more competitive, make better-informed decisions more quickly and report valuable information to stakeholders.
BACK PAGE FRONT BURNER
Global Warming in the Workplace By David Perecman
David Perecman is founder and Managing Partner of The Perecman Firm, P.L.L.C. He concentrates his practice on all aspects of personal injury law, as well as employment discrimination, false arrest and civil rights matters. He has successfully represented individuals who were seriously injured. www.perecman.com
According to the National Oceanic and Atmospheric Administration, July 2019 was the hottest month on record for the planet; and since 2001, 17 of the 18 hottest years on record have occurred. Steadily increasing global temperatures are having a wide impact, including on American workers. Not only does the Bureau of Labor Statistics count more than 15 million people in the United States with jobs that require some outdoor time but also many indoor workers can suffer serious injuries from heat due to factors such as poor ventilation. Excessive heat can result in serious health risks for employees. In 2015, heat exposure contributed to 37 work-related deaths and 2,830 nonfatal occupational injuries and illnesses, according to the Bureau of Labor Statistics. Heat exposure can lead to accidents including slips, vision impairment and falling objects, as well as burn injuries, toxic exposure and fire hazards. Even when a direct accident is avoided, economist R. Jisung Park reports that worker productivity declines by two percent for every degree Celsius above room temperature. Unsurprisingly, this also creates a risky environment for businesses. The Occupational Safety and Health Administration estimates that just one heat-related accident can have a direct cost of more than $25,000, with total costs doubling that amount. Additionally, there is legal risk involved with heat exposure, as OSHA requires employers to provide safe working conditions and to take reasonable steps to address any potential hazards that may cause workers harm — including exposure to hot weather and the sun.
These general rules lay a solid foundation. However, the increasingly high temperatures brought about by climate change are making the issue more prevalent. To address this reality, and the heightened risks that accompany it, specific standards are needed. California, Minnesota, Washington and the United States Military have set standards for heat exposure, and some construction companies have opted to apply California’s standards across their United States operations. Still, no legal action had been taken on the federal level until H.R. 3668, the Asuncion Valdivia Heat Illness and Fatality Prevention Act of 2019, which was introduced in July 2019 by Representative Judy Chu (D-CA). H.R. 3668 requires OSHA to introduce a proposed standard on the prevention of occupational exposure to excessive heat within two years from the date of enactment of the legislation. Named for Asuncion Valdivia, a California farm worker who died of heatstroke in 2004 after picking grapes for 10 straight hours, the bill requires OSHA to develop a standard that provides the same, if not more, protection for employees than the most protective heat prevention standard adopted by a state and approved by the United States Secretary of Labor. Until this or similar legislation is passed to address the issue of excessive heat in the workplace, businesses should make sure that they already have strong protections in place. In addition to ensuring a humane work environment, enforcing breaks, and providing safety and first-aid resources, businesses should encourage employees to stay hydrated, eat healthy and frequent smaller meals, wear sun protection, and exercise heightened caution when operating machinery. The effects of climate change have already provoked a diverse regulatory response — from environmental conservation to renewable energy incentives to infrastructure standards. 
Protecting employees from excessive heat in the workplace is a prudent and necessary next step in the American response to rising global temperatures.