Financial Innovation for Clean Energy Deployment: Congress Considers Expanding Master Limited Partnerships for Clean Energy

Mintz

Technological innovation is driving renewable energy towards a future where it is cost competitive without subsidies and provides a growing share of America’s energy. But for all the technical progress made by the clean energy industry, financial innovation is not keeping pace: access to low-cost capital continues to be fleeting, and the industry has yet to tap institutional and retail investors through the capital markets. This is why a bipartisan group in Congress has proposed extending master limited partnerships (MLPs), a financial mechanism that has long driven investment in traditional energy projects, to the clean energy industry.

Last month Senators Chris Coons (D-DE) and Jerry Moran (R-KS) introduced the Master Limited Parity Act (S. 795); Representatives Ted Poe (R-TX), Mike Thompson (D-CA), and Peter Welch (D-VT) introduced companion legislation (H.R. 1696) in the House of Representatives. The bills would allow MLP treatment for renewable energy projects currently eligible for the Sec. 45 production tax credit (PTC) or 48 investment tax credit (ITC) (solar, wind, geothermal, biomass, hydropower, combined heat and power, fuel cells) as well as biofuels, renewable chemicals, energy efficient buildings, electricity storage, carbon capture and storage, and waste-heat-to-power projects. The bill would not change the eligibility of projects that currently qualify as MLPs such as upstream oil and gas activities related to exploration and processing or midstream oil and gas infrastructure investments.

MLPs have been successfully utilized for traditional fossil-fuel projects because they offer an efficient means to raise inexpensive capital. The current total market capitalization of all energy-related MLPs exceeds $400 billion, on par with the market value of the world’s largest publicly traded companies. Ownership interests for MLPs are traded like corporate stock on a market. In exchange for restrictions on the kinds of income it can generate and a requirement to distribute almost all earnings to shareholders (called unitholders), MLPs are taxed like a partnership, meaning that income from MLPs is taxed only at the unitholder level. The absence of corporate-level taxation means that the MLP has more money to distribute to unitholders, thus making the shares more valuable. The asset classes in which MLPs currently invest lend themselves to stable, dividend-oriented performance for a tax-deferred investment; renewable energy projects with long-term off-take agreements could also offer similar stability to investors. And since MLPs are publicly traded, the universe of potential investors in renewable projects would be opened to retail investors.

The paperwork for MLP investors can be complicated, however. Also, investors are subject to rules which limit their ability to offset active income or other passive investments with the tax benefits of an MLP investment. Despite the inherent restrictions on some aspects of MLPs, the opportunities afforded by the business structure are generating increasing interest and support for the MLP Parity Act.

Proponents of the MLP Parity Act envision the bill as a way to help renewable energy companies access lower cost capital and overcome some of the limitations of the current regime of tax credits. Federal tax incentives for renewable energy consist primarily of two limited tools: tax credits and accelerated depreciation rates. Unless developers have sizeable revenue streams, the tax credits are difficult for them to use directly. The reality is only large, profitable companies can utilize these credits as a means to offset their income. For a developer who must secure financing through a complicated, expensive financing structure, including tax equity investors can be an expensive means to an end with a cost of capital sometimes approaching 30%. Tax credits are a known commodity, and developers are now familiar with structuring tax equity deals, but the structure is far from ideal. And as renewable energy advocates know all too well, the current suite of tax credits needs to be extended every year. MLP treatment, on the other hand, does not expire.

Some supporters have noted that clean energy MLPs would “democratize” the industry because private retail investors today have no means to invest to any meaningful degree in clean energy projects. Having the American populace take a personal, financial interest in the success of the clean energy industry is not trivial. The initial success of “crowd-funded” solar projects also provides some indication that there is an appetite for investment in clean energy projects which provide both economic and environmental benefits.

Sen. Coons has assembled a broad bipartisan coalition, including Senate Finance Energy Subcommittee Chair Debbie Stabenow (D-MI) and Senate Energy and Natural Resources Ranking Member Lisa Murkowski (R-AK). Republican and Democratic cosponsors agree that this legislation would help accomplish the now-familiar “all-of-the-above” approach to energy policy.

However, some renewable energy companies that depend on tax credits and accelerated depreciation are concerned that Republican supporters of the legislation will support the bill as an immediate replacement for the existing (but expiring) suite of renewable energy tax credits. Sen. Coons does not envision MLP parity as a replacement for the current production tax credits and investment tax credits but rather as an additional policy tool that can address, to some degree, the persistent shortcomings of current financing arrangements. In this way, MLPs could provide a landing pad for mature renewable projects as the existing regime of credits is phased out over time, perhaps as part of tax reform.

So would the clean energy industry utilize MLP structures if Congress enacts the MLP Parity Act? The immediate impact may be hard to predict, and some in renewable energy finance fear MLP status will be less valuable than the current tax provisions. This is in part because the average retail investor would not be able to use the full share of accompanying PTCs, ITCs, or depreciation unless Congress were also to change what are known as the “at-risk” and “passive activity loss and tax credit” rules. These rules were imposed to crack down on perceived abuse of partnership tax shelters and have tax implications beyond the energy industry. Modifying these rules is highly unlikely and would jeopardize the bipartisan support the bill has attracted so far. But other renewable energy companies believe they can make the structure work for them now, and industries without tax credits — like renewable chemicals, for instance — would not have the same concerns with “at-risk” and “passive activity loss” rules. Furthermore, over the long term, industry seems increasingly confident the structure would be worthwhile. Existing renewable projects that have fully realized their tax benefits and have cleared the recapture period could be rolled up into existing MLPs. Existing MLP infrastructure projects could deploy renewable energy assets to help support the actual infrastructure. Supporters of the legislation see the change as a starting point, and the ingenuity of the market will find ways to work within the rules to deliver the maximum benefit.

