Today's General Counsel, V14 N1, February/March 2017 by Today's General Counsel

TODAY’S GENER AL COUNSEL FEB/ MAR 20 17

FEB/ MAR 2017 VOLUME 1 4 / NUMBER 1 TODAYSGENER ALCOUNSEL.COM

RETHINKING

CYBER FIVE COMMON MISCONCEPTIONS “STRUCTURED DATA” IN E-DISCOVERY NEGLECTED THREAT: SPYMAIL The FTC’s Strong Hand in Cyber-Privacy How to Optimize the Preservation Process Insourcing, International Due Diligence and Data-Culling

VOL 14 / NO 1

INTELLECTUAL PROPERTY • Troll Repellent: Rewrite Your Supplier Agreements • Is Patent Reform Dead? How Law Departments are Working Smarter Preparing the Expert Witness $199 Subscription rate per year ISSN: 2326-5000 View our digital edition: digital.todaysgeneralcounsel.com

TodaysGeneralCounsel.com The newly redesigned website provides a daily glimpse of curated content from experts, consultants, law firms and other valued information sources.

T O D AY S G E N E R A L C O U N S E L . C O M / S U B S C R I B E

Action, meet results. Too many law firms mistake activity for action. As they churn away on unnecessary tasks, your matters drag on. At Barnes & Thornburg, we are focused on keeping things moving and helping your business grow. Delivering results you can count on.

Uncommon Value

ATLANTA

CHICAGO

DALLAS

DELAWARE

INDIANA

LOS ANGELES btlaw.com

MICHIGAN

MINNEAPOLIS

OHIO WASHINGTON, D.C.

feb / mar 20 17 toDay’s gEnEr al counsEl

Editor’s Desk

These are alarming times in many ways, so Saad Gul’s article in this issue of Today’s General Counsel makes for a nice change of pace. Among the myths about cybersecurity that he punctures is one that keeps many a corporate legal officer awake at night – that data breaches are certainties and the globe is overrun with hackers who are constantly on the prowl for corporate data so they can use it for extortion (There are two types of companies: those that have been hacked and those that will be, FBI director Robert Mueller famously said, in 2012). Yes, there are a lot of hackers out there, scanning for targets of opportunity, says Gul, but they are looking for vulnerabilities, and those are preventable. Beware, but don’t be paranoid is his message. Remember Sally Yates? She was fired as acting Attorney General for refusing to enforce the President’s directive on Muslim immigrants, but what she’s more likely to be remembered for in business circles is The Yates Memo, which directed the DOJ to look for culpable individuals when there is corporate wrongdoing. Surprisingly, Alex Brackett and James Neale predict that the Yates Memo will remain DOJ policy insofar as it is consistent with intent-driven criminal enforcement. They also have some interesting predictions about enforcement of the Foreign Corrupt Practices Act and the False Claims Act. Gul’s article points out that cybersecurity insurance is a good idea but it’s not a silver bullet. Wasif Qureshi discusses another form of insurance, often overlooked, that general counsel should be aware of: patent infringement protection. He notes that a solid percentage of infringement cases are brought against companies that are not in the tech field, and anyone that uses patented technology, even in the form of a service provided by another company, can be liable.

Mike Hamilton has some good tips about cost-saving data preservation on an ongoing basis, and in a Q&A, Chris Adams talks about a trend toward flexible technology that seems to be taking hold with both law firms and their corporate clients globally.

Bob Nienhouse, Editor-In-Chief bnienhouse@TodaysGC.com

AND

“ THE EXCHANGE” CONFERENCES E-DISCOVERY UNIQUE INTERACTIVE FORMAT • PROVIDES ACTUAL SOLUTIONS TO REAL BUSINESS ISSUES • DESIGNED SPECIFICALLY FOR C-LEVEL EXECUTIVES

MARCH 20-21

JUNE 6-7

JULY

SAN FRANCISCO

CHICAGO

NEW YORK

SEPT 13-14

OCTOBER

DECEMBER

HOUSTON

SEATTLE

LOS ANGELES

FEB/ MAR 2017 TODAY’S GENER AL COUNSEL

Features

48 50

PREPARING THE EXPERT WITNESS FOR DEPOSITION John C. Maloney, Jr. Be ready for the “CSI effect.”

THE FOUR “Cs” OF DRAFTING AN EFFECTIVE ARBITRATION CLAUSE Lauren Garraux and Thomas E. Birsic Preventing a costly detour through the courts.

C O LU M N S

WORKPLACE ISSUES The Year Ahead in Labor and Employment Policy Ilyse Schuman and Michael Lotito Less enforcement, more compliance assistance.

THE ANTITRUST LITIGATOR Compliance and the Antitrust Division’s Leniency Program Jeffery M. Cross The race to self-report.

54 4

THE GC AS STRATEGIC BUSINESS PARTNER Debbie Hoffman Revenue, people and black-letter law.

IMPLICATIONS OF THE SEC’S UNIVERSAL PROXY CARD RULES

REGULATORY ENFORCEMENT POST-ELECTION

SURVEY: HOW LAW DEPARTMENTS ARE WORKING SMARTER

BACK PAGE FRONT BURNER Patent Legislation in the 115th Congress Q. Todd Dickinson Some reform notions have lost steam, but others are in the wings.

By Clyde Tinnen and M. Ridgway Barker Proposal would promote “fair corporate suffrage.”

Alex J. Brackett and James F. Neale FCPA enforcement not likely to abate.

Lauren Chung Using technology, optimizing resources.

Page 58

AND

“ THE EXCHANGE” CONFERENCES CYBERSECURITY UNIQUE INTERACTIVE FORMAT • PROVIDES ACTUAL SOLUTIONS TO REAL BUSINESS ISSUES • DESIGNED SPECIFICALLY FOR C-LEVEL EXECUTIVES

APRIL 6-7

APRIL 26-27

MAY 23-24

SAN FRANCISCO

BOSTON

NEW YORK

NOV 15-16

NOVEMBER

DECEMBER

DALLAS

WASHINGTON, D.C.

LOS ANGELES

feb/ mar 2017 toDay’s gener al counsel

Departments Editor’s Desk

Executive Summaries

Page 24

L abor & empLoyment

16 The Importance of HR in FCPA Compliance Libby Simmons Callan and Allison Goico When hiring becomes bribery.

e-discovery

18 Structured Data Analysis in E-Discovery Patrick Grobbel and Michael Busen When keyword searches won’t do it.

20 Tips to Optimize Your Preservation Process Mike Hamilton In-place searching is a powerful and costsaving process.

24 Insourcing, International Due Diligence, and Data-Culling Q&A with Chris Adams Investing now to achieve downstream cost reduction.

26 E-Discovery Trends to Watch in 2017 Michele C.S. Lange FRCP amendments, court precedents, are changing the protocols.

inteLLec tuaL propert y

28 Supplier Agreements Should Include Patent Litigation Protection Wasif Qureshi An often overlooked and readily available variation on insurance.

cybersecurit y

32 Get Ready for More Cyber Litigation Kenneth N. Rashbaum Law departments should seek budget increase to cover it.

34 Common Misconceptions About Cybersecurity Saad Gul Don’t fall into the fatalist trap.

36 The FTC’s Strong Hand in Cyber-Privacy Cases Neda Shakoori and Christine Peek $100 million for violating an FTC injunction.

40 Spymail Risk Often Ignored Paul Everton and Chad Gilles Your email is leaking.

42 Three Expert Lessons About Digital Threats Philip Favro New challenges from the IoT and the cloud.

AND

“ THE EXCHANGE” CONFERENCES COMPLIANCE UNIQUE INTERACTIVE FORMAT • PROVIDES ACTUAL SOLUTIONS TO REAL BUSINESS ISSUES • DESIGNED SPECIFICALLY FOR C-LEVEL EXECUTIVES

APRIL 13

MAY 9

OCTOBER 12

HOUSTON

WASHINGTON, D.C.

CHICAGO

editor-in-Chief Robert Nienhouse managing editor David Rubenstein

exeCutive editor Bruce Rubenstein

senior viCe president & managing direCtor, today’s general Counsel institute Neil Signore art direCtion & photo illustration MPower Ideation, LLC law firm business development manager Scott Ziegler database manager Matt Tortora Contributing editors and writers

Chris Adams M. Ridgway Barker Thomas E. Birsic Alex J. Brackett Michael Busen Libby Simmons Callan Lauren Chung Jeffery Cross Q. Todd Dickinson Paul Everton Philip Favro Lauren Garraux Chad Gilles Allison Goico

Patrick Grobbel Saad Gul Mike Hamilton Debbie Hoffman Michele C.S. Lange Michael Lotito John C. Maloney, Jr. James F. Neale Christine Peek Wasif Qureshi Kenneth Rashbaum Ilyse Schuman Saba Shakoori Clyde Tinnen

editorial advisory board Dennis Block GREENBERG TRAuRIG, LLP

Subscription rate per year: $199 For subscription requests, email subscriptions@todaysgc.com

reprints For reprint requests, email rhondab@fosterprinting.com Rhonda Brown, Foster Printing

Robert Profusek JONES DAy

Thomas Brunner

Joel Henning

Art Rosenbloom

WILEy REIN

JOEL HENNING & ASSOCIATES

CHARLES RIvER ASSOCIATES

Peter Bulmer JACKSON LEWIS

Sheila Hollis

George Ruttinger

Mark A. Carter

DuANE MORRIS

CROWELL & MORING

David Katz

Jonathan S. Sack

DINSMORE & SHOHL

James Christie BLAKE CASSELS & GRAyDON

WACHTELL, LIPTON, ROSEN & KATz

Steven Kittrell

MORvILLO, ABRAMOWITz, GRAND, IASON & ANELLO, P.C.

MCGuIREWOODS

victor Schwartz

FTI CONSuLTING

Jerome Libin

SHOOK, HARDy & BACON

Jeffery Cross

SuTHERLAND, ASBILL & BRENNAN

Adam Cohen

FREEBORN & PETERS

Thomas Frederick WINSTON & STRAWN

Jamie Gorelick

subsCription

Dale Heist BAKER HOSTETLER

WILMERHALE

Robert Haig KELLEy DRyE & WARREN

Jean Hanson FRIED FRANK

Robert Heim DECHERT

Timothy Malloy Mc ANDREWS, HELD & MALLOy

Jean McCreary NIxON PEABODy

Steven Molo MOLOLAMKEN

Thurston Moore HuNTON & WILLIAMS

Jonathan Schiller BOIES, SCHILLER & FLExNER

Robert Townsend CRAvATH, SWAINE & MOORE

David Wingfield WEIRFOuLDS

Robert zahler PILLSBuRy WINTHROP SHAW PITTMAN

Ron Myrick RONALD MyRICK & CO, LLC

All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information or retrieval system, with out the written permission of the publisher. Articles published in Today’s General Counsel are not to be construed as legal or professional advice, nor unless otherwise stated are they necessarily the views of a writer’s firm or its clients. Today’s General Counsel (ISSN 2326-5000) is published six times per year by Nienhouse Media, Inc., 20 N. Wacker Drive, 40th floor, Chicago, Illinois 60606 Image source: iStockphoto | Printed by Quad Graphics | Copyright © 2017 Nienhouse Media, Inc. Email submissions to editor@todaysgc.com or go to our website www.todaysgeneralcounsel.com for more information. Postmaster: Send address changes to: Today’s General Counsel, 20 N. Wacker Drive, 40th floor, Chicago, Illinois 60606 Periodical postage paid at Oak Brook, Illinois, and additional mailing offices.

AND

“ THE EXCHANGE” CONFERENCES INFORMATION GOVERNANCE UNIQUE INTERACTIVE FORMAT • PROVIDES ACTUAL SOLUTIONS TO REAL BUSINESS ISSUES • DESIGNED SPECIFICALLY FOR C-LEVEL EXECUTIVES

NOVEMBER 1

ATLANTA

FEB/ MAR 2017 TODAY’S GENER AL COUNSEL

Executive Summaries L ABOR & EMPLOYMENT

E-DISCOVERY

PAGE 16

PAGE 18

PAGE 20

The Importance of HR in FCPA Compliance

Structured Data Analysis in E-Discovery

Tips to Optimize Your Preservation Process

By Libby Simmons Callan and Allison Goico Dinsmore

By Patrick Grobbel and Michael Busen FTI Consulting

By Mike Hamilton Exterro

In April 2016, the DOJ announced it had increased the size of its FCPA unit by more than 50 percent and the FBI established three new squads of special agents devoted to FCPA investigations. Companies with operations abroad should take a close look at their approach to FCPA compliance. Practitioners are advised to keep an eye on who is hired for international operations, and for what reasons. Recent activity indicates that the government considers employment opportunities (including unpaid internships) a “thing of value” that can trigger FCPA liability. Efforts to push applicants through in ways that circumvent normal procedures should be questioned and reported to management/compliance. In 2016, the DOJ instituted its one-year “Pilot Program” to encourage self-reporting of potential FCPA offenses. Penalties for companies that self-report ahead of a DOJ investigation could be significantly reduced. The DOJ has publicly declined FCPA prosecution in five cases, and in all five the DOJ pointed to proactive company measures, in part, as the reason. There are many views on what pending changes in DOJ leadership could mean for FCPA prosecution. Some think the Administration could let the Pilot Program expire this year, while others believe it could be extended and applied to non-FCPA enforcement. Either way a strong FCPA compliance program, along with consistency in hiring, investigations and disciplinary actions, can minimize the risk of violation and potential prosecution for employers.

Electronically stored information can be boiled down to two types, unstructured and structured. Lawyers are most familiar with unstructured data (e.g., emails, Word documents and PowerPoint presentations). Structured data includes such things as transaction records or stock trading activity, and associated “fielded data.” While the concept may seem daunting, addressing it is a practical and defensible way to hone in on key information and inform case strategy for legal matters of any size. When made part of the standard e-discovery strategy, structured data can provide valuable information about document sets that might otherwise be invisible. Structured data should be part of the early case assessment process. Counsel should address it at the meet and confer, to ensure the appropriate structured databases are included among the systems that will be part of the process. Cross-team collaboration makes it easier to leverage various databases as the guide for document collection and review, and often one group already has key knowledge that can inform another’s case. Even in matters where paper documents, antiquated data sources (such as microfilm) or documents not in native form (such as transactional data provided in PDF format) are part of the review, structured data can play a role and be produced in an unstructured manner. The key is for counsel to remain open minded about when and how structured data should be leveraged and begin thinking about it as a practical and critical resource for all matters.

E-discovery professionals should not use the same preservation approach for each case, but rather should follow a repeatable process that meets a reasonableness standard. Keep in mind that by asking the right questions in the identification stage, you can create a proportional and defensible preservation strategy. Preserving irrelevant data is easy to do on the front end but will cost you on the back end. There are three general categories of data in an organization: Unstructured data, structured data and new data types (social media, mobile, chat, etc.). Finding how much total responsive data you have is crucial early in the process and can determine the scope of discovery. One of the easiest ways to begin finding responsive data is custodian interviews. To achieve efficient preservation, there are a number of often-overlooked strategies. Among them is to leverage in-place searching, before collection. This little-known technique is powerful, and it brings significant cost savings. Traditionally in early data assessment, you have to collect a sample of the client’s data. Now, some e-discovery solutions are able to go out and look at the data before collection. Given that collecting data is an expensive and time consuming endeavor, if you have the ability to index data without having to process it and collect it, costs are lowered considerably. There is no good alternative to preparing for preservation before there is even a hint of litigation. Assume that sooner or later, preservation will be an issue.

today’s gener al counsel feb/ mar 2017

Executive Summaries e-Discovery

intellec tuAl ProPert y

PAGe 24

PAGe 26

PAGe 28

Insourcing, International Due Diligence and Data-Culling

E-Discovery Trends to Watch in 2017

Q&A with Chris Adams Consilio

By Michele C.S. Lange Kroll Ontrack

Supplier Agreements Should Include Patent Litigation Protection

The movement toward more flexible technology is taking hold with both law firm and corporate clients globally. For lawyers, this means it’s important to be able to explain the full e-discovery process to a less technologically sophisticated judge, or even opposing counsel. If lawyers feel as if they don’t understand how a technology works, it can be difficult for them to effectively lobby for its use. One major trend in e-discovery management is insourcing. Law departments want to bring technology or people inhouse, but they don’t want to pay for the infrastructure or other associated costs. Departments are looking for companies to augment their current technology or personnel. This potentially moves the risk from their side of the ledger, at the same time it enables scaling to meet changing needs and makes overall spend more predictable. The biggest challenges in international M&A occur both at the very front end of the transaction, during the due diligence process, and post-merger when companies are going through the transition work to consolidate operational procedures. It is necessary to know what raises red flags in one country but might be permissible in another. In terms of downstream e-discovery technology, there seems to be a movement to employ technology to the “left side” of the electronic discovery reference model (EDRM) spectrum, to significantly impact the volume of data before it reaches data review. This is where we are seeing an increase in spend, investment and attention.

