Attend the NAMWOLF 2017 Business Meeting – February 12-14 in Fort Lauderdale

The National Association of Minority & Women Owned Law Firms (NAMWOLF), founded in 2001, is a nonprofit trade association comprised of minority and women-owned law firms and other interested parties throughout the United States. Join them for their 2017 Business Meeting in Fort Lauderdale, February 12-14. 

The NAMWOLF Business Meeting is a great opportunity to increase your participation and relationships with NAMWOLF Law Firm Members. All attendees further benefit by attending CLE sessions specific to NAMWOLF Member Law Firms’ practice areas, which provides greater insight into each Member Law Firm’s experience and capability to handle complex legal matters. The Business Meeting also provides the opportunity to network with NAMWOLF Leadership, such as the Advisory Council and NAMWOLF Board of Directors. If you have never been to a NAMWOLF event, the Business Meeting is the place to start!

Where: Marriott Harbor Beach, Fort Lauderdale, FL

When: February 12-14, 2017

Register today!

5 Killer Online Marketing Strategies for Law Firms

Certainly by now we can all agree that the Internet has transformed the legal industry, from how you market your law firm to how legal services are delivered. Still, for many lawyers, the Internet is a confusing place with so many options that can either make you or break you. So let me help simplify things for you. Here are five online marketing strategies that are gold when it comes to delivering leads and boosting your brand:

Narrow your choices. Unless you have an unlimited marketing budget, you can’t do it all — SEO, social media, pay-per-click, content marketing, email marketing, etc. If you throw a little bit at everything — the shotgun approach — you are wasting your money. Instead, focus on two things: (1) where your potential clients are, and (2) what you can measure. You have to be able to measure your success (or failure) to discover what works for your area of practice and to be able to build on the successes.

Use Facebook ads. There are 1.4 billion monthly Facebook users and half of those log in every day. One of the most powerful features of Facebook is ad targeting, the ability to layer targeting options on top of one another to create a highly specific audience. This enables you to target locally and get your ads in front of people who need your services now. Facebook ads are low-cost, so you can experiment to see what resonates with your potential clients and then repeat what works.

Capture leads with what you know. There is a vast amount of basic information you know that prospects want. And there are a number of tools available for you to disseminate this information to them, including blogs, eBooks and free reports. Offer these in exchange for contact information as added value and the leads will follow.

Think mobile. If your law firm website is not already optimized for mobile, make that happen fast. Mobile-friendly sites perform better in search results and also provide a better user experience for prospects.

Automate your lead conversion. A comprehensive law firm marketing program that embraces multiple marketing tools – SEO, PPC, ads, email marketing, social media, blogs, etc. – means leads come in from many different sources. If you don’t have an automated way to deal with them, leads will slip through the cracks and all that hard work and financial investment will be for nothing. Small law firms lose tens to hundreds of thousands of dollars every year because they aren’t tracking their leads and quickly following up with them. Mid-sized law firms are losing millions. Lost leads also hurt your reputation with your referral sources if they supplied the referral and your team doesn’t follow through on the lead.

© The Rainmaker Institute, All Rights Reserved

2016 Cybersecurity Year in Review, and Data Privacy Trends to Watch in 2017

With 2016 in the rear-view mirror, we have been reflecting on the many data privacy and cybersecurity legal developments of the past year, both in the U.S. and internationally, as well as focusing on trends to watch in the new year. With best wishes for a Happy New Year from all of us, we present a number of highlights from 2016, and suggest a few areas to watch in 2017.

U.S. Courts Wrestle With Law Enforcement Access to Data

Debate over law enforcement access to data stored by technology companies was perhaps the most visible privacy and cybersecurity issue of 2016, with far-reaching implications in both the U.S. and abroad. In July, the Second Circuit issued a decision in Microsoft’s challenge to a warrant issued under the Electronic Communications Privacy Act (ECPA), seeking email content stored in Ireland. The Second Circuit unanimously held that ECPA warrants cannot compel U.S. providers to disclose the contents of customer communications stored on foreign servers. In 2017, we expect that decision to have significant implications for U.S. technology companies, as well as consumers and companies that store data with U.S.-based providers. The government has sought rehearing en banc, and also has indicated that it intends to submit legislation to Congress to address the implications of the decision.  Congress has considered related issues in the International Communications Privacy Act.

Apple also engaged in a high-profile court battle with the government early in 2016 when the company refused the FBI’s request to unlock a terror suspect’s iPhone, though the dispute ended in March without a court decision when the FBI announced it had accessed the device without Apple’s assistance.  Congress continues to grapple with the consequences of that case to include considering several encryption-related legislative proposals.

U.S. Supreme Court Addresses Privacy Standing in Spokeo

The U.S. Supreme Court issued its highly anticipated decision in Spokeo in May, addressing whether plaintiffs have standing to pursue statutory damages even in the absence of harm under the Fair Credit Reporting Act (FCRA). The Court reaffirmed that constitutional standing in federal court requires “concrete” (i.e., actual) harm and offered several guiding principles to assist lower courts in determining whether standing requirements have been met.  Although the case specifically dealt with the FCRA, Spokeo has significant implications in privacy and data breach litigation because numerous federal privacy laws have been construed to allow statutory damages even in the absence of actual harm.  Lower courts have begun applying the decision in data breach cases, including a recent district court ruling that a named plaintiff’s allegations that stolen personal information was used to file a false tax return were sufficient to impart standing under Spokeo.  In 2017, we expect this process to continue, as lower courts continue to interpret the Supreme Court’s decision.

A New Framework for EU-U.S. Data Transfers

The EU-U.S. Privacy Shield, a new framework for the transfer of personal data between the EU and the U.S., was announced in February and finalized in July.  Negotiators in the EU and U.S. worked on an accelerated timeline following the invalidation of the Safe Harbor in late 2015 resulting in the Privacy Shield—a significantly more stringent framework than its predecessor.  Companies began self-certifying adherence to the Privacy Shield in August, and as of this post more than 1,300 companies have signed up at the Department of Commerce’s website.  In 2017, we see continued uncertainty in this area.  The Privacy Shield faces a legal challenge in the European Court of Justice, and another cross-border mechanism—standard contractual clauses—also is subject to an EU court action.  The Privacy Shield itself was based, in part, on an exchange of letters between the Obama Administration and the European Commission relating to mass surveillance, and it remains to be seen if the Trump Administration will continue the commitments made in those letters.  Relatedly, the European Parliament approved the EU-U.S. Umbrella Agreement in December—a framework for the exchange of personal data for law-enforcement (including anti-terrorism) purposes between the EU and U.S.

Sweeping New Data Protection Laws Approved in Europe

The European Parliament passed into law the General Data Protection Regulation (GDPR) in April, a sweeping new set of privacy and data security rules that will take effect in mid-2018.  Unlike the EU Data Protection Directive which it replaces, the GDPR for the most part will have direct effect throughout the EU without requiring national implementation legislation.  Companies doing business in (or with companies operating in) the EU have begun preparing for compliance with the new requirements, and the Article 29 Working Party released the first set of guidance on the GDPR in December.  In 2017, we expect the Article 29 Working Party to continue to fill in some of the blanks left in the GDPR, and we also expect companies to intensify their preparation for the mid-2018 effective date of this landmark legislation.

FTC’s Data Security Authority Tested (Again) in LabMD

Following the Third Circuit’s decision affirming the FTC’s authority to regulate corporate data security in Wyndham last year, the FTC sought to further bolster its data security authority in LabMD.  In July, the Commission unanimously vacated a prior Administrative Law Judge decision and found that LabMD’s actions were “unfair” under Section 5 of the FTC Act.  In November, however, the Eleventh Circuit stayed enforcement of the FTC’s LabMD order, finding that LabMD was likely to succeed on the merits because the FTC’s interpretations of aspects of the FTC Act relating to its data security authority were likely not reasonable. The case will now proceed on the merits, but the grant of the stay suggests that the Eleventh Circuit may be receptive to LabMD’s arguments for ultimate reversal of the LabMD order.  This could produce a circuit split between the Eleventh Circuit and the Third Circuit (which decided the Wyndham case), and thereby provide a basis for an attempt to secure Supreme Court review of the FTC’s jurisdiction.  Moreover, this case could provide a vehicle for a new FTC, with a Republican majority, to reconsider the agency’s current aggressive approach on “unfairness” as applied to data security.

Newly Established Cybersecurity Requirements and Guidelines

A number of U.S. states and standard-setting organizations issued broadly applicable cybersecurity requirements and guidelines in 2016.  In February, as part of the release of its 2016 Data Breach Report, the Office of the Attorney General for California established a de facto standard that companies doing business in California must, at a minimum, adopt twenty specific security controls established by the Center for Internet Security in order to have “reasonable” security practices in California.  And New York State proposed first-in-the-nation cybersecurity regulations that contain several mandatory security requirements for financial services institutions—those institutions that are regulated by New York banking, insurance, or financial services laws—which are currently being revised following industry comments and are scheduled to take effect in March 2017.

At the federal level, in October, the Department of Defense (DoD) finalized its safeguarding and cyber incident reporting obligations, requiring DoD contractors to implement specific security controls for information systems that store, process, or transmit DoD’s data and to report actual or possible cybersecurity incidents involving such data to DoD within 72 hours.  And in the coming year, similar security controls and reporting requirements will likely be required for all government contractors, as a September rule promulgated by the National Archives and Record Administration (NARA) set the stage for a Federal Acquisition Regulation (FAR) clause that will likely mirror DoD’s requirements.  In November, the National Institute of Standards and Technology (NIST) released guidance for small businesses on cybersecurity preparedness, including a list of “recommended practices” that are applicable not just to small businesses, but entities of all sizes.

New Cybersecurity and Privacy Laws and Regulations in China

As expected, authorities in China were active in passing a new Cybersecurity Law and proposing new cybersecurity and privacy regulations in 2016.  In November, the Standing Committee of China’s National People’s Congress passed China’s first Cybersecurity Law (the “Law”), which will take effect starting June 1, 2017.  Described as China’s “fundamental law” in the area of cybersecurity, the new Law articulates the government’s priorities with respect to “cyberspace sovereignty,” consolidates existing network security-related requirements (covering both cyber and physical aspects of networks), and grants government agencies greater power to regulate cyber activities.  It is the first Chinese law that systematically lays out the regulatory requirements on cybersecurity, subjecting many previously under-regulated or unregulated activities in cyberspace to government scrutiny.  At the same time, it seeks to balance the dual goals of enhancing cybersecurity and developing China’s digital economy, which relies heavily on the free flow of data.

China’s National Information Security Standardization Technical Committee (NISSTC) drafted a Personal Information Security Standard, a non-binding standard for data privacy and security practices of companies operating in China.  The NISSTC also released seven draft standards for comment in December, with a public comment period running until February 2, 2017.  The Cyberspace Administration of China (CAC) has also been active in 2016, issuing new rules for mobile apps in July, and draft regulations aimed at protecting minors in cyberspace in October. Finally, in August China’s State Administration of Industry and Commerce (SAIC) released draft regulations for public comment that would amend consumer protection laws to, among other things, supplement existing privacy obligations for companies operating in China.

FCC Releases Broadband Privacy Rules

The FCC’s increasing focus on privacy issues continued in 2016 with the release of broadband privacy rules.  The new rules, which were formally proposed in April, regulate the privacy practices of broadband Internet Service Providers (ISPs), including requirements to obtain consent for certain uses of consumer data and to adhere to certain data security practices.   The rules were adopted by the Commission in a 3-2 party-line vote in October, so their fate is quite uncertain under the incoming Republican administration.  Given that petitions for reconsideration currently are pending before the FCC and will remain so until the change in Administration, these rules could be one of the first areas in which the new FCC makes its mark on the policies of the Obama-era Commission.

Connected Devices and The Internet of Things

2016 saw several developments relating to the Internet of Things (IoT), such as internet-connected refrigerators and thermostats, which present unique opportunities and challenges from a privacy and cybersecurity perspective.  In April, the U.S. Department of Commerce issued a request for public comment on the benefits, challenges, and potential government roles for IoT, and the U.S. Senate Commerce Committee approved a bill (which remains pending) to establish a working group to study and facilitate IoT growth.  Around the same time, the European Commission released a series of industry-related initiatives addressing IoT, among other things.  And in November, NIST released cybersecurity guidance for IoT, and the Broadband Internet Technical Advisory Group released another report detailing the unique security and privacy challenges posed by IoT.  In 2017, we expect the focus on connected devices to escalate, particularly given the emergence of driverless cars and other innovative technologies.

Russia v. USA: Geo Political Cyber Warfare And Your Business

The cyber war battlefield has expanded, and your business is now a fighter and a target.

A new U.S. Government report explains many reasons for identifying and penalizing Russian hackers, the Russian intelligence services, and the Russian leadership in response to hacks on U.S. government, political and business targets. The report contains detailed information that organizations can use to determine if the Russians have accessed their systems, plus a detailed list of prudent steps and best practices that all organizations should consider as part of their cyber security efforts.

The overarching message of the report is that the DNC hack was not an isolated incident but part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens. These cyber operations have included campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information.

The report is best understood as a call to arms for U.S. private sector and government entities to strengthen their vigilance and defenses against Russian Intelligence Services and join DHS and FBI in their effort to counter them. Many organizations believe that because they hold no state secrets, defense-related intellectual property, or sensitive information on government employees, they have no stake in geopolitical cyber security. DHS and the FBI are saying that this is not true. The national interest in cyber security is materially weakened whenever organizations with credibility and standing allow their domains to be breached and used as conduits for cyber-attacks on others – as happened in the DNC breach. Furthermore, data collected from breaches of non-traditional targets is often used to create the highly targeted and highly credible email packages for use in spear phishing campaigns against more traditional targets. Geopolitical cyber security is being “democratized,” with wide-ranging potential public policy implications.

On December 29, 2016, the United States Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) jointly identified the Russian civilian and military intelligence services (RIS) as responsible for the 2015-2016 hack of the Democratic National Committee and its leadership. (In a nod to investigatory confidentiality, the joint DHS/FBI report refers to the targets only as a “U.S. political party,” and “multiple senior party members.”) The U.S. government has given the RIS effort the rather unartfully chosen name of “GRIZZLY STEPPE.”1

The joint DHS/FBI report provides the most detailed public discussion to date by U.S. law enforcement and cyber security agencies of the means and methods used in a foreign government-sponsored cyber-attack against U.S. interests. In October 2016, DHS and the Director of National Intelligence had reported that they were “confident” that RIS was behind the DNC attack. But this is the first time that a DHS/FBI joint report has formally assigned culpability for a specific cyber-attack to a specific nation. It is also the first time that specific operational groups within a foreign cyber directorate have been singled out and their identifying practices, approaches and tools have been publicly discussed.

The report links these operations by RIS to damaging or disruptive cyber-attacks committed in recent years on foreign interests.2 The report does not mention these attacks by name but apparently is referencing recent cyber-attacks on the Ukrainian electrical grid, banking system and other infrastructure,3 and on Estonian governmental and quasi-governmental entities. All of these cyber-attacks have been widely attributed to the Russian government, which denies that attribution.

As part of its call to arms, the DHS/FBI report provides “technical details regarding the tools and infrastructure” being used by the RIS “to compromise and exploit networks and endpoints associated with a range of U.S. Government, political and private sector entities.”

The report shows how groups working within RIS have been able to plant command and control infrastructure within the servers and domains of U.S. organizations and educational institutions – infrastructure they used to send phishing emails to potential victims and to serve as a pipeline to receive and retransmit stolen data once a breach was established. The report implies that the Russians were able to camouflage their actions by routing this malicious internet traffic through otherwise known and legitimate – perhaps even well-respected – private and educational organizations.

In the report, DHS and the FBI provide “technical indicators related to many of these operations, recommended mitigations, suggested actions to take in response to the indicators provided and information on how to report such incidents to the U.S. Government.” The technical indicators include the specific software fingerprints (Yara signatures) for the malware planted by RIS, and the specific IP addresses, URLs and file hashes that the RIS operatives have used in their attacks on U.S. computer systems.

DHS and the FBI call on the private sector and others to put this information to immediate use to identify and remediate on-going RIS breaches and to limit future vulnerabilities. It is likely that other private and governmental entities are subject to active breaches by the RIS, and may be serving as infrastructure for on-going RIS attacks on others. To this end, the report recommends that network administrators “review the IP addresses, file hashes, and Yara signatures provided and add the IP addresses to their watchlists” to determine whether malicious activity is taking place in their systems today.

The DHS/FBI report cautions that some of the traffic crossing network perimeters or firewalls and reflecting the suspicious IP addresses and other identifying information may prove to be legitimate. Conversely, some traffic that appears legitimate may involve RIS or others scanning public-facing servers (e.g., HTTP, HTTPS, FTP) to identify websites that are vulnerable to cross-site scripting (XSS) or Structured Query Language (SQL) injection attacks. This scanning can be the precursor to exploitation of the vulnerabilities found.

The FBI and DHS cannot impose direct legal consequences on private sector and governmental entities who fail to act on this information. But scenarios can be envisioned where the failure to do so could be considered a failure to provide the minimum levels of data protection that may be required by the multiple statutory, regulatory and common law constructs under which businesses operate today. Womble Carlyle advises its clients to evaluate the DHS/FBI report carefully, and to document the actions and decisions taken in response to it for future reference.

As to the specific DNC attack, the report concludes that two separate groups within RIS breached the DNC computer system. These teams used different techniques and malware exploits and the report does not show direct coordination between the breaches. The report designates the two RIS hacking groups as APT (Advanced Persistent Threat) 28 and APT 29.

(An advanced persistent threat actor or APT is a hacker or team of hackers whose sophisticated methods, choice of targets, and the determination to breach those specific targets set them apart from even the most accomplished global cybercriminals. APTs are generally assumed to be associated with nation states and other political actors.)

The report indicates that the initial breach of the DNC computer resulted from a 2015 spear phishing campaign in which APT29 sent “out emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims.” But even before this, APT29 had breached a number of “legitimate [internet] domains, to include domains associated with U.S. organizations and educational institutions.” Through these earlier breaches, APT29 had set up operational infrastructure (i.e., false user and email accounts) within the computer domains of these legitimate organizations. These accounts allowed APT29 to send spear phishing emails to its victims from legitimate organizations, possibly organizations known to and respected by the potential victims, albeit from unauthorized and fraudulent email accounts hosted there.

Links in the spear phishing emails directed the victims to web pages created by APT29 and hosted, once again, on the domains of these otherwise legitimate organizations. The pages included malware droppers which downloaded malicious software onto the targets’ computer systems when the victims clicked on the links.

At least one targeted individual, apparently a “U.S. Government victim,” activated the malicious link from a computer on the DNC’s system. The downloaded malware granted APT29 remote access to that individual’s computer, which the group then used to run commands on the computer’s operating system (via PowerShell). The group established “persistence” in the form of difficult-to-detect “back doors” allowing its members to come and go on the system at will. They “escalated privileges,” harvesting credentials that allowed them wider and wider access to the data on the DNC’s system. They created their own user accounts on the DNC domains to receive, encrypt and exfiltrate (steal) data. They conducted surveillance and began exporting data using encrypted connections.

Operational infrastructure unwittingly hosted on legitimate sites formed the pipeline for breaching the DNC and transmitting the stolen data to Russia. This made the malicious nature of the transfers harder to detect.

A second breach occurred in the spring of 2016 when a separate RIS group, APT28, hacked the DNC using a different spear phishing technique. DHS and the FBI report that APT28’s established modus operandi is to “leverage[s] domains that closely mimic those of targeted organizations.” This can mean, for example, substituting www.yourcompany.co or www.youcompany.com for www.yourcompany.com. Spear phishing emails can be sent that spoof an email from the targets’ IT department or other leadership. The email instructs the targets to confirm or update their passwords using a link provided. The link is to a fraudulent web page on an unwitting host’s system. If the targets click on the link and enter passwords as instructed, their credentials are immediately transmitted to the hacker, who uses them to gain access to the computer and begin uploading malware and conducting exploits.
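As an added defender-side illustration (not code from the article or the DHS/FBI report), the following screens inbound sender domains for the kinds of mimicry described above: a swapped top-level domain, a one-character spelling difference, and the real brand label embedded in a longer name. The protected domain and the sample sender addresses are constructed for the example.

```python
# Lookalike-domain screening for email sender addresses.
# Added example; the protected domain and sample senders below are constructed.
import re
from typing import Iterable, List, Tuple

PROTECTED_DOMAINS = ("yourcompany.com",)  # constructed: the domain(s) you own

# Constructed sample senders: one legitimate, three lookalikes, one unrelated.
SAMPLE_SENDERS = [
    "it-support@yourcompany.com",
    "helpdesk@yourcompany.co",        # TLD swap (the article's example)
    "admin@youcompany.com",           # dropped letter (the article's example)
    "noreply@yourcompany-login.net",  # brand label embedded in a longer name
    "alerts@example.net",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    if "@" not in address:
        raise ValueError(f"not an email address: {address!r}")
    return address.rsplit("@", 1)[1].strip().lower().rstrip(".")


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'label.tld' into (label, tld). Multi-label suffixes such as
    'co.uk' are out of scope for this example."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def classify_domain(domain: str,
                    protected: Iterable[str] = PROTECTED_DOMAINS) -> Tuple[str, str]:
    """Classify a sender domain against the protected domains.

    Returns (verdict, reason) with verdict one of 'exact', 'lookalike', 'unrelated'.
    """
    domain = domain.lower()
    label, tld = split_domain(domain)
    for good in protected:
        g_label, g_tld = split_domain(good.lower())
        if domain == good.lower():
            return "exact", "matches protected domain"
        if label == g_label and tld != g_tld:
            return "lookalike", f"TLD swap of {good}"
        if edit_distance(label, g_label) <= 1:
            return "lookalike", f"one edit away from {good}"
        # Brand label glued to extra words with a separator, e.g. yourcompany-login
        if re.search(rf"(^|[-.]){re.escape(g_label)}([-.]|$)", label):
            return "lookalike", f"contains brand label of {good}"
    return "unrelated", "no resemblance to protected domains"


def screen_senders(addresses: Iterable[str],
                   protected: Iterable[str] = PROTECTED_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (address, verdict, reason) for each sender address."""
    return [(a, *classify_domain(sender_domain(a), protected)) for a in addresses]


if __name__ == "__main__":
    for address, verdict, reason in screen_senders(SAMPLE_SENDERS):
        print(f"{verdict:9s} {address:32s} {reason}")
```

A 'lookalike' verdict is a reason to hold the message for review, not proof of fraud; legitimate partners do sometimes use similar names, so the reason string is there to help a reviewer decide.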

APT28’s approach appears to have gained access to the email accounts of “multiple senior party members” at the DNC. The report indicates that the 19,000 emails and other documents posted on WikiLeaks on the eve of the Democratic National Convention were harvested by APT28.

Other reports indicate that it was APT28’s attempts to breach the DNC’s computers in the spring of 2016 that led the DNC to retain cybersecurity consultants to look for a potential breach. Apparently, by the time remedial action could be taken the damage had been done. It also seems that the investigation into the APT28 cyber-attack led to the discovery of the older, on-going APT29 breach, which may explain the fact that the team responsible for the older breach was assigned the higher reference number.

The DHS/FBI report does not say which “U.S. organizations and educational institutions” were the unwitting hosts to the RIS’s activities. But it is very reasonable to assume that sometime in the summer of 2016, a legitimate and undoubtedly respected U.S. organization or educational institution received a call from the FBI telling them that their lax cyber security policies materially contributed to what the U.S. government is now reporting to be a deliberate attempt by Russia to subvert the U.S. political process. Other organizations may be in a similar situation today, with RIS actively using their infrastructure to carry out cyber-attacks on other U.S. interests.

Would an organization become civilly liable if, absent good reasons, it were to ignore the tools and recommendations cited in this report and then became (or continued to be used as) the conduit for future data breaches that injure others? The law on this point is in its infancy. The answer will only come when courts resolve claims that specific plaintiffs bring against specific defendants in future lawsuits. But the process for creating future precedents on these matters will likely be slow, embarrassing and expensive for the defendants involved. And the resulting reputational black eye may represent the greatest cost of all.

Copyright © 2016 Womble Carlyle Sandridge & Rice, PLLC. All Rights Reserved.

1 Would a second such cyber-attack become the “GRIZZLY TWO-STEPPE” or simply “DANCING BEAR?”

2 http://www.wsj.com/articles/behind-russias-cyber-strategy-1483140188

3 http://www.wsj.com/articles/cyber-experts-cite-link-between-dnc-hacks-an…

Automotive Industry in 2016: Record Sales! But…

As has been reported all over, it looks like the Automotive Industry will set some sales records in 2016 (see here, here, and here for example). As summarized by JD Power, “The full-year sales forecast of 17.5 million units would surpass the total from 2015 by about 5,000 units. Light trucks figure into the upsurge, along with higher incentives—eclipsing $4,000 per vehicle for the first time on record—as automakers clear out 2016 model-year vehicles.” When read that way, this news is less encouraging than it appears on its face.

Setting sales records is almost never bad. However, if they are set with huge incentives, discounts, and an intention to clear out inventory, that is obviously not any reason to anticipate further growth in 2017. In fact, a deeper dive into the numbers shows some slightly less favorable statistics. For example, the Wall Street Journal reports that “Retail sales, which strip out sales to fleet buyers, such as rental-car companies, were expected to reach 14.1 million units for the year, a 1.2% decline from 14.2 million units in 2015.”

What will 2017 bring?

There is no reason to think that sales will set another record. The Automotive industry is very cyclical, and higher incentives, higher inventories and deeper discounts may sell more vehicles in the short run, but often lead to reduced profitability and lower sales in the long run. Is your company planning for potentially slower sales in 2017? What have you done with your supply chain and customers? If you have not already planned for the second half of 2017, or even the start of 2018, you are likely already behind.

© 2016 Foley & Lardner LLP

President Obama Authorizes Additional Sanctions on Russian Individuals and Entities: Executive Order 13964

Originally, EO 13964 focused on cyber-enabled malicious activities that harmed or significantly compromised the provision of services by entities in a critical infrastructure sector. This included significant disruptions to the availability of a computer or network of computers, or causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.

In light of Russia’s recent use of cyber means to undermine democratic processes, the president has amended the EO to cover additional activities, authorizing sanctions on individuals/entities who tamper with, alter, or cause misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions. Under this authority, the president has sanctioned nine entities and individuals, including two Russian intelligence services (the GRU and the FSB), four individual officers of the GRU and three companies that provided material support to GRU’s cyber operations.

These new sanctions highlight the importance of regular and diligent screening of transactions, as well as the need to periodically review existing screening practices to ensure that they are up to date. It is critical to remember that an individual who may have been an acceptable business partner one day may be on a sanctions list the next.

©2016 Drinker Biddle & Reath LLP. All Rights Reserved

2016 Tax Court Opinions – A Year In Review

Several notable Tax Court opinions were issued in 2016 dealing with a variety of substantive and procedural matters. In our previous post – Year in Review: Court Procedure and Privilege – we discussed some of these matters. This post addresses some additional cases decided by the court during the year and highlights some other cases still in the pipeline.

Transfer Pricing

Transfer pricing remains a hot topic in litigation. As discussed here, here and here, the Tax Court accepted and rejected taxpayer arguments in several high-profile cases.

We have also written frequently on the 3M case, which involves whether the Internal Revenue Service’s (IRS) blocked income regulations are valid. That case has been submitted fully stipulated to the Tax Court and all briefs have been filed. For prior coverage, see here, here, and here.

Point: Transfer pricing is a point of emphasis with the IRS. Given that slight changes to a taxpayer’s transfer pricing methodologies can produce substantial adjustments, taxpayers need to continue to monitor judicial developments in the area. This includes not only how courts view the arm’s length standard, but also taxpayer challenges to the IRS’s rulemaking authority.

The Administrative Procedures Act and Deference to IRS Interpretations

Following the Supreme Court’s 2011 Mayo opinion, taxpayers have increasingly turned to the Administrative Procedures Act (APA) to challenge IRS actions. In addition to the posts linked above regarding APA challenges in transfer pricing cases, we have written about the QinetiQ and Ax cases, which deal with whether an explanation provided in a notice of deficiency is insufficient under the APA. See here and here. Additionally, the Supreme Court provided guidance in a non-tax case regarding the proper application of the APA in analyzing the validity of agency regulations.

Another area we have frequently posted on is the level of deference afforded to IRS interpretations. Discussions of general deference principles and cases decided in 2016 can be found here, here, here, here, and here. Additionally, as we noted here, the Supreme Court recently granted certiorari to decide the limits of Auer deference.

Practice point: Whether the IRS’s position in published or unpublished guidance is afforded deference, and, if so, the appropriate level of deference, is important to taxpayers both in planning their transactions and defending them before the IRS and the courts. This area continues to evolve, particularly in the area of Auer deference, and taxpayers need to be aware of new developments.

Information Reporting Requirements

The IRS’s Offshore Voluntary Disclosure Program remains a tool for noncompliant taxpayers to come to the IRS to resolve outstanding tax reporting matters. For an update on this subject, see here. The release of the Panama Papers in April 2016, which we wrote about here, received considerable attention. A recent opinion out of a district court in California also provided more guidance on the willfulness standard for failure to file foreign information reporting forms. See here.

Practice point: OVDP remains open, but it could be closed by the IRS at any time. Noncompliant taxpayers need to consider all options in this area, and should consider which option might be best depending on their specific situation.

Penalties

The IRS has been increasingly asserting penalties in cases. We recently discussed here some of the penalty procedural rules at issue in the Graev case. We also discussed the substantial authority defense, as applied by the Fifth Circuit in Chemtech Royalty Associates. See here.

Point: Taxpayers who are facing penalty determinations and assessments should consider whether they may have any procedural challenges to the IRS’s method of approval and assessment of penalties, in addition to considering the more standard, substantive defenses like reasonable cause and substantial authority. It is important to adequately document your position prior to taking a tax return position to avoid any initial assertion of penalties by the IRS.

Golden Leash Rule, Say-on-Pay, Form 10-K Summaries: Proxy Season Guide to 2017

As another year comes to a close, it is time for public companies to become acquainted with the securities law and business developments of the past year to position themselves for success in 2017. Below is a summary of current and anticipated changes that may impact reporting requirements and disclosure regulations for the upcoming 2017 proxy season, along with a review of the 2016 proxy season.

NEW FOR 2017

Frequency Votes for Say-on-Pay

After Jan. 21, 2011, public companies were required to hold an advisory vote regarding the frequency with which say-on-pay votes would occur, which could not be less often than every six years. Therefore, in 2017, many companies will need to include an agenda item for the frequency vote at their annual meeting. Following the vote, companies will need to report the frequency with which say-on-pay votes will be held in their Form 8-K under Item 5.07(b).

SEC Approves NASDAQ’s “Golden Leash Rule”

In July 2016, the SEC approved NASDAQ’s “Golden Leash Rule.” This rule requires listed companies to disclose the material terms of any agreement between a director or director nominee and any entity or person other than the company regarding any compensation or payment related to the director’s service on the board or the director nominee’s candidacy. The “Golden Leash Rule” requires annual disclosure in the company’s proxy or on its website. The “Golden Leash Rule” became effective Aug. 1, 2016.

Form 10-K Summaries

In July 2016, the SEC issued an interim final amendment to the Fixing America’s Surface Transportation Act, creating Item 16 on Form 10-K allowing companies the option to include a summary of the information included in the Form 10-K. While no previous rule prohibited summaries, most issuers simply included a table of contents with hyperlinks to items in their reports. This rule provides issuers some flexibility when preparing the Form 10-K.

CEO Pay Ratio Disclosure Rule

For the first fiscal year beginning on or after Jan. 1, 2017, companies will need to comply with the SEC’s long-anticipated final rule implementing Section 953(b) of the Dodd-Frank Act, which requires all public companies to disclose the ratio between their CEO’s annual total compensation and the annual total compensation of the company’s “median” employee. However, companies will not be required to include pay ratio disclosures in their proxy statements until 2018. With the exception of smaller reporting companies, emerging growth companies, foreign private issuers, and registered investment companies, all reporting companies will have to disclose their pay ratio. The pay ratio disclosure must be included in any filing that requires executive compensation disclosure under Item 402 of Regulation S-K, which includes registration statements, proxy and information statements, and annual reports on Form 10-K. Even though uncertainty may loom around the viability of Dodd-Frank with President-elect Donald Trump’s transition underway, companies should continue to prepare pay ratio disclosures in anticipation of the 2018 proxy season. The Final Pay Ratio Disclosure Rule is available here.

PROXY ADVISORY FIRM UPDATES

Glass Lewis Updates

Glass, Lewis & Co. (Glass Lewis) recently published its 2017 Proxy Season Guidelines. The guidelines include a number of changes, a summary of which is outlined below.

Director Overboarding. Beginning February 2017, Glass Lewis will implement its policy regarding director board commitments. Glass Lewis will issue negative recommendations for directors who serve on more than five public company boards and for company executives who serve on a total of two public company boards, including his or her own.

Governance for Newly Public Companies. For newly public companies, Glass Lewis will recommend against directors and members of governance committees who adopt provisions causing shareholders’ rights to become “severely restricted indefinitely.” Provisions such as anti-takeover mechanisms, including poison pills or classified boards, along with exclusive forum and fee-shifting provisions will all be considered for such recommendations.

Board Self-Assessment. Glass Lewis has updated its views regarding board evaluations to account for director skills and how those skills align with company strategy, as opposed to merely relying on tenure and age. Glass Lewis has further taken the stance that shareholders are better equipped to measure the board’s composition and approach to corporate governance.

Gender Pay Disclosure. Glass Lewis issued a new policy for reviewing companies’ gender pay equity, on a case-by-case basis. Upon review, Glass Lewis will generally recommend proposals requesting greater disclosure where inattention and inadequate policies expose the company to risk.

In its update, Glass Lewis also noted its support for proxy access and the management of environmental and social risks.

A copy of the full Glass Lewis Proxy Season Guidelines is available here.

ISS Updates

Institutional Shareholder Services (ISS) also updated its proxy voting policy guidelines for 2017, which will affect shareholder meetings taking place after Feb. 1, 2017. The guidelines set forth a number of updates:

Director Overboarding. Like Glass Lewis, ISS will also implement its policy regarding director overboarding, setting the overboarding threshold at five public boards for directors who are not company executives. The overboarding threshold for company executives will remain at three total boards, including his or her own.

Undue Restrictions. A new ISS policy recognizes shareholders’ ability to amend bylaws as a fundamental right. Under the policy, ISS will vote against or withhold recommendation for members of the governance committee if the company’s charter imposes “undue restrictions” on shareholders’ rights to amend the bylaws. ISS also recognized complete prohibitions on binding shareholder proposals and share ownership requirements beyond the requirements of Rule 14a-8 as being undue restrictions on shareholders’ rights. ISS will generally recommend against governance committee members whose company has any of these provisions in its charter as well.

Unilateral Governance Changes. ISS updated its policy for governance of newly public companies to include consideration for any reasonable sunset provision when issuing recommendations against directors who have adopted charter or bylaw amendments that ISS views as materially adverse to shareholder rights or that implement a multi-class capital structure affording unequal voting rights prior to or in connection with an IPO.

Shareholder Ratification of Non-Employee Director Pay Program. As a result of recent highly publicized lawsuits involving excessive non-employee director compensation, ISS will consider qualitative factors such as the presence of problematic pay practices relating to director compensation and the quality of disclosures surrounding director compensation, when evaluating whether to recommend ratification programs regarding non-employee director compensation.

A copy of the full ISS 2017 Proxy Voting Guidelines is available here.

2016 IN REVIEW

During the 2016 proxy season, proxy access remained the predominant topic for the second consecutive year. In fact, shareholders submitted over 200 proxy access resolutions during the 2016 proxy season. The SEC’s 2010 proxy access rule, Rule 14a-11, provided that a shareholder was eligible to nominate proxy access candidates if the shareholder held at least 3 percent of the voting power for at least three years and was not prohibited from proposing a candidate under law or the company’s governing documents. Although this rule was vacated by the U.S. Court of Appeals for the D.C. Circuit in 2011 for being arbitrary, many shareholder proposals are still based on both Rule 14a-11 and the SEC’s amendments to Rule 14a-8. At the end of June 2016, over 250 companies, with 190 S&P 500 firms, established proxy access rights through voluntary adoptions and negotiated withdrawals. As a result, proxy access proposals continue to drive change and mold standard market terms.

As companies grew in 2016, so did the need to properly assess, implement and maintain internal controls over financial reporting (ICFR) pursuant to Rule 13a-15. ICFR is the process by which public companies provide reasonable assurance to the public that their financial statements are prepared in accordance with GAAP and are ultimately reliable. To comply, the SEC requires an annual management report on the company’s ICFR effectiveness in Form 10-K, including disclosure of any material weakness that may leave the company unable to promptly detect or prevent a material misstatement in its financial statements. Companies should implement accounting controls designed to mitigate financial reporting risk and regularly evaluate any deficiencies. This is particularly important in light of the revenue reporting rules issued by the Financial Accounting Standards Board becoming effective for public companies in 2018, and as new accounting standards are issued.

The comment periods have expired for other proposed changes to incentive-based compensation arrangements, the securities transaction settlement cycle, disclosure of payments by resource extraction issuers, pay-for-performance, hedging disclosure, and clawbacks. These changes have not been finalized. At this time, there is no anticipated date for implementation of these policies, so there will be no effect on 2017 filings.

OTHER SECURITIES LAW DEVELOPMENTS

Exemptions to Facilitate Intrastate and Regional Securities Sales and Offerings

In October 2016, the SEC adopted its final rule modernizing the existing intrastate offering framework by implementing amendments to Rule 147 under the Securities Act of 1933. The SEC’s amended Rule 147 provides a safe harbor under Section 3(a)(11) for issuers organized and principally doing business within a single state to offer and make sales of securities to resident purchasers of the same state. The amendments allow companies to raise money from investors within their state without simultaneously registering the offer and sale at the federal level.

The SEC’s new Rule 147A will expand the safe harbor to issuers that maintain a principal place of business in a state other than the one in which they are incorporated, and will permit such issuers to offer and sell securities to residents of the state where they operate. Under Rule 147A, issuers will also be able to make offers across state lines, but sales remain limited to residents of the state.

The final rule also repealed Rule 505 and expanded Rule 504 of Regulation D, by increasing the aggregate amount of securities that may be offered and sold in any 12-month period from $1 million to $5 million. Additionally, the final rule disqualifies certain bad actors from participation in offerings under Rule 504. Through these amendments, the SEC sought to facilitate issuers’ capital raising efforts and provide additional investor protections.

Rule 147 and new Rule 147A will be effective on April 20, 2017. The amendments to Rule 504 will be effective on January 20, 2017. The removal of Rule 505 will be effective on May 22, 2017. All other amendments will be effective on May 22, 2017. The final rules are available here.

Supreme Court Decides First Insider Trading Case in Decades: Salman v. United States

In December 2016, after 20 years without a decision regarding the scope of insider trading, the Supreme Court held that even when no financial or tangible benefit is received, insider trading may arise when a tipper makes a “gift” of confidential information to a friend or relative, in Salman v. United States, No. 15-628 (U.S. Dec. 6, 2016). Although the tipper received no physical benefit from providing the information to the tippee, the Supreme Court found that the personal benefit received from bestowing a “gift” of confidential information to a family member or friend was enough for conviction, thus paving a smoother path for prosecutors seeking conviction.

The Supreme Court relied on the “personal benefit test” established in the seminal 1983 case Dirks v. SEC, 463 U.S. 646 (1983) but declined to clarify the scope of the “personal benefit test.” Additionally, the Supreme Court expressly rejected the Second Circuit’s decision in United States v. Newman, 773 F.3d 438 (2d Cir. 2014), which held that the government must prove that a tippee knew an insider received a personal benefit in exchange for disclosing confidential information, and any benefit received must be sufficiently consequential. While the Supreme Court only narrowly expanded the “personal benefit test” in Salman, it rejected the government’s argument that a gift to “anyone” satisfies the “personal benefit test” potentially providing for a distinction between disclosures to friends and family and those to market professionals. The Salman opinion can be found here.

Mutual Funds/Investment Companies: Rule 22e-4 and Swing Pricing

In October 2016, the SEC adopted its final Rule 22e-4. This new rule requires mutual funds and registered open-end management investment companies, including open-end exchange-traded funds (ETFs), to create a liquidity risk management program in order to reduce the risks associated with fund redemption obligations. The liquidity risk management program must include periodic review of a fund’s liquidity risk, classification of the liquidity of fund portfolio investments, determination of a highly liquid investment minimum, a limitation on illiquid investments, and board oversight. The rule also permits open-end funds, excluding ETFs and money market funds, to use swing pricing, which allows funds to adjust their net asset value per share in order to pass on the costs associated with trading activity to purchasing and redeeming shareholders. The rule requires board approval and periodic review of the fund’s swing factor upper limit and swing threshold. Companies will need to comply with the new Rule 22e-4 beginning on or after Jan. 17, 2017, and access to swing pricing will become available Nov. 19, 2018. The final rule is available here.

Investment Company Reporting Modernization

In October 2016, the SEC adopted new forms and amendments to modernize the reporting and disclosure requirements for registered investment companies. Form N-PORT, a new monthly reporting form, requires registered funds other than money market funds to provide portfolio-wide and position-level holdings data. Reporting requirements include data related to the pricing of portfolio securities, information regarding repurchase agreements, securities lending activities, counterparty exposure, terms of derivatives contracts, and portfolio-level and position-level risk measures, to be reported to the SEC on a monthly basis. Form N-CEN will require registered investment companies to annually report certain census-type information as well. Finally, the SEC is adopting amendments to Forms N-1A, N-3 and N-CSR to require certain disclosures regarding securities lending activities. Collectively, these amendments will enhance investors’ ability to use and analyze data to ultimately make more informed investment decisions. The rule becomes effective Jan. 17, 2017, and most funds will be required to begin filing new Forms N-PORT and N-CEN after June 1, 2018. The final rule is available here.

Universal Proxy

In October 2016, the SEC proposed changes to the proxy rules requiring the use of universal proxy cards during a contested election. During a proxy contest, the proposal would require proxy contestants to provide shareholders a proxy card with the names of management and dissident director nominees listed. Similar to voting in person, the proposal would give shareholders the ability to vote for their preferred combination of board candidates through proxy. The proposal aims to remedy shareholders’ current inability to combine nominees to create their own slate during a contested election. The comment period for the proposal ends Jan. 9, 2017.

© 2016 Dinsmore & Shohl LLP. All rights reserved.

Register for the 24th Annual Marketing Partner Forum January 25-27: Client Collaboration & the New Rules of Engagement

In January 2017, Marketing Partner Forum returns to Terranea Resort in Rancho Palos Verdes, CA for a three day summit on law firm marketing and business development set against the breathtaking Southern California shoreline. Marketing Partner Forum will welcome law firm marketing partners, rainmakers, practice group heads, business development leaders and esteemed corporate counsel for a dynamic and vibrant conference designed for the industry’s most experienced professionals.

Call to register: 1-800-308-1700

Or click here to email and we will contact you.

For more information, click here.

Why You Should Attend

Marketing Partner Forum is designed for client development partners, rainmakers, and the senior-most legal marketing and business development professionals across the legal industry. Our content reflects the experience and sophistication of our international audience in terms of rigor, ambition and scope. Attendees can expect to hear from venerable thought leaders both within and outside of the legal industry. Enjoy ample networking opportunities and the stunning scenery, golf course, spa and hiking trails at one of California’s most picturesque resorts. Take advantage of our brand new Marketing Partner Conference Track consisting of several compelling sessions designed specifically for the law firm partnership. Interact directly with senior clients and network for new business. Explore the brand new Marketing Partner Forum Technology Fair. Bring your family to our Thursday night reception and Friday Bloody Mary Brunch. Depart the event with practical takeaways to share with peers and firm leadership.

Fifth Circuit Judge Blocks Rule That Would Ban Arbitration in Nursing Home Disputes

A federal district court recently issued a preliminary injunction barring enforcement of a rule prohibiting the use of pre-dispute arbitration agreements with patients in long-term care facilities that participate in Medicare and Medicaid programs.

The new rule, promulgated by the Centers for Medicare and Medicaid Services (CMS), would have taken effect on November 28, 2016. It would have prohibited (1) entering into pre-dispute arbitration agreements and (2) requiring the signing of an arbitration agreement as a condition of admission. The injunction was granted by U.S. District Court Judge Michael P. Mills, who sits in the Northern District of Mississippi, at the request of members of the nursing home industry to stop the rule from taking effect while it is being challenged in court. In their lawsuit, the American Health Care Association and four other state and local health care groups claim that CMS and the Department of Health and Human Services are overstepping their authority in issuing the rule. Specifically, the plaintiffs contend that Congress has repeatedly rejected legislation to invalidate arbitration agreements, and further argue that the rule is not necessary to protect the health and safety of nursing home residents.

In entering his order, Judge Mills did concede that the CMS rule does appear to be based on “sound public policy.” Because some residents of nursing homes suffering from ailments such as dementia might not have the capacity to grasp what an arbitration agreement entails, and because the admissions process itself places stress on nursing home residents and their families, it can be argued that arbitration and the nursing home admissions process do not belong together.

However, in granting the injunction, Judge Mills stated that, as sympathetic as the court may be to the public policy considerations that motivated the rule, it is not willing to allow the federal agency to overstep its executive authority and “engage in a rather unprecedented exercise of agency power. The court is unwilling to play a role in countenancing the incremental ‘creep’ of federal agency authority beyond that envisioned by the U.S. Constitution.”

The nursing home industry has said that arbitration offers a less costly alternative to court. Facilitating more lawsuits, the industry has said, could drive up costs, forcing some nursing homes to close. Lawyers representing residents, however, state that people being admitted to nursing homes are often at the most stressful juncture of their lives, and are not equipped or capable of understanding what it is they are being asked to sign. Regardless of whether one believes striking down the rule would help the nursing home industry reduce its legal costs, or that the rule assists the families of nursing home residents in getting justice, it is clear that the court’s grant of the injunction as well as the impending decision in the underlying case will have an impact upon the future of the nursing home industry.

© 2016 Heyl, Royster, Voelker & Allen, P.C.