The future of the MLP Parity Act will be linked to the larger conversation in Congress regarding tax reform measures. The MLP Parity Act is not expected to pass as a stand-alone bill; if it were to be enacted, it would most likely be included as part of this larger tax-reform package. Congress currently is looking at ways to lower overall tax rates and modify or streamline technology-specific energy provisions. This has many renewable energy advocates on edge: while reform provides an opportunity to enact long-term policies (instead of one-year extensions) that could provide some level of stability, it also represents a chance for opponents of renewable energy to exact tough concessions or eliminate existing incentives. As these discussions continue in earnest this year, the reintroduction of the MLP Parity Act has already begun to generate discussions and mentions in policy white papers at both the House Ways and Means Committee and the Senate Finance Committee. Whether a highly partisan Congress can actually achieve such an ambitious goal as tax reform this year remains uncertain. But because of its bipartisan support, the MLP Parity Act certainly will be one of the many potential reforms Congress will consider seriously.

New Cybersecurity Guidance Released by the National Institute of Standards and Technology: What You Need to Know for Your Business

Mintz

The National Institute of Standards and Technology (“NIST”)1 has released the fourth revision of its standard-setting computer security guide, Special Publication 800-53 titled Security and Privacy Controls for Federal Information Systems and Organizations2 (“SP 800-53 Revision 4”), and this marks a very important release in the world of data privacy controls and standards. First published in 2005, SP 800-53 is the catalog of security controls used by federal agencies and federal contractors in their cybersecurity and information risk management programs. Developed by NIST, the Department of Defense, the Intelligence Community, the Committee on National Security Systems as part of the Joint Task Force Transformation Initiative Interagency Working Group3 over a period of several years with input collected from industry, Revision 4 “is the most comprehensive update to the security controls catalog since the document’s inception in 2005.”4

Taking “a more holistic approach to information security and risk management,5” the new revision of SP 800-53 also includes, for the first time, a catalog of privacy controls (the “Privacy Controls”) and offers guidance in the selection, implementation, assessment, and ongoing monitoring of the privacy controls for federal information systems, programs, and organizations (the “Privacy Appendix”).6 The Privacy Controls are a structured set of standardized administrative, technical, and physical safeguards, based on best practices, for the protection of the privacy of personally identifiable information (“PII”)7 in both paper and electronic form during the entire life cycle8 of the PII, in accordance with federal privacy legislation, policies, directives, regulations, guidelines, and best practices.9 The Privacy Controls can also be used by organizations that do not collect and use PII, but otherwise engage in activities that raise privacy risk, to analyze and, if necessary, mitigate such risk.

Description of the Eight Families of Privacy Controls

The Privacy Appendix catalogs eight privacy control families, based on the widely accepted Fair Information Practice Principles (FIPPs)10 embodied in the Privacy Act of 1974, Section 208 of the E-Government Act of 2002, and policies of the Office of Management and Budget (OMB). Each of the following eight privacy control families aligns with one of the eight FIPPs:

  1. Authority and Purpose. This family of controls ensures that an organization (i) identifies the legal authority for its collection of PII or for engaging in other activities that impact privacy, and (ii) describes the purpose of PII collection in its privacy notice(s).
  2. Accountability, Audit, and Risk Management. This family of controls ensures that an organization (i) develops and implements a comprehensive governance and privacy program; (ii) documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from collection of PII and/or other activities that involve such PII; (iii) conducts Privacy Impact Assessments (“PIAs”) for information systems, programs, or other activities that pose a privacy risk; (iv) establishes privacy requirements for contractors and service providers and includes such requirements in the agreements with such third parties; (v) monitors and audits privacy controls and internal privacy policy to ensure effective implementation; (vi) develops, implements, and updates a comprehensive awareness and training program for personnel; (vii) engages in internal and external privacy reporting; (viii) designs information systems to support privacy by automating privacy controls, and (ix) maintains an accurate accounting of disclosures of records in accordance with the applicable requirements and, upon request, provides such accounting of disclosures to the persons named in the record.
  3. Data Quality and Integrity. This family of controls ensures that an organization takes reasonable steps to validate that the PII collected and maintained by the organization is accurate, relevant, timely, and complete.
  4. Data Minimization and Retention. This family of controls addresses (i) the implementation of data minimization requirements to collect, use, and retain only PII that is relevant and necessary for the original, legally authorized purpose of collection, and (ii) the implementation of data retention and disposal requirements.
  5. Individual Participation and Redress. This family of controls addresses implementation of processes (i) to obtain consent from individuals for the collection of their PII, (ii) to provide such individuals with access to the PII, (iii) to correct or amend collected PII, as appropriate, and (iv) to manage complaints from individuals.
  6. Security. This family of controls supplements the security controls in Appendix F and is implemented in coordination with information security personnel to ensure that the appropriate administrative, technical, and physical safeguards are in place (i) to protect the confidentiality, integrity, and availability of PII, and (ii) to ensure compliance with applicable federal policies and guidance.
  7. Transparency. This family of controls ensures that organizations (i) provide clear and comprehensive notices to the public and to individuals regarding their information practices and activities that impact privacy, and (ii) generally keep the public informed of their privacy practices.
  8. Use Limitation. This family of controls addresses the implementation of mechanisms that ensure that an organization’s scope of use of PII is limited to the scope specified in their privacy notice or as otherwise permitted by law.