Courts will expect parties to cooperate. Federal Rules of Civil Procedure amendments in 2015 make it clear that increased cooperation is required in e-discovery. If parties cannot agree about scope, search terms, production formats or other issues, assume courts will send the disputes back to the parties for resolution. In-house counsel will also need to understand proportionality. When setting parameters, Rule 26(b) requires parties to take into account such things as “the amount in controversy,” “the parties’ resources,” “the importance of the issues at stake in the action,” and “whether the burden or expense outweighs its likely benefit.” Cost-splitting or shifting could also become a norm as part of proportionality. When ESI has been lost, counsel will need to be prepared to argue it occurred despite “reasonable steps” having been taken. Under amended Rule 37(e), there should be no sanctions so long as a party took reasonable steps to preserve the evidence. Additionally, for there to be spoliation, the party responsible for the lost evidence must be shown to have acted with an “intent to deprive,” and the information must not be obtainable by other means. Predictive coding is taking its place in legal systems internationally. Its use has been approved in Ireland, in Britain, and most recently in Australia. This is just the beginning of what we will see in years to come, as both international and domestic courts recognize the value that new technologies bring to discovery.

By Wasif Qureshi Jackson Walker LLP

Anyone who uses patented technology can in theory be an infringer, and a considerable number of patent infringement cases are now being brought against non-tech companies. Use of a patented technology can result in liability even when only a part of the claimed invention is actually practiced, or not practiced at all. One safeguard against this kind of litigation is including patent infringement indemnification terms in supply agreements involving any product or service that could be considered a basis for a patent suit. At minimum, seek language that current and future approved purchase/service orders are covered for indemnification under the master supply agreement, or else in the language of particular orders. When a supplier provides a form agreement, make sure the terms include patent suit indemnification safeguards and don’t include fine print limiting the scope of coverage in situations where the customer modifies or uses the product in a manner not intended by the supplier. Have a system for storing supply agreements for extended periods of time. Instruct responsible employees to ensure that addendums and specifications pertaining to the master agreement are easily accessible. These suggestions are particularly important for small to medium-sized non-tech companies that do not anticipate patent suits because of the nature of their business, who may have little or no experience with patent lawsuits, or where a patent suit could severely impact the company’s operations.

FEB/ MAR 2017 TODAY’S GENER AL COUNSEL

Executive Summaries CYBERSECURIT Y

PAGE 32

PAGE 34

PAGE 36

Get Ready for More Cyber Litigation

Five Common Misconceptions About Cybesecurity

The FTC’s Strong Hand in Cyber-Privacy Cases

By Kenneth N. Rashbaum Barton LLP

By Saad Gul Poyner Spruill LLP

By Neda Shakoori and Christine Peek McManis Faulkner

The Great Recession of 2007-2009 caused a precipitous drop in litigation, and legal spend for litigation dropped as well. That is about to change, as parties discouraged by lack of government protection against hackers turn to courts for redress in the face of cyber attacks and data breaches. Forty-seven states have breach notification or other cybersecurity law, and in particular there are numerous safeguards governing the life sciences and financial services industries. Given increasing reliance on digital assets and the advancing sophistication of cyber attacks, it is only a matter of time before a court permits a shareholder derivative action against corporate directors stemming from a data breach. Federal privacy law does not preempt state laws that are stricter than the federal provisions. As breaches of health information increase, expect more state litigation alleging failures to meet standards of care with regard to state statutory or common law. FINRA, following a period of quiescence, has awakened to the realities of potential damage cyber attackers can wreak on broker-dealer funds. Late last year, a settlement of $650,000 in a proceeding involving Lincoln Financial Securities was announced. It was significant for the amount, but also because the basis of the FINRA proceeding was a breach by Lincoln’s cloud services provider. Whether at the sole practitioner, law department or corporate board level, without a high level of cybersecurity based on best practices, the likelihood of costly litigation is increasing.

The first misconception is that a breach is inevitable and there is little in-house counsel can do to prevent it. Formidable firewalls and security measures may not stop a fanatically committed attacker, but virtually all hacked companies are soft targets of opportunity. Hackers typically scan random systems and identify vulnerability. Once they detect it, they can decide whether to exploit it. Most vulnerabilities are created by preventable human error. Another common misconception is that insurance is a silver bullet, which can lead to a false sense of security. Policies vary widely, and many coverage issues have yet to be definitively addressed by the courts. There is no average policy, and no average risk profile. An organization’s preferred policy may have exclusions or riders that do not address the business context. Another notion that creates problems: that a carefully prepared cybersecurity plan can be considered finished. In fact every business evolves, as does the technology itself, and the “perfect” plan is frequently out of date. Absent constant revision, the company will have plans that look good on paper, but are increasingly disconnected from the reality of operations. If disaster strikes, counsel can expect regulators and future opposing counsel to focus on the gap between this reality and the letter of the plan. Cybersecurity risk is like other risks. It requires steadfast attention to current and potential issues. Inside counsel play a key role, not simply in addressing breaches when they occur, but also in articulating the risks, establishing protocols and enforcing compliance.

The authors briefly review the FTC’s enforcement authority against unfair or deceptive acts and practices, and examine pre-and post-settlement enforcement actions in the area of cyber-privacy. In Practice Fusion, Inc. the FTC alleged failure to disclose that consumer responses to a satisfaction survey would be published on Practice Fusion’s website. Without admitting or denying the allegations, Practice Fusion agreed to a 20-year consent order. In 2012, the DOJ initiated a civil action against Google to enforce a consent order settling FTC allegations that Google misled consumers about its social networking tool, Google Buzz. Among other things, the order prohibited Google from misrepresenting the extent to which it protected certain user information. Google agreed to pay a $22.5 million fine without admitting liability. In 2015, the FTC initiated a contempt action against Lifelock for violation of a permanent injunction enjoining it from misrepresenting the nature of its identity theft protection service, or the extent to which it protected consumers’ personal information. Without admitting or denying the allegations, Lifelock agreed to settle through a modified permanent injunction that included a $100 million judgment for equitable monetary relief. That gave the FTC the largest monetary award it has obtained to date in an order enforcement action. As illustrated by the FTC’s proceedings against Google and Lifelock, entry of a consent order or stipulated judgment does not end the FTC’s enforcement proceedings. Rather, it begins a new phase.

today’s gener al counsel feb/ mar 2017

Executive Summaries cybersecurit y

feAtures

PAGe 40

PAGe 42

PAGe 48

Spymail Risk Often Ignored

Three Expert Lessons About Digital Threats

Preparing the Expert Witness for Deposition

By Philip Favro Driven Inc.

By John C. Maloney, Jr. Zuber, Lawler & Del Duca, LLP

There is increasing need for organizations to strengthen security measures as part of their information governance plan. To do this, information security cannot be isolated within legal or information technology departments. Security professionals, business units and company executives should be jointly involved to establish a culture of security. IT experts should manage the technical side, while in-house counsel offers guidance on the regulatory and legal implications. With more data, devices, and technological developments, there are many gateways that cyber criminals and malicious insiders can exploit. These range from email and smartphones, to IoT and external messaging and collaboration tools. The IoT (Internet of Things) in particular is becoming more of a challenge. Done well, it can pay off significantly: Businesses currently generate more than $613 billion of profits annually from IoT devices. But these devices require the centralization of heterogeneous networks as data is aggregated and analyzed. As a result, corporate teams must make exceptional efforts to build strong security measures into these repositories. Organizations can prepare by creating “concept of operations documentation.” This flexible governance tool should provide a roadmap for installation, integration and ongoing auditing of connected devices. In addition, companies can strengthen everyday security by carefully managing employee use of clouds and devices. Ensure that proprietary data is not removed from the corporate network, particularly upon termination of an employee.

Most civil cases today involve the use of testifying experts to address both liability and damages issues. The presence of experts has become so pervasive that modern trials are now often viewed as a “war of experts,” and motion practice regarding Daubert or the state equivalent test of admissibility of expert opinion is a regular step in the pre-trial process. This article provides a checklist for preparing for deposition, to ensure the expert witness can successfully navigate the special challenges he or she may confront. Vet experts early. Experts normally must be designated well before their report is submitted and the deposition noticed. Keep in mind that the expert must be able to make difficult concepts simple and be comfortable using visuals to illustrate testimony. In the expert’s report, as well as in deposition testimony, the expert must demonstrate mastery of the relevant case facts, data and documents, and the ability to link the opinions expressed to them. The expert, like any witness no matter how experienced, must be well prepared for the deposition. Frequent and in-depth rehearsals, including a substantial mock deposition, are key to instilling selfconfidence and achieving success. The expert must also be prepared to address the adversary party’s expert report in depth, to concede unimportant points or where common agreement might be found, to compare and contrast differences in methodology, assumptions and results, and to support his or her conclusions as the correct or better view of the issue in dispute.

By Paul Everton and Chad Gilles MailControl

Approximately 10 percent of non-spam business emails are spymail – email containing hidden tracking code that relays details about the recipient’s interactions with the email back to the sender. These details may include such information as when and where the email was opened and forwarded. In the wrong hands, this kind of intelligence can expose any business to a range of legal, privacy and security risks. However for legal departments it can be especially damaging. By design, spymail is hidden from the recipient. Using concealed tracking code, it can even reveal the identity of the device that opened the email, and the physical location of the device when it was opened. The onus falls on legal department leaders, in conjunction with IT managers, to make sure attorneys are trained in email security practices and vigilant in guarding against the dangers email can pose. Spymail can have a direct effect on litigation efforts, industry compliance, and client relationships. If, for instance, an adverse party sees where one of its emails was forwarded, it may be able to use that information to determine who clients or witnesses are, what documents to request for discovery, who to request them from and who to depose or add as additional defendants. This not only gives the opposition the upper hand in negotiations and litigation, it jeopardizes client trust. It may also make organizations vulnerable to reputational damage, a malpractice suit, and in some situations potentially a class action lawsuit.

FEB/ MAR 2017 TODAY’S GENER AL COUNSEL

Executive Summaries FEATURES

PAGE 50

PAGE 56

PAGE 58

The Four “Cs” of Drafting an Effective Arbitration Clause

Implications of the SEC’s Universal Proxy Card Rules

Regulatory Enforcement Post-Election

By Lauren Garraux and Thomas E. Birsic K&L Gates

By Clyde Tinnen and M. Ridgway Barker Withers Bergman

By Alex J. Brackett and James F. Neale McGuireWoods

Arbitration is not suited for every contract, dispute, or business. However, a comprehensive and well-drafted arbitration clause will allow the parties to reap the benefits of arbitration, which are a faster, more efficient and lower-cost resolution of a dispute. An effective arbitration clause must clearly commit the parties to arbitration and identify the types of disputes that will be arbitrated. In domestic commercial contracts, parties have great latitude to shape how they will resolve disputes, who will resolve them, where, and according to which rules. However, a party can fail to make the arbitration clause as comprehensive as it should be and find itself shocked at the procedure it has obligated itself to pursue. Where important business relationships are involved, parties may consider requiring mandatory negotiation or nonbinding mediation before commencing an arbitration proceeding. In this regard, the arbitration agreement should include language that allows a court to enter judgment on the award and specifies the court in which a motion to confirm should be filed. The parties may also consider limiting judicial review of an arbitration award or requiring that appeals be made to a private arbitration panel and be limited to specified grounds. There is no way to anticipate every potential issue that may present itself when a dispute between contracting parties arises, but a well-drafted arbitration clause may prevent a costly detour through the courts or an arbitration proceeding that does not meet a party’s expectations.

In October 2016, the SEC proposed amendments to the federal proxy rules that would require universal proxies in connection with a contested election of directors. The proposal would require the use of proxy cards that include the names of both board and dissident nominees and thus allow shareholders to vote by proxy in a manner that more closely resembles how they vote in person. The SEC’s stated goals are part of a broader set of sweeping proposals to allow shareholders “fair corporate suffrage.” Boards need to understand how the rules will change the process of soliciting proxies for the annual meeting. Some directors may object to being forced to lend their name to the election campaign of a dissident. This concern may be mitigated by the proposed requirement to clearly distinguish between types of nominees and through disclosure in the respective party’s proxy statements. The company’s voting standards for director elections may be impacted by use of a universal card. Companies with pure majority voting standards (no application of plurality in the event of a contested election) are more likely to have a failed election. Universal proxy cards may exacerbate this issue by enabling fragmented voting selections among a larger combined slate (company and dissident), reducing the probability that any candidate receives a majority of votes cast. Accordingly, cumulative voting combined with universal proxies may lead to unexpected cooperation between shareholders and informal pooling of votes to drive certain outcomes.

The Trump Administration will likely seek to scale back many forms of regulatory enforcement. However, President Trump campaigned on a law-and-order platform, and that makes it likely that prosecutors will continue focusing on cases involving fraud, corruption and other offenses where it can be shown that individuals acted with clear criminal intent. In that respect, the Yates Memo will likely remain DOJ policy insofar as its focus on individuals is consistent with intent-driven criminal enforcement. SEC officials have outlined their intent to pursue FCPA enforcement actions grounded on commercial rather than official bribery, pursuant to the FCPA’s accounting provisions. Last year the SEC settled its first significant FCPA case against a hedge fund, and it included charges under anti-fraud provisions of the Investment Advisers Act of 1940. Increased criminal enforcement via the False Claims Act could be possible due to a DOJ policy requiring criminal prosecutors to review qui tam cases to determine whether to open a parallel criminal investigation. Strategies that in-house counsel can apply to protect their clients include investing in compliance programs. Even where they fail to prevent violations, these can demonstrate efforts to avoid them. Also, learn from others’ mistakes. The best predictor of issues your organization could face is what has happened to your industry peers. One useful technique, in order to avoid groupthink: When nine people agree on a certain analysis or likely outcome, a tenth should be assigned to take a contrary view.

TODAYâ&#x20AC;&#x2122;S GENER AL COUNSEL FEB/ MAR 2017

Executive Summaries FEATURES PAGE 62

Survey: How Law Departments are Working Smarter By Lauren Chung HBR Consulting

The 2016 HBR Consulting survey found that worldwide corporate law department spending increased a modest one percent from the prior year. Behind this seemingly minor change is a significant shift in law department strategy. In addition to enforcing spending caps, law departments are embracing creative ways to optimize internal resources and ensure that the right people are handling the right work in the most cost efficient manner possible. Law firm billing rates increased steadily, giving corporate law departments more reason to curtail outside counsel spend. Outside legal costs accounted for 52 percent of law departmentsâ&#x20AC;&#x2122; total spend, down from 55 percent reported in the 2015 survey. About two-thirds of law department respondents report using more consistent planning and budgeting, as well as tougher oversight of outside counsel billing guidelines, to rein in spending. Nearly half of survey participants cite ramping up technology use as an important way to cope with swelling demand while maintaining internal efficiency. A comparable percentage are placing a priority on re-engineering work processes and automating routine activities, in order to optimize use of staff time and resources. Law department median internal spend on systems and technology stands at $204,000, up three percent from last yearâ&#x20AC;&#x2122;s survey. Legal spend analytics is another area poised for technology investment in 2017, as departments look for new ways to harness their internal data for greater transparency and to support key management decisions in such areas as organization and budgeting.

