Raising money for your startup can be hard. Not every entrepreneur can walk into Silicon Valley with a business idea and walk out with multiple VC term sheets in hand. Sometimes the only path to financing your startup is through the hard work of pitching and cobbling together a group of angels and other individual investors. But that path takes time and can be frustrating. Potential investors may hesitate to commit or, even worse, give you the dreaded “you’re-too-early-for-us” response. The offer from a “finder” to introduce you to investors with cash sounds attractive. Why not, right? What’s the downside?
You can use a finder if their role is limited and their compensation is structured properly. But you can cause major problems for yourself and the finder if they’re too involved and paid commissions on the money raised. These are activities that only registered broker-dealers (persons or firms engaged in the business of buying and selling securities for themselves or others) can engage in. If your company uses a finder acting as a broker-dealer, you might find your fundraising round unraveling, and your finder might find themselves in trouble with the Securities and Exchange Commission (SEC).
A “true” finder
A “true” finder can be OK if they limit their role to making introductions, receive a flat or hourly consulting fee that is not contingent on the success of the offering, and avoid any active role in negotiating and completing the investment. Finders acting in this very limited capacity are not considered broker-dealers. As a result, true finders are largely unregulated under the securities laws and need not be registered with the state or federal government as broker-dealers. This area is murky, however, because there are not clear regulations and the rules of the road have been developed in court cases and case-by-case “no-action” letters from the SEC.
The real problem is that many finders do not limit their activities to mere introductions. These finders end up assisting in structuring and negotiating the offering, providing advice regarding the offering and investment, and even encouraging and inducing investors to invest. These activities make them a “broker” under the securities laws, and federal and state governments require that brokers be registered. Often the finder is not registered as a broker.
Finders also prefer success-based compensation, calculated as a percentage of the funds raised by the company, and companies prefer to pay finders only if and when they’re successful in helping to raise capital. Both courts and the SEC, however, take the position that such success-based compensation (also referred to as transaction-based compensation) is the telltale factor indicating whether a finder is acting as an unregistered broker-dealer.
So, what’s the risk?
For the company, using an unregistered broker-dealer to assist with an offering could create a rescission right in favor of the investors. If investors succeed in rescinding their investments, the company must return their money. For the finder acting as an unregistered broker-dealer, they could be subject to severe SEC sanctions and the company could void the finder’s engagement agreement, requiring return of the finder’s compensation. Moreover, even if a finder’s activities and compensation are perfectly legal, the relationship alone can still give rise to problems for the company. Any financial relationship with a finder must be disclosed to investors and listed on the company’s Form D filed with the SEC and state securities departments. Disclosure of such a relationship, again, even if perfectly legal, may nevertheless prompt some states to initiate an investigation.
The situation in Michigan, however, is even murkier. In the recent case Pransky v. Falcon Group, the Michigan Court of Appeals held that a “finder,” as defined in the Michigan Uniform Securities Act, was not required to be registered with and regulated by the State of Michigan, even where the company agreed to pay success-based compensation. Michigan companies and finders, however, should not take the opinion as a green light to engage in a finder relationship, structured with success-based compensation, without fear of regulatory oversight. The trial court initially dismissed the case on summary judgment, and as a result there was no evidence in the record of whether or not the finder’s activities went beyond mere introductions. In addition, some commentators have criticized the court’s decision. Perhaps sensing such impending criticism, the Court of Appeals, in a footnote, cautioned that the “better course of action would be for finders acting pursuant to similar contracts to protect themselves by registering, at the very least, as broker-dealers; the line between a finder’s activities and that of a broker-dealer…is a thin one and persons acting under such contracts without being registered are inviting litigation.”
The bottom line
Using finders for raising capital is not the easy solution it appears to be at first glance. Worse yet, it can lead to significant problems. As the saying goes, nothing worth having is easy. If you don’t have a VC-backable business, you may have an even harder time raising capital than most. Regardless, when it comes to raising money for your startup, be your own “finder”. Network, hustle, and tell your story. No one is more effective than you at explaining your business and the investment opportunity.
For more legal analysis check out the National Law Review.
Data privacy and cybersecurity issues are ongoing concerns for companies in today’s world. It is nothing new to hear. By now, every company is aware of the existence of cybersecurity threats and the need to try to protect itself. There are almost daily reports of data breaches and/or ransomware attacks. Companies spend substantial resources to try to ensure the security of their confidential information, as well as the personal and confidential information of their customers, employees and business partners. As part of those efforts, companies are faced with managing and understanding their various legal and regulatory obligations governing the protection, disclosure and/or sharing of data – depending on their specific industry and the type of data they handle – as well as meeting the expectations of their customers to avoid reputational harm.