Some of the Privacy Controls, such as Data Quality and Integrity, Data Minimization and Retention, Individual Participation and Redress, and Transparency also contain control enhancements, and while these enhancements reflect best practices which organizations should strive to achieve, they are not mandatory.11 The Office of Management and Budget (“OMB”), tasked with enforcement of the Privacy Controls, expects all federal agencies and third-party contractors to implement the mandatory Privacy Controls by April 30, 2014.

The privacy families must be analyzed and selected based on the specific operational needs and privacy requirements of each organization and can be implemented at various operational levels (e.g., organization level, mission/business process level, and/or information system level12). The Privacy Controls and the roadmap provided in the Privacy Appendix will be primarily used by Chief Privacy Officers (“CPO”) or Senior Agency Officials for Privacy (“SAOP”) to develop enterprise-wide privacy programs or to improve existing privacy programs in order to meet an organization’s privacy requirements and demonstrate compliance with such requirements. The Privacy Controls supplement and complement the security control families set forth in Appendix F (Security Control Catalog) and Appendix G (Information Security Programs) and together these controls can be used by an organization’s privacy, information security, and other risk management offices to develop and maintain a robust and effective enterprise-wide program for management of information security and privacy risk.

What You Need to Know

The Privacy Appendix is based upon best practices developed under current law, regulations, policies, and guidance applicable to federal information systems, programs, and organizations, and by implication, to their third-party contractors. If you provide services to the federal government, work on government contracts, or are the recipient of certain grants that may require compliance with federal information system security practices, you should already be sitting up and paying attention. This revision puts privacy up front with security.

Like other NIST publications, this revision will be looked at as an industry standard for best practices, even for commercial entities that are not doing business with the federal government. In fact, over the last few years, we have seen increasing references to compliance with NIST 800-53 as setting a contractual baseline for security. We expect that this will continue, and now will include both the Security Controls and the Privacy Controls. As such, general counsel, business executives and IT professionals should become familiar with and conversant in the Privacy Controls set forth in the new revision to SP 800-53. At a minimum, businesses should undertake a gap analysis of the privacy controls at their organization against these Privacy Controls to determine if they are up to par or if they have to enhance their current privacy programs. And, if NIST 800-53 appears in contract language as the “minimum standard” to which your company’s policies and procedures must comply, the gap analysis will at least inform you of what needs to be done to bring both your privacy and security programs up to speed.


1 The National Institute of Standards and Technology is a non-regulatory agency within the U.S. Department of Commerce, which, among other things, develops information security standards and guidelines, including minimum requirements for federal information systems to assist federal agencies in implementing the Federal Information Security Management Act of 2002.

2 See Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

3 The Joint Task Force Transformation Initiative Interagency Working Group is an interagency partnership formed in 2009 to produce a unified security framework for the federal government. It includes representatives from the Civil, Defense, and Intelligence Communities of the federal government.

4 See NIST Press Release for SP 800-53 Revision 4 at http://www.nist.gov/itl/csd/201304_sp80053.cfm. Revision 4 of SP 800-53 adds a substantial number of security controls to the catalog, including controls that address new technology such as digital and mobile technologies and cloud computing. With the exception of the controls that address evolving technologies, the majority of the cataloged security controls are policy and technology neutral, focusing on the fundamental safeguards and countermeasures required to protect information during processing, while in storage, and during transmission.

5 See NIST Press Release for SP 800-53 Revision 4 at http://www.nist.gov/itl/csd/201304_sp80053.cfm.

6 See Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf. Appendix J was developed by NIST and the Privacy Committee of the Federal Chief Information Officer (CIO) Council.

7 Personally Identifiable Information is defined broadly in the Glossary to SP 800-53 Revision 4 as “Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).” See page B-16 of Appendix B, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf. However, as stated in footnote 119 in Appendix J, “the privacy controls in this appendix apply regardless of the definition of PII by organizations.”

8 Collection, use, retention, disclosure, and disposal of PII.

9 See page J-4 of Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

10 See NIST description and overview of Fair Information Practice Principles at http://www.nist.gov/nstic/NSTIC-FIPPs.pdf.

11 See page J-4 of Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

12 See page J-2 of Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

The Libor Scandal: What’s Next? Re: London Interbank Offered Rate

GT Law

The London Interbank Offered Rate (Libor) is calculated daily by the British Banking Association (BBA) and published by Thomson Reuters. The rates are calculated by surveying the interbank borrowing costs of a panel of banks and averaging them to create an index of 15 separate Libor rates for different maturities (ranging from overnight to one year) and currencies. The Libor rate is used to calculate interest rates in an estimated $350 trillion worth of transactions worldwide.

The Libor Scandal

The surveyed banks are not required to provide actual borrowing costs. Rather, they are asked only for estimates of how much peer financial institutions would charge them to borrow on a given day. Because they are not required to substantiate their estimates, banks have been accused of Libor “fixing,” or manipulating the Libor rate by submitting estimates that are exaggeratedly higher or lower than their true borrowing costs. This scandal has resulted in the firing and even arrest of bank employees.