TodaysGC Daily Newsletter The daily newsletter is a terrific advertising vehicle to reach 35,000 corporate subscribers. With a high open rate, the newsletter is unmatched as a marketing vehicle within the corporate counsel community.

T OD AY S GE NE R A L C OUN S E L .C OM / S UB S C R IB E

feb / mar 2017 today’s gener al counsel

Labor & Employment

The Importance of HR in FCPA Compliance By Libby Simmons Callan and Allison Goico

hile 2015 saw a dip in Foreign Corrupt Practices Act (FCPA) enforcement actions, recently the Department of Justice and the Securities and Exchange Commission have picked up the pace. Near the close of 2016, news broke that a global bank will pay $264 million to settle a government investigation into its hiring practices. In April of 2016, the DOJ announced that it had increased the size of its FCPA unit by more than 50 percent and the Federal Bureau of Investigation established three new squads of special agents devoted to FCPA investigations. “This should send a powerful message,” the DOJ warned, “that FCPA violations that might have gone uncovered in the past are now more likely to come to light.” With the uptick in enforcement actions, now is the time for companies with operations abroad to take a close look at their approach to FCPA compliance. FCPA prosecutions generally have one thing in common: improper employee activity. That means the involvement of human resources must be part of an international employer’s implementation and administration of an FCPA compliance policy. In addition to facilitating FCPA training, there are several other

areas where human resources personnel should play an active role in FCPA risk avoidance and assessment: Hiring. Keeping an eye on who is hired for international operations, and for what reasons, can be critical in FCPA compliance. Recent activity makes clear that the government considers employment opportunities (including unpaid internships) a “thing

of value” that can trigger FCPA liability. In March of 2016, an international telecommunications company agreed to pay $7.5 million to settle FCPA prosecution, in part for hiring relatives

of Chinese foreign officials to gain favorable positioning for its wireless communication technologies. The chief of the DOJ criminal division commented that the “so-called Sons and Daughters Program was nothing more than bribery by another name.” In its order resolving the matter, the government highlighted that company employees who worked in Human Resources did not receive FCPA training, and “several important business functions such as human resources . . . were not considered in [the company’s] FCPA compliance program.” Seemingly, at the hiring phase, human resources at this telecommunications company might have flagged the offending new hires as not having adequate skills or background for the available positions. In this program, relatives of the foreign officials were typically given the same titles and paid the same as entry-level investment bankers, “despite the fact,” said the DOJ, “that many of these hires performed ancillary work such as proofreading and provided little real value to any deliverable product.” Had these inconsistencies been noted at the hiring stage, the company could

today’s gener al counsel feb / mar 2017

Labor & Employment have explored the true motivation for the hires and potentially avoided the risk entirely. Employers operating abroad should be sure that human resources personnel are properly trained in FCPA compliance. In turn, those assisting in the hiring process should see to it that all applicants go through the company’s standard hiring process and are qualified for their positions. Efforts aimed at pushing an applicant through, despite company procedures or applicant qualifications, should be questioned and reported immediately to management/ compliance. Investigations. In 2016, the DOJ instituted its one-year “Pilot Program” to encourage companies to self-report potential FCPA offenses. Under the Pilot Program, if companies self-report ahead of a DOJ investigation, FCPA penalties could be significantly reduced. Since announcing the initiative, the DOJ has publicly declined FCPA prosecution in five cases, and in all five the DOJ

can help position the company at the initial stages of an investigation. Firing/Discipline. In each of the five instances where the DOJ did not prosecute under the Pilot Program, it commented on the consequences for the employees who engaged in the triggering misconduct. The DOJ specifically acknowledged terminations, suspensions, pay freezes, bonus suspensions and reductions of responsibilities of these offending employees. Accordingly, human resources personnel should play a part in making meaningful recommendations when it comes to disciplining (and perhaps terminating) employees whose conduct violates FCPA principles. In addition, employers should take note that employee whistleblowers can be eligible for awards if they come forward with “unique and useful information that leads to a successful enforcement action.” Indeed, as recently as December of 2016 the SEC made a $900,000 award, and it

“The so-called Sons and Daughters Program was nothing more than bribery by another name.”

pointed to proactive company measures, in part, for its reasons to decline prosecution. With this in mind, human resources personnel should be able to recognize activity that might run afoul of the FCPA. When such conduct is identified, thorough investigations become necessary. With the help of counsel, the process to determine relevant facts and identify involved parties should start immediately. Once a company has identified the issues, self-reporting under the Pilot Program can be considered. Regardless of whether the decision to self disclose is ultimately made, human resources

has awarded around $136 million to whistleblowers generally. When employees are disciplined or terminated, employers would be wise to thoroughly document. As vigorous FCPA enforcement continues, companies operating abroad should be prepared to closely monitor international employee activity. The government takes note of both weak and strong compliance programs, and in particular the role played by human resources. There are many views on what pending changes in DOJ leadership could mean for FCPA prosecution. Some think the administration could let the Pilot

Program expire this year, while others believe it could be extended and applied to non-FCPA enforcement actions. Regardless of the course it takes, a strong FCPA compliance program, along with consistency in hiring, investigations and disciplinary actions, can minimize the risk of violation and potential prosecution for employers. ■

Elizabeth Simmons Callan is a partner in Dinsmore’s Labor and Employment Department. Having started her career as an assistant prosecuting attorney, she now concentrates on management-side employment litigation in her practice. She also works with clients on issues and claims brought under the ADA, Title VII and state discrimination statutes, with a particular specialty in issues facing the hospitality industry. elizabeth.simmons@dinsmore.com

Allison L. Goico is a partner in Dinsmore’s Labor and Employment Department. Her practice is focused on litigation and counseling, with an emphasis on management-side employment discrimination, wage and hour, non-competes, and leave laws, for both private and public employers. She regularly appears before state and federal courts as well as administrative agencies and has experience with arbitrations under collective bargaining agreements. allison.goico@dinsmore.com

feb / mar 2017 today’s gener al counsel

E-Discovery

Structured Data Analysis in E-Discovery By Patrick Grobbel and Michael Busen

espite the fact that “finding a needle in a haystack” has always been used to describe a seemingly impossible task, many attorneys today have become adept at doing just that – sifting through endless piles of information to find a single important piece of evidence. Advancements in e-discovery technology and analytics have significantly lightened the burden

for counsel. However, despite these strides, this work remains challenging, time consuming and costly. With the proliferation of data types and massively growing data volumes, the challenges are not going to become manageable without the implementation of new approaches. Alternative strategies that can bring further clarity and efficiency to

e-discovery do now exist, but have yet to gain mainstream adoption. One of these is the application of structured data analysis to the e-discovery process. Electronically stored information can be boiled down to two types, unstructured and structured. Unstructured data (Word documents, emails, Power Point presentations) are the types of information with which counsel are

today’s gener al counsel feb / mar 2017

E-Discovery

most familiar, and the ones that are relied upon to identify the one needle in the haystack that can confirm or refute key points of a case. Structured data is typically stored in databases and can include anything from transactional records (sales data, stock trading activity and healthcare claims) to fielded data associated with unstructured documents (e.g., modified date). These data frequently describe the size, the shape, or the entry/exit path of “the needle.” While the concept of structured data discovery may seem daunting, it is actually a practical and defensible way to hone in on key information quickly

review should be part of every legal team’s standard methodology, notwithstanding the scope of the corporation’s litigation and investigations. All too often, counsel will assume this type of e-discovery is overly expensive and that their small or medium-sized matters won’t benefit. In reality, structured data can help reduce costs and speed up the review for any type of matter. That said, there is not a one-sizefits-all approach for structured data, and how it is used needs to be assessed on a case-by-case basis. In some cases, the need to collect structured data is obvious – such as when there are accounting systems

The legal industry has a long way to go in attaining widespread awareness and adoption of structured data. and inform case strategy. Its insights can benefit legal matters of any size. When leveraged as part of the standard, proactive e-discovery strategy, structured data can provide valuable information about document sets that might otherwise be invisible or lost. MAPPING A ROUTE

Awareness about how structured data can benefit the e-discovery process has increased in recent years. We’re seeing more litigation support teams that are including structured data in their e-discovery workflows – a trickle-down from counsel that have become more savvy about the current and evolving data landscape. An increasing number of financial services and pharmaceutical institutions are becoming very sophisticated on this front, as their e-discovery profiles are extensive compared to most corporations in other industries. However, the legal industry itself has a long way to go in attaining widespread awareness and adoption of structured data as part of the go-to e-discovery strategy. Ultimately, structured data

involved or an ESI order from the court to produce fielded data. In other cases, a savvy attorney or experienced outside partner is needed to advise on how structured databases may be utilized as a guide to show what and where the key documents are. In highly complex cases involving massive amounts of data, the role of structured data becomes more important. For example, in a recent litigation, our corporate client was required to identify and review design drawings that were potentially relevant to the matter. Content searches were run on the unstructured data to locate all of the sets of drawings, but the results were not comprehensive. By running targeted searches on the structured fielded data associated with the document population, our team was able to locate important drawings that other searches had failed to find. KEY STEPS

In order to move forward and begin incorporating structured data into the legal department’s e-discovery approach,

there are a few key steps and recommendations counsel should consider. These include the following: Begin at the starting line. Structured data should be looked at as part of the early case assessment process, just as unstructured data is analyzed to guide early decisions about the direction of a case. Counsel should address it at the meet-and-confer, to ensure the appropriate structured databases are included in the systems that will be part of the discovery process. Collaborate internally. By working with internal compliance and audit teams, counsel can better understand how the organization’s various data repositories fit together. Cross-team collaboration makes it much easier to leverage various databases as the guide for document collection and review. Often, one group already has key knowledge (such as how certain databases are used across the organization, or which have proven useful in similar matters) that can inform another group’s case at hand. This type of internal cooperation prevents redundancy and allows for the potential re-use of data that has already been reviewed. Understand the formats. Even in matters where paper documents, antiquated data sources (such as microfilm) or documents not in native form (such as transactional data provided in PDF format) are part of the review, structured data can play a role and be produced in an unstructured manner. In an extensive financial services fraud case, our team was tasked with reviewing bank statements and financial transactions dating back to the 1970s. Much of this material was provided as PDFs or TIFFs from restored microfilm. Despite the fact that these were loaded in the review platform as unstructured documents, they contained transactional data that could be better evaluated as structured data, and we were able to develop a platform that allowed us to convert those transactional records into a database that could be analyzed in its true form. To be done thoroughly and continued on page 23

FEB / MAR 2017 TODAY’S GENER AL COUNSEL

E-Discovery

Tips to Optimize Your Preservation Process By Mike Hamilton

reserving data may be the single most difficult e-discovery challenge. Data is everywhere, and it’s extremely fluid, constantly being created, sent, received, edited, moved and deleted. To meet preservation obligations, you essentially have to freeze this process. Electronically stored information – ESI – also tends to be highly unorganized. Business users store information in a way that makes sense to them, and usually in a variety of locations (laptop, shared drives, etc.). Just by looking at the facts of the case, legal teams have no way of knowing where all relevant ESI resides, let alone how best to preserve it. With this in mind, here are some tips on developing a preservation approach

Here are four things your legal team should know in order to develop a smart preservation approach:

Know the data types you are required to preserve. There are three general categories of data in an organization: Unstructured data (email, Word documents, videos, photos, PPT, etc); structured data (data with a high degree of organization, e.g. inclusion in a relational database); new data types (social media, mobile, chat, text, Cloud-based platforms, etc.).

Know how much responsive data is there. Finding how much responsive data you have is crucial early in

Preserving irrelevant data is easy to do on the front end, but will cost you on the back end.

and addressing the preservation of new data types, with some often-overlooked solutions. HOW AND WHEN TO PRESERVE DATA

One thing most legal professionals know is that no two cases are alike. If you ask an attorney a legal question, the usual answer is “it depends.” Likewise, e-discovery professionals should not use the exact same preservation approach for each case, but they should follow a repeatable process in order to show they have met the reasonableness standard. By asking the right questions in the identification stage, you can create a reasonable, proportional, and defensible preservation strategy.

the e-discovery process, because it can determine the scope of discovery, which can affect costs, thereby helping the legal team determine a proportional strategy for the matter.

Know how to access responsive data. One of the easiest ways to begin finding responsive data is to utilize custodian interviews. This provides insight into what data sources they use, how and when they use them, along with other important information regarding their data. You can also leverage technology that can crawl the enterprise’s data, allowing you to search and analyze search terms, data types, and key custodians for responsive data. Collaborating with the IT

Department and records management teams can also provide much needed information regarding the data that may need to be preserved.

Know the available preservation methods. The most important element of preservation is showing that you have a reasonable approach, and the way to do this is to have a standardized and repeatable process. The baseline method of preservation is the legal hold. In-place preservation leverages technology that can lock down data in its original form and location, without making a copy of it (which would be collection), and then syncs it with the legal hold tool, thus preserving data as soon as the legal hold is sent out without collection. That saves time and costs. The most expensive and most riskaverse approach is preservation via collection. With this approach, remember that a reasonable preservation approach is proportional. Preserving irrelevant data is easy to do on the front end, but will cost you on the back end. PRESERVATION OF NEW DATA TYPES

There is no question that business is conducted by way of alternative data sources. For example, a recent study found that 60 percent of M&A transactions are closed by text message. If litigation arises, those texts have to be collected. If your team is using Slack as a collaboration tool, and litigation arises around that particular project, it’s possible that you’ll have to preserve and collect from Slack. As Lori Ryneer, E-Discovery Paralegal, Deere & Company, put it: A vital step in dealing with new data types is “understanding what platforms are being used and how to

TODAYâ&#x20AC;&#x2122;S GENER AL COUNSEL FEB / MAR 2017

E-Discovery

feb / mar 2017 today’s gener al counsel

E-Discovery

preserve from those platforms before a legal hold is placed.” With new data sources there is a tug of war between business needs and legal/ regulatory obligations. Nevertheless, the obligation to collect remains the same, and so does the overall approach. “The essence of how to deal with these new media types is not that different from the way we’ve handled media types in e-discovery all along, which is to identify data within an organization and then decide what to do with that data,” says Antonio Rega, Director of Berkley Research Group. “Once there’s an understanding of what exists you can plan collection strategies.” OFTEN OVERLOOKED PRESERVATION OPTIONS

Using EDA to Refine Case Strategy. EDA – Early Data Assessment – is identifying how much potentially relevant data is related to your case by using a sample search of key custodians/data sources and analyzing it for the purpose of figuring out the relevance criteria (file types, search terms, relevant custodians, date ranges, etc.). These metrics can be used to develop a budget, and to prepare your team to negotiate and fight for favorable e-discovery parameters at your Rule 26(f) conference. Tiering Your Collections. Tiering is the process of staging your discovery, narrow-to-broad, with the idea of convincing the opposing side to focus on the core documents and core custodians first, to assess the responsiveness of that data, and then expand out from a position of knowledge and power. The opposing side should be willing to do this, because it means making an educated decision as opposed to shooting in the dark. The problem with tiering is that it depends on how sincere the parties are about working together to streamline collections. Leveraging In-Place Searching Before Collection. This is one of the least known techniques being used today, but it can be a powerful weapon with incredible cost savings. Traditionally in EDA, you have to collect

a sample of the client’s data. Now some of the e-discovery solutions available have the ability to go out and look at the data before collection. You can view documents and the relevance of search terms, allowing you to figure out the relevance criteria, prepare for the Rule 26(f) conference and develop a budget, without collecting data. In-place searching can also be leveraged when you don’t know much about

should not be conducted. They are expensive and collect everything on a data source, including computer generated files and other irrelevant data. To be defensible, data collections should include a document’s metadata, and a showing that a chain of custody is maintained (i.e. MD5 hashing). The thing that makes preservation so difficult is that the duty to preserve comes before litigation ever begins.