Despite the many steps involved in developing wide-ranging cybersecurity protocols – such as establishing a security incident response plan, designating someone to be responsible for cybersecurity and data privacy, training and retraining employees, and requiring passwords to be changed regularly – it is not enough merely to manage risks internal to the company. Companies are subject to third-party factors not within their immediate control, in particular vendors and employee BYOD (Bring Your Own Device). If those cybersecurity challenges are not afforded sufficient oversight, they will expose a company to significant risks that will undo all of the company’s hard work trying to secure and defend its data from unauthorized disclosures or cyberattacks. Although companies may afford some consideration to vendor management and BYOD policies, absent rigorous follow up, a company may too easily leave a gaping hole in its cybersecurity protections.
To accomplish business functions and objectives and to improve services, companies regularly rely on third-party service providers and vendors. To that end, vendors may get access to and get control over confidential or personal information to perform the contracted services. That information may belong to the company, employees of the company, the clients of the company and/or business partners of the company.
When information is placed into the hands of a vendor and/or onto its computer systems, stored in its facilities, or handled by its employees or business partners, the information is subject to unknown risks based on what could happen to the information while with the third-party. The possibility of a security breach or the unauthorized use or access to the information still exists but a company cannot be sure what the vendor will do to protect against or address those dangers if they arise. A company cannot rely on its vendors to maintain necessary security protocols and instead must be vigilant by exercising reasonable due diligence over its vendors and instituting appropriate protections. To achieve this task, a company needs to consider the type of information involved, the level of protection required, the risks at issue and how those risks can be managed and mitigated.
A company must perform due diligence over the vendor and the services to be provided and should consider, among other things, supplying a questionnaire to the vendor to answer a host of cybersecurity related questions including:
> What services will the vendor provide? Gain an understanding of the services being provided by the vendor, including whether the vendor only gains access to, or actually takes possession of, any information. There is an important difference between a vendor (i) having access to a company’s network to implement a third-party solution or provide a third-party service and (ii) taking possession of and/or storing information on its network or even the network of its own third-party vendors.
> Who will have access to the information? A company should know who at the vendor will have access to the information. Which employees? Will the vendor need assistance from other third-parties to provide the contracted-for services? Does the vendor perform background checks of its employees? Do protocols exist to prevent employees who are not authorized from having access to the information?
> What security controls does the vendor have in place? A company should review the vendor’s controls and procedures to make sure they comply not only with applicable legal and regulatory requirements but also with the company’s own standards. Does the vendor have the financial wherewithal to manage cybersecurity risks? Does the vendor have cybersecurity insurance? Does the vendor have a security incident response plan? To what extent has the vendor trained with or used the plan? Has the vendor suffered a cyberattack? If so, it actually may be a good thing depending on how the vendor responded to the attack and what, if anything, it did to improve its security following the attack. What training is in place for the vendor’s employees? How is the vendor monitoring itself to ensure compliance with its own procedures?
A company should seek to include strong contractual language to obligate the vendor to exercise its own cybersecurity management and to cooperate with the company to ensure protection of the company’s data. There are multiple provisions to consider when engaging vendors and drafting or updating contracts to afford the company appropriate protections. A one-size-fits-all approach for vendors will not work and clauses will need to be modified to take account of, among other things:
> The sensitivity of the information at issue – Does the information include only strictly confidential information, such as trade secrets or news of a potential merger? Does the information include personal information, such as names, signatures, addresses, email addresses, or telephone numbers? Does the information include what is considered more highly sensitive personal information, such as SSNs, financial account information, credit card information, tax information, or medical data?
> The standard of care and obligations for the treatment of information – A company should want its vendors to meet the same standards the company demands of itself. Vendors should be required to acknowledge that they will have access to or will take possession of information and that they will use reasonable care to perform their services, including the collection, access, use, storage, disposal, transmission and disclosure of information, as applicable. This can, and often should, include: limiting access to only necessary employees; securing business facilities, data centers, paper files, servers and back-up systems; implementing database security protocols, including authentication and access controls; encrypting highly sensitive personal information; and providing privacy security training to employees. Contracts also should provide that vendors are responsible for any unauthorized receipt, transmission, storage, disposal, use, or disclosure of information, including the actions and/or omissions of their employees and/or relevant third-parties who the vendors retain.
> Expectations in the event of a security breach at the company – A company should include a provision requiring a vendor’s reasonable cooperation if the company experiences a breach. A company should have a contact at each of its vendors, who is available 24/7 to help resolve a security breach. Compliance with a company’s own obligations to deal with a breach (including notification or remediation) could be delayed if a vendor refuses to timely provide necessary information or copies of relevant documents. A company also can negotiate to include an indemnification provision requiring a vendor to reimburse the company for reasonable costs incurred in responding to and mitigating damages caused by any security breach related to the work performed by the vendor.
