Fiduciary Risk in Data Privacy and Cybersecurity? You Bet!

Health plan administrators are (or certainly should be) well-versed in their obligations under the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH). Failure to secure protected health information (PHI) from disclosure can result in civil monetary penalties of up to $1.5 million and potential criminal penalties of up to 10 years’ imprisonment. Penalties of this size have the tendency to get people’s attention. But, if you are a retirement plan fiduciary or administrator (which likely includes officers and other senior-level executives at a company), are you aware of your obligations to protect sensitive data and other personal information in your control and the control of your vendors?

Retirement plans store extensive personal data on each participant and beneficiary. This data ranges from Social Security numbers and addresses to dates of birth, bank account and financial information, and other records and is stored physically and in electronic forms for years, if not decades. The term often used for this type of information is “personally identifiable information” (PII). While stored, numerous human resources and benefits department personnel, participants, beneficiaries, recordkeepers, trustees, consultants, and other vendors have access to some or all of this highly sensitive information. The extensive trove of PII presents an attractive, and often undersecured and easily exploitable, opportunity for criminals intent on stealing identities or on the outright theft of plan assets and benefit payments.

Federal laws similar to HIPAA but applicable to retirement plans have not (yet) been enacted. However, this does not mean that retirement plan fiduciaries and administrators are off the hook. Under the Employee Retirement Income Security Act of 1974 (ERISA), as amended, a fiduciary is required to discharge his or her duties solely in the interests of plan participants and beneficiaries, and, in doing so, must adhere to a standard of care frequently described as the “prudent expert” standard. Under this standard, it is not difficult to conclude that a retirement plan fiduciary who does not take certain precautions with regard to the protection of PII may be in breach of his or her fiduciary duty. And, although a breach of an ERISA fiduciary duty does not trigger clear statutory penalties like those applicable under HIPAA and HITECH, under ERISA, fiduciaries are personally liable for their fiduciary breaches.

So, what precautions should retirement plan fiduciaries take to help ensure that they have fulfilled their fiduciary duties with respect to data privacy and cybersecurity? What should a fiduciary do in the event of a data privacy or cybersecurity breach? Presently, 47 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted some form of breach notification law, and it is unsettled whether these breach notification laws are preempted by ERISA.

Copyright © 2016 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

Lawsuit Challenges FDA Approval of Genetically Engineered Salmon

Last November, we posted that the Food and Drug Administration (FDA) had approved a genetically engineered (GE) salmon: AquaBounty Technologies’ AquAdvantage Salmon. This approval marked the first time that the FDA authorized selling a genetically engineered animal for human consumption.

Immediate backlash followed the FDA’s November 19, 2015 announcement from environmental and consumer advocacy groups. On March 31, 2016, environmental and food safety groups, as well as fisherman trade associations, sued the FDA and related agencies in federal court in California. The suit seeks to reverse the FDA’s approval of the fish for human consumption.

The complaint alleges that the FDA failed in its statutory duty to take a “hard look” at how GE salmon will impact the environment. The plaintiffs warn that the FDA did not appreciate the risk that the farmed salmon would inevitably escape, “interbreed with wild endangered salmon, compete with them for food and space, or pass on infectious disease . . . .”

The plaintiffs also take aim at the FDA’s authority to regulate GE animals under the Federal Food, Drug, and Cosmetic Act (FFDCA), arguing that, back in 1938, Congress did not expect the FDA to regulate genetically engineered animals for human consumption: “GE animals present enormously different risks and impacts than drugs, requiring different expertise, analyses, and regulation than were contemplated when Congress enacted the FFDCA.”

Whether additional lawsuits will follow this one remains to be seen. In our November post, we predicted that consumers could sue to challenge the labeling of the GE fish. Although the FDA initially determined that AquaBounty would not need to label its salmon as GE, a provision in December’s 2016 Omnibus Appropriations Bill required the FDA to ban GE salmon imports until it published labeling guidelines for the fish. In February, the FDA issued that ban and announced its plans to establish labeling guidelines.

Even if AquaBounty puts FDA-approved labeling on its product, consumers still may sue under failure to warn and related legal theories. The food industry has had some success defending state law food labeling claims based on federal preemption. But the federal Nutrition Labeling and Education Act exempts claims based on the adequacy of safety warnings unless the FDA has actually considered a risk and determined that no warning is necessary. So, the key question in any consumer personal injury suit involving GE salmon likely will be whether the FDA considered the risk of the alleged harm in implementing its new labeling guidelines.

© 2016 Schiff Hardin LLP

U.S. Air Force Testing BioBased Vehicle Oil Created From Canola Seed, Soybean, And Synthetic Petroleum

On March 22, 2016, a team visited Malmstrom Air Force Base to test a new biobased synthetic oil in the base’s vehicles. The testing is sponsored by the Defense Logistics Agency (DLA) and the Office of the Secretary of Defense, with four bases chosen to use the plant-based synthetic oil in vehicles. The Department of Homeland Security’s Law Enforcement Training Center has also begun testing the oil and will be monitoring the impacts on vehicle performance and engine quality over the next 12-18 months. George Handy, the project manager, stated that the use of biobased oil is not expected to result in “any change in the performance of any of the vehicles because they are already running on synthetic fuels.” If the testing goes well, the biobased oil will be available to purchase through normal channels, improving national security through the use of a domestically produced sustainable product.

©2016 Bergeson & Campbell, P.C.