A recent study found that 60 percent of M&A transactions are closed by text message.

your case and are conducting an investigation prior to litigation, or even during a purely internal investigation. Collecting data is an expensive endeavor, but if you have the ability to index data without having to process it and collect it, the costs are lowered considerably. Negotiating for Proportional Collection Requirements. Once you’ve preserved everything you need to preserve, you can engage in negotiations with the opposing side. Since the updated Federal Rules of Civil Procedure took effect, this process takes place much sooner than in the past. By negotiating about what truly is discoverable, you can define and give guidance about what you are going to collect. You can also use technology to determine the scope of discovery before the Rule 26(f) conference, which can help case strategy in regard to a making a fact-based proportionality argument. Avoiding Over-Engineering Your Collections. In e-discovery you are going to have to collect data, but that doesn’t mean you have to over-think how you collect it. For civil litigation, and when a likelihood of fraud or bad faith activity (e.g. disgruntled employee, etc.) isn’t apparent, bit-by-bit, forensic collections

This is why it’s so important to have a handle on where your data is located, which data types are being used by potential custodians, and the strategies and tools you need to have in place when that duty to preserve is triggered. Add that to the shortened timeframe (90 days) for the Rule 26(f) conference under the new FRCP amendments, and there really is no alternative but to be prepared for preservation before the hint of litigation ever comes up. Because there’s no doubt that, sooner or later, it will. ■

Mike Hamilton is the Director of E-Discovery Programs at Exterro. He has a legal and business background, and he frequently writes and speaks on e-discovery issues and best practices. He is a graduate of the University of Oregon School of Law. michael.hamilton@exterro.com

TODAY’S GENER AL COUNSEL FEB / MAR 2017

E-Discovery

Structured Data

continued from page 19 defensibly, this type of work requires involvement of experienced data analysts. For counsel however, it is important to understand the many formats and options, so they can make strategic decisions about how to best conduct a review. Embrace fielded data. As described earlier, fielded data analyzed from structured databases can provide a wealth of information to target the collection and document review. This type of data targeting is key in defensibly reducing the amount of data that may need to be collected and reviewed. Particularly in cases that require fielded data to be produced to the courts, where the team is already dealing with fielded data, it makes practical sense to leverage it to help tell the back-story. TWO CASES

In the fraud matter mentioned above, our team and others in the firm were tasked with developing an understanding of the details. The client faced deadlines, with intense pressure to provide answers to the court and those impacted by the fraud. Records were recovered from numerous systems, including thousands of backup tapes and microfilm reels across multiple domestic and international

locations. Performing structured data analysis along with other collection and review activities and investigations, we reconstructed hundreds of millions of transactions that could identify indications of fraud and provide evidence needed for recovery efforts. This work led to filing of more than 1,000 lawsuits and repayment of more than $8.8 billion that had been stolen – the largest ever fraud recovery. In another case, the client was required to review customer complaint reports, which were stored in Excel files. By leveraging technology similar to that built for the fraud case, we helped the client display the content from the Excel files in a way that was easier to follow and review for relevancy. This also made it possible for counsel to capture coding decisions made on other parts of the review and apply them to the Excel data. These matters are examples of how vast structured data can be and how great an impact its review can make on the e-discovery process in a high-stakes case. We’ve handled many smaller and less complex cases, with clients that likewise benefitted from structured data review and leveraged it to find critical information. The key is for counsel to remain open minded about when and how structured data should be leveraged, and to begin thinking about it as potentially a practical and critical resource for all matters. ■

View our digital edition D IGI TA L .T OD AY S G E NE R A L C OUN S E L . C OM

Patrick Grobbel is a managing director with FTI Consulting’s Forensic & Litigation Consulting segment, based in Washington, DC. He is a Certified Fraud Examiner who handles all phases of the EDRM lifecycle, including initial evidence assessment, preservation and collections through data review, in regulatory, internal investigations and complex litigation matters. Patrick.Grobbel@fticonsulting.com

Michael Busen is a managing director in the FTI Forensic and Litigation Consulting practice, based in Washington, DC. Focusing on large data sets, he has analyzed transactional records across various industries, performed tracing of financial transactions between bank accounts, developed complex models to identify potential exposure, and assisted in the production of structured data during discovery. MICHAEL.busen@fticonsulting.com

feb / mar 2017 today’s gener al counsel

E-Discovery

Insourcing, International Due Diligence and Data-Culling Today’s General Counsel Q&A with Consilio’s Chris Adams

What are some of the major e-discovery trends to watch for this year?

he movement toward more flexible and adaptive technology is something that seems to be really taking hold with both law firm and corporate clients around the globe. Clients continue to express an interest in working with technologies that offer more simplicity and clarity around analytics and predictive analysis.

For lawyers, this means that it’s important to be able to explain the full e-discovery process to a potentially less technologically sophisticated judge, or even opposing counsel. If lawyers feel like they don’t understand how the technology works, it can be difficult for them to effectively lobby for its use, even where substantial cost reductions can be realized in a case. This puts the onus on e-discovery providers and counselors to provide not just the technology,

but the process and people around that technology. Another major e-discovery trend we see is an increase in insourcing inquiries, and I would expect to see even more of that in the coming year. Insourcing in this context would be when in-house law departments or general counsel want to bring technology or people in-house, but they don’t want to pay for the infrastructure or other associated costs. Rather, they are looking for

today’s gener al counsel feb / mar 2017

E-Discovery

companies to augment their current technology or personnel. It’s a smart move with several benefits. It moves the risk from their side of the ledger, provides immediate scaling to meet needs that can change throughout the year, and makes their overall spend far more predictable. In cases of international M&A, what are some e-discovery issues and challenges? How can companies avoid the risks?

the acquired company is in a different country. Often, we find that this is the area that companies considering an international M&A transaction don’t think through during the merger process, and which turns out to pose substantial downstream risk and costs. Knowing the culture and laws of that country and having a plan to effectively deal with the issues is essential to avoiding this type of post-merger risk. As analytics and predictive coding for review processes have become more common, how are courts and government agencies across international borders accepting – or not accepting – this technology?

nterestingly, the biggest challenges in international M&A occur both at the very front end of the transaction during the due diligence process, and post-merger when companies are going through the transition work to consolihile predictive coding and date operational procedures. analytics have become more On the front end, the key is idenmainstream and better understood in tifying and ameliorating risk through the U.S., we still aren’t seeing a huge more effective due market for predicdiligence, and paying tive coding and particular attention analytics use interIf lawyers feel to different complinationally. This isn’t ance laws in different because agencies like they don’t countries and across and courts refuse to various jurisdictions. embrace the techunderstand how the nology, but rather Unlike in the U.S., you don’t find one set of simply because the technology works, governing laws that technology hasn’t dictate what constibeen widely undertutes risky behavior it can be difficult for stood or utilized in that could impact those regions. an M&A deal. You This trend them to effectively need to know what reflects the smaller raises red flags in one volume of e-discovlobby for its use, country that might be ery matters generpermissible in another. ally compared to To do this, compathe United States. even where nies undertaking an A much smaller international M&A percentage of EU substantial cost cases involve an transaction need to e-discovery compotake a comprehensive reductions can be nent. While there view of the potential is not a great deal compliance issues to realized in a case. of understanding reduce risk early in of the process and the process. Post-merger, the technology that go into predictive coding internationacquiring companies are suddenly conally, there also isn’t great resistance to fronted with all the same transitional it. As long as a company is working challenges that domestic companies diligently to comply with a discovery encounter. This is compounded by both request, agencies and courts aren’t the cultural and legal differences when

necessarily focusing on what technology is being employed to do it. What is the next horizon of e-discovery technology? What are some of the new challenges and/or opportunities that will arise as a result of new technologies?

n terms of downstream e-discovery technology, I don’t see anything on the immediate horizon that will significantly impact the data review process itself. Rather, there seems to be a movement to employ technology to the left side of the EDRM [electronic discovery reference model] spectrum, to significantly impact the volume of data before it reaches data review. This is where we are seeing an increase in spend, investment and attention. We see that clients are hoping that downstream cost reduction will justify the investment of technology to more effectively cull data. However, clients can’t make these decisions in a vacuum. They need to fully understand the costs associated with supporting and deploying these technologies. This is where spend decisions often hit a wall, and where we are often called on to help with the analysis. ■

Chris Adams is a Managing Director at Consilio and leads the company’s Discovery Consulting division. His experience includes advising companies on best practices relating to e-discovery, document management and litigation preparedness. He received his J.D. from the George Mason University Law School. cadams@consilio.com

feb / mar 2017 today’s gener al counsel

E-Discovery

E-Discovery Trends to Watch in 2017 By Michele C.S. Lange reiterated that discovery should be driven by the parties and not micromanaged by the court. If parties cannot agree about scope of discovery, search terms, production formats or other such issues, assume that courts in 2017 will send the disputes back to the parties to attempt to amicably work it out.

erhaps no area of the law is evolving faster than e-discovery. Significant amendments to the Federal Rules of Civil Procedure (FRCP) in late 2015, and then a flood of judicial opinions interpreting the new rules and standards in 2016, have made it difficult for in-house counsel to keep pace. With these challenges in mind, this article looks at five predictions for what inhouse counsel can expect for e-discovery in 2017.

Courts will expect parties to cooperate in discovery. Litigation by nature is adversarial, but when it comes to e-discovery, the case for cooperation

is compelling, given the complicated technical protocols and intersecting roles among inside counsel, law firms and service providers. Furthermore, the FRCP amendments in 2015 made it clear that increased cooperation is required in e-discovery, and counsel have taken this seriously. In fact, in a recent informal poll by KrolLDiscovery, 85 percent of e-discovery professionals surveyed agreed that parties are making more of an effort to cooperate as a result of the amendments. The importance of cooperation was also manifest in some 2016 judicial opinions. In a Pennsylvania case, Pyle v. Selective Ins. Co. of Am., the court

Now more than ever, in-house counsel will need to understand proportionality. The 2015 amendments to the FRCP included a significant change to the scope-of-discovery provisions in Rule 26(b). The long-standing “reasonably calculated to lead to the discovery of admissible evidence” language was removed. The new Rule 26(b)(1) has a set of proportionality factors. They require parties to take into account such things as “the amount in controversy,” “the parties’ resources,” “the importance of the issues at stake in the action,” and “whether the burden or expense outweighs its likely benefit.” At its core, proportionality is a balancing test, ensuring that parties receive the information they need to plead their claims and argue their defenses, but curtailing expensive and time-consuming waste. What does this mean for in-house counsel? Courts are now more likely to say “no” if they conclude a request is designed to burden a party and has relatively little value. Be prepared to argue specifics as to why certain ESI is critical to the case and that your requests are narrowly tailored. While judges may not be able to define proportionality, they recognize it when it is presented to them. Given the proportionality analysis is fact-specific, the job of counsel is to demonstrate to a judge that proportionality is being observed in a particular case. To be successful in gaining access to critical information counsel must see proportionality as a tool and not a

today’s gener al counsel feb / mar 2017

E-Discovery

constraint. For 2017, keep in mind this short, simple analogy from Judge Paul Grewal, formerly of the Northern District of California, in Gilead Sciences v. Merck & Co. Certain requests, he said “would be like requiring GM to produce discovery on Buicks and Chevys in a patent case about Cadillacs simply because all three happen to be cars.”

Cost-splitting or shifting could become a new norm, as a part of proportionality. Under the general concept of proportionality, cost is also an important consideration. If a requesting party makes a potentially burdensome discovery request, be primed to refute claims about how the interest in the evidence outweighs the burden and have cost-shifting arguments ready. Consider, for example, that in one 2016 case from a Washington court (Elkharwily v. Franciscan Health Sys.), the plaintiff wanted to see email that was disproportionately burdensome for the defendant to produce, considering its evidentiary value. The court denied the motion to compel. However, because the data was discoverable, the court did allow the plaintiff access to the data – provided they paid for it, in advance.

When ESI has been lost, counsel will need to be prepared to argue “reasonable steps.” What happens when ESI is lost and cannot be produced to the requesting party? The Federal Rule of Civil Procedure regarding spoliation, remedies and sanctions – Rule 37(e) – was rewritten in 2015 to provide a new guideline for courts evaluating ESI spoliation. Under the amended Rule 37(e), the court should not levy sanctions for spoliation so long as a party took reasonable steps to preserve the evidence. Additionally, for there to be spoliation, the party responsible for the lost evidence needs to have acted with an “intent to deprive” and the information cannot be obtainable by other means. Mere negligence is not enough. Therefore, in 2016, many of the Rule 37(e) cases focused on whether a party took the required “reasonable

steps” or had acted with the requisite bad faith. This was highlighted in Marten Transp., Ltd. v. Plattform Adver., Inc, where an employee’s internet search history was lost due to routine business practices. The court found that the party had taken reasonable steps to preserve evidence, in part because most businesses do not preserve such internet search history. This case sums up the gist of Rule 37(e): The new rule requires “reasonable steps” for preservation, not perfection. Courts have also weighed in on the intent requirement of new Rule 37(e). In Living Color Enters. v. New Era Aquaculture Ltd., a party faced sanctions for failing to turn off auto-delete features on a cell phone, resulting in lost text messages. While the court said that the conduct at hand did not satisfy the requirement of “reasonable steps,” more was needed for sanctions: “[T]he Court does not find any direct evidence of either ‘intent to deprive’ or bad faith… There is nothing nefarious about such a routine practice under the facts presented here.” From this case, we see one of the main Rule 37(e) mandates: Intent matters when it comes to imposing sanctions. Should preservation issues arise, in-house counsel should be prepared to demonstrate good faith efforts.

Savvy counsel will leverage technology to increase document review efficiencies while reducing costs. Manual review of electronic documents is no longer the e-discovery gold standard. Predictive coding will be used increasingly as proportionality cements its place in the legal system. Predictive coding can help cull through vast amounts of data by quickly identifying relevant and responsive documents and making the review process less time consuming. A key driver behind the use of predictive coding is the cost of discovery, and reducing those costs plays into the proportionality requirement of the new Rule 26(b)(1). One reason that some litigation teams in the past avoided predictive coding was lack of explicit approval by courts. However, there is now a growing body of U.S. case law approving its use, and that trend is likely to continue in 2017.