> Expectations in the event of a security breach at the vendor – A company should demand reasonable notification if the vendor experiences a security breach and require the vendor to take reasonable steps and use best efforts to remediate the breach and to try to prevent future breaches. A company should negotiate for a provision permitting the company to audit the vendor’s security procedures and perhaps even to physically inspect the vendor’s servers and data storage facilities if the data at issue is particularly sensitive.
Due diligence and contractual provisions are necessary steps in managing the cybersecurity risks that a vendor presents, but absent consistent and proactive monitoring of the vendor relationship, including periodic audits and updates to vendor contracts, all prior efforts to protect the company in this respect will be undermined. Determining who within the company is responsible for the relationship – HR? Procurement? Legal? – is critical to help manage the vendor relationship.
> Schedule annual or semi-annual reviews of the vendor relationship – A company not only should confirm that the vendor is following its cybersecurity protocols but also should inquire if any material changes to those protocols have been instituted that impact the manner in which the vendor handles the company’s data. Depending on the level of sensitivity of the data being handled by the vendor, a company may consider retaining a third-party reviewer to evaluate the vendor.
> Update the vendor contract, as necessary – A company employee should be responsible to review vendor contracts annually to determine if any changes are necessary in view of cybersecurity concerns.
Ransomware – where a hacker demands a ransom to decrypt a company’s data after encrypting it with malicious software that the hacker deposited onto the company’s network to hold it hostage – certainly is a heightened concern for all companies. It is the fastest growing malware targeting all industries, with more than 50% growth in recent years. Every company is wary of ransomware and is trying to do as much as possible to protect itself from hackers. The best practices against ransomware are to (i) periodically train and retrain your employees to be on the lookout for ransomware; (ii) constantly back up your data systems; and (iii) split up the locations where data is maintained to limit the damage in the event some servers fall victim to ransomware. One thing that easily is overlooked, however, or is afforded more limited consideration, is a company’s BYOD policy and enforcement of that policy.
Permitting a company’s employees to use their own personal electronic devices to work remotely will lower overhead costs and improve efficiency but will bring a host of security and compliance concerns. The cybersecurity and privacy protocols that the company established and vigorously pursues inside the company must also be followed by its employees when using their personal devices – home computers, tablets, smartphones – outside the company. Employees likely are more interested, however, in the ease of access to work remotely than in ensuring that proper cybersecurity measures are followed with respect to their personal devices. Are the employees using sophisticated passwords on their personal devices or any passwords at all? Do the employees’ personal devices have automatic locks? Are the employees using the most current software and installing security updates?
These concerns are real. In May of 2017, the WannaCry ransomware attack infected more than 200,000 computers in over 100 countries, incapacitating companies and hospitals. Hackers took advantage of the failure to install a patch to Microsoft Windows, which Microsoft had issued weeks earlier. Even worse, it was discovered that some infected computers were using outdated versions of Microsoft Windows for which the patch would not have worked regardless. Companies cannot risk pouring significant resources into establishing a comprehensive security program only to suffer a ransomware attack or otherwise to have their efforts undercut by an employee working remotely who failed to install appropriate security protocols on his/her personal devices.
The dangers to be wary of include, among others:
> Personal devices may not automatically lock or have a timeout function.
> Employees may not use sophisticated passwords to protect their personal devices.
> Employees may use unsecured Wi-Fi hotspots to access the company’s systems, subjecting the company to heightened risk.
> Employees may access the company’s systems using outdated software that is vulnerable to cyberattacks.
Combatting the Dangers
To address the added risks that accompany allowing BYOD, a company must develop, disseminate and institute a comprehensive BYOD policy. That policy should identify the necessary security protocols that the employee must follow to use a personal device to work remotely, including, among other things:
> Sophisticated passwords
> Automatic locks
> Encryption of data
> Installation of updated software and security apps
> Remote access from secure WiFi only
> Reporting procedures for lost/stolen devices
A company also should use mobile device management technology to permit the company to remotely access the personal devices of its employees to install any necessary software updates or to limit access to company systems. Of course, the employee must be given notice that the company may use such technology and the capabilities of that technology. Among other things, mobile device management technology can:
> Create a virtual partition separating work data and personal data
> Limit an employee’s access to work data
> Allow a company to push security updates onto an employee’s personal device
Similar to vendor management, the cybersecurity efforts undertaken by having a robust BYOD policy in place, or even using mobile management technology, are significantly weakened unless a company enforces the policy it has instituted.
> A BYOD policy should be a prominent part of any employee cybersecurity training.
> The company should inform the employee of the company’s right to access/monitor/delete information from an employee’s personal device in the event of, among other things, litigation and e-discovery requests, internal investigations, or the employee’s termination.
