Our panel is composed of accomplished arbitrators and mediators–attorneys, former federal and state judges, and business owners specializing in a diverse range of domestic and international subjects. Each brings a lifetime of experience in fields including healthcare, cyber-security, IP, aerospace, energy and more. When resolving your dispute requires industry expertise, trust the American Arbitration Association®
Gillam
Anyone who is responsible for cybersecurity at a business or involved in the legal aftermath of a data breach must dread looking at the numbers. The average cost of these attacks set an all time high this year of $4.45 million per breach, according to a report issued recently by IBM. Cyber insurance premiums rose 28 percent in Q4 2022. The Federation of European Risk Management Associations warned that cyber insurance was in danger of becoming “an unviable product.” It’s a grim picture, but in this issue of Today’s General Counsel, Brian Gillam writes that there is a silver lining for small and medium businesses. He notes that the average costs of a data breach are skewed because they factor in the kind of hefty losses by large businesses that smaller ones are not likely to suffer. He also has some interesting numbers of his own pertaining to the appropriate amount to spend on cyber-attack prevention, and how that affects insurance.
In an interview, Nick Vandivere of Thomson Reuters discusses how best to integrate functional AI into legal department processes in a way that helps with specific tasks. In other articles, Matthew Grady writes about handling intellectual property if we encounter economic down-times, and co-authors Corinne Spencer and Jonathan Brown examine the compliance obligations that a new California regulation, SB 1162, imposes on employers.
Bob Nienhouse, Editor-In-Chief bnienhouse@TodaysGC.com
EDITOR-IN-CHIEF
Robert Nienhouse
SENIOR MANAGING EDITOR
Amanda Kaiser EXECUTIVE EDITOR
Bruce Rubenstein
CHIEF OPERATING OFFICER
Stephen Lincoln
DIGITAL EDITOR
Catherine Lindsey Nienhouse
SENIOR EDITOR
Barbara Camm
MANAGING DIRECTOR OF CLIENT PARTNERSHIPS & INITIATIVES
Lainie Geary
WEB EDITOR
Jessica Bajorinas
ART DIRECTION & PHOTO ILLUSTRATION MPower Ideation, LLC
FEATURES EDITOR
Jim Gill
ACCOUNT EXECUTIVE
Stella Valdez
DATABASE MANAGER
Patricia McGuinness
Jonathan J. Brown
Brian Gillam
Matthew Grady
Corinne D. Spencer
Nick Vandivere
SUBSCRIPTION Subscription rate per year: $199
For subscription requests, email subscriptions@todaysgc.com
Dennis Block GREENBERG TRAURIG, LLP
Thomas Brunner WILEY REIN
Peter Bulmer JACKSON LEWIS
Mark A. Carter DINSMORE & SHOHL
James Christie BLAKE CASSELS & GRAYDON
Adam Cohen FTI CONSULTING
Jeffery Cross SMITH, GAMBRELL & RUSSELL, LLP
REPRINTS
For reprint requests, email Lisa Payne: lpayne@mossbergco.com Mossberg & Company Inc.
Thomas Frederick WINSTON & STRAWN
Jamie Gorelick WILMERHALE
Robert Haig KELLEY DRYE & WARREN
Robert Heim DECHERT
Joel Henning
JOEL HENNING & ASSOCIATES
Sheila Hollis DUANE MORRIS
David Katz WACHTELL, LIPTON, ROSEN & KATZ
Steven Kittrell MCGUIREWOODS
Nikiforos latrou WEIRFOULDS
Timothy Malloy MCANDREWS, HELD & MALLOY
Steven Molo MOLOLAMKEN
Thurston Moore
HUNTON & WILLIAMS
Robert Profusek
JONES DAY
Art Rosenbloom
CHARLES RIVER ASSOCIATES
George Ruttinger CROWELL & MORING
Jonathan S. Sack MORVILLO, ABRAMOWITZ, GRAND, IASON & ANELLO, P.C.