In 2016, two key opinions, Hyles v. New York City and In re Viagra (Sildenafil Citrate) Prods. Liab. Litig., noted the efficiencies associated with predictive coding, but refused to compel or force a party to leverage the technology. Instead, it was reiterated that a responding party is best situated to decide how to search for and produce ESI responsive to a document request. As noted by Magistrate Judge Andrew Peck from the Southern District of New York, in Hyles, someday it may be unreasonable for a party to refuse to use predictive coding, but we are not there yet. Nonetheless, savvy in-house counsel in 2017 will anticipate how technology is changing the way lawyers conduct e-discovery to make it a more efficient process. Predictive coding is now taking its place in legal systems internationally. In March of 2015, its use was approved in Ireland, followed by Britain in 2016. Most recently, Australia had its first predictive coding case. The Australian court approved it, after noting that the massive quantity of documents needing review made the manual process too expensive and referencing case law from Britain, Ireland and the United States. These opinions are no doubt just the start of what we will see in years to come, as both international and domestic courts recognize the value that new technologies bring to discovery. The year 2016 saw major changes in e-discovery standards, and 2017 will build on this momentum. Both law firm and in-house counsel will need to familiarize themselves with evolving rules, case law and standards, as they embrace what technology has to offer. ■

Michele C.S. Lange is the director of thought leadership and industry relations for Kroll Ontrack, an LDiscovery Company. mlange@krollontrack.com

feb / mar 2017 todayâ&#x20AC;&#x2122;s gener al counsel

Intellectual Property

Supplier Agreements Should Include Patent Litigation Protection By Wasif Qureshi

today’s gener al counsel feb / mar 2017

Intellectual Property

efending against a patent infringement lawsuit can be expensive and frustrating. Patent litigation often requires attorneys with not only legal expertise, but also science or engineering backgrounds, thus enabling litigators to charge premium fees. Moreover, although patent cases rarely go to trial, in those cases that reach infringement verdicts, damages routinely extend into the millions of dollars. These expenses and risks, coupled with attendant business disruption, can be particularly surprising for companies hit with a patent suit for the first time. Demands from investors familiar with the perils of patent litigation to expeditiously resolve the suit might add to the headache. This aggravation becomes exacerbated when you realize that despite weak allegations (e.g., the U.S. Patent Office should not have issued the patent because it is invalid, your company clearly does not infringe, or there are no profits from the accused product or

or in some situations not practiced at all – by the accused infringer. For example, I had a regional banking client that was recently sued on a patent covering a method alleged to read EMV “chip card” transactions. But the only thing my client did was solicit its account holders to sign up for credit cards printed with the bank’s insignia. The bank had nothing to do with, nor did they have any knowledge or desire to know about, the chip card transaction process. Yet, the plaintiff claimed my client was liable because the bank benefitted from decreased fraud claims associated with the more secure chip cards. Patent plaintiffs rely on such broad reads of what constitutes patent infringement, however legally or factually deficient, to target unsuspecting small-to-medium sized companies and scare up settlements. Because the vast majority of companies rely in some way or another on some form of technology, from a server and software to serve up a web

having strong indemnification protections. I frequently come across, and am no longer surprised by, companies that fail to include or even propose patent infringement indemnification language in supply agreements. This lack of focus on what basically is a form of built-in insurance further resonates when a company that’s hit with a patent suit acknowledges that they never reviewed the agreement to check on infringement indemnification. Even when a supplier provides a form agreement, it is advisable to carefully review the terms to ensure patent suit indemnification safeguards have been implemented. Many companies agree to supply contracts that expressly disclaim or significantly limit indemnification, contain supplier-friendly “at supplier’s sole option” indemnification language, or are silent on indemnification (in which case there may be common law relief). Too often, companies that did not anticipate or understand the potential

A good portion of the often dozens of patent cases filed daily are brought against non-tech companies. service), litigating to a favorable judgment would take far more time and money than biting the bullet and paying off the plaintiff. Indeed, if the plaintiff is a “non-practicing entity” whose sole business is to license and sue on patents, they may want nothing more than to scoop up a quick settlement check. You might not consider a patent suit an immediate threat due to the nature of your business. However, a good portion of the often dozens of patent cases filed daily are brought against non-tech companies including banks, insurance companies, retail, and even real estate. This is because patent infringement is not limited to those who develop or sell technology. Rather, the law provides that anyone who uses patented technology can be an infringer. That use can result in liability even when only a part of the claimed invention is actually practiced –

page to intricate protocols to facilitate secure communication over the internet, question arises: What can a company to do limit its exposure, especially when the company has no visibility into or need to know the inner workings of a “black box” technology product or service procured from a third party – and when even if it did, the task of analyzing it to assess infringement risk would likely require significant time and money? “BUILT-IN INSURANCE”

One safeguard is to include patent infringement indemnification terms in your supply agreements involving any product or service that could be considered a basis for a patent suit (that range is broad). Unfortunately, in their eagerness to close the deal, customers often overlook or devalue the importance of

of a patent infringement lawsuit will sign these agreements. To avoid having to defend against expensive litigation, insist on patent suit indemnification coverage before moving forward. Better still, in RFPs, include indemnification requirements up front, on your own terms. However, due diligence requires more than the rote inclusion of a patent infringement indemnification provision in your supply agreement. Supplier provided language may include fine print limiting the scope of coverage in situations where the customer, for example, orders a product or service to specification, modifies the procured product or service, uses the product in a manner not intended by the supplier, or buys a product for use in compliance with an industry standard (e.g., USB, Bluetooth). A customer might be surprised to learn

feb / mar 2017 today’s gener al counsel

Intellectual Property that it waived indemnification when it provided the supplier specifications necessary to ensure a working interface between the supplier’s product and the customer’s existing business. At minimum, the customer should seek language that current and future approved purchase/service orders are covered for indemnification under the

distance themselves when they sense a patent suit. Further, over the course of six years, it is not uncommon for a company to change providers of a particular product or service, whereby relationships with past suppliers are lost. While there are numerous suppliers who “step up” when their customers are sued for patent infringement, there are

A supplier might rely on ambiguous language to refuse indemnification based on some use of the product that the customer believed to be customary.

master supply agreement, unless specifically agreed to with respect to particular orders. What counts as unintended or modified use should be clarified. A supplier might rely on ambiguous language to refuse indemnification based on some use of the product that the customer believed to be customary. In many cases, the indemnification language is carried over from older or unrelated agreements, and has not been revised to reflect sale and use of the specific product or service being considered. Thus, it is crucial to dissect any proposed indemnification language and ensure that it is crafted to the particular circumstance. DETAILED RECORDS

It is also important to understand the importance of record-keeping, as a patent plaintiff can seek damages accruing from at least six years before the date of the lawsuit. Have a centralized system for storing supply agreements for extended rolling periods of time. That entails instructing employees responsible for the business relationship with the supplier to ensure that addendums, specifications, etc. pertaining to the master agreement are easily accessible. You could ask a supplier for a copy of an agreement that you cannot locate, but many suppliers have a tendency to

also many who want nothing to do with patent litigation, even at the expense of losing a customer. The supplier might be unfamiliar with patent litigation, or intimidated by it – or it might want to stay away because it fully understands the risks. A supplier also might be concerned about its identity being disclosed, leaving it vulnerable to becoming a target of the patent plaintiff. It might not want to set precedent by contributing even nuisance-value dollars to settle for just one customer, because a license to cover all its customers would be costprohibitive. Notwithstanding the importance of having strong infringement indemnification protections, a company hit with a patent suit should not give up when it finds no contractual protection. I have been in a number of situations where my clients’ suppliers, despite no written indemnification obligation, agreed to assist with patent litigation, obtain a license for the customer, and/or take over defense of the lawsuit. Those suppliers have typically been large corporations who are no strangers to patent lawsuits, who have budgets to afford protracted litigation or challenge the validity of asserted patents at the Patent Office, have access to patent acquisition networks which can take patents off the lawsuit market, and/or have particular leverage

to license or outright purchase a suedupon patent at value not attainable by smaller companies. But such good will, even when a customer believes it has leverage because it pays significant dollars to the supplier, should not be assumed. To reduce uncertainty in the face of a patent suit, it is in the customer’s interest to have a clear written agreement that the supplier is required to relieve the customer when use of the product or service precipitates an infringement suit against the customer. Having clear indemnification terms also lessens the likelihood of a dispute arising between supplier and customer, which could otherwise lead to its own litigation, or at minimum a damaged relationship possibly impacting the customer’s business. These suggestions are particularly important for small to medium-sized nontech companies who do not anticipate patent suits because of the size or nature of their business, who may have little or no experience with patent lawsuits, or where a patent suit could severely impact the company’s operations. ■

Wasif Qureshi is a patent attorney and partner in the Houston office of Jackson Walker LLP. He represents and counsels businesses, from start-ups to Fortune 100 and other worldwide companies, in various types of IP legal matters. His primary practice involves patent litigation, but he also routinely assists companies with diligence and product clearances, licensing, U.S. Patent office proceedings, and best practices for protecting intellectual property. wqureshi@jw.com

Database Marketing for Lead Generation With over 220,000 names, the TGC database enables marketers an unmatched array of choices to send out co-branded emails with content of their own choosing to several desirable segments within the database.

T O D AY S G E N E R A L C O U N S E L . C O M /A D V E R T I S E

feb / mar 2017 today’s gener al counsel

Cybersecurity

Get Ready for More Cyber Litigation By Kenneth N. Rashbaum

he Great Recession of 20072009 caused a precipitous drop in litigation. Court filings fell dramatically, as the costs of litigation, including discovery of digital evidence, discouraged parties from litigating. Layoffs hit many judicial districts around the country. As a consequence, legal spend for litigation diminished. That is about to change, and it may be advisable to begin marshaling evidence for an increase in the legal department budget. As organizations and individuals become discouraged by the relative lack of government protection against hackers, they are poised to turn to the courts to redress costly cyber attacks and data breaches. In 2016 we saw enhanced enforcement of existing cybersecurity protections by agencies including the Federal Trade Commission, the Office for Civil Rights (OCR) and the Financial Industry Regulatory Authority (FINRA). Cybersecurity enforcement shows little signs of abating, as the public appears to have little tolerance for breaches of healthcare data or attacks on organizations that hold corporate and private funds, and the recent presidential

election is unlikely to discourage cyber litigation or regulatory activity. Regulatory proceedings and litigation is likely to increase in the following areas: Shareholder Derivative Actions Following Massive Data Breaches. The Business Judgment Rule, by which corporate directors are protected from the consequences of their decisions if those decisions are made in the best interests of the corporation, has been eroding since a 2006 Delaware derivative lawsuit over the termination bonus given to Michael Ovitz (In re Walt Disney Litigation). The court dismissed the complaint, but in doing so promulgated several qualifications to what had previously been considered an unconditional defense. The U.S. District Court for the District of New Jersey, in Palkon v. Holmes, further qualified the Rule with regard to derivative actions arising from massive data breaches. While that court also dismissed the complaint, it did so because the Wyndham Worldwide board had taken steps the court believed appropriate and warranted

under the Business Judgment Rule. Those included retention of experts, documented discussions of information controls, documented advice of counsel and actions to investigate the breach. Palkon stands for the proposition that directors will not get the benefit of the Business Judgment Rule unless they take the steps indicated in the opinion. The Rule, then, is not absolute. Its protections must be earned, by documented actions. The Delaware Court of Chancery in October, 2016 may have provided incentive for more such claims. In Reiter v. Fairbank, the court considered and dismissed an action based on the inaction of a board to deal with what appeared to be “red flags” indicating money laundering activities. Citing Disney, where the court held that “intentional dereliction of duty” or “conscious disregard of one’s responsibilities” could be evidence of bad faith, the Reiter court found that the directors’ conduct did not meet that standard. Yet, the court left open the possibility of a derivative action where there is clear evidence of board action, or inaction, that violates cybersecurity laws or regulations, or where a board utterly fails to implement systems or controls over electronic information safeguards in violation of law. Forty-seven states have some form of breach notification or other cybersecurity law, and information safeguards are abundant in regulations governing the life sciences and financial services industries. Given the increasing reliance on digital assets and the advancing sophistication and frequency of cyber attacks, it is only a matter of time before a court permits an action against corporate directors stemming from a massive data breach to go beyond the dismissal motion stage. State Privacy and Cybersecurity Law. Federal privacy law does not preempt state laws that are more strict. The

today’s gener al counsel feb / mar 2017

Cybersecurity

television network ESPN learned an expensive lesson about this when it was sued under common law and a Florida privacy statute over its broadcast of information concerning injuries suffered by New York Giants defensive end Jason Pierre-Paul in a fireworks accident. Pierre-Paul’s hospital records were photographed and sent to ESPN, which then broadcast information regarding the extent of the injuries and Pierre-Paul’s treatment. In August of last year the federal court, in PierrePaul v. ESPN in the Southern District of Florida, denied a motion to dismiss, holding that under state law the patient’s authorization was required for such disclosures. The Connecticut Supreme Court, 2014, tied federal law to state litigation when it ruled, in Byrne v. Avery Center for Obstetrics and Gynecology, that HIPAA could be a standard of care in an action alleging violation of state statutory or common law on privacy. Similarly, a 2016 class action concerning the breach of health information from Anthem Inc. was allowed to proceed under New York and California consumer laws. As breaches of health information increase, expect more state litigation alleging failures to meet standards of care with regard to state statutory or common law. Class Certifications For Data Breach Class Actions. Related to the plethora of large data breaches, a trend may be emerging to permit class certification where the class members do not appear to have sustained a discernible concrete injury, or there is little commonality among the damages sustained by class members. The Supreme Court, in remanding Spokeo v. Robins to the Ninth Circuit to ascertain the existence of “concrete injury,” cautioned that “concrete” is not synonymous with “tangible,” and that “real risk of harm can satisfy the requirement of concreteness.” The Northern District of California, in the In re Anthem, Inc. Data Breach Litigation class action that predated Spokeo, ruled that loss of personally

identifiable information, by itself, was a loss that was compensable and that created commonality, without regard to proof of mathematically-deducible individualized damages. Regulatory Proceedings under FINRA. Following a relatively long period of quiescence, the Financial Industry Regulatory Authority has awakened to the realities of the potential damage from cyber attackers on broker-dealer funds. In October of 2016, a settlement of $650,000 in a penalty proceeding involving Lincoln Financial Securities was announced. The settlement was significant for the amount, but also because the basis of the FINRA proceeding was a breach by Lincoln’s cloud services provider. Among the allegations in the FINRA complaint were that Lincoln did not properly monitor its cloud provider for cybersecurity protection, and that it failed to obtain sufficient assurances before it provided financial information to the provider. FINRA’s new enforcement posture, then, will look at information protections for the covered entity, but also the organization’s due diligence and monitoring of third parties to whom financial information is sent and with whom it is stored and used. Regulatory Proceedings under HIPAA and the Office for Civil Rights. Healthcare information breaches rose at an alarming rate in 2016. The Office for Civil Rights has taken an especially aggressive stance, with penalty settlements reaching record levels. The OCR announced a new HIPAA penalty settlement almost every month last year. These included proceedings for failures to monitor third-party vendors (for $5.5 million); failures to monitor and maintain firewalls; neglect of provided security patches; and an action against a hospital system for failure to have a required contract, known as a HIPAA Business Associate Agreement, that resulted in a $650,000 settlement. It is noteworthy that some of these settlements involved small numbers of compromised records. Indeed, Jocelyn Samuels, Director of OCR, recently

announced that her office would institute more proceedings against covered entities where a smaller number of patient records was involved. Expect more vigorous enforcement activity from OCR in 2017. Legal Malpractice. A Complaint filed in the Supreme Court of the State of New York in Millard v. Doran alleges departures from professional standards of care and breaches of fiduciary duty in maintaining an attorney’s website on AOL, and in failing to take reasonable security precautions to prevent unauthorized access to the client’s data. The claim arose from a spoof email, in which attackers gained access to attorney Doran’s computer and sent a false email to her clients, who were purchasers of a condominium in Manhattan. The spoof required them to email a deposit of $1.9 million to false credentials. (Incredibly, law enforcement was able to recoup all but $175,000 of the misdirected funds.) The claim serves as a reminder that in 2017, the duty to maintain good stewardship over client funds, as well as client information, requires a base level of technical knowledge and implementation of safeguards. It’s clear that whether at the sole practitioner, law department or corporate board level, without a high level of cybersecurity based on best practices, the likelihood of costly litigation is increasing. ■

Kenneth N. Rashbaum is a partner at Barton LLP. He advises multinational corporations and healthcare organizations in the areas of privacy, cybersecurity and e-discovery. He is an Adjunct Professor of Law at Fordham University School of Law and formerly was on the Adjunct Faculty at the Maurice A. Deane School of Law at Hofstra University. krashbaum@bartonesq.com

FEB / MAR 2017 TODAYâ&#x20AC;&#x2122;S GENER AL COUNSEL

Cybersecurity

Five Common Misconceptions About Cybersecurity By Saad Gul

n-house attorneys at companies large and small are for the most part aware of cyber-risks and compliance requirements. It would be hard not to be. A recent study determined that a third of corporate in-house counsel have dealt with a data breach firsthand. As far back as 2014, a survey by the Association of Corporate Counsel found that nearly 80 percent of

respondents listed security breaches, information privacy and data protection as top concerns. This article addresses those concerns â&#x20AC;&#x201C; not indicting counsel for any lack of awareness of cybersecurity risks, but looking instead to educate about certain misconceptions that make successful cybersecurity and compliance harder. It identifies five of the most

common issues I have come across in my practice, the pitfalls they can lead to, and potential approaches to resolving them. FATALISM

The first of the misconceptions is that cybersecurity risks cannot all be addressed. In short, that the challenge is too hard. This leads to a sense of

today’s gener al counsel feb / mar 2017

Cybersecurity

fatalism, a belief that some sort of cyber-apocalypse is at hand. Even before the recent parade of cyber-wrecks, former FBI director Robert Mueller famously stated that there were only two types of companies: those that have been hacked, and those that would be hacked. This sense of crisis generates a sense of resignation, a suspicion that companies in general, and in-house attorneys in particular, can do nothing.

a basic security and privacy plan thus pays disproportionate dividends. Is the company vulnerable because an individual failed to upload a patch that would have plugged a known gap? An established security plan, audited regularly for compliance, would automatically remedy this. Such plans are increasingly mandated by regulators, ranging from FINRA to the New York State Department of Financial Services. Since

to complete a rumored acquisition of online advertising intermediary InMobi to an FTC settlement concerning the latter’s compliance with the Children’s Online Privacy Protection Act. Regulators have imposed significant cybersecurity compliance requirements on many industries, such as utilities and defense contractors. New York’s proposed cybersecurity regulations for financial institutions are a sign of the

Few companies face an implacable deep-pocketed foe. Virtually all hacked companies are targets of opportunity.