Implementing the above recommendations will not guarantee a company will not suffer a breach but will stem the threats created by third-party aspects of its cybersecurity program. Even if a company ultimately suffers a breach, having had these protections in place to administer the risks associated with vendor management and BYOD certainly will help safeguard the company from the scrutiny of regulators or the criticism of its customers, which would be worse!
The next time you visit a construction site, look up. You may see a drone in flight. The explosion of interest in the unmanned aircraft systems (UAS) industry is driven by their potential for data collection because of the ability to carry many different onboard sensors. In the construction industry, drones are used for inspections, security and surveillance, material delivery, securing investment, augmented reality, and to identify safety issues.
Drones can also be used to improve day-to-day operations by creating time lapses, job-site monitoring, and thermal imaging. Other examples of ways drones can be used in the construction industry include: design, engineering, planning, marketing, volumetrics, as-builts, construction progress, and site logistics.
Prior to August 2016, there were many legal prohibitions that limited the use of commercial drones. However, 14 CFR § 107 (Part 107) revolutionized the operation of UAS weighing less than 55 pounds and operating for commercial purposes. This regulation affords commercial operators the opportunity to fly UAS without prior case-by-case approval from the Federal Aviation Administration (FAA), as long as they comply with certain restrictions. Some of the key operating restrictions include maintaining a visual-line-of-sight, operating only during the daytime or twilight hours, not flying over people not directly participating in the drone mission, and maximum speed and altitude limits. Transport Canada, which is responsible for transportation policies and programs in that country, has also recommended similar guidelines, including keeping the drone in visual line of sight and operating the drone during daylight hours. Additionally, there are extensive requirements for commercial operations under a Special Flight Operating Certificate (SFOC), but Transport Canada is in the process of revisiting these rules.
Most of the restrictions under Part 107 are waivable, if granted permission from the FAA through an online application process. The Part 107 waiver process incorporates significant flexibility into the regulations. The waiver process is a tool that the construction industry can utilize to maximize the value and use of UAS. Possible areas to request a waiver include nighttime operations, simultaneous operation of multiple aircraft, operation over people, and operation in restricted airspace.
Use of UAVs in the United States is subject to the enforcement authority of the FAA. The FAA has broad enforcement authority and investigatory powers, which require it to regulate aircraft operations in the National Airspace System (NAS) in order to ensure the safety of persons, property, and manned aircraft. The FAA may take enforcement action against anyone who conducts an unauthorized UAS operation or operates a UAS in a way that endangers the safety of the NAS. The FAA works with local and state law enforcement to explain the legal framework surrounding UAS and to seek help in identifying unlawful UAS operators. Specifically, UAS must comply with safety requirements of Part 107. In addition, those who “endanger the safety of the national airspace system” may face penalties, including warning notices, letters of correction, and civil penalties. With regard to the FAA’s investigatory power, it needs only a “reasonable ground” to show a violation of a statute or regulation to initiate an investigation.
Transport Canada overall has conducted minimal enforcement of drone operations. In 2016, it undertook a large educational effort with regard to the safe operation of drones. It does have an online enforcement tool that provides information about “dos and don’ts” for flying drones, as well as details about regulations.
The increased prevalence of UAVs has prompted the courts to review the unsettled area of airspace law. One issue is the private versus public control of airspace. On one hand is the common law principle of property ownership that states that one controls the airspace above their privately owned land. On the other hand are FAA regulations, which claim jurisdiction over all U.S. airspace. Additionally, increased state legislation aimed at drone regulation has created preemption concerns, particularly when the state laws are in conflict with federal laws.
Another risk is that liability arising from drones is not covered in typical commercial liability insurance policies. However, it can be added to both property and liability coverage, which generally protects the insured against damage done by or to its drone. Some regulators propose requiring certain drone users to purchase liability insurance.
In order to keep up with the growth and changing needs of drone use, rulemaking for drone usage will likely continue and expand over the coming months.
California’s Equal Restroom Access Act, which requires some establishments with single-occupancy restrooms to display signs indicating that the restroom is gender-neutral, has been in effect since March 1, 2017. Assembly Bill No. 1732 (AB 1732), which Governor Jerry Brown signed on September 29, 2016, requires these restrooms “to be identified as all-gender toilet facilities” and that the signs used to designate these restrooms comply with Title 24 of the California Code of Regulations.
1. Which Restrooms Are Covered?
The new law applies to “[a]ll single-user toilet facilities in any business establishment, place of public accommodation, or state or local government agency.” AB 1732 defines “single-user toilet facility” as “a toilet facility with no more than one water closet and one urinal with a locking mechanism controlled by the user.”
2. What Does the Law Require?
The law simply requires businesses, agencies, and places of public accommodation to use the proper signage—i.e., gender-neutral signage—on any single-user restrooms that they have.