DOJ Issues New FCPA Guidance and Launches Self-Reporting Pilot Program

The US Department of Justice has announced the creation of a one-year pilot program intended to encourage companies to self-report bribery violations and provide extensive cooperation in exchange for reduced penalties, ranging from reductions in fines to declinations.

On April 5, the Fraud Section of the US Department of Justice (DOJ) issued its “Foreign Corrupt Practices Act Enforcement Plan and Guidance” (Guidance) outlining the following “three steps in [its] enhanced FCPA enforcement strategy”:

  1. The intensification of its investigative and prosecutorial efforts by substantially increasing its FCPA law enforcement resources.

  2. The strengthening of its coordination with foreign law enforcement.

  3. Its implementation of an “FCPA enforcement pilot program” to encourage voluntary disclosure, cooperation, and remediation.[1]

While the first two steps have been championed in prior DOJ press releases and speeches, the third step—the creation of the FCPA enforcement pilot program—is an important development that has the potential to change the voluntary disclosure calculus in connection with FCPA matters.

The Guidance applies “to organizations that voluntarily self-disclose or cooperate in FCPA matters during the pilot period, even if the pilot thereafter expires.”[2]

Intensification of DOJ’s Investigative and Prosecutorial Efforts

The Fraud Section plans to more than double the size of its FCPA Unit by “adding 10 more prosecutors to its ranks”[3]—a staffing goal that was previously announced by Assistant Attorney General for the Criminal Division Leslie Caldwell at an FCPA conference in November 2015.[4] The Guidance also cites the FBI’s establishment of “three new squads of special agents devoted to FCPA investigations and prosecutions,” a hiring initiative that was announced approximately a year ago.

Strengthening of DOJ’s Coordination with Foreign Law Enforcement

The second part of the Guidance builds on previous statements by senior DOJ leaders that they “are greatly aided by our foreign partners”[5] and “it is safe to say [in 2013] that we are cooperating with foreign law enforcement on foreign bribery cases more closely today than at any time in history.”[6]

FCPA Enforcement Pilot Program—Eligibility and Potential Benefits

The most important part of the Guidance is the Fraud Section’s announcement of a one-year “FCPA enforcement pilot program,” which provides for “mitigation credit” that takes into consideration three essential factors: (1) voluntary disclosure, (2) full cooperation, and (3) remediation. In cases in which the above three factors are met but a criminal resolution is nonetheless warranted, “mitigation credit” can include “up to a 50% reduction off the bottom end of the Sentencing Guidelines fine range, if a fine is sought” and the avoidance of a third-party compliance monitor.[7] Moreover, the Guidance states that, in appropriate cases, where the above factors are fully satisfied, DOJ “will consider a declination of prosecution.”[8]

Voluntary Self-Disclosure

A company must voluntarily disclose an FCPA violation to the Fraud Section in order to be eligible for the full mitigation credit. As a preliminary matter, the disclosure must be truly voluntary—a disclosure that the “company is required to make, by law, agreement, or contract” would not constitute voluntary self-disclosure for purposes of this pilot.[9] Second, the disclosure must occur “prior to an imminent threat of disclosure or government investigation” and be “within a reasonably prompt time after becoming aware of the offense,” with the burden on the discloser to demonstrate timeliness.[10] Finally, the disclosure must include “all relevant facts known to [the company], including all relevant facts about the individuals involved in any FCPA violation.”[11]

DOJ’s voluntary disclosure requirement follows a recent announcement by the US Securities and Exchange Commission (SEC) that companies subject to FCPA enforcement actions are required to self-report their potential misconduct to be eligible for deferred prosecution agreements and non-prosecution agreements.

Full Cooperation

The Guidance sets forth nearly a dozen requirements for companies seeking cooperation credit under the pilot program.[12] Those requirements can be distilled into the following four categories:

  • Disclosure of Relevant Facts: Companies are expected to disclose “all facts relevant to the wrongdoing at issue” on a timely basis, including “all facts related to involvement in the criminal activity by the corporation’s officers, employees, or agents” and “all facts relevant to potential criminal conduct by all third-part[ies].” Disclosure is expected to be “proactive” rather than “reactive,” and facts relevant to the investigation should be voluntarily provided “even when [companies are] not specifically asked to do so.” In addition, disclosures are expected to include “all relevant facts gathered during a company’s independent investigation.”

  • Preservation and Disclosure of Documents: All relevant documents—as well as “information related to their provenance”—are expected to be collected, preserved, and disclosed. This expectation extends to “overseas documents” and important details about those records such as their location and the individuals who discovered them. In some cases, prosecutors may insist that companies provide translations of foreign-language documents. Finally, it is expected that companies will assist with the “third-party production of documents . . . from foreign jurisdictions.”

  • Making Individuals Available for Interviews: Upon request, companies are expected to “mak[e] available for [DOJ] interviews those company officers and employees who possess relevant information,” including—where appropriate and possible—individuals located overseas, as well as those who no longer work for the company.

  • Conducting Transparent and Coordinated Internal Investigations: Companies are expected to provide timely updates about their internal investigations and, where requested, ensure that such investigations do not conflict with those being conducted by the government.