In-house attorneys went to law school. They know the law, but not the detailed nuances of information technology. If the NSA, with its highly classified tools and ultra-savvy personnel is not immune, what chance do attorneys have to change that? The answer is they have a good chance, for two reasons. First, while it is true that the most formidable firewalls and security measures will not stop a fanatically committed and resourceful attacker, few companies face such an implacable deep-pocketed foe. Virtually all hacked companies are targets of opportunity. Hackers typically use bots to scan random systems and identify vulnerability. Once they detect a vulnerability, they can decide whether to exploit it. Second, by far the single leading cause of breaches is human error. Somewhere in the organization, a person or persons failed to follow a protocol that could have averted disaster. Even the NSA’s Shadow Broker leak, which resulted in the loss of some of the crown jewels of communication intelligence, stemmed from an apparent operator oversight. Known vulnerabilities can be mitigated and human errors can be reduced. In cyber-compliance, a problem identified is often a problem rectified. Studies have found that developing and implementing

the plans are a regulatory requirement, in-house counsel have an indispensable role to play in their development, adoption, and enforcement. NOT JUST A TECH PROBLEM

The second misconception is that cybersecurity is an information technology issue. After all, the attackers are IT specialists outside the organization, right? The logical conclusion is that the entity’s own defenders should be technology specialists inside the organization. At one level this is correct. The immediate defense against a cyber-incident is an IT management matter. So are certain procedures and responsibilities in an attack’s aftermath. The problem with this mindset, however, is that security breaches are only one potential cyber-hazard. Moreover, even breaches have long, and short term impacts. Data security and privacy issues present legal problems quite apart from the technical ones. They have significant legal and business-level repercussions. The fallout from recent major breaches has made this clear. Top executives at high-profile companies such as Sony and Target have stepped down in the wake of a hack. A single breach at Anthem has cost hundreds of millions. In another case, the trade press attributed Microsoft’s failure

regulatory climate. There is a prevailing political perception that companies can no longer be entrusted with determining their own security procedures. Moreover, M&A due diligence processes increasingly require warranties on cybersecurity issues. At the time this was written, experts were debating the potential impact of the Yahoo data breach on Verizon’s proposed acquisition. These concerns require the active participation of in-house legal personnel in counseling different sections of the organization to ensure that no issues slip through the cracks. RISK TRANSFER IS RISKY

A third myth is that insurance is the silver bullet that can handle it all. Like all myths, this has an element of validity. Cybersecurity coverage has in recent years been a growth area in an industry that is eager for growth. A large number of policies are now on the market, and offerings continue to proliferate. But risk transfer is a dangerous approach if organizations rely on it too much. The array of available insurance options leads to a false sense of security and a conviction that the right policy will be a panacea for all problems. The problem is that policies vary widely. There is no average policy and no average risk profile. An organization’s continued on page 39

feb / mar 2017 today’s gener al counsel

Cybersecurity

The FTC’s Strong Hand in Cyber-Privacy Cases By Christine Peek and Neda Shakoori

n order to protect consumers from unfair or deceptive acts and practices, the Federal Trade Commission has authority to investigate and bring enforcement actions against companies alleged to have engaged in unlawful activity that falls within its jurisdiction. Because the robust body of law created by FTC enforcement actions provides more detailed guidance than the relatively minimal body of judicial opinions, companies must read and heed FTC rules, standards and decisions to understand their regulatory compliance obligations and minimize any associated costs. The vast majority of FTC enforcement actions are resolved through settlement and the entry of a consent order, in which the company agrees to abide by negotiated conditions. In most consumer protection cases the

take steps not only to avoid becoming the subject of a consent order, but also to evaluate their long-term ability to comply with any final order that may be entered. To illustrate these points, we briefly review the FTC’s enforcement authority against “unfair” or “deceptive” acts and practices, and examine recent pre-and post-settlement enforcement actions. ENFORCEMENT AUTHORITY

If the FTC has reason to believe the law is being violated, or has been violated, it may initiate an enforcement action by issuing an administrative complaint, or by asking a court to issue a temporary restraining order or preliminary injunction, even before it issues a complaint. In the latter case, assuming the FTC does issue a complaint, it may also seek a permanent injunction from the court.

If the respondent chooses to contest the charges, the complaint is first adjudicated before an administrative law judge rather than a trial court. The ALJ is charged with recommending either the entry of a cease and desist order, or dismissal of the complaint. The decision may be appealed to the full Commission, which will issue a final decision and order. In turn, the FTC’s final decision and order may be reviewed by any appellate court within whose jurisdiction the respondent conducts business, resides, or where the challenged practice was employed. RECENT ENFORCEMENT ACTIONS

Recent high profile cases have involved enforcement against companies for failing to take reasonable measures to ensure the security of consumers’ sensitive information, or for failing to

Because consent orders often last as long as 20 years, a “settlement” does not signal an end to the enforcement proceedings, but rather the next phase. FTC lacks authority to fine companies absent a consent order, but it does have authority to fine companies in contempt actions for violating a consent order. Until recently, the maximum civil penalty for violating such orders was $16,000 “per violation.” But in 2016 the FTC announced a rule change that increased the maximum penalty to $40,000 per violation. The new maximum penalties took effect on August 1, 2016. Because consent orders often last as long as 20 years, a “settlement” does not signal an end to the enforcement proceedings, but rather the next phase. With the increased penalties, it is more important than ever for companies to

Once the Commission has issued a final cease and desist order, it may also bring a civil action to redress injury to consumers from an unfair or deceptive act or practice, and it may seek relief such as rescission or reformation of contracts, refund of money or return of property, damages, and public notification of the unfair or deceptive act or practice. In response to an administrative complaint, the respondent can contest the allegations, or settle by consenting to a final order without admitting liability. If the respondent agrees to a consent order, the order is placed in the public record for thirty days in order to allow for public comment prior to final entry.

provide accurate information about their security practices to consumers. LabMD, Inc. was a contested administrative enforcement action in which the FTC alleged that LabMD, a laboratory that performed cancer-detecting services for doctors, engaged in unfair acts or practices by failing to use reasonable measures to prevent unauthorized access to personal information, including dates of birth, social security numbers, medical test codes and health information. In particular, the FTC alleged LabMD’s lax security practices exposed the sensitive medical information of 9,300 consumers over a peer-to-peer file-sharing network. The administrative proceedings concluded with a July, 2016, Opinion and

today’s gener al counsel feb / mar 2017

Cybersecurity

Final Order that imposed on LabMD a number of requirements, including that it notify affected consumers, establish a comprehensive information security program, and obtain independent assessments regarding implementation of the information security program. The FTC’s Final Order would have remained in effect for 20 years. However, having ceased operations, and relying on pro bono counsel, LabMD exercised

its right to appeal the FTC’s final ruling, and asked the Eleventh Circuit to stay the FTC’s order pending appeal. The Eleventh Circuit found the FTC’s interpretation of its own standard of proof on the first prong of the unfairness test – “that the act or practice is ... unfair if it causes or is likely to cause substantial injury to consumers” – was unreasonable, and it granted a stay. The court further found the cost of

complying with the FTC’s Final Order would irreparably harm LabMD, given its “bleak” financial outlook, and there was no risk of a data breach given LabMD’s nonoperational status. The appeal remains pending. In ASUSTeK Computer Inc., the FTC alleged that ASUSTeK’s routers and “cloud features” that allowed customers to remotely access files on USB storage devices included multiple security

feb / mar 2017 today’s gener al counsel

Cybersecurity

vulnerabilities, and that ASUSTeK falsely represented that it acted reasonably to secure its products. Without admitting or denying these allegations, ASUSTeK agreed to the entry of a 20-year consent order requiring it: (1) not to make further misrepresentations, (2) to implement a comprehensive security program, (3) to obtain independent assessments from qualified thirdparty professionals regarding implementation of the security program and (4) to notify consumers of security updates and steps to mitigate security flaws, in addition to common record-keeping, compliance reporting and other notification requirements. In Practice Fusion, Inc., the FTC alleged deceptive acts and practices when Practice Fusion failed to adequately disclose that consumer responses to a satisfaction survey, many of which contained sensitive medical and identifying information, would be published on Practice Fusion’s website. Without admitting or denying these allegations, Practice Fusion agreed to the entry of a 20-year consent order providing, among other things, that the company (1) must not make misrepresentations regarding the extent to which it protects sensitive information, (2) must notify consumers through clear and conspicuous disclosure when their information is being made publicly available, and obtain affirmative express consent, and (3) must not maintain or publicly display any healthcare provider review information, except for use by healthcare provider customers or their agents, or as required by law. POST-SETTLEMENT ENFORCEMENT ACTIONS

In August, 2012, the DOJ initiated a civil action against Google on behalf of the FTC, to enforce a consent order settling the FTC’s allegations that Google had misled consumers in connection with the launch of its social networking tool, Google Buzz. Among other things, the consent order prohibited Google from misrepresenting the extent to which it protected certain user information. The DOJ alleged that Google told users of Apple’s Safari browser that they

did not need to change their default settings to opt out of Google’s DoubleClick Advertising Cookie, when in fact, Google placed the DoubleClick Advertising Cookie on the browsers of Safari users who had not changed their default settings. The DOJ sought civil penalties of up to $16,000 for each misrepresentation. To resolve these and other allegations, Google and the DOJ entered into a Stipulated Order for Permanent Injunction and Civil Penalty Judgment, approved by the court in November of 2012. Google agreed to pay a civil penalty of $22.5 million, maintain systems that delete Google cookies from Safari browsers, and report on its compliance efforts to the FTC, all without admitting liability. The FTC initiated a contempt action against Lifelock, Inc. in July of 2015, for violation of a permanent injunction enjoining it from misrepresenting the nature of its identity theft protection service, or the manner or extent to which it protected consumers’ personal information. Under a 2010 injunction, Lifelock also was to implement a comprehensive information security program, and create and retain records necessary to evaluate its compliance. The FTC alleged that Lifelock failed to comply with the Permanent Injunction and falsely claimed it protected consumers’ identity by providing alerts “as soon as” it received any indication there was a problem. Without admitting or denying these allegations, Lifelock agreed to settle them through entry of a modified permanent injunction. Significantly, the terms of the modified injunction included a $100 million judgment against Lifelock for equitable monetary relief. The modified injunction also subjected Lifelock to compliance monitoring requirements, including the requirement that Lifelock submit reports sworn under penalty of perjury, appear for deposition, and allow access during normal business hours to inspect business operations, all within fourteen days of receipt of written notice from the FTC. According to an FTC press release, the Lifelock settlement gave the FTC

the largest monetary award it has obtained to date in an order enforcement action. However, the FTC’s actions were not without controversy. Commissioner Maureen K. Ohlhausen issued a dissenting statement, in which she opined that the record “lacks clear and convincing evidence that LifeLock failed to establish and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of consumers’ personal information.” As illustrated by the FTC’s enforcement proceedings against Google and Lifelock, entry of a consent order or stipulated judgment does not end the FTC’s enforcement proceedings. Rather, it begins a new phase. In light of the increased penalties, the stakes for companies contemplating settlements with the FTC have increased as well. ■

Christine Peek is a partner at McManis Faulkner. Her practice emphasizes business and constitutional litigation, including privacy claims, contract disputes, unfair competition, fraud, trade secret misappropriation and other business torts. cpeek@mcmanislaw.com

Neda Shakoori is a senior associate at McManis Faulkner. She established and now leads the firm’s E-discovery and Technology practice. She provides counseling, management, and oversight on all e-discovery, data privacy and cybersecurity matters. nshakoori@mcmanislaw.com

today’s gener al counsel feb / mar 2017

Cybersecurity

Cyber Misconceptions continued from page 35

preferred policy may have exclusions or riders that do not suit the business context. Do the occurrence and retention limits make sense, for example? Assume a breach has exposed the records of 5000 customers. Is each loss to be considered a separate occurrence? If so, the selfinsured retention may mean that the policy coverage is never triggered. Moreover, the most significant risks may not be covered by the policy. A retailer facing a point-of-sale breach may have contractual obligations to

users, they can cripple operations. Users develop their own work-arounds – internal “hacks” – that can create new hazards. The prototypical example is the New York investment brokerage that was recently fined for a breach. Its rigid internal controls made it difficult for an employee to access the information to do his job, so that employee copied data to a personal database to generate reports. The defenses on his personal machine were weaker than those of his employer, and the defenses were breached. The lesson is that an organization’s cybersecurity plan must reflect the reality of business needs and processes.