3. What Must the Sign Look Like?
The signs on single-user restrooms must comply with Title 24 of the California Code of Regulations. This means that each covered single-user restroom must, at minimum, have the following signage:
- A sign with a geometric symbol of a triangle superimposed on a circle
- A designation tactile (i.e., capable of being read by touch) sign that indicates that the facility is a restroom
4. Does the Law Require That Specific Language Be Used?
The law does not require any specific wording on the signs as long as the wording used is gender neutral. For example, the sign may state “Restroom,” “All-Gender Restroom,” “Gender-Neutral,” “Unisex,” or “All Welcome.” Similarly, language written in raised letters and/or Braille must also be gender-neutral.
Note that the City of San Francisco has more restrictive laws in place regarding the wording and images on restroom signs.
5. How Will the Law Be Enforced?
The law permits inspectors, building officials, and other local officials who are “responsible for code enforcement” to inspect a restroom for compliance with this section during “any inspection of a business or a place of public accommodation.”
Affected employers with single-occupancy restrooms on their premises should ensure that the signs on the single-user restrooms are in compliance with Title 24 of the California Code of Regulations. Employers should also take this opportunity to review the Fair Employment and Housing Council’s gender identity regulations that went into effect on July 1, 2017. The regulations’ restroom access provisions require an employer to allow an employee to use the restroom facility that corresponds to the employee’s gender identity or gender expression, regardless of the employee’s sex assigned at birth.
Reassigned numbers have been at the center of the surge in litigation under the Telephone Consumer Protection Act (“TCPA”) during the last few years. By now the story is well known to businesses that actively communicate with their customers: the customer consents to receive telemarketing and/or informational robocalls at a wireless telephone number, but months or years later the customer changes his or her wireless telephone number and—unbeknownst to the business—the telephone number is reassigned to a different person. When the recipient of the reassigned number starts receiving calls or messages from the business, a lawsuit often ensues under the TCPA because that party has not consented to receive such calls. The FCC adopted on July 13 a Second Notice of Inquiry (“Second NOI”) that promises to address this problem in a meaningful way. Specifically, the Second NOI focuses on the feasibility of “using numbering information to create a comprehensive resource that businesses can use to identify telephone numbers that have been reassigned from a consumer who has consented to receiving calls to a consumer who has not.”
Background on the Reassigned Number Problem
Under the current regime, the North American Numbering Plan (NANP) Administrator generally provides telephone numbers to voice service providers—including those who supply interconnected voice—in blocks of 1000. The voice service providers recycle those numbers in and out of service, such that, after a number has been dropped, the number goes into a pool for a short period and then is brought out of the pool and reassigned to a different consumer.
The “reassigned number problem” occurs when a consumer consents to receive robocalls (telemarketing and/or informational), but then terminates service to the relevant wireless number without informing the businesses the consumer previously gave consent to make the robocalls. Businesses that find themselves making robocalls to numbers that (unbeknownst to them) had been reassigned to a different consumer increasingly find themselves subject to lawsuits under the TCPA—this even though it has been widely acknowledged that (1) customers often switch telephone numbers without providing notice to businesses and (2) there is no public directory of reassigned wireless numbers that businesses can rely on to identify and scrub reassigned numbers. When various industry groups and business entities asked the FCC to intervene, the FCC clarified that businesses making robocalls needed the consent of “the actual party who receives a call,” not of the intended recipient of the robocall. The FCC created a so-called “safe harbor” that afforded little protection in practice: a business could make a single call to a reassigned number without triggering liability under the TCPA, but the business would then be imputed with “constructive” knowledge that the number had been reassigned even if the single call did not yield actual confirmation that the number had been reassigned. The FCC did so even as it admitted that the tools available to identify reassigned numbers “will not in every case identify numbers that have been reassigned” and that the steps it was taking “may not solve the problem in its entirety” even “where the caller is taking ongoing steps reasonably designed to discover reassignments and to cease calls.”
The Second NOI
The Second NOI promises to more meaningfully address the reassigned number problem by suggesting the creation of a reliable, complete list of reassigned numbers that service providers would be required to update. In pertinent part, the Second NOI addresses a number of other topics, including, but not limited to, possible reporting alternatives, compensation schemes, frequency of updates, and fees and eligibility requirements for accessing reassigned number data. It also asks a number of logistical questions, including, but not limited to:
(1) What are the ways in which voice service providers could report the information in an accurate and timely way?
(2) Would the reporting—into a database or other platform—“substantially improve robocallers’ ability to identify reassigned numbers?”
(3) What information should voice service providers report?
(4) In what ways might the information reported raise concerns regarding the disclosure of private, proprietary, or commercially sensitive information?
(5) Should reassignment of toll-free numbers also be reported?
(6) What is the quantity of numbers reassigned and the benefits of reducing unwanted calls to these numbers?
(7) Should there be a safe harbor from TCPA violations for robocallers who use the new reassigned number resource? What would be the advantages and disadvantages?