Libor’s reputation came under fire in June 2012 when Barclays PLC agreed to pay over $450 million to settle allegations that some traders fixed their reported rates to increase profits and make the bank appear healthier than it was during the financial crisis. In the wake of this settlement, investigative agencies around the world began to look deeper into Libor rate fixing, leading to a $750 million settlement by the Royal Bank of Scotland and a record-setting $1.5 billion settlement by UBS AG. To date, there have been over $2.5 billion in settlements, with many more investigations ongoing. One investment bank estimates that, in total, legal settlements could amount to as much as $35 billion by the time investigations conclude.

Replacing the Libor

In the wake of the Libor scandal, international and domestic agencies have advocated for its replacement. The BBA, the group responsible for setting Libor since the 1980s, voted to relinquish that authority, and a committee of the UK’s Financial Reporting Council is currently vetting bids from other independent agencies interested in administering the new rate.

The International Organization of Securities Commissions (IOSCO) Task Force on Benchmark Rates, led by the head of the UK Financial Services Authority Martin Wheatley and the US Futures Trading Commission Chairman Gary Gensler, released a report last month saying that the new system should be based on data from actual trades in order to restore credibility. Wheatley and Gensler agree on the need to create a transaction-based rate, but disagree on how to transition from Libor to the new system.

Wheatley proposes that the estimate-based Libor system be kept in place while a new transaction-based rate is introduced to run alongside it under a “dual-track” system (so as to avoid disrupting existing transactions), and that the decision as to if and when to abandon Libor be left to market participants as opposed to regulators.

Gensler proposes a wholesale replacement of Libor as soon as possible and cautions that its continued use undermines market integrity and threatens financial stability.

IOSCO is also pushing for a code of conduct that would hold banks to a higher standard of honesty in reporting and setting index rates, while other agencies, including the Financial Stability Board and the European Union, are working on the development of other potential solutions including stricter regulations and greater penalties for rate-fixing conduct.

The future of Libor is unclear, but it is certain that whoever is chosen to replace the BBA will be under immense pressure and scrutiny from the international financial community.

Recommendations

To stay prepared, parties to financial transactions should view existing and future contracts with an eye towards potential benchmark changes. Parties should perform contractual due diligence to establish the range of Libor definitions and benchmarks to which they are exposed. In addition, parties should review the fallback provisions dealing with change or discontinuance of Libor and other benchmark rates to understand the potential impact of such changes.

Going forward, parties should include fallback provisions in their contracts to allocate risk and set up alternatives to mitigate the uncertainty that could arise in the event of any changes to the Libor system or other relevant benchmarks.


Total Settles Foreign Corrupt Practices Act (FCPA) Bribery Claims for $398M

Katten Muchin

On May 29, French oil and gas company Total SA agreed to pay $398 million to settle US civil and criminal allegations that it paid bribes to win oil and gas contracts in Iran in violation of the Foreign Corrupt Practices Act (FCPA). Notably, the criminal penalty is the fourth-largest under the FCPA and the case marks the first coordinated action by French and US law enforcement agencies in a major foreign bribery case.

In a scheme that allegedly began nearly 20 years ago in 1995 and continued until 2004, Total allegedly paid approximately $60 million in bribes to induce an intermediary, designated by an Iranian government official, to help the company win contracts with National Iranian Oil Co. The contracts gave Total the right to develop three oil and gas fields and included a portion of South Pars, the world’s largest gas field. Total allegedly characterized the bribes as “business development expenses” in its books and records.

The DOJ filed a three-count criminal investigation charging Total with FCPA conspiracy and internal controls and books-and-records violations. Total agreed to resolve the FCPA charges by paying a $245.2 million criminal penalty, which was at the bottom of the $235.2 to $470.4 million range of fines available under the US Sentencing Guidelines. The company also settled a related civil case with the US Securities and Exchange Commission for $153 million in disgorgement of its profits in the scheme. The criminal case will be dismissed after three years if Total complies with the deferred prosecution agreement, which requires Total to (i) retain a corporate compliance monitor, who will conduct annual reviews; (ii) cooperate with authorities and (iii) implement an enhanced compliance program designed to prevent and detect FCPA violations. The compliance program requires, among other things, that Total’s Board of Directors and senior management “provide, strong, explicit and visible support and commitment” to the company’s anti-corruption policy and that they appoint a senior executive to oversee the program and report directly to an independent authority, such as internal audit, the Board or a committee thereof. Total’s problems, however, are not over. French prosecutors have recommended that the company and its chief executive officer be brought to trial on violations of French law, including France’s foreign bribery law.

U.S. v. Total SA, 13-cr-239 (E.D. VA. May 29, 2013).


NetSpend: Delaware Chancery Criticizes Single-Buyer Negotiating, Use of DADW & Revlon Process, But Denies Injunction

GT Law

In a nutshell, plaintiff’s motion to enjoin Total System Services’s $16 per share/$1.4 billion (cash) acquisition of Netspend Holdings was denied because the balance of the equities tipped in favor of the defendants (i.e., the court’s perceived risk to the target’s stockholders of a deal that might fail in the face of a MAC or breach when it was the only deal on the table) even though Vice Chancellor Glasscock concluded that it was reasonably likely that at trial the plaintiff would successfully establish that the Netspend board did not conduct a reasonable Revlon value maximizing process.