Victor Schwartz SHOOK, HARDY & BACON
Jonathan Schiller BOIES, SCHILLER & FLEXNER
Robert Zahler
PILLSBURY WINTHROP SHAW PITTMAN
All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information or retrieval system, without the written permission of the publisher. Articles published in Today’s General Counsel are not to be construed as legal or professional advice, nor unless otherwise stated are they necessarily the views of a writer’s firm or its clients.
Today’s General Counsel (ISSN 2326-5000) is published ten times per year by Nienhouse Group Inc., 110 N. Wacker Drive, Suite 2500, Chicago, Illinois 60606. Image source: iStockphoto | Copyright © 2023 Nienhouse Group Inc. Email submissions to editor@todaysgc.com or go to our website www.todaysgeneralcounsel.com for more information.
Nick Vandivere is Vice President, Product, at Thomson Reuters, and leads the product and go-to-market strategy for Document Intelligence, the latest Artificial Intelligence solution in the Thomson Reuters Legal Technology portfolio. Prior to joining Thomson Reuters, he served as CEO of ThoughtTrace, where he oversaw the company’s transformation into a leader in the application of applied artificial intelligence and machine learning. Today’s General Counsel recently interviewed Mr. Vandivere.
Let’s start with your take on how the market and technology have evolved since you first started working in the legal industry.
So, if we zoom out a bit and take a broader look, I’ve noticed two major changes in the market in the last 5-10 years. Back in 2016 and 2017, when we created the Document Intelligence platform, it was quite a challenge to convince people that our AI technology could actually read contracts and assist them in their jobs. Some folks were downright skeptical, and some even thought it was all just smoke and mirrors. We had to work hard to show them that, yes, this was absolutely possible, and no, it wasn’t going to replace them.
Functional AI, going forward, is going to be very much with humans in the loop. I think the market has come a long way on that. Now, when we meet with clients (and I’m guessing this holds true for other vendors too), the focus has shifted. It’s no longer about proving that AI is a real thing that works. That battle has been won. The question now is whether our specific product, our AI, can meet their needs effectively.
That’s a big shift and I think it’s one that portends very, very good things for legal tech going forward. We’re past the phase of mass skepticism of the general market and
Nick Vandivere Vice President, Product, at Thomson Reuters nick.vandivere@thomsonreuters.com
we’re into the phase of, “How can this product actually meet my needs?” Which is a big change.
What are some of the mistakes you see organizations making when it comes to AI?
I think the biggest mistake someone can make is to blindly commit to a specific technology without fully understanding if it will truly solve their problems. I’m not suggesting that everyone should spend six months testing out a technology before making a decision. That’s not realistic for either side, to be honest. However, I do believe that everyone needs to focus their AI implementations — or any innovation goal for that matter — on solving what needs to be fixed or improved. So begin with that end in mind, not the technology itself, despite the hype or latest trends.
Once that is clear, and you find a partner you trust with a solution that works for you, focus on achieving real success, not just in terms of what the AI can do, but also in terms of people actually using and embracing it.
Another common mistake I have seen is when companies expect their legal teams to train the AI models to fit their organizational requirements themselves. You see, AI requires a substantial amount of data, and that large volume of data also must be diverse to build scalable and accurate models. Often, when companies try to train their own models, after six months, they find themselves stuck with minimal progress and a long way from seeing any return on investment or value. Most legal teams aren’t experts in training AI models, so my advice would be to partner with someone you trust, with a history rooted in innovation, and who specializes in that area.
So how have the recent generative AI developments that have taken 2023 by storm impacted your customers?