(8) How can the FCC incentivize robocallers to use the reassigned number resource?
In addition, the Second NOI seeks comment on whether the notification requirement should apply to all voice service providers or just providers of wireless services, and how to “balance the reporting burden placed on voice service providers against consumers’ privacy interests and robocallers’ interest in learning of reassignments.” The item also seeks comment on which entity should be responsible for notification in circumstances when a voice service provider does not receive numbers directly from NANP, but instead obtains numbers “indirectly” from carrier partners.
The Commission claims it has the authority under Sections 227(b) and 251(e) of the Communications Act of 1934, as amended—which give the FCC control over the US portion of NANP and incorporate the TCPA—to require entities that obtain numbers from NANP to also report reassignments. In fact, the Commission claims that doing so may further the statutory goals underlying the TCPA, which generally prohibits unwanted robocalls.
Although many details remain to be discussed and addressed by the FCC, the creation of the list that the FCC is proposing would address one of the main challenges faced by businesses that want to comply with the TCPA: how to gather reliable and complete information regarding which wireless telephone numbers have been reassigned. The possibility of such a list working similarly to the one available to identify telephone numbers on the Do Not Call List is particularly promising, especially if it is accompanied by safe harbor provisions similar to those attached to the Do Not Call List obligations in the FCC’s rules.
Comments are due August 28, 2017 and Reply Comments September 26, 2017.
 For purposes of this post “robocalls” refers to both calls made using an automatic telephone dialing system or using an artificial voice or pre-recorded message.
Acting US Attorney Joel Levin says the new dedicated unit aims to bring “even greater focus, efficiency, and impact to our efforts in this important area.”
The US Attorney’s Office for the Northern District of Illinois recently announced the creation of a Health Care Fraud Unit—a team of five assistant US attorneys devoted to prosecuting all types of healthcare fraud cases, including fraudulent billing schemes and diversion of controlled substances.
The announcement came just days after the largest US Department of Justice national healthcare fraud enforcement “takedown” action against 412 defendants across 41 federal districts for the alleged participation in schemes involving over $1 billion in fraudulent healthcare billing. Fifteen individuals, including two Chicago-area licensed physicians, are facing federal criminal charges and potential Office of Inspector General (OIG) exclusion as a result of this action.
Nationwide, US Attorney offices have a major role in healthcare fraud enforcement. In Fiscal Year 2016 alone, US Attorney offices opened 975 new criminal healthcare fraud investigations and 930 new civil healthcare fraud investigations.
While the US Attorney’s Office for the Northern District of Illinois has a long history of prosecuting healthcare fraud cases, the creation of a dedicated unit within the office may have a number of quantifiable effects, including the following:
Rise in Criminal Investigations and Prosecutions. The dedicated unit, comprised of criminal prosecutors, will focus on the criminal prosecution of entities and individuals when the alleged healthcare fraud rises to the level of criminal culpability. As such, there likely will be a rise in investigative activity that includes attempted interviews of potential targets, subjects, or witnesses by government agents; the issuance of grand jury subpoenas; and the execution of search warrants.
In addition, the criminal prosecutors undoubtedly will work closely with government attorneys assigned to the civil division and—to the extent permitted in accordance with grand jury secrecy rules—share certain information with civil division attorneys.
Rise in Enforcement Investigations and Actions. With increased focus, resources, and the sharing of information obtained from criminal investigations, there also may be a rise in the number of civil investigative demands issued to companies in the healthcare industry that are suspected of fraud, waste, and abuse. The US Attorney’s Office for the Northern District of Illinois may become more proactive in its efforts—alongside the OIG—to increase the collection of civil penalties against healthcare organizations and executives.
Rise in Qui Tam Suits. With a dedicated Health Care Fraud Unit, the Northern District of Illinois may become a more attractive venue for whistleblowers seeking to recover under the False Claims Act for alleged fraud, waste, and abuse.
The new Health Care Fraud Unit will operate within the criminal division of the US Attorney’s Office for the Northern District of Illinois. Assistant US Attorney Heather McShain will lead the unit, and Assistant US Attorney Stephen Chahn Lee will serve as senior counsel.
 See The Department of Health and Human Services and The Department of Justice Health Care Fraud and Abuse Control Program Annual Report for Fiscal Year 2016.
The fourth edition of Government Contract Law is a comprehensive, step-by-step guide through all aspects of federal government contracting and incorporates numerous significant changes in procurement since the Third Edition was published.
Based on the Contract Attorney’s course of The Judge Advocate General’s Law Center and School, this valuable deskbook is designed to help you safely navigate the entire federal contracting process — from pre-bidding through award, and on to protest and litigation — with the least risk to your client or company.