Internal controls made it difficult for an employee to access the information to do his job, so that employee copied data to a personal database.

reimburse credit card providers. But most policies exclude coverage for such contractual obligations. The solution is simple. In-house counsel must assess the entire enterprise-wide operation for potential cybersecurity risks. Having identified and quantified the risks, including potential mitigation measures, the company is aware of its institutional exposure. In-house counsel can then evaluate and compare different proposed policies to ascertain which is the appropriate fit given the company’s risk posture. The fourth misconception is one of control – that is, the belief that if a business can develop and enforce sufficiently stringent data processing practices, it can take itself out of the risk zone. If access can be sufficiently restricted, if data is sufficiently limited and if databases are sufficiently encrypted, then security is assured. As in-house lawyers know, however, even if such plans can be developed and implemented over the howls of

This inevitably means balancing operational needs with security demands, compliance requirements and risk mitigation. A plan may not be perfect, but it will be realistic. An imperfect plan that is followed is worth ten perfect plans that gather dust in cabinets. Speaking of dusty plans, the fifth misconception is the myth of stasis, or the permanent plan. Many companies have devoted so many resources to hammering out a cybersecurity plan that they balk at the prospect of reopening and revising it. That view is understandable. In-house counsel often consider their plan a miracle and a masterpiece. After all, it somehow emerged from a protracted process and gained the grudging acceptance, if not applause, of every stakeholder: operations, IT and legal. The plan addresses risk, privacy, security, and compliance issues. Resistance to revisiting contentious issues is understandable, but it is also a mistake. Every business evolves. This entails change at every level: in operations, in the regulatory regime, in computer

systems. The compound effect of these changes is that the “perfect” plan is frequently out of date. Absent constant revision, the company will end up with plans that look good on paper but are increasingly disconnected from the reality of operations. If disaster strikes, counsel can expect regulators and future opposing counsel to focus on the gap between this reality and the letter of the plan. I have seen documents that referred to systems, products and processes that had been discontinued a decade ago. The solution is clear if painful. The general counsel must incorporate a process of periodic revision into the plan. This process would ensure that key personnel from IT, business units, and legal meet on a regular schedule to review the plans. If the plan and operations do not align, then one or the other must be modified until they do. In summary, cybersecurity risk is like other risks faced by organizations. It requires steadfast attention to current and potential issues. Proactive compliance monitoring is critical, as is having legal and risk management measures in place. Inside counsel play a key role, not simply in addressing breaches when they occur, but also in articulating the risks, establishing protocols and enforcing compliance. Being aware of these five misconceptions and planning how best to address the challenges they present is a vital first step. ■

Saad Gul, a partner at Poyner Spruill LLP, advises clients on a wide range of privacy, data security and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications and breach obligations. He was formerly an IT consultant, and is currently a member of the Cyber Security Task Force of the U.S. Chamber of Commerce. sgul@poynerspruill.com

feb / mar 2017 today’s gener al counsel

Cybersecurity

Spymail, a Little-Known Risk for Attorneys and Firms By Paul Everton and Chad Gilles

ttorneys are no strangers to risk. But in the midst of managing the modern legal department, most are overlooking one big risk: their email. We are finding that about 10 percent of non-spam business emails are spymail. That means it contains hidden tracking code that relays details about the recipient’s interactions with the email (such as when and where the email was opened and forwarded) back to the sender. In the wrong hands, this kind of intelligence can expose any business to a range of legal, privacy and security risks. For legal departments, it can be especially damaging. Attorneys, like most professionals these days, rely on email. From navigating the discovery process to collaborating with colleagues, to exchanging contracts and case documents, email is to the modern organization what file cabinets were to their predecessors. But email poses many risks. WHAT IS SPYMAIL?

Spymail is not spam, and it’s not conventional “spyware.” By design, spymail

is hidden from the recipient. Using concealed tracking code, spymail gives senders visibility into if, when, and how many times an email was opened, whether it was forwarded, and even the physical location and device from which it was opened. Spymail (and its consequences) earned mainstream attention more than a decade ago when it was revealed that Hewlett-Packard used spymail to identify a journalist’s confidential source. Back then, implementing spymail was technologically challenging and feasible only for a large enterprise such as HP. Now there are dozens of spymail tools that cost just a few dollars and install in seconds. According to one report, the amount of spymail has grown nearly 300 percent over the last three years. While most of these senders do not have ill intentions, the reality is that many are using spymail for nefarious purposes. Spymail is not just spam, which simply defined is any email that is not wanted by the recipient. Most email

providers use a spam filter that blocks the vast majority of spam before it reaches user inboxes. While some spam that does reach user inboxes is spymail, many emails that attorneys want to receive from clients, opposing parties, witnesses, and others, are also spymail. Spymail is also not the same as “spyware,” as the term is commonly used. Spyware in the conventional sense is software that must be installed on a device and then secretly runs in the background to collect information. Conventional anti-spyware tools thus typically look for malicious code installed on the device. Spymail does not require anything to be installed on the computer. The tracking code dwells entirely within the email. The sender doesn’t have to trick you into clicking any links or opening any attachments. Simply opening the email is all it takes to reveal your sensitive information. INCREASINGLY VULNERABLE TARGET

Unlike most professionals, attorneys face regulatory pressure to understand the risks associated with any technology they use, and to make efforts to mitigate those risks. In 2012, the American Bar Association amended its Model Rules of Conduct to emphasize the importance of monitoring trends in legal technology. Under the adjusted Model Rule 1.1, lawyers are expected to “have a basic understanding of the benefits and risks of relevant technology.” The ABA also expanded Model Rule 1.6., insisting that lawyers “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to” client information. Despite these standards, most attorneys say their organizations lack the requisite IT policies and defenses to govern technology use. In 2015, less than half of attorneys said their firms had a program in place to regulate

today’s gener al counsel feb / mar 2017

Cybersecurity

email use, and only 28 percent said their firms had a plan in place to respond to a data breach. When it comes to email, these shortcomings are even more glaring. Most legal departments and law firms are making no effort at all to prevent the inadvertent disclosure of confidential client information via spymail. Some firms have already had to deal with fallout from their lax stance on cybersecurity and poor email habits. In 2011, the FBI began warning law firms about the potential for targeted cyberattacks. Earlier this year, it was revealed that Russian cybercriminals had aimed malicious efforts at nearly 50 major law firms. In March, Cravath, Swaine & Moore and Weil, Gotshal & Manges confirmed that their IT systems were breached in 2015. One reason corporate legal departments and law firms are attractive targets for cybercriminals is that, perhaps more than any other profession, they are in possession of confidential information that can be sold or used for insider trading, blackmail and other malign purposes. Having a weak IT security posture makes it easy for this data to slip through the cracks undetected until the damage has been done. Due to the sensitive nature of almost every communication sent by legal department staff, spymail can have a direct effect on litigation, industry compliance, and client relationships. To take one scenario, attorneys frequently receive emails from senders who are, or who may become, adverse parties. Attorneys do not want these senders to have visibility into when and where those emails are read or forwarded. If, for instance, an adverse party sees where one of its emails was forwarded, it may be able to use that information to determine who are clients or witnesses, what documents to request for discovery and who to request them from, who to depose and who to add as additional defendants. This not only gives the opposition the upper hand in negotiations and litigation, it jeopardizes client trust, opening organizations to reputational damage, a malpractice suit and potentially a class action lawsuit.

Spymail also throws a new wrench into a current litigation trend, the patent infringement lawsuit. In the hands of patent trolls, spymail can help identify potential defendants, and help prove those defendants had prior knowledge of the patent. With spymail “open notifications” now admissible in court, data extracted via spymail could be what is needed for a finding of willful infringement and treble damages. STEPS TO PROTECT AGAINST SPYMAIL

Risks aside, email will always be more efficient than playing phone tag or running between in-person meetings. It’s unrealistic for corporate legal departments to banish email entirely, but they can and should take steps to be smart about how they use it. Protecting corporate attorneys and their clients against spymail demands more than a “be careful” policy. Organizations need a multi-pronged approach that combines technology, education, and process improvements to counter inbox espionage. Here are three ways to start:

Make training a priority. The onus falls on legal department leaders, in conjunction with IT managers, to make sure attorneys are fluent in email security practices and vigilant in guarding against the dangers email can pose. Instituting regular training sessions, not just during onboarding, and developing educational resources can raise attorney awareness of threats to watch for and bad habits to avoid. Because legal departments and law firms are such lucrative targets, they cannot afford to be ignorant of spymail and the risks it presents. Don’t leave IT in the dark. Though attorneys need to be well versed in safe use of email, cybersecurity isn’t their primary responsibility. To successfully confront spymail, legal operations professionals overseeing legal department functions, from IT strategy to vendor management, need to become liaisons between their teams and corporate IT leaders. Collaborating directly with the IT department ensures that prospective email security providers are properly vetted, and that any new tool doesn’t

interfere with attorneys’ existing workflow. Make sure your cyber-security tools are up to the task. Attorneys often falsely assume that corporate spam filters and anti-virus tools will keep them safe from all types of attacks that may show up in their inbox. In truth, this age of targeted threats requires targeted security solutions. Legal departments should demand their company have software specifically designed for protecting against the latest threats. For the most secure companies, this will include antispymail and anti-phishing software, in addition to the conventional anti-spam and anti-virus tools. As the cybersecurity threat landscape matures and the techniques of bad actors become more sophisticated, it’s easy to underestimate the danger email presents. Given the financial and reputational havoc spymail can inflict on an organization, legal teams need to start taking their inbox blind spots seriously. ■

Paul Everton is the founder and CEO of MailControl. Prior to launching MailControl, he founded Chicagobased startups Yapmo and Visible Vote. paul.everton@mailcontrol.net

Chad Gilles is the marketing manager of MailControl. He previously served as a patent attorney and technical specialist at McAndrews, Held & Malloy. chad.gilles@mailcontrol.net

feb / mar 2017 today’s gener al counsel

Cybersecurity

Three Expert Lessons About Digital Threats By Philip Favro

hat are the common gateways to cyber attacks? What steps can an organization take to address personal cloud applications and other potential digital age threats? What are the risks associated with the Internet of Things (IoT)? These were just a few of the questions that a panel of legal technology experts considered last October, at Relativity Fest 2016. The panelists included Judy Selby, managing director of technology advisory services for BDO Consulting; Darin Sands, who chairs the data security and e-discovery practice groups at Lane

Powell PC; and Donald Billings, manager of litigation and practice support at Sidley Austin. In response to these and other key questions, the panel came up with these three important lessons:

Information security should be a collaborative discipline. There is a growing need for organizations to strengthen security measures as part of their overall information governance plan. Businesses, regardless of the nature of their enterprise, should explore holistic strategies for securing their corporate

network and proprietary information. “Information security is not just an IT problem,” as Judy Selby put it. “The collaboration needs to go beyond IT and legal teams to holistically address cybersecurity.” That means information security should not be isolated within the legal or information technology departments. Instead, security professionals, business units and company executives should be jointly involved to ensure that a culture of security is established. IT experts must be in place to manage the technical side of security, with in-house counsel

today’s gener al counsel feb / mar 2017

Cybersecurity

offering guidance on the regulatory and legal implications of strong (or weak) information security. Beyond these traditional information governance stakeholders, key business leaders should also be involved, in order to ensure security measures address the needs of their respective business units and teams. Once this collaborative process is established, a company can develop appropriate security measures.

currently generate more than $613 billion of profits annually from IoT devices.

IT experts must be in

Don’t underestimate the risks of personal cloud applications. Cloud applications are increasingly common in the business world, including, in particular, consumer-grade clouds, which have proliferated. Employees are frequently using cloud applications, despite specific policies to the contrary. While shadow cloud use can certainly cause mischief, organizations that have designed a “bring your own cloud” (BYOC) policy may be begging for trouble. BYOC policies are difficult to audit and enforce. Even when companysanctioned personal cloud applications are used, organizations may be unable to monitor what data employees are storing in these applications. “With BYOC policies, you don’t have control over data when employees leave,” Darin Sands noted. Equally troubling, organizations may not even know what data has been removed. All of this can leave a gaping hole in the company’s security plan.

place to manage the

BEST PRACTICES

Address IoT-related Cyber Risks. With more data, devices, and technological developments, there are numerous gateways that cyber criminals and malicious insiders can exploit. Those gateways range from email and smartphones, to IoT and external messaging and collaboration tools. “A big IoT risk is that you can take down an entire enterprise network with one breach,” said Don Billings. Evidence that IoT threats have moved beyond the realm of science fiction includes a massive attack this past fall

technical side of security, with in-house counsel offering guidance on the regulatory and legal implications. on security cameras and digital video recorders. That attack disabled French web hosting provider OVH and U.S. security researcher Brian Krebs, by flooding their networks with web page requests and other data. IoT devices require the centralization of heterogeneous networks as data is aggregated and analyzed. As a result, corporate teams must make exceptional efforts to build strong security measures into these repositories. Done well, the IoT can pay off significantly: Businesses

With digital age threats rapidly increasing, how can organizations keep their information security policies and procedures current? The panel touched on several important practices, some of which are detailed in the “New Information Governance Playbook for Addressing Digital Age Threats,” published by the Coalition of Technology Resources for Lawyers (CTRL). Its recommendations include the following: • Save time during a crisis with proper data mapping. It is important for enterprises to understand what data they generate, receive and store. A current and accurate data map is essential after a breach or attack in order for there to be effective incident response. A good data map can also enable companies to assert greater control over proprietary data and help them develop reasonable information retention goals.

• Mitigate damage from cyber attacks by proactively building a defensive plan. It is essential that organizations prepare for attacks. Consider retaining a consultant to assess security vulnerabilities. Outside counsel and other experts should be engaged to help develop an incident response plan. In addition to mitigating harm, this process can provide a voice for addressing important issues. • Develop an IoT Security Plan. Organizations can prepare for the astronomical number of IoT devices that are or soon will be connected (there were an estimated 6.4 billion at the end of 2016) by creating “concept of operations documentation.” This flexible governance tool should provide a roadmap for installation, integration and ongoing auditing of connected devices. • Strengthen everyday security by carefully managing employee use of clouds and devices. No matter what policies have been implemented, it is essential to have an employee education program regarding the use of personal clouds, smartphones and other devices. Audit, enforcement and verification measures must be deployed to ensure that proprietary data is not removed from the corporate network, particularly upon termination of an employee. ■

Philip Favro is a consultant for Driven Inc. As a practicing attorney he advised clients regarding business disputes and complex discovery issues. He is a member of the Utah and California bars, and actively contributes to Working Group 1 of The Sedona Conference and to the Coalition of Technology Resources for Lawyers. Philip.favro@driven-inc.com

FEB / MAR 20 17 TODAY’S GENER AL COUNSEL

WORK PL ACE ISSUES

The Year Ahead in Labor and Employment Policy By Ilyse Schuman and Michael Lotito

ith the victory of Donald Trump, the landscape of labor and employment policy in the coming year and beyond has shifted dramatically. Much of the workplace policy agenda put in place by the Obama Administration will likely be reversed or substantially modified. Yet, a number of the changes to a more business-friendly position will not occur overnight. While some can occur with the stroke of a pen, others will have to wait longer for a new rulemaking process to be completed or even for Congress to act.