I think the really cool thing is the immense buzz in conversation about the impact of AI in the short and long term. It’s really raising awareness and urgency among organizations to figure out AI. ChatGPT has played a huge role in that. It’s had a much bigger impact than anything else I can think of, except maybe when IBM Watson won Jeopardy. That created a lot of buzz, but it was less practical compared to Large Language Models (LLM) like ChatGPT. With ChatGPT, I can actually ask it to generate an assignment provision for me as a legal professional, and it’ll give me something that sounds good. The only issue is that it may not always be accurate or aligned with the company’s drafting playbook or risk tolerance, presenting a challenge that can be addressed by integrating LLM-enabled technology with expert legal content and oversight. However, this buzz has led to two things: organizations, like law firms and corporations, that are early adopters of technology are moving faster to gain an advantage. It’s a smart move. Right now, we can see that they’re acting with a greater sense of urgency. On the other hand, there are those who prefer a wait-and-see approach in the broader market. They also feel the urgency, but they want to see what actually works and who the winners will be before they make their decisions. Moving quickly has its advantages for organizations if done well, although it carries some risks. But there’s definitely risk and loss in moving slowly as well. People tend to overlook the downsides of waiting. So, the key thing to me is to move quickly but in a smart way where you manage your risk.
I know data security is important when it comes to using new technologies in relation to sensitive corporate and legal data. What are your thoughts on the best approach to this?
This is a big question that needs addressing, and technology providers should have clear answers about what their applications can and cannot do, as well as where potential risks lie. And here’s the thing, risks will be present to some extent in everything. It’s important for those risks to be openly acknowledged. Take generative AI, for example. It involves inputting information and receiving a response that’s not pre-programmed but finely tuned. That, in itself, poses risks in terms of how people actually use that data. So, the number
one priority should be transparency, not just presenting it as a fancy wrapper for widely available technology. There’s a lot to figure out here, but as vendors, we have a responsibility to mitigate a significant portion of those risks. And when risks do exist, we must be completely transparent about them.
It’s taken time for the legal market to become comfortable with supervised learning technologies that help with specific tasks like contract review, and then generative AI arrives and creates uncertainty. Have these recent developments complicated this general view of AI in the legal community? Are customers able to compartmentalize those various offerings and understand where AI can work for them?
Many customers haven’t quite figured out how to handle this properly yet. So, we really need to focus on educating the market. But if you want to make the most of generative AI, you still have to put in a ton of effort in preparing the data and doing it right. It’s no different than supervised AI that excels in document classification, provision extraction, and recognizing similar topics through clustering: you still have to figure out where a certain document is stored, which system to look in, find the relevant version, and understand the meaning behind certain clauses you’re filtering. The same type of preparation is fundamental to getting the best results from generative AI as well.
And this is assuming that for law firms or corporations, their existing content repositories, such as the contracts they’ve already signed, will still hold value in the future. I believe they will, and I don’t think that’s a controversial opinion. If they are valuable, then the organization’s ability to accurately categorize the documents themselves and understand their semantic and contextual meaning becomes crucial. The better you are at that, the more you’ll ultimately benefit from generative AI, regardless of the solution you choose. So, the AI tools that are currently being used, and used well by some, should be more widely adopted because they are a necessary foundation for making the most of generative AI in any organization moving forward.
if you'd like to continue the discussion, please reach out to nick.vandivere@thomsonreuters.com.
Often, when companies try to train their own models, after six months, they find themselves stuck with minimal progress and a long way from seeing any return on investment or value.COMPLIANCE
By CORINNE D. SPENCER AND JONATHAN J. BROWN
California has taken a significant step towards promoting fairness and equality in the workplace by implementing new pay transparency and pay data reporting laws. Senate Bill 1162, which came into effect on January 1, 2023, requires employers to disclose pay scale information to job applicants, and mandates larger businesses to submit annual pay data reports to the California Civil Rights Department. The legislation is a progressive move towards eliminating
wage disparity and unequal pay, and businesses must ensure compliance while maintaining efficiency and profitability.