The Guidance notes that “cooperation comes in many forms,” and that the Fraud Section “does not expect a small company to conduct as expansive an investigation in as short a period of time as a Fortune 100 company.”[13]

Remediation

The final requirement is that of “timely and appropriate remediation,” and the following items generally will be required in order for companies to receive remediation credit:

  • Implementation of an Effective Compliance Program: While the criteria depend on the size and resources of the organization, the following factors are normally considered:

    • Whether the company has established a “culture of compliance”

    • Whether the company has sufficient compliance resources

    • The quality and experience of the compliance personnel

    • The independence of the compliance function

    • Whether the company’s compliance program has performed an effective risk assessment and tailored the compliance program based on that assessment

    • How a company’s compliance personnel are compensated and promoted

    • Auditing of the program to assure its effectiveness

    • The reporting structure of compliance personnel within the company

  • Discipline of Culpable Employees: It is expected not only that companies discipline culpable employees, but that they have systems that provide for the possibility of disciplining others with oversight of the responsible individuals.

  • Acceptance of Responsibility and Implementation of Reforms: Companies are expected to recognize the seriousness of the misconduct, accept responsibility for it, and implement reforms to identify and reduce the risk of similar violations.[14]

Credit

Where the above conditions are met but a criminal resolution is warranted, the Fraud Section’s FCPA Unit (1) may accord up to a 50% reduction off the “bottom end” of the Sentencing Guidelines fine range, if a fine is sought; and (2) generally should not require appointment of a monitor if a company has, at the time of resolution, implemented an effective compliance program.

Furthermore, where the same conditions are met, the Fraud Section’s FCPA Unit will consider a declination of prosecution. In doing so, prosecutors must balance the importance of encouraging disclosure against the seriousness of the offense. In assessing the seriousness of the offense, prosecutors are to consider the involvement by executive management in the FCPA misconduct, the size of the ill-gotten gains in relation to the overall revenue of the company, a history of noncompliance by the company, and any prior resolutions by the company with DOJ within the past five years.

Finally, if the company cooperates and remediates, but has not voluntarily disclosed, the Fraud Section’s FCPA Unit may provide partial mitigation credit, but will agree to no more than a 25% reduction off the bottom of the Sentencing Guidelines fine range.[15]

Implications

This Guidance comes after what has been a growing perception that voluntary disclosures have slowed significantly due to a lack of transparency, consistency, and clarity as to what the benefits are, if any, to self-disclosing. Whether the pilot program succeeds in encouraging self-disclosures will likely depend on the perception of companies and defense counsel of the fairness and openness of the application of the criteria in the Guidance.


[1] US Dep’t of Justice, Memorandum from Andrew Weissmann titled “The Fraud Section’s Foreign Corrupt Practices Act Enforcement Plan and Guidance” (Apr. 5, 2016) (Guidance)

[2] Guidance at 3.

[3] Id. at 1.

[4] Stephen Dockery, “US Justice Dept. Boosting Foreign Corruption Staff,” Wall Street Journal (Nov. 17, 2015)

[5] US Dep’t of Justice, “Assistant Attorney General Leslie R. Caldwell Speaks at American Conference Institute’s 31st International Conference on the Foreign Corrupt Practices Act” (Nov. 19, 2014)

[6] See id.; see also US Dep’t of Justice, “Acting Assistant Attorney General Mythili Raman Delivers Keynote Address at the Global Anti-Corruption Congress” (June 17, 2013)

[7] Guidance at 8.

[8] Id. at 9.

[9] Id. at 4.

[10] Id.

[11] Id.

[12] Id. at 5-6.

[13] Id. at 6.

[14] Id. at 7-8.

[15] Id. at 8-9.

Trade Secrets Bill with Controversial Civil Seizure Provision Passes Senate

Recently, Congress and the courts in the United States have been active in reining in what many have seen as a patent system that has run amok. In the process, they have placed a number of limits on patent holders’ ability to effectively and successfully enforce patents. But as opportunities to enforce intellectual property through patent suits have been narrowed, another IP door appears to be opening.

For several years, Congress has been working on legislation that would, in effect, federalize what until now has been a state-by-state system of trade secret law. The current version, the Defend Trade Secrets Act of 2016 (S. 1890) (“DTSA”), was approved by the Senate on April 4, 2016 with bipartisan support.

The DTSA would operate to expand the existing Economic Espionage Act by, among other things, adopting much of the framework of the Uniform Trade Secrets Act (“UTSA”) and permitting private parties to bring civil trade secret misappropriation actions. UTSA-derived provisions are already in effect in 48 of the 50 states. Thus, while there are some differences between the DTSA and the UTSA, it is unclear whether the DTSA would represent a meaningful departure from existing trade secrets law, at least substantively. There are differing views.

The DTSA’s Civil Seizure Provision

What would almost certainly represent a significant new development is the DTSA’s civil seizure procedure, which is not contemplated under the UTSA. Under the proposed law, upon application by a party asserting theft of trade secrets, a federal court would have the authority to order law enforcement officials to enter land and seize property “necessary to prevent the propagation or dissemination of the trade secret that is the subject of the action.” Most strikingly, the bill envisions an ex parte process under which seizures would be authorized and executed without any notice to the relevant property owner(s), including third parties—a process that naturally raises due process and Fourth Amendment concerns.

Supporters of the bill point to analogous ex parte seizure provisions contained in the Lanham Act[1] (authorizing ex parte seizures of counterfeit goods) and the Copyright Act[2] (authorizing ex parte impoundments of documents and things related to copyright infringement)—provisions that have survived constitutional scrutiny.

Moreover, Rule 64 of the Federal Rules of Civil Procedure authorizes prejudgment seizures of property under applicable state law (e.g., writs of replevin or sequestration remedies), and ex parte seizures under such state law provisions have likewise been upheld under many circumstances. Courts have also justified ex parte seizures under the All Writs Act.[3] Thus, there is precedent for these types of procedures.