Ilyse Schuman is a shareholder and co-chair of the Workplace Policy Institute at Littler Mendelson, where she provides strategic counsel and representation to clients on a broad array of workplace issues and developments in Congress and executive branch federal agencies. ischuman@littler.com

Michael Lotito is a shareholder and co-chair of the Workplace Policy Institute at Littler Mendelson, where he serves as lead counsel for some of the country’s largest corporations, helping them develop and implement business, legal and preventive strategic solutions to labor and employment issues. mlotito@littler.com

President Trump will be emboldened by Republican majorities in both the House and Senate. Despite a daunting election map, Republicans held control of the Senate, losing only two seats. With 52 Senate seats in the 115th Congress, Republicans can set the agenda and keep committee gavels in their hands, but will fall short of filibuster-proof control for legislation and Supreme Court nominations. By virtue of a change to Senate filibuster rules made by Democrats several years ago, Republicans will be able to confirm with only a majority vote President Trump’s executive and

other judicial nominees. Accordingly, leadership of the Trump Administration Department of Labor (DOL) and other Departments can fairly quickly be filled. Once new leadership of the DOL is in place, employers can expect the unraveling of the Obama Administration’s regulatory and enforcement agenda to begin in earnest. However, the all-important nomination to fill Justice Scalia’s seat on the Supreme Court is still subject to a 60-vote threshold. With the balance of power on the Court at stake, including a number of important labor and employer decisions

today’s gener al counsel feb / mar 20 17

in the years ahead, a confirmation battle is expected. For DOL and Federal Acquisition Regulatory (FAR) Council rules issued pursuant to executive orders – rules such as the “Fair Pay and Safe Workplaces,” paid sick leave and minimum wage executive orders targeting federal government contractors – a new order signed by President Trump could revoke their authority. The government’s defense of other final rules that have been the subject of injunctions by federal courts, namely the “persuader” and overtime rule, could be abandoned once the new

However, employers should guard against becoming lax in their compliance efforts, as the DOL will still be in the enforcement business. Change at the National Labor Relations Board (NLRB) will come, but perhaps not as soon as some employers would like. Many employers and Republicans in Congress have taken issue with a number of Board actions designed to tilt the scale heavily in favor of organized labor. These include the “quickie election rule,” the new joint employment standard, the Specialty Healthcare decision on micro-units, the D.R. Horton decision

pursuit of bigger-picture efforts and systemic enforcement initiatives. Reversals of Obama-era labor and employment policies may come more swiftly through congressional action than through the time-consuming new rulemaking process. The Congressional Review Act is a tool to overturn regulations submitted to Congress late enough in President Obama’s term to trigger disapproval by Congress and the President. The appropriations legislation to fund the government for the remainder of FY 2017 could contain provisions blocking funds for current

Employers can expect relief from some onerous regulatory requirements and a transfer of resources away from enforcement to compliance assistance. 45 Administration takes over. With respect to the overtime rule increasing the salary threshold for the white collar exemption, the legal action could pave the way for a smaller increase more favorable for employers. Sub-regulatory guidance and enforcement policies – such as the DOL Wage and Hour Administrator’s interpretation of independent contractor misclassification and joint employment, or the Occupational Safety and Health Administration’s “walk around” directive – could be withdrawn and new guidance issued in their stead. To rescind or modify other final rules already on the books, the DOL would need to pursue a new rulemaking, triggering a public noticeand-comment period. A dramatic shift in regulatory and enforcement policy for wage-and-hour law, workplace safety, employee benefits and federal contract compliance will no doubt ensue in the Trump DOL. Generally, employers can expect relief from some onerous regulatory requirements and a transfer of resources away from enforcement to compliance assistance.

on class-action waivers and an expansive view of Section 7 rights. While the two current vacancies on the Board will give President Trump an opportunity to promptly create a Republican majority, efforts to swing the labor law pendulum away from the direction taken by the Obama Board will take time. As with the NLRB, changes will come from the Equal Employment Opportunity Commission, but it will take time for a new Republican-controlled Commission to be in place. While equal pay was expected to be a priority of a Clinton Administration, it may not receive such a prominent role in Trump’s. This may prompt more state and local efforts to promote pay equity and other employment-related changes that Washington does not tackle. Recent changes to the EEO-1 report, widely criticized by many in the employer community, are likely on the chopping block. So too may be the priorities set forth in the EEOC’s Strategic Enforcement Plan. The EEOC’s focus will likely be re-directed to address existing discrimination claims, instead of continuing

controversial labor and employment policies. Beyond reversing the Obama administration’s policies, the new administration and next Congress hold the potential for proactive regulatory and legislative changes that better reflect the evolving 21st century workplace. Reforms to the National Labor Relations Act, EEOC, FLSA and OSHA may be advanced. Bipartisan momentum for paid sick or parental leave may also emerge. However, Republicans’ power to remake workplace policy in Congress will be limited by Senate Democrats’ ability to filibuster legislation. Republicans may turn to the budget reconciliation process and its expedited procedure in the Senate to repeal the Affordable Care Act. But the contours of a replacement for the sweeping health care law may well take time and bipartisan support. The inauguration of President Trump ushers in a new era of labor and employment policy in Washington. The timing and details of these changes remain to be determined, and employers can play an important role in shaping them. ■

feb / mar 20 17 today’s gener al counsel

T H E A N T I T R U S T L I T I G AT O R

Compliance and the Antitrust Division’s Leniency Program By Jeffery M. cross

I 46

n October, I again had the privilege of serving as one of the moderators for the Today’s General Counsel Compliance and Ethics Forum in Chicago. The participants were in-house counsel and compliance officers who engaged in a peer-to-peer discussion on topics of interest to them. One of the matters they discussed was a robust compliance program, the benefits of which include early detection of an antitrust violation and self-reporting to qualify for the DOJ Antitrust Division leniency program. It may be valuable to focus on some of the details of that program. There are clear benefits for a corporation that qualifies. It will not face a criminal conviction. There will be no criminal fines. There will be no jail time for executives who admit their knowledge or participation in the conduct, and who fully cooperate with the government. Most importantly, in terms of the inevitable follow-on civil treble damage class actions, the corporation that qualifies for leniency and cooperates with civil plaintiffs will not face treble damages, and it will be liable

Jeffery cross, is a columnist for Today’s General Counsel and a member of the Editorial Advisory Board. He is a partner in the Litigation Practice Group at Freeborn & Peters LLP and a member of the firm’s Antitrust and Trade Regulation Group. jcross@freeborn.com.

only for single damages attributable to its own commerce, as opposed to joint and several liability for damages to the entire industry. Only one corporation per conspiracy – the first to report – can obtain immunity. Therefore, there is a race to report against co-conspirators, and possibly the company’s own employees. The Antitrust Division has instituted a “marker” system to facilitate that race. When counsel first learns of a possible

violation there may not be sufficient information to know for certain whether a violation has actually occurred. The marker system holds an applicant’s place in line while the applicant gathers more information. A marker is established by calling the Antitrust Division’s Deputy Assistant Attorney General for Criminal Enforcement, or one of the Division’s five criminal investigative offices. Counsel must report that the company has uncovered some information indicating

TODAY’S GENER AL COUNSEL FEB / MAR 20 17

a criminal antitrust violation, the general nature of the conduct, and the industry involved. In most cases, counsel must also initially identify the client. A marker is provided for a finite period, typically 30 days. However, the marker may be extended depending on the location and number of employees that need to be interviewed and the documents that need to be reviewed. An extension may also depend on whether

Only one corporation per conspiracy – the first to report – can obtain immunity. the Division has initiated an on-going investigation. There are two types of leniency, Type A and Type B. Type A involves a report to the Division before the government has received information about the activity. To qualify for Type A leniency, the company must have promptly and effectively terminated the conduct; reported the wrongdoing with candor and completeness; provided full, continuing, and complete cooperation; confessed its wrongdoing; provided restitution to the victims of the wrong-doing; and must not have coerced any party to participate in the conspiracy or acted as the leader in, or the originator of, the activity. Type B leniency is granted after the Division has some information about the conduct, but not sufficient evidence to result in a sustainable conviction. In these cases, the requirements for Type A leniency also must be met. Both types of leniency are initially conditional. The Division grants final leniency after all of the above-listed conditions are met. The cooperation required for leniency is extensive. The company must provide a full exposition of all known facts, and produce all relevant documents without subpoena. The company

must also use its best efforts to secure ongoing, full, and truthful cooperation of directors, officers, and employees. The company must facilitate the appearance of directors, officers, and employees for interviews and testimony, including grand jury appearances and trial. Further, the company must use its best efforts to ensure that such persons testify completely, candidly and truthfully, and not attempt to falsely protect, or falsely implicate, any person. Finally, the company must make all reasonable efforts to pay restitution to victims. However, payments in civil class actions will generally qualify as restitution. Leniency under the program is binding only on the Antitrust Division. However, the Division will intercede with other agencies to emphasize that the company did cooperate. Although only the first to report an antitrust violation qualifies for leniency, there are benefits available to those who are second or later to report. There is no leniency or immunity as outlined above, but the parties can enter into a plea agreement that will provide for a fine reduction under the Sentencing Guidelines for cooperation. Of course, such benefits are not as predictable as leniency because they are case-specific, and the Division has discretion regarding its recommendations to a sentencing court. Under a plea agreement, the company’s criminal sentence could be substantially reduced in a number of ways. These include the scope of the affected commerce used to calculate the fine range, and a substantial assistance departure from the Guideline’s fine calculation. A plea agreement could also include favorable treatment for culpable executives. As emphasized by the discussion at this past October’s Compliance and Ethics Forum, the principal benefit of an effective compliance program is to prevent violation of the laws in the first instance. However, if an antitrust violation does occur, an effective compliance effort may allow a company to qualify for, and benefit from, the Antitrust Division’s leniency program. ■

BEYOND PRINT

TodaysGeneralCounsel.com

IN YOUR INBOX

Digital.TodaysGeneral Counsel.com

E-DISCOVERY CONFERENCES

TodaysGeneralCounsel.com/ Institute

TODAYSGENERALCOUNSEL.COM

Preparing the Expert Witness for Deposition By John C. Maloney, Jr.

today’s gener al counsel feb/mar 2017

ost civil cases today involve the use of testifying experts to address both liability and damages issues. The presence of experts has become so pervasive that modern trials are now often viewed as a “war of experts,” and motion practice regarding Daubert or the state equivalent test of admissibility of expert opinion is a regular step in the pre-trial process. At the same time, popular television culture has raised the bar for expert testimony. Because of the so-called “CSI effect,” today’s jury has unrealizable expectations with respect to the ability of the parties to satisfy their burdens of proof in civil and criminal cases and connect the dots resolving all factual disputes with precise, comprehensive and compelling expert presentations. Experts are different from other trial witnesses. Unlike fact witnesses, experts do not have personal knowledge of the relevant facts. Unlike corporate representatives, their testimony is not limited to designated factual subject matters on which they must be prepared to testify. Instead, by virtue of education, training, or experience, experts are allowed to offer opinions on relevant trial issues, so long as their testimony is deemed helpful to the trier of fact, whether it is a jury or a bench trial. Experts are also expected to respond to hypothetical questions of fact. The expert’s deposition becomes a key event during discovery, and it requires careful and thorough preparation by defense counsel. The deposition provides the only opportunity before cross examination for adversary counsel to explore in depth the expert’s qualifications and experience, as well as the assumptions, factual bases, variables, and limitations of the expert’s opinions. It also allows adversary counsel to lock in the expert’s testimony for trial. The following checklist for deposition preparation provides useful reminders to defense counsel to make sure the expert witness can successfully navigate the special challenges he or she may confront. VET EARLY Usually experts must be designated well before their report is submitted and the deposition noticed, and preparation of the expert begins with defense counsel’s first communication. If defense counsel does not successfully complete the vetting process before designation, it may be too late to remedy any defects in qualifications, experience or justifications for opinions when the report is due. Qualifications and experience must be checked and confirmed, and prior testimony and publications rigorously reviewed

for any inconsistencies or other problems with anticipated trial testimony. The expert must be reasonably prepared to give the specific opinions identified by defense counsel as necessary for success in the case, as well as key supporting facts, data, reasons and methodologies justifying those opinions. The expert must be someone who can adopt a “your favorite teacher” demeanor during testimony – that is, someone whom the trier of fact will like, respect, and most importantly, understand – and must be able to make difficult concepts simple. That means someone who can offer explanations that rely on easily understood analogies and everyday common sense examples, and someone who is comfortable using visuals to illustrate testimony. The expert must not be arrogant, and must not talk down to the trier of fact or appear evasive in responding to questions. THE EXPERT REPORT The expert generally prepares a report stating his or her opinions, and the bases for those opinions, as well as the assumptions, relevant facts or data, documents, testimony and materials that are being relied upon to reach those opinions. The report must also explain any methodology used and list the expert’s qualifications, publications and testimonial experience. The report will become the principal focus of defense counsel’s examination during deposition, and the expert needs to be prepared to address all the foregoing subjects in detail, to compare and contrast his or her opinions with the adversary’s expert, and to respond to hypothetical questions testing the boundaries of and identifying any caveats to the opinions. In the report, as well as in deposition testimony, the expert must demonstrate mastery of the relevant case facts, data and documents, and the ability to link the opinions expressed to them. The report will be the result of a substantial collaborative effort between the expert and defense counsel. The collaboration process gives defense counsel the best opportunity to prepare the expert for later deposition and trial testimony. It is protected – drafts of reports and communications between the expert and defense counsel are generally not discoverable. However, expert’s compensation, facts or data provided by defense counsel and that the expert considered in forming an opinion, and the assumptions that defense counsel provided continued on page 53

THE FOUR “Cs” OF DRAFTING AN EFFECTIVE ARBITRATION CLAUSE BY LAUREN GARRAUX AND THOMAS E. BIRSIC

TODAY’S GENER AL COUNSEL FEB/MAR 2017

rbitration clauses are often neglected in of domestic commercial contracts, parties have commercial contracts. They are generally great latitude to shape how they will resolve thrown into the mix during the 11th their disputes, who will resolve them, where they hour of negotiations and often receive little attenwill be resolved, and according to which rules. tion until a dispute under the contract arises. At However, a party can fail to make the arbitration that point, the parties are frequently confronted clause as comprehensive as it should be and find with a plethora of complications, unresolved itself shocked at the procedure it has obligated issues and unattractive options that could have itself to pursue. been avoided with greater forethought. Some believe that selecting a set of arbitraArbitration is not suited for every contract, tion rules, such as those promulgated by the every dispute, or every business. However, it American Arbitration Association (AAA), Judican be used to resolve some disputes. A compre- cial Arbitration and Mediation Services (JAMS) hensive and well-drafted arbitration clause will or other institution is sufficient in and of itself. allow the parties to reap the oft-cited benefits of What parties may not realize is that these rules arbitration: a faster, contain various more efficient and defaults that can lower-cost resolution materially change the of a dispute. way that disputes are Even with an arbitration While a perfect resolved. An example arbitration clause does is the designation of clause, parties can unwittingly the number of arbinot exist, this article discusses four “C’s” of trators and how they end up in court if the clause drafting an arbitration are selected. Under clause that, ideally, will the AAA Commercial is poorly drafted. maximize the benefits Rules, for instance, if of arbitration and anthe arbitration clause ticipate and minimize does not specify the potential pitfalls. We number of arbitrators, note this article focuses on transactions involvthe dispute will be heard by one arbitrator, “uning U.S.-based parties and domestic arbitration. less the AAA, in its discretion, directs that three Contracts that are international in scope or arbitrators be appointed.” involve a foreign counterparty may raise unique Similarly, under the JAMS rules, if the parties issues. cannot agree on a single arbitrator or a panel of arbitrators, either by themselves or through the CLARITY selection procedures set forth in the JAMS rules, Parties generally choose to include arbitration “JAMS shall designate the sole Arbitrator or as clauses in their agreements because they want many members of the tripartite panel as are to resolve a dispute without entering the court necessary to complete the panel.” system. However, even with an arbitration clause, These rules may effectively take important parties can unwittingly end up in court if the decisions out of the control of the parties and clause is poorly drafted. Thus, first and foremost, place them in the hands of the arbitral instituan effective arbitration clause must clearly commit tion, creating the potential for a panel of varying the parties to arbitration and define its scope quality and experience. and reach by identifying the types of disputes Thus, at a minimum, an arbitration clause that will be arbitrated. should address the following: The arbitration clause also should commit to arbitration all disputes regarding whether the • The disputes that will be subject to arbiunderlying dispute is arbitrable. Otherwise, before tration. the parties can arbitrate that underlying dispute, • The fact that arbitration is mandatory they may first have to determine in court whether and final. their dispute falls under the purview of their • The arbitral institution that will administer agreement to arbitrate. the arbitration, the procedural rules that will govern and where the arbitration will COMPREHENSIVENESS take place. Arbitration is generally referred to as a “crea• The substantive law that will apply. ture of contract.” This means that in the case • The entry of judgment (discussed below).

Lauren Garraux is an associate at K&L Gates. Her practice focuses on business and commercial litigation, including contract and business tort disputes, shareholder governance matters, including fiduciary duty litigation and challenges to M&A transactions, and disputes arising under securities laws. She also counsels and litigates on behalf of health care providers, in a variety of matters. lauren.garraux@ klgates.com

feb/mar 2017 today’s gener al counsel

• The number of arbitrators and the procedure by which they are chosen, including how a deadlock is resolved. Depending on the transaction, parties may also consider the following issues: • The availability and scope of discovery. • Coordination and participation