SB 1162 has two requirements, pay data reporting and pay scale disclosure. Employers with 100 or more employees must submit annual reports that contain the median and mean hourly pay rate, broken down by job category, sex, race, and ethnicity for their employees, including those hired through labor contractors. Failure to comply with this
reporting obligation may result in the Civil Rights Department seeking compliance orders and civil penalties up to $200 per employee for subsequent violations.
The pay scale disclosure component of the law requires employers with 15 or more employees to publish salary or hourly wage ranges they reasonably expect to pay for the position in all job postings. The legislation also requires employers to provide pay scale information to current employees upon request.
Non-compliance with this obligation may result in the Labor Commissioner investigating complaints and ordering employers to pay civil penalties up to $10,000 per violation.
Employers need to allocate time and resources towards compliance with SB 1162’s pay data reporting requirements. The first filing deadline was May 10, 2023. Businesses should ensure that processes are in place to collect and store the data by implementing protocols, utilizing software, or outsourcing work.
available to job seekers, SB 1162 creates competition for high-paying jobs, prompting employers to ensure their pay scales are competitive to attract top candidates. Companies can differentiate themselves by evaluating benefits and perks that they can advertise to potential employees. Some businesses may opt to stop advertising jobs and instead utilize other means of filling positions, such as word-of-mouth and internal promotions. Although SB 1162 gives job seekers more bargaining power to negotiate equal pay, employers can also use this knowledge in individual negotiations and may choose not to negotiate at all.
audits, and improving hiring practices, while staying in compliance with the law.
Corinne Spencer is a Senior Employment Counsel and Chair of the Labor and Employment Practice Group at Pearlman, Brown & Wax, LLP. She focuses on counseling clients in employment-related matters including litigation, risk assessment, policy preparation, and training. cds@4pbw.com
Although businesses may be concerned about the potential repercussions of the pay data revealed, they should use the annual reporting obligation as an opportunity to audit their pay data, evaluate their pay practices, and ensure fair and equitable payment for their employees. Employers should correct potential pay disparities once they are identified.
Under SB 1162, employers must publish clear and transparent pay scales in all job postings and must also provide access to pay scale information to current employees. Although businesses may wonder how to define “pay scale,” Labor Code section 432.3’s reasonableness standard appears to give employers some latitude. However, businesses must avoid providing overly broad ranges that may signal a lack of respect for workers and an effort to skirt the intentions of the law.
By making pay scale information
Businesses may be concerned about how the new legislation will impact their workforce’s performance. As employees learn more about what their coworkers earn and what other companies pay for similar work, higher earners may increase productivity as they aim to justify their wages. Conversely, lower earners may feel undervalued and find themselves demotivated. Savvy businesses must stay attuned to productivity and explore areas where they can improve efficiency and profitability. By reviewing internal and external pay scale data, businesses may identify areas to streamline operations, reduce costs, improve employee retention, and reduce turnover costs.
While compliance with Senate Bill 1162 is a daunting legal obligation for employers, it is an excellent opportunity to promote fairness, transparency, and equity in the workplace. Businesses can look to increase competitiveness, profitability, and productivity by establishing clear and transparent pay scales, conducting pay equity
Jonathan J. Brown is a Senior Associate in Pearlman, Brown & Wax, LLP, where he represents employers in all aspects of employment law. He also represents employers and insurance carriers in workers’ compensation claims in California. jjb@4pbw.com
Employers must provide access to pay scale information to current employees.
With the economy facing headwinds and investment harder to come by, preservation of assets, and specifically your intellectual property, is a must for any successful business. While protecting IP is essential, refocusing and targeting your investment in your IP portfolio can ensure your spend is being utilized for strategic targets. It can even free up resources.
By answering a few key questions, a company can shift their strategy to a winning one. For instance, start by answering the following: What technologies drive your revenues? Does your current IP align? Where do you see future growth or development? What are your options regarding IP protection?