It is also worth noting that ex parte seizure procedures are used in intellectual property cases in numerous jurisdictions outside of the United States. For example, in the United Kingdom, so-called “Anton Piller” orders have been utilized for many years to secure documents and things on an ex parte basis, in exceptional circumstances.

Significant Controversy

Nevertheless, the prospect of ex parte seizures in the trade secrets context has generated significant controversy in the United States. One major source of concern is the fact-intensive nature and overall complexity of trade secrets disputes. What exactly is the information at issue and does it qualify as a trade secret? How, if at all, has it been maintained in secrecy? Does the target of the seizure really have the information in his or her possession, and if so, how was the information obtained? Was reverse engineering involved? And so on.

Even on a preliminary basis, the complex factual issues involved in trade secret disputes may not lend themselves to fair resolution through expedited and non-adversarial ex parte procedures. Indeed, it does not take much imagination to conceive how, in the wrong hands, one-sided ex parte seizure proceedings might be used for improper purposes.

For example, in one Lanham Act counterfeit goods case, the plaintiff’s attorney “ran roughshod over the applicable statutes and rules,” submitting an inaccurate and misleading affidavit and convincing the lower court to authorize a private investigator to conduct the seizure and hand the seized property to the attorney.[4] In another, the district court described a scheme in which the plaintiffs obtained seizure orders in a succession of counterfeiting cases, only to dismiss each case approximately one year after seizing the goods, without having ever established that the goods were, in fact, counterfeit.[5]

Rigorous Procedural Safeguards

In an effort to eliminate potential mischief, and to ensure that the new DTSA scheme passes constitutional muster, the bill’s sponsors have included a number of key procedural safeguards:

  • Ex parte seizures would be reserved for “extraordinary circumstances” only;

  • A seizure order would only issue upon the plaintiff’s filing of an affidavit or verified complaint that sets forth “specific facts” establishing, among other things: (1) immediate and irreparable injury if seizure is not ordered; (2) a likelihood of success on the merits of the trade secret claim; (3) the balance of harms favors the applicant; (4) the identity and location of the material to be seized, with reasonable particularity; and (5) more ordinary procedures (such as a TRO motion under Rule 65) would be ineffective because the seizure target would evade the order or destroy the evidence;

  • The applicant would be required to post a bond sufficient to cover damages should the seizure turn out to be wrongful or excessive;

  • Any seizure order would “provide for the narrowest seizure of property necessary” and would be executed by law enforcement officials;

  • The court would be required to provide specific guidance to the officials executing the seizure that “clearly delineates” the scope of their authority and details how the seizure must be conducted;

  • The court would also be required to schedule an adversarial hearing for the earliest possible time after the seizure was executed, at which hearing the applicant would bear the burden of proof of establishing that the seizure order was proper; and

  • The bill provides for a civil action for damages based on a wrongful or excessive seizure.

Taken together, these safeguards are significant and may reduce the likelihood of erroneous seizure orders and/or abuse of the system. In fact, it is possible that the obstacles to securing a seizure order would be so significant that, as a practical matter, they would eliminate the seizure remedy as an alternative in all but the most egregious scenarios. That appears to be an intended result.

In any event, having navigated the Senate, the DTSA will now pass to the House of Representatives for further consideration. A companion bill to S. 1890, H.R. 3326, was introduced in July 2015 and has enjoyed broad bipartisan support. In an era of partisan rancor, the DTSA may yet be one instance—the ex parte seizure provision notwithstanding—in which legislators find ways to work together across the aisle to achieve results.


[1] See 15 U.S.C. § 1116(d).

[2] See 17 U.S.C. § 503(a).

[3] 28 U.S.C. § 1651.

[4] Warner Brothers v. Dae Rim Trading, Inc., 877 F.2d 1120 (2d Cir. 1989).

[5] NASCAR v. Doe, 584 F. Supp. 2d 824 (W.D.N.C. 2008).

Announcement of “Privacy Shield” Gives Hope for U.S. Companies Who Previously Relied on Safe Harbor

We have previously discussed the EU Court of Justice’s invalidation of the long-standing Safe Harbor program, previously relied on by many organizations as a means of authorizing transfers of EU citizens’ private data to the United States. U.S. companies eagerly awaited news of a replacement for Safe Harbor and kept a close watch as the January 31, 2016, grace period on enforcement announced by the EU Article 29 Working Party expired. News of a new framework broke in early February and the European Commission released extensive documentation revealing the details of Safe Harbor’s proposed replacement – the EU-U.S. Privacy Shield program (Privacy Shield) – on February 29, 2016.

Privacy Shield encompasses seven principles for assuring adequate protection when transferring and processing personal data originating in the European Union. Similar to Safe Harbor, organizations can self-certify their compliance with these principles, provided they (1) commit to the U.S. Department of Commerce that they will adhere to the Privacy Shield Principles, (2) publicly declare their commitment to the Privacy Shield Principles, and (3) actually implement the Principles. Once compliance is certified, organizations may seek inclusion on the Department of Commerce’s list of certified organizations, effectively authorizing them to transfer the personal data of EU residents to the United States.

Privacy Shield Principles

  1. Notice. Privacy Shield requires organizations to provide notice regarding the type of data collected, the purposes for which it is collected, any third parties to which the data may be transferred, individuals’ right to access their data, and how individuals can limit use and disclosure of personal data. The organization also must provide notice of its participation in Privacy Shield, acknowledge applicable enforcement authorities and describe recourse mechanisms available.