The key facts and observations in the case included, among others:

– A single-buyer negotiating strategy employed by the Netspend Board with no formal pre-sign check (although a go-shop was asked for several times in the negotiations and repeatedly rejected by the buyer, the repeated asks appear to have helped obtain the $16 per share price).

– An unaffected 45% premium without giving effect to an immediate pre-sign, positive earnings release by Netspend.

– Netspend had prior bad experience with collapsed sale processes and, therefore, it was queasy about undertaking another formal or elongated process.

– Netspend was not “for sale” and responded to Total System’s initial IOI and commenced discussions mainly because Netspend’s 31% stockholder and 16% stockholder wanted to exit an illiquid and volatile stock (Netspend was content to execute management’s stand-alone operating strategy absent a compelling price).

– Appraisal rights are available under DGCL 262; Vice Chancellor Glasscock questioned whether Netspend’s directors had a “reliable body of evidence” and “impeccable knowledge” of the company’s intrinsic value in the absence of a pre-sign market check and despite Netspend’s prior failed sale processes some years before.

– The fairness opinion obtained by the Netspend board was “weak” under all of the circumstances (putting more pressure on the directors’ understanding of the company’s intrinsic value).

– No interloper surfaced even after the transaction litigation delays (putting maximum pressure on plaintiff’s demand for an injunction); the deal protection package was pretty plain vanilla (the break up fee was in the “northern sector” of the range at 3.9% of total equity value, but certainly not preclusive or coercive; matching rights and other buyer protections were customary).

– A reasonable arms-length negotiating strategy was employed to obtain the $16 per share.

– Netspend’s CEO (who led the negotiations with appropriate Board participation and oversight) was not conflicted (in fact, he was found to be aligned with the non-affiliate stockholders in several respects).

– The nominees of Netspend’s 31% stockholder and 16% stockholder constituted a majority of the Netspend Board (but Vice Chancellor Glasscock found that their interests were aligned with the non-affiliate shareholders).

– Two private equity firms had conducted diligence and looked at buying a significant stake in the company from Netspend’s 31% stockholder and 16% stockholder at a materially lower price than Total System’s initial (and final) bid, but they never indicated a desire to buy 100% of Netspend.

– The support agreements entered into between Total Systems and each of the two large stockholders were coterminous with the merger agreement (but were not terminable upon the Netspend Board’s withdrawal of its declaration of advisability of the merger agreement).

In a noteworthy passage, Vice Chancellor Glasscock faulted the decision of the Netspend Board not to waive the “don’t ask-don’t waive” clauses in the confi-standstills with the two private equity firms at the time discussions commenced with Total Systems and, in the case of any post-sign unsolicited “superior offers” that might arise, he noted the ineffectual fiduciary out to the no-shop covenant in the merger agreement which required Netspend to enforce and not waive pre-existing standstills (thus, the private equity firms were precluded from lobbing in a post-sign jumping bid).

Vice Chancellor Glasscock refers to Vice Chancellor Laster’s In re Genomics decision and to Chancellor Strine’s decision in In re Ancestry pointing up, again, the Court’s sensitivity to, and the highly contextual nature of, DADW provisions in pre-sign confi-standstill agreements and perhaps further underscoring the distinction between using a DADW in a single-buyer negotiating strategy vis-à-vis using one in a formal auction setting or where a full pre-sign market check is conducted.


Twitter: Little Statements with Big Consequences for Companies

McBrayer

Twitter is under attack. In recent months, accounts belonging to media giants CBS, BBC, and NPR have all been temporarily taken over by hackers. The Associated Press is the most recent victim. On April 23, 2013, a false statement about explosions at the White House and the President being injured sent shock waves through the Twitter-sphere. The real surprise is the effect the single tweet had in the real world: the Standard & Poor’s 500 Index dropped so sharply moments after the frightening tweet that $136 billion in market value was wiped out. While the hacking of these massive media outlets makes headlines, everyday businesses are not safe from the threat, either. In February of this year, a hacker changed the @BurgerKing feed to resemble that of McDonald’s, putting the McDonald’s logo in place of Burger King’s. The hackers posted offensive claims about company employees and practices. If accounts belonging to well-established companies like these are vulnerable, so is yours. If a tweet can have a profound impact on the nation’s stock market, imagine what an ill-contrived tweet could do to your business.

Business owners may have the knee-jerk reaction to delete their Twitter account, but despite the recent blemishes to its security, Twitter remains one of the most important social media sites out there. Just recently, the Securities and Exchange Commission made clear that companies could use social media like Twitter when announcing key information in compliance with Regulation Fair Disclosure. Twitter is not just a marketing or PR tool; Twitter is business. And you should never turn your back on existing business. So instead of hanging up your hashtags, consider some steps that can make your Twitter account safer.

Limit Access

Not every employee should have access to the company’s Twitter account. In fact, hardly anyone should, except a few designated employees like the marketing director or business owner. While those with access may never do anything harmful to the account, the more people who have the log-in information, the more likely it is to fall into the wrong hands.

Create a strong password

I know, you already have too many passwords to remember. But a creative password is your best defense against someone seeking to break into your account. Employers should, at minimum, have unique passwords for their most commonly used media sites; please do not use the same word for your Facebook, LinkedIn, and Twitter accounts. Once a hacker figures it out, they have control of your entire social media presence.

When creating a password, avoid using anything that would be too common. “Password,” “1234,” or the business’s name should never be the only thing standing between you and a hacker. The longer the password, the better. Use a mix of uppercase and lowercase letters, numbers, and symbols.