The answers to these questions change over time and the economy may constrain your choices. Reviewing
the answers regularly can reveal how your IP strategy should evolve. Just as the initial phases for starting companies require strategic targets and targeted spending, your ongoing IP strategy needs rigorous review and focus. Limited budgets, shrinking revenue streams, and expanding IP costs can be managed. Scheduling routine reviews of your portfolio is a key to success. If you are evaluating your IP regularly, you can
move quickly from an IP expansion mode into a preservation mode of IP protection.
During expansion mode, IP expense is less of a factor, and may have led you to file a host of applications across a number of technology areas. In preservation mode, your IP counsel can help you preserve existing IP with minimal spend and preserve new developments for protection. Your review can start with identifying the most valuable assets in your IP portfolio.
you to slow spend but preserve options for protection when revenues recover. Preserving your IP in your principal market is a must, but nascent or limited markets and their associated filings provide an opportunity to reduce your expenditures. Often new markets do not materialize as expected, and recognizing that in your IP targets can preclude throwing good money after bad.
Provisional applications, when used correctly, can put off expensive drafting efforts, but avoid the temptation to make quick and dirty filings. Robust provisional applications with well-developed descriptions push timelines and limit costs. Quick filings can miss important or valuable details and expose your company to unnecessary risk.
Addressing these issues head on by having straightforward discussions of budgets and goals, and regular review of your IP assets, can ensure the health and continued success of the business.
Typically, revenue generating technologies and products fall into the high-value class. Ensuring that your company preserves your rights in those technologies should be the minimum. Market differentiators that may not be directly tied to revenue but allow your product to shine should also be protected. Peripheral technologies, or technologies that have not matured as expected, offer opportunities to reduce spend and limit investment. It is essential to avoid neglecting the long term in view of short term headwinds.
Continue to identify areas for future growth and revenue, and ensure your IP covers at least those areas.
Once you identify your core IP targets, there are a number of options to limit or push out costs. For example, you can reassess your existing filings and strategy. Foreign filing may have been warranted at the initial stages of product development, but of limited value now. Procedural options may permit
For existing IP, consolidation can be an effective tool to limit costs, but must be balanced against preserving your company’s rights in valuable technology. In one example, creative use of priority claims in continuation filings was an option for consolidating a number of inventions into a single filing, which was later re-expanded into multiple different applications, and ultimately multiple patents. Review your options against potential budget. Novel solutions can be found in any circumstance.
When necessary, the same considerations can be used to reduce your IP targets and eliminate IP assets entirely that do not align with your core IP. While this option should be used sparingly, identifying outlier IP assets or even ranking your assets by strategic value supports reasonable pruning until budget meets targets.
With some effort, companies can implement strategies that will position them for success during challenging economic times.
Scheduling routine reviews of your portfolio is a key to success.
When it comes to cybersecurity, the most important choice business leaders face is determining which risks to address proactively, with assessments, workforce training, policy preparation, and insurance, versus which risks to address reactively, in the form of breach remediation.
Recently, our security business got a call from a mid-sized company that lost $150,000 to a classic business email compromise. The hacker sent a phishing message to an AP clerk, who then gave up his login credentials. The hacker accessed the clerk’s emails and his OneDrive account. Combing through the data, the hacker identified a legitimate vendor receiving monthly
payments of $50,000, and then posed as the vendor requesting payment. The company didn’t realize what was happening until three months later. Could the attack have been avoided? Easily. But, the company reasoned that cyber prevention was just too expensive and they were small enough to escape the attention of hackers.
IBM noted that the average cost of a breach rose from $4.24 million in 2021 to $4.35 million in 2022. But let’s be real. These averages are skewed high because they factor in hefty losses by large businesses. Small and medium businesses are not likely to suffer such losses.
So let’s run some numbers for small and medium businesses based on the experience of the company above. The company lost $150,000 to the hacker, which was unrecoverable. There were also additional reactive costs on top of the initial loss:
• $42,000 for post-breach forensics;
• $50,000 for a breach coach;
• and $120,000 for client notifications and credit monitoring.