  2. Choice. Organizations must provide clear, conspicuous and readily available mechanisms allowing individuals to opt out of any disclosure of their personal data to third parties, or use of their personal data other than the purpose(s) for which it was initially collected or subsequently authorized by the individual. Certain sensitive information will require individuals to opt in affirmatively.

  3. Security. As under Safe Harbor, participating organizations must take “reasonable and appropriate measures,” based on the risks involved and the nature of the personal data, to protect the data “from loss, misuse and unauthorized access, disclosure, alteration and destruction.”

  4. Access. Privacy Shield–certified organizations must provide individuals with access to and the opportunity to correct, amend or delete inaccurate or improperly processed personal data. Individuals also must be allowed to confirm that their personal data is being processed. An organization may restrict access to data “in exceptional circumstances.”

  5. Data Integrity and Purpose Limitation. Privacy Shield requires not only that any data collected be “relevant for the purposes of processing” but also that organizations limit collection to relevant data only. Participating organizations also must “take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.”

  6. Accountability for Onward Transfer. Certified organizations’ contracts with third parties receiving personal data must require that such data “may only be processed for limited and specified purposes” consistent with the level of consent given by the data subject. Third-party transferees also must agree to “provide the same level of protection as the [Principles].” Certified organizations also must “take reasonable and appropriate steps” to ensure third-party agents adhere to the Principles, and are required to stop and remediate any unauthorized processing by third parties, if necessary. Importantly, with limited exceptions, certified organizations remain liable to data subjects for any vendor’s violation of the Principles.

  7. Recourse, Enforcement and Liability. Perhaps Privacy Shield’s most significant new features are its recourse and dispute resolution provisions. Complaint-handling processes must be implemented to obtain Privacy Shield certification. To ensure effective enforcement, Privacy Shield requires (1) procedures for verifying representations made about privacy practices, (2) recourse for data subjects and (3) remedies for failures to comply with the Principles. These newly required “independent recourse mechanisms” are empowered to provide remedies separate from regulators’ enforcement authority.

Legal Safeguards

Because the extent of U.S. government surveillance of personal data was a primary reason why the Safe Harbor program was invalidated, in support of Privacy Shield the U.S. Office of the Director of National Intelligence and the U.S. Department of Justice have furnished letters outlining the legal safeguards that will limit U.S. government access to personal data transferred pursuant to Privacy Shield. In addition, the U.S. Secretary of State is set to appoint a Privacy Shield Ombudsperson, who will be responsible for handling European complaints regarding whether personal data transferred under Privacy Shield has been accessed by U.S. intelligence activities.

In addition, the Judicial Redress Act of 2015, signed into law on February 24, 2016, allows EU citizens to bring civil actions against U.S. government agencies under the Privacy Act of 1974 to access, amend or correct records about them or seek redress for the unlawful disclosure of those records.

Certification and Compliance

Privacy Shield is expected to be approved by the European Commission later this year and published in the Federal Register shortly thereafter. Organizations that self-certify within the first two months following publication will be given nine months to bring all third-party relationships into compliance. Two months after the effective date, the Principles become binding on an organization immediately upon certification. Privacy Shield will thereafter undergo annual joint reviews by EU and U.S. authorities.

All organizations that intend to become Privacy Shield certified are strongly encouraged to immediately begin updating their policies to meet Privacy Shield’s heightened obligations, including reviewing their third-party agreements to ensure compliance.

© 2016 Wilson Elser


Managing Client Needs with Cross-Generational Leadership

Everyone knows the generational stereotypes: Baby boomers are loyal and hardworking, people who believe in putting your nose to the grindstone and getting work done but who may have a difficult time working the latest mobile technology. Gen Xers are independent and skeptical, while millennials are tech-savvy, Instagram EVERYTHING, and are aggressively interested in collaboration and work-life balance.

In law firms across America, these groups are commingling and working together to manage client matters and relationships. The panel “The Ties that Bind: Building Cross-Generational Leadership” at the 23rd Annual Marketing Partner Forum discussed the business imperative of building a diverse, multi-generational client team to fortify legal services. NLR took the opportunity to speak with the moderator Amanda K. Brady, Global Practice Leader at Major, Lindsey & Africa, and Melissa R. Margulies, Client Service Counsel at Ballard Spahr, about generational issues facing law firms.

The first thing to keep in mind is what a general counsel wants from his or her outside counsel. GCs want a team that will work together and get the job done, and the law firm team should represent the business needs and goals of the client. General counsels want attorneys who make their jobs easier, and law firms are expected to meet the needs of the client. Amanda Brady says, “The client doesn’t need to meet everyone working on the matter, but my sense from the GC is that they really appreciate getting to know key attorneys working on their projects so they are more comfortable conducting follow-up communications.”

Every situation is different, and factors must be considered to appropriately handle each client. Open lines of communication that allow clients to communicate their needs to the firm are imperative. Melissa Margulies points out, “We ask the client for feedback about both partners and associates and how the team has helped the client. Additionally, we continually evaluate whether the relationship partner and team members are the right fit, based upon the changing business needs of the client.”

Margulies continues, “What I see and what I encourage are different tiers of client contact and multiple points of contact.” She points out that each generation brings its own strengths, and it’s important to set up a team that can do the work and further relationships. Margulies says, “It’s important that younger lawyers are given opportunities to interact with the younger business people at the client so that those two groups grow up together.”

Traditionally, the senior attorney has the relationship and brings the client to the firm. Junior attorneys do the work, while the partner manages the relationship, allowing the junior attorneys opportunities to interact and meet with the client along the way. Brady says, “The obvious challenge is for the junior attorney. They don’t bring as much experience to the table, so they have to tout the experience of the more senior attorneys and work as a team.” Collaboration is essential, and making sure junior attorneys are brought to the table is an important part of keeping the relationship viable as the years go by.

The question becomes how often and when do you introduce the junior attorneys to the client. Of course, the answer is, “It depends.” What’s important is keeping the client relationship current and making sure you are managing the client’s current needs—as well as any needs that come up in the future. Margulies says, “There is no rule of thumb for how long it takes to develop a relationship.” She points out that if there is a long-standing relationship between the client and the firm, it might not take long to introduce a junior lawyer.  If it’s a brand new client, it could take a little longer. She says, “The longer the relationship, the firm develops an institutional memory of the client and it doesn’t take as long for lawyers to learn and understand the client’s business.”

There are a few strategies that work well in trying to get junior attorneys integrated with clients and to help understand the clients and add value to the relationship. One strategy is allowing junior attorneys opportunities to write, hold webinars, or give presentations on areas of interest to the client. Brady says, anecdotally, “Lawyers [in firms] are more specialists, more current than in-house counsel. They deal with the issues on a regular basis; in-house legal departments don’t necessarily have the education budget, so outside counsel can fill the gap. It’s a way to become dialogue partners as you sort through the information.”

Margulies suggests one way for junior attorneys to gain experience is to work off-site with a client. She says, “If we have a chance for a secondment of a lawyer to a client, we will do that, as it presents an amazing opportunity for the young lawyer to go work at a client for a period of time, see what it’s like on the inside, and develop relationships that he/she might not have the opportunity otherwise to do.” Along with the benefits for the attorney and the connections that can be made, it shows a commitment by the firm to the client’s interests and the relationship.

Additionally, pro bono work is a fascinating way to get people together in an unusual context. With the good will inherent in helping others and the out-of-office environment where roles and expectations are shaken up a bit, conversation flows and relationships can advance. Margulies points out, “You can really forge relationships that way—sitting together in a different situation, doing something you might not normally  do—but you’re also working together, solving problems, and building relationships.”

These are great strategies for involving junior attorneys, but at some point, the senior partner moves on and the torch must be passed. Brady says, “Continuity for the client is important for the firm’s well-being, and there is always someone wanting to build a relationship with in-house counsel.” Making sure there are no gaps in the relationship with the client is crucial; however, this transition can be difficult. There are a few important things to remember as the changes are considered. Margulies says, “It’s important to understand that, generally, lawyers are perfectionists; transitioning  a long relationship, for whatever reason, is difficult. It’s very hard to relinquish control.”

That said, how does the change happen? Many of the strategies mentioned earlier can help ease the transition, Margulies says, pointing out that, “It is easier when lawyers are encouraged to involve younger lawyers early on so it becomes a natural progression. It’s a way to build trust and comfort, and letting go is easier when younger attorneys are involved earlier and the more senior attorneys are comfortable with their knowledge and abilities.”

Baby Boomers, Gen Xers, and Millennials are sharing the work at law firms and taking care of clients’ needs. There are difficulties and no real easy solutions, and the answer to just about every question is “It depends.” But as Brady points out, “Change is going to happen, and everyone is trying to figure out how to make it work.”

Attorneys Facing An Uphill Battle In Litigation Should Consider Option Value When Arguing Valuation

Let me tell you a sad story: Joe owned a marketing company and earned a prosperous living for several years. Joe’s business was growing rapidly and all seemed right with the world. Then a trusted employee left Joe’s firm, taking with him half of Joe’s customers in violation of his non-compete agreement. Joe’s business slowly suffered and lost customers until eventually his firm declared bankruptcy.

Joe sued his former employee and asked for damages related to the value of his firm. Joe’s attorney argued to the court for compensation based on the value of Joe’s firm that was destroyed by the employee. Yet the attorney left out one critical question when arguing the case: how should the law account for the fact that Joe’s business was growing rapidly until the employee left?

Perhaps Joe had several big accounts that he might have been able to sign had the employee not engaged in unfair trade practices. Without taking these factors into account, Joe’s attorney is under-representing the value of Joe’s claim and leaving compensation on the table for no reason.

In finance, this idea of the possibilities that could plausibly occur in the future is called an embedded option or a real option and it is extremely useful in a variety of cases from divorce proceedings and business bankruptcies to merger disputes and matters of economic harm. In the scenario above, Joe’s firm had the ability to potentially continue to grow and become even more successful than it was at the time before Joe’s employee left. Hence the damage done to Joe is greater than simply the lost historical value of the firm. He has also lost the possibility of much more value in the future.

The crux of modern asset valuation is based on a concept called the time value of money. Essentially the idea is that because money received in the future is worth less than money received today, we can value assets or a business based on their associated cash flows and an appropriate discount rate. This approach forms the basis of everything from stock valuation on Wall Street to proper methods for computing interest rates in bankruptcy. This facet of valuation is well understood. But what about the future opportunities or chances of cash flows that are uncertain?  That’s what embedded options address.

The concept of embedded options might seem abstract or even too nebulous for many judges to buy into in a court case, but the reality is that real options have significant value and are often a subject of serious financial negotiations. Particularly for small firms, real options are often important and serve as the basis for various types of convertible debt and warrant grants.