Since the last edition, there have been many changes in government contract law. The executive branch has implemented several policy initiatives through the power of federal contracting, including revised labor policies. Similarly, Congress has implemented changes, including regulation of contractor business systems, trafficking in persons, and provisions addressing problems that have been identified in the past decade such as perceived misuse of commercial items. What has not changed is the basic system of acquiring goods and services.
This fourth edition of the ABA’s revisions to the Judge Advocate General’s Legal Center and School’s Contract Law Deskbook includes updates to references, new chapters (which do not appear in the JAG School’s version), and chapter revisions that include material that is useful to contractor attorneys and the private bar. This edition has been expanded and can be used by military attorneys as well as practitioners who are not a part of the military.
This Deskbook has been cited by the U.S. Supreme Court, served as a foundation for numerous continuing legal education materials, and is used daily by hundreds of attorneys.
The Departments of Labor, Treasury and Health and Human Services (Departments) continue to issue FAQs addressing the implementation of the Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA), as amended by the Affordable Care Act and the 21st Century Cures Act (Cures Act). The MHPAEA prohibits group health plans from imposing financial requirements and treatment limitations on mental health and substance use disorder benefits that are more restrictive than the requirements imposed on medical and surgical benefits. The Cures Act requires the Departments to solicit public feedback regarding how to improve required disclosures under the MHPAEA. The FAQs in Part 38 contain the same request for public comment that was in Implementation Part 34, and provide a draft model form that can be used by participants to request information from a health plan regarding nonquantitative treatment limitations (NQTL) that may affect their mental health and substance use disorder benefits, or to obtain documentation after an adverse benefit determination involving these benefits.
In addition, the FAQs provide guidance regarding eating disorder coverage. If a plan provides these benefits, FAQ-1 in Part 38 confirms that the coverage must comply with the MHPAEA. The guidance indicates that “eating disorders are mental health conditions and therefore treatment of an eating disorder is a ‘mental health benefit’ within the meaning of that term as defined by MHPAEA.” Plans should be reviewed to determine whether financial requirements and treatment limitations placed on eating disorder treatment comply with the parity requirements under the MHPAEA.
In remarks to the Economic Club of New York on July 12, 2017, SEC Chairman Jay Clayton outlined eight guiding principles for his chairmanship and identified certain areas in which such principles could be put into practice. Chairman Clayton’s remarks – his first public speech as SEC Chairman – indicated his interest in, among other things, creating a Fixed Income Market Structure Advisory Committee to give advice to the SEC on regulatory issues impacting fixed income markets and coordinating with the U.S. Department of Labor (DoL) to bring “clarity and consistency” to the issue of standards of conduct for investment professionals, noting the DoL’s Fiduciary Rule is now partially in effect.
Clayton stated that the following principles will guide his SEC chairmanship:
• Principle 1: “The SEC’s mission is our touchstone.” Chairman Clayton stated that each tenet of the SEC’s three-part mission – (1) to protect investors, (2) to maintain fair, orderly, and efficient markets, and (3) to facilitate capital formation – is critical.
• Principle 2: “Our analysis starts and ends with the long-term interests of the Main Street investor.” According to the Chairman, an assessment of whether the SEC is abiding by its three-part mission must focus on the impact of its actions on “Mr. and Ms. 401(k)” and whether the SEC’s actions further the long-term interests of such investors.
• Principle 3: “The SEC’s historic approach to regulation is sound.” The SEC’s regulatory approach, focusing on disclosure and materiality, and using the SEC’s “extensive enforcement capabilities” as a “back-stop” to disclosure rules and oversight systems, is sound. In expressing his support for disclosure-based rules, Clayton asserted that informed decision-making by investors supports more accurate valuations of securities and more efficient allocation of capital. As to the “back-stop,” the anti-fraud regime established by Congress and the SEC, Clayton noted the government’s “extensive enforcement capabilities on those who try to circumvent established investor protections or otherwise engage in deceptive or manipulative acts in the markets.” Taking the foregoing into account, Chairman Clayton maintained that “wholesale changes” to the SEC’s fundamental regulatory approach would “not make sense.”
• Principle 4: “Regulatory actions drive change, and change can have lasting effects.” Although Chairman Clayton endorsed the disclosure-based regime of the SEC, he cautioned that the incremental impact of regulatory changes to this regime has included a significantly expanded scope of required disclosures “beyond the core concept of materiality.” He cited increased disclosure as among the factors that may make alternatives for raising capital increasingly attractive for small and medium-sized companies. Chairman Clayton added that fewer small and medium-sized public companies may mean less liquid trading markets for those that remain public and, to the extent companies are not raising capital in public markets, “the vast majority of Main Street investors will be unable to participate in their growth.”