That’s a total loss of $362,000. And that does not include costs that are more difficult to quantify, such as sunk employee time remediating the breach, and reputation damage.
cyber-attack prevention, we have to compare the ALE to the annual cost of cyber readiness for a smallmedium business. Year one costs are typically higher because companies new to cyber readiness have not been assessed, and haven’t closed cyber gaps, drafted policies, or tested their workforces for social engineering. So in year one, a small-medium business can expect to pay $20,000 to $60,000 for an initial assessment, which usually includes vulnerability scanning. Then add $7,500 to $12,500 for regular phishing tests, and an additional $10,000 to $25,000 for the formulation of an incidence response plan and related tabletop exercises. That’s a total year one cost of between $37,500 to $97,500.
reasonable level of cyber readiness. Given the uncertainty of proactive measures as well as their associated costs, small and medium businesses may be tempted to just incur reactive costs if and when a data breach does occur. But odds are, that’s a bad call. In the long-run, preparing for a cyber-attack is nearly always going to be less expensive than simply reacting to a breach.
Using the information from this loss, which is typical of those seen by small and medium businesses, we can make a loose extrapolation of the expected monetary loss to cyber-attacks over the course of a year. Let’s multiply that $360,000 loss by the annualized rate of occurrence (ARO) for cyber-attacks, which the Hiscox Cyber Readiness Report put at 23 percent in 2021. That gives us an estimated annualized loss expectancy (ALE) of $82,800 for a small-medium business.
In order to calculate the appropriate amount to spend on proactive
Successive years are typically half the year one cost. Extrapolating out to five years from the start of a business, the aggregate ALE would be $414,000, while the range for proactive cyber readiness costs could be between $112,500 and $292,500. These loose calculations illustrate that it can potentially pay for a small or medium business to undertake proactive cyber readiness measures, if it is able to make prudent decisions that keep it on the lower end of that spectrum while still effectively covering risk.
You may believe that cyber insurance will cover all breach-related expenses. Network Assured found that 25 percent of all claims are either partially or fully denied due to exclusions in the policy. And those figures assume your small-medium business is insurable. Many aren’t because they can’t demonstrate a
Brian Gillam is the chief operating officer for Cozen O’Connor’s ancillary business units. He uses his unique background as a large firm chief financial officer and chief information officer to grow the firm’s business investments in eDiscovery, cybersecurity, physical security, family office services, subrogation claims handling, and lobbying. bgillam@cozen.com
There is an estimated annualized loss expectancy of $82,800 for a small or medium business.
UPCOMING
THURSDAY, SEPTEMBER 21
1PM ET / 12PM CT
Register for this webinar to learn how to:
• Create processes to preserve and collect data from new collaboration tools that may be relevant to litigation
• Understand how evolving case law is redefining what are “reasonable steps” to preserve potentially relevant data to litigation
• What ways technology can automate, streamline legal hold and preservation activities
Sponsored by
UPCOMING
THURSDAY, SEPTEMBER 28
1PM ET / 12PM CT
In this webinar, we will discuss:
• How organizations can create modern and more compliant records retention schedules to better handle both paper and electronic information
• Tips to privacy-enable your schedule
• Questions to consider to determine if your record retention schedule is in need of an update
• Benefits of utilizing a modernized program including compliant preparedness, ease of execution, and more
Sponsored by
WEDNESDAY, OCTOBER 11
1PM ET / 12PM CT
Join this webinar and:
• Discover how you can draft, negotiate, and identify deviations with confidence.
• Explore how the Document Intelligence platform can provide fast and efficient contract abstraction for dayto-day operations, pending litigation, and fire drills.
• Learn how to quickly assess inherited obligations and risks before or after an M&A transaction using AI that reads, instead of relying on manual review or outsourcing.
Sponsored by