SEC Announces First Non-Prosecution Agreement Involving Foreign Corrupt Practices Act (FCPA) Violations

DrinkerBiddle

On April 22, 2013, the Securities and Exchange Commission (SEC) announced it had entered into a Non-Prosecution Agreement (NPA) with Ralph Lauren Corporation under which the company agreed to disgorge approximately $700,000 in connection with certain unlawful payments made by a foreign subsidiary to government officials in Argentina from 2005 to 2009.  This is the first time the SEC has used a NPA for violations of the Foreign Corrupt Practices Act (FCPA).

According to the NPA, Ralph Lauren Corporation’s Argentine subsidiary paid “bribes,” i.e., payments in violation of the FCPA, to government and customs officials to improperly secure the importation of Ralph Lauren Corporation’s products in Argentina.  The purpose of the unlawful payments, made through a “customs broker,” was to obtain entry of Ralph Lauren Corporation’s products into the country without certain paperwork and to avoid certain inspections by customs officials.  The unlawful payments to Argentine officials totaled $593,000 during a four-year period.

The NPA further notes that the unlawful payments occurred during a period when Ralph Lauren Corporation lacked meaningful anti-corruption compliance and control mechanisms over its Argentine subsidiary. The company discovered the misconduct in 2010 as a result of measures it adopted to improve its worldwide internal controls and compliance efforts, including implementation of a FCPA compliance training program in Argentina. The NPA notes that the SEC determined not to charge Ralph Lauren Corporation with violations of the FCPA in light of several factors including: (1) the company’s prompt reporting of the violations on its own initiative, (2) the completeness of the information it provided, and (3) the company’s extensive, thorough, and real-time cooperation with the SEC’s investigation. According to the SEC, Ralph Lauren Corporation’s cooperation saved the Commission “substantial time and resources.”

In parallel criminal proceedings, the Justice Department also entered into a Non-Prosecution Agreement with Ralph Lauren Corporation under which the company will pay an $882,000 penalty.[1]

NPAs are part of the Enforcement Division’s Cooperation Initiative announced in 2010. Prior to 2010, the SEC did not have the ability to enter into NPAs or Deferred Prosecution Agreements (DPAs). The purpose of the Cooperation Initiative was to give the Commission the flexibility to incentivize and reward cooperation while at the same time ensuring that cooperators are held accountable for their misconduct. Since 2010 and prior to this instance, the Commission has entered into three NPAs[2] and two DPAs.[3] It is likely that the SEC will continue to use DPAs and NPAs, particularly in connection with FCPA matters, given the factual complexity of the cases and the difficulty in discovering violations, which almost always occur outside the U.S.

The Ralph Lauren NPA provides useful guidance as to what the SEC will consider in assessing corporate cooperation by detailing the significant actions that Ralph Lauren Corporation took in connection with the parallel investigations. According to the NPA, Ralph Lauren Corporation:

  • reported preliminary findings of its internal investigation to the staff within two weeks of discovering the illegal payments and gifts;
  • voluntarily and expeditiously produced documents;
  • provided English language translations of documents to the staff;
  • summarized witness interviews that the company’s investigators conducted overseas; and
  • made overseas witnesses available for staff interviews in the U.S.

The NPA also notes that Ralph Lauren Corporation entered into tolling agreements during the staff’s investigation.  The statute of limitations with respect to the 2005 conduct, the earliest conduct charged, would have likely run in 2010, just as the company reported the violations to the SEC.

The Ralph Lauren NPA provides several other takeaways. First, the Ralph Lauren Corporation agreed to enter into the NPA “without admitting or denying liability.” While the NPA also contains the standard provision prohibiting the Ralph Lauren Corporation from “denying, directly or indirectly, the factual basis of any aspect of the” NPA, the inclusion of the “without admitting or denying” language seems to run counter to the policy announced by the Enforcement Division in January 2012 to eliminate the use of “neither admit nor deny” language from settlement documents involving parallel (i) criminal convictions or (ii) NPAs or DPAs.[4] This may suggest that the “without admitting or denying liability” language remains negotiable.

Second, under the agreement, the Company must seek the staff’s prior approval of the contents of any press release concerning the NPA.  Third, while the SEC emphasizes the Ralph Lauren Corporation’s enhanced compliance program and successful implementation of the enhancements, it also highlights that the Ralph Lauren Corporation has ceased retail operations in Argentina and is in the process of winding down all operations there.  It is possible Ralph Lauren Corporation’s decision to close operations in Argentina was a significant factor in the SEC’s decision to use a NPA in this circumstance.  Fourth, notably, the NPA does not require the Ralph Lauren Corporation to retain an independent consultant to review its policies and procedures and to prepare a report to the staff regarding any findings.  The financial burden of independent consultant “reviews” is often significant.  The staff’s willingness to forego such an undertaking demonstrates the value of taking quick and full remedial action during an investigation.

Fifth, the NPA also refers to “gifts” such as perfume, dresses and handbags valued at between $400 and $14,000, which were provided to three different government officials during the relevant time. This underscores the importance of having policies and procedures that extend beyond prohibiting monetary payments to government officials. Finally, the NPA requires the Ralph Lauren Corporation “to pay disgorgement obtained or retained as a result of the violations discovered during the investigation.” In its press release, the SEC notes that Ralph Lauren Corporation will “disgorge” $700,000 in illicit profits and interest. The disgorgement, however, appears to be the total amount of unlawful payments made plus interest rather than any profit earned as a result of the unlawful payments. Disgorgement is frequently difficult to calculate, especially in FCPA cases. It appears that rather than tracing the unlawful payments to profits, the SEC was satisfied to use the amount of unlawful payments as a proxy for disgorgement. Moreover, the low monetary value of the unlawful payments may have also contributed to the SEC’s decision to enter into a NPA in this instance.


[1]  The agreement with the Justice Department stands as yet another example of DOJ’s position that senior management be intricately involved in anti-corruption compliance efforts.  More specifically, the agreement requires that Ralph Lauren’s “directors and senior management provide strong, explicit, and visible support and commitment to its corporate policy against violations of the anti-corruption laws and its compliance code.”  Further, the agreement requires that the company “assign responsibility to one or more senior corporate executives of the Company for the implementation and oversight of the Company’s anti-corruption compliance code, policies and procedures.” 

[2]  In December 2010, the SEC entered into a NPA with Carters Inc. in connection with a financial fraud perpetrated by a former Executive Vice President of Carters. The NPA focused on the isolated nature of the misconduct, Carters’ prompt self-reporting, extensive cooperation and remedial actions. In December 2011, the SEC entered into DPAs with Federal Home Loan Mortgage Corporation (Freddie Mac) and Federal National Mortgage Association (Fannie Mae) in connection with certain misleading statements claiming that the companies had minimal holdings of higher-risk mortgage loans including subprime loans. The NPA focused on Freddie Mac’s and Fannie Mae’s cooperation in connection with the SEC’s litigation against former senior executives.

[3]  In May 2011, the SEC entered into a DPA with Tenaris S.A. in connection with FCPA violations. The DPA required Tenaris to disgorge approximately $5.4 million. The DPA focused on Tenaris’ early self-reporting, extensive cooperation and remedial actions. In July 2012, the SEC entered into a DPA with Amish Helping Fund in connection with certain misrepresentations and omissions in offering documents. Again, the DPA focused on Amish Helping Fund’s immediate and complete cooperation, its willingness to offer investors a right of rescission and its remedial efforts.

[4]  The Amish Helping Fund DPA entered into on July 18, 2012, does not contain the “without admitting or denying” or “neither admitting nor denying” language.


Brace for Impact – Final HITECH Rules Will Require Substantially More Breach Reporting

The National Law Review recently published an article, Brace for Impact – Final HITECH Rules Will Require Substantially More Breach Reporting, written by Elizabeth H. Johnson with Poyner Spruill LLP:


The U.S. Department of Health and Human Services (HHS) has finally issued its omnibus HITECH Rules. Our firm will issue a comprehensive summary of the rules shortly, but of immediate import is the change to the breach reporting harm threshold. The modification will make it much more difficult for covered entities and business associates to justify a decision not to notify when an incident occurs.

Under the interim rule, which remains in effect until September 23, 2013, a breach must be reported if it “poses a significant risk of financial, reputational, or other harm to the individual.” The final rule, released yesterday, eliminates that threshold and instead states:

“[A]n acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [the Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.”
(Emphasis added).

In other words, if a use or disclosure of information is not permitted by the Privacy Rule (and is not subject to one of only three very narrow exceptions), that use or disclosure will be presumed to be a breach.  Breaches must be reported to affected individuals, HHS and, in some cases, the media.  To rebut the presumption that the incident constitutes a reportable breach, covered entities and business associates must conduct the above-described risk analysis and demonstrate that there is only a low probability the data will be compromised.  If the probability is higher, breach notification is required regardless of whether harm to the individuals affected is likely.  (Interestingly, this analysis means that if there is a low probability of compromise notice may not be required even if the potential harm is very high.)

What is the effect of this change? First, there will be many more breaches reported, resulting in even greater costs and churn than the already staggering figures published by Ponemon, which reports that 96% of health care entities have experienced a breach with average annual costs of $6.5 billion since 2010.

Second, enforcement will increase. Under the new rules, the agency is required (no discretion) to conduct compliance reviews when “a preliminary review of the facts” suggests a violation due to willful neglect. Any reported breach that suggests willful neglect would then appear to require agency follow-up. And it is of course free to investigate any breach reported to it. HHS reports that it already receives an average of 19,000 notifications per year under the current, more favorable breach reporting requirements, so where will it find the time and money to engage in all these reviews? Well, the agency’s increased fining authority, up to an annual maximum of $1.5 million per type of violation, ought to be some help.

Third, covered entities and business associates can expect to spend a lot of time performing risk analyses.  Every single incident that violates the Privacy Rule and does not fit into one of three narrow exceptions must be the subject of a risk analysis in order to defeat the presumption that it is a reportable breach.  The agency requires that those risk analyses be documented, and they must include at least the factors listed above.

So why did the agency change the reporting standard?  As it says in the rule issuance, “We recognize that some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set. As a result, we have clarified our position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised. . . .”

The agency may also have changed the standard because it was criticized for having initially included a harm threshold in the rule, with critics claiming that the HITECH Act did not provide the authority to insert such a standard. Although the new standard does, in essence, permit covered entities and business associates to engage in a risk-based analysis to determine whether notice is required, the agency takes the position that the new standard is not a “harm threshold.” As the agency puts it, “[W]e have removed the harm standard and modified the risk assessment to focus more objectively on the risk that the protected health information has been compromised.” So, the agency got its way in that it will not have to receive notice of every single event that violates the Privacy Rule, and it has made a passable argument to satisfy critics that the “harm threshold” was removed.

The new rules are effective March 26, 2013 with a compliance deadline of September 23, 2013.  Until then, the current breach notification rule with its “significant risk of harm” threshold is in effect.  To prepare for compliance with this new rule, covered entities and business associates need to do the following:

  • Create a risk analysis procedure to facilitate the types of analyses HHS now requires and prepare to apply it in virtually every situation where a use or disclosure of PHI violates the Privacy Rule.
  • Revisit security incident response and breach notification procedures and modify them to adjust notification standards and the need to conduct the risk analysis.
  • Revisit contracts with business associates and subcontractors to ensure that they are reporting appropriate incidents (the definition of a “breach” has now changed and may no longer be correct in your contracts, among other things).
  • If you have not already, consider strong breach mitigation, cost coverage, and indemnification provisions in those contracts.
  • Revisit your data security and breach insurance policies to evaluate coverage, or lack thereof, if applicable.
  • Consider strengthening and reissuing training.  With every Privacy Rule violation now a potentially reportable breach, it’s more important than ever to avoid mistakes by your workforce.  And if they happen anyway, during a subsequent compliance review, it will be important to be able to show that your staff was appropriately trained.
  • Update your policies to address in full these new HIPAA rules.  The rules require it, and it will improve your compliance posture if HHS does conduct a review following a reported breach.

As noted above, our firm will issue a more comprehensive summary of these new HIPAA rules in coming days.

© 2013 Poyner Spruill LLP

New York Enhances Employee and Consumer Privacy Rights Under its Social Security Number Protection Law

Four years ago, New York enacted a Social Security Number Protection Law, N.Y. Gen. Bus. Law, §399-dd, aimed at combating identity theft by requiring employers to better safeguard employee social security numbers in their possession. Now, New York is going one step further with its passage of two new Social Security Number Protection laws.

First a note: as of November 12, 2012, §399-dd – the original Social Security Protection Law – will be re-codified as new §399-ddd, and it will also add the statutory language of the first of these two new laws, which prohibits employers from hiring inmates for any job that would provide them with access to social security numbers of other individuals.

The second law, which is codified as a separate new §399-ddd, enhances the requirements for safeguarding employee social security numbers while also adding similar protections for consumers. This law prohibits companies from requiring employees and consumers to disclose their social security numbers or to refuse any service, privilege or right to the employee or customer for refusing to make that disclosure, unless (i) required by law, (ii) subject to one of its many exceptions, or (iii) encrypted by the employer. This law also applies to any numbers derived from the individual’s social security number, which means that it extends, for example, to situations where the company asks the individual for the last four digits of their number. It is unclear whether this law will prove effective in accomplishing its objectives.

First, it contains an exception with the potential to swallow the rule – where the individual consents to the use of the social security number, which many individuals may freely provide absent knowledge of this law’s protections. Even with an employee’s consent, however, employers must still be mindful that other provisions of the original Social Security Number Protection Law require them to institute certain safeguards to protect against the number’s disclosure. And further, even if the employer obtains the employee’s consent, the original law still prohibits employers from utilizing an employee’s social security account number on any card or tag required for the individual to access products, services or benefits provided by the employer.

Second, the penalties for violations are minimal – up to $500 for the first violation and $1,000 for each violation thereafter, and can be avoided where the employer shows the violation was unintentional and occurred notwithstanding the existence of procedures designed to avoid such violations.  Further, there is no private right of action, and only the Attorney General can enforce the law.

Governor Cuomo signed the acts into law on August 14, 2012.  The inmate law will take effect on November 12, 2012 and the disclosure law will take effect thirty days later on December 12, 2012.  Now if he would only sign the recently passed wage deduction law.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

“Brogrammers” Giving Silicon Valley a Bad Name?

An article by Emily Holbrook of Risk and Insurance Management Society, Inc. (RIMS) regarding “Brogrammers” recently appeared in The National Law Review:

According to a recent article, Silicon Valley tech firms are using marketing tactics geared more towards fraternity brothers than programming savants. The problem? Not only is it sexist at times, but it is alienating a large chunk of qualified tech professionals. Here are a few examples:

Of course, this is only a snippet of what’s going on, as many of the antics are never publicized. Barbaric events like these may not only cost companies money (several businesses pulled their sponsorship from the Sqoot event), but they also alienate those who may be talented programmers but don’t adhere to the frat boy mentality.

There’s also an audience that feels left out of the joke. Women made up 21% of all programmers in 2010, down from 24% in 2000, according to the U.S. Bureau of Labor Statistics. Anything that encourages the perception of tech as being male-dominated is likely to contribute to this decline, says Sara Chipps, founder of Girl Develop It, a series of software development workshops. “This brogramming thing would definitely turn off a lot of women from working” at startups, says Chipps.

But is this really a serious problem in Silicon Valley or just young men being young men? I’ve heard both sides of the argument. Some companies that have taken this seriously, such as Etsy, have decided to do something about it. The e-commerce website is donating $5,000 to at least 10 women in an attempt to lure female coders to New York’s Hacker School this summer.

Whether this is an epidemic that should cause concern or merely programmers acting their age, one thing is for sure: having a working environment void of diversity is akin to siloed idea generation. Silicon Valley should know this.

Risk Management Magazine and Risk Management Monitor