• Principle 5: “As markets evolve, so must the SEC.” Noting that technology and innovation are changing the way markets work and investors transact, Chairman Clayton stated that the SEC must take this “dynamic atmosphere” into account and “strive to ensure that our rules and operations reflect the realities of our capital markets.” Further to this point, Clayton remarked that the evolution of capital markets presents opportunities for regulatory improvements and efficiencies and noted that the SEC is “adapting machine learning and artificial intelligence to new functions, such as analyzing regulatory filings.” Chairman Clayton cautioned, however, that implementing regulatory change has costs, including the “significant resources” spent by companies to build compliance systems.
• Principle 6: “Effective rulemaking does not end with rule adoption.” Chairman Clayton stated that the SEC should review its rules “retrospectively,” and listen to investors and others as to areas in which rules are, or are not, functioning as intended.
• Principle 7: “The costs of a rule now often include the cost of demonstrating compliance.” Chairman Clayton noted that the SEC must ensure that, at the time of adoption, the SEC has a “realistic version for how rules will be implemented,” as well as how the SEC will examine for compliance. In this regard, according to Clayton, “[v]aguely worded rules can too easily lead to subpar compliance solutions or an overinvestment in control systems.”
• Principle 8: “Coordination is key.” According to Chairman Clayton, coordination with, between, and among all of the various U.S. federal regulatory bodies, state securities regulators, self-regulatory organizations and various other regulatory players “is essential to a well-functioning regulatory environment.” To illustrate his point, Clayton cited the dual regulatory structure for over-the-counter derivatives called for by the Dodd-Frank Act and working with the CFTC in this respect. Chairman Clayton noted that cybersecurity is also an area where coordination is critical, adding that the SEC is working with “fellow financial regulators to improve our ability to receive critical information and alerts and react to cyber threats.”
Fixed Income Markets
In a portion of his remarks titled, “Putting Principles into Practice,” Chairman Clayton observed that the “time is right for the SEC to broaden its review of market structure to include specifically the efficiency, transparency, and effectiveness of our fixed income markets.” The SEC, according to Clayton, must explore whether fixed income markets “are as efficient and resilient as we expect them to be, scrutinize our regulatory approach, and identify opportunities for improvement.” In this connection, Chairman Clayton stated that he has asked the SEC staff to develop a plan for creating a Fixed Income Market Structure Advisory Committee.
Chairman Clayton also touched upon the DoL’s Fiduciary Rule, noting that he recently issued a statement seeking public input on standards of conduct for investment advisers and broker-dealers. Chairman Clayton expressed hope that the SEC can “act in concert with our colleagues at the [DoL] in a way that best serves the long-term interests of Mr. and Ms. 401(k).” He also noted that “any action will need to be carefully constructed, so that it provides appropriate and meaningful protections but does not result in Main Street investors being deprived of affordable investment advice or products.”
The transcript of Chairman Clayton’s remarks is available at: https://www.sec.gov/news/speech/remarks-economicclub-new-york.
With the fate of health care reform—and its repeal and/or replacement—up for grabs in Washington, there is a health-related compliance item outside of health care reform that should be on employers’ radars: health savings accounts (HSAs) and the new Employee Retirement Income Security Act (ERISA) fiduciary rule.
We have previously kept you apprised concerning the evolving saga of the ERISA fiduciary rule, the Best Interest Contract Exemption (BICE), and other related exemptions in a series of posts. As you likely know, post-inauguration, this hotly-debated and controversial rule and its exemptions largely became effective June 9, 2017 (with a transition period extending through year-end).
At this stage, most employers and plan sponsors have engaged in dialogue with their retirement plan investment advisors and recordkeepers to understand what is being done to comply with the rule. However, employers offering HSAs, the custodial accounts that can be paired with high deductible health plans (HDHPs) to gain significant tax benefits, should not turn a blind eye to this rule.
Discussing the ERISA fiduciary rule in the context of HSAs may seem surprising or bizarre given that HSAs are generally not plans governed by ERISA. These accounts are employee-owned (no “use it or lose it” applies) and not employer-sponsored. That said, the Department of Labor has taken the position that an HSA should be treated like an Individual Retirement Account for purposes of the ERISA fiduciary rule, given that its investment accounts may be used as savings accounts for retiree health care expenses. Depending upon the level of involvement an employer has with the HSA, including whether the employer offers or actively facilitates the provision of investment recommendations/advice on the HSA investments or receives a benefit (including revenue sharing) from an HSA vendor or investment, ERISA’s expanded fiduciary rule could come into effect.
At a minimum, an employer who offers a HDHP and facilitates HSA contributions should consider whether its involvement could trigger ERISA fiduciary status. This undertaking could involve reviewing HSA vendor agreements and related practices touching investments. Even if it is determined that the employer is unlikely to be a fiduciary for its HSA plan, an employer may still benefit from implementing certain features of ERISA best practices to mitigate risk for their organization and employees during this transition time period.