As a finance professor and frequent consultant to companies on matters of asset valuation and financial forecasting, I have long taken it for granted that the techniques used in the finance profession were well understood and universally applied across many other industries, including the law. I was very surprised to learn, when I started doing expert consulting work, that this is not the case. Lawyers often neglect to ask for damages based on real options in their cases. This leaves an important tool out of the litigation toolbox.

In discussing real options thus far, it might seem like they are primarily useful for parties alleging damages, yet they can be useful for defendants as well. In particular, defendants need to understand how real options are valued and also understand the four appropriate metrics for calculating economic harm as it relates to options (compensating variation, equivalent variation, Paasche indices, and Laspeyres indices). I’ll talk more about these in a future column, though.

When valuing real options, there are various statistical techniques that can be used. The math is not necessarily important here, but the concepts are. Essentially, real options increase in value in situations where there is greater uncertainty, and when interest rates in the broader economy rise. Those conditions make real options an exciting tool in today’s courts. With the Fed finally starting to raise interest rates, real options should become marginally more valuable. More importantly, situations with significant amounts of uncertainty lead to greater volatility in intrinsic asset prices.

These volatile situations are often the very situations that lead to court cases for attorneys – a business deal that went wrong leads to a bankruptcy but could have led to a hugely successful company; a merger agreement could result in substantial cost savings for both firms or substantial value destruction for investors and is being challenged by shareholders; a wrongful death case for an individual in the prime of their life leaves so many possible futures unexplored. Thanks to new statistical techniques and greater computing power, these situations and others can be effectively modeled through computer simulations and valued by economists in ways that would have been unimaginable a decade ago.

Representing clients fairly and to the best of one’s ability in court is the foremost duty of an attorney. To do that, attorneys need to understand the tools of business and the cutting-edge techniques being used in asset valuation. Failing to use these tools is not only a disservice to clients, but a severe hindrance to the attorney as well. In a competitive legal market, the Joes of the world will flock to those attorneys that free themselves to position their clients for maximum success in court.

Article By Dr. Michael McDonald of Fairfield University Dolan School of Business

© Fairfield University Dolan School of Business

The Proposed Political Subdivision Regulations: A Puzzling Reference Impacts Legal Framework of Official Legal Signals

Treasury recently issued proposed regulations that tell us whether an entity is a “political subdivision” that can issue tax-exempt bonds on its own behalf. One requirement is that an entity must serve a “governmental purpose” to be a political subdivision. The proposed regulations say that an entity is only organized for a governmental purpose if the entity operates “in a manner that provides a significant public benefit with no more than incidental benefit to private persons.” As support for this statement, the proposed regulations contain this citation: “Cf., Rev. Rul. 90–74 (1990–2 CB 34).”

This year marks the 90th anniversary of The Bluebook: A Uniform System of Citation, and last year, the 20th edition of the text was published. The Bluebook is written by law review editors at several top-tier law schools.  Depending on your perspective, it is either what it purports to be (a uniform system of citation) or a loathsome testament to the “reflex desire of every profession to convince the laity of the inscrutable rigor of its methods.”[1]  (Or both.)  There have been several pretenders to the throne, including the Maroonbook, created at the University of Chicago law school years ago, which has faded away, and the ALWD Citation Manual, created by teachers of legal writing in law school as a more user-friendly alternative. The ALWD manual has been adopted by a few jurisdictions, but the Bluebook still reigns. Each text provides for the usage of “citation signals” that introduce the citation and explain its relevance to the point that the author is making; the “Cf.” signal in the proposed political subdivision regulations is an example.

The signal “cf.” is an abbreviation for the Latin word “confer,” which translates to “compare.” It depends on which edition of The Bluebook you’re reading, but the 18th Edition (we work on a shoestring budget here at The Public Finance Tax Blog), like most modern editions, says this about the “cf.” signal: “Cited authority supports a proposition different from the main proposition but sufficiently analogous to lend support. . . The citation’s relevance will usually be clear to the reader only if it is explained.” Among the signals that an author can use to show that the cited authority supports the position the author asserts, “cf.” is the weakest.

But because the proposed political subdivision regulations offer no other support for the position that an entity cannot provide more than incidental private benefits and remain a political subdivision, one can only believe that Treasury must have meant something entirely different and that, at long last, the lowly “cf.” signal might be taking on new prominence.

And now, members of the legal citation community are scrambling to react to what could be a revolution in citation signal usage.

“Just as Darwin had his finches and Mendel had his peas, we now have these proposed regulations from Treasury,” said one editor of ALWD.  “I guess ‘cataclysm’ is probably too strong of a word to describe it,” she told The Public Finance Tax Blog. “But oh yeah, we definitely noticed.”

She told us that “we at ALWD consider ourselves more describers of ‘what is’ in legal citation practice, rather than dispensers of ‘what ought to be’ like those silverspoons over at The Bluebook.”[2]

“The fact is,” the ALWD editor continued, “the meaning of ‘cf.’ has changed many times over the years, [3] and we may be witnessing the latest evolution of the phrase here. Who says that a government agency can’t be on the cutting edge of social change in important areas like citation policy?”

“It’s certainly true that ‘cf.’ has always been the signal that gives courts and lawyers the hardest time to understand,”[4] another editor told us. “But who says that regulations – particularly tax regulations – are supposed to be easy to understand?”

Over at The Bluebook, the editors were a bit less perturbed. “Look, we make the rules here,” said one editor, swatting away a fair trade soy latte offered up by a cowering 2L line-slugger. “We are mindful of the actual – I SAID NO FOAM! GET IT RIGHT, OR WE’RE CANCELING THE 5-HOUR BLUEBOOK EXAM FOR TOMORROW – usage  of these terms, though,” she said, “and we’re obviously going to resist changing our minds based on a single usage, even if it comes from the federal government.”

“In the past, we’ve resisted changing our minds based on some of the more fatuous uses of the cf. signal,[5] so we want to wait and see whether this is some kind of joke or mistake or just a passing fad, using ‘cf.’ to introduce the sole source of authority for a proposition.” She continued, “but it appears that this might be a good-faith attempt to finally give ‘cf.’ the rightful place it deserves instead of leaving it buried at the bottom of the pile of citation signals that show support.”

“But we’ve really got our hands full with preparations for the 21st edition, and dealing with those maniacs over at Baby Blue ripping off our work to worry about this, though. And no, all you weisenheimers; cf. does not stand for ‘couldn’t find,’ and no you’re not funny.”

It’s obviously easy to criticize the furor over the potential elevation of the status of the lowly “cf.” signal to something more as a tempest in the world’s nerdiest teapot. It’s not as though these mundane citation signal questions are literally[6] a matter of life and death.[7]

Calls to Judge Richard Posner, eminent judge of the U.S. Court of Appeals for the Seventh Circuit, and a frequent critic of the inanity of the world of legal citation, were left unreturned, although I think I heard the crackling of a bonfire in the background.

© Copyright 2016 Squire Patton Boggs (US) LLP

[1] Richard Posner, The Bluebook Blues, 120 Yale L. J. 850, 860-61 (2011).

[2] Cf. (not really) Ian Gallacher, Cite Unseen: How Neutral Citation and America’s Law Schools Can Cure our Strange Devotion to Bibliographical Orthodoxy and the Constriction of Open and Equal Access to the Law, 70 Alb. L. Rev. 491, 500, at n. 48 (2007) (citing Alex Glashausser, Citation and Representation, 55 Vand. L. Rev. 59, 78 (2002), as “praising the ALWD Manual as a populist instrument that promulgates citation rules predicated upon a consensus among legal professionals, rather than “the judgment of student editors at elite law schools”).

[3] Ira P. Robbins, Semiotics, Analogical Legal Reasoning, and the Cf. Citation: Getting our Signals Uncrossed, 48 Duke L.J. 1043, 1050 (March 1999) (“The authors of The Bluebook altered its definition – albeit subtly – almost every time the manual was printed between 1947 and 1996.”)

[4] See A. Darby Dickerson, An Un-uniform System of Citation: Surviving with the new Bluebook (Including Compendia of State and Federal Court Rules Concerning Citation Form), 26 Stetson L. Rev. 53, 221, at n. 90 (1996) (citing Chemical Bank v. Arthur Andersen & Co., 726 F.2d 930, 938 n.14 (2d Cir. 1984); Palmigiano v. Houle, 618 F.2d 877, 881 n.5 (1st Cir. 1980); Doleman v. Muncy, 579 F.2d 1258, 1264 (4th Cir. 1978); Gates v. Henderson, 568 F.2d 830, 837-38 (2d Cir. 1977); Local 194, Retail, Wholesale & Dep’t Store Union v. Standard Brands, Inc., 540 F.2d 864, 867 n.4 (7th Cir. 1976); Givens v. United States, 644 A.2d 1373, 1376 (D.C. App. 1994) (Mack, S.J., dissenting); Connell v. Francisco, 898 P.2d 831, 838 (Wash. 1995) (Utter, J., dissenting); see also Givens, 644 A.2d at 1374 n.3 (concerning the “but cf.” signal)). Dickerson goes on: “As one reviewer observed: ‘The introductory signals approved by the Bluebook have been the source of dispositive judicial debate. A single “cf.” signal in a Supreme Court decision fostered extensive scrutiny among the circuits, and, with singular irony, the Bluebook was the source of ultimate authority in settling the legal questions raised in the cases.’ Peter Phillips, Book Note, 32 N.Y.L. SCH. L. REV. 199, 199-200 (1987) (reviewing the Fourteenth Edition) (footnotes omitted). The case at issue was Stone v. Powell, 428 U.S. 465, 494 n.36 (1976). See Phillips, supra, at 200 n.8.”

[5] See, e.g., Peter Lushing, Book Review, 67 Colum. L. Rev. 599, 601 (1967) (providing a review of The Bluebook’s Eleventh Edition) (“Use cf. when you’ve wasted your time reading the case.”); Hohri v. United States, 793 F.2d 304, 312 n.4 (D.C. Cir. 1986) (Bork, J., joined by Scalia, Starr, Silberman, & Buckley, JJ., noting that the use of the cf. signal means that the cited authority is “probably inapposite”).

[6] Oxford English Dictionary, Third Ed., Sept. 2011, item I(1)(a), (b), but not (c). (available online at http://www.oed.com/view/Entry/109061?redirectedFrom=literally).

[7] Gallacher, supra n. 2 at 536, n. 38 (“At least one capital punishment appeal appears to have been decided based on the Supreme Court’s interpretation of a bibliographical signal, “cf.,” and the signal’s meaning in the context of the prisoner’s brief. Lambrix v. Singletary, 520 U.S. 518, 528-29 (1997).”). The language from the Lambrix opinion: “And it introduced that lone citation with a “cf.”–an introductory signal which shows authority that supports the point in dictum or by analogy, not one that “controls” or “dictates” the result.” 520 U.S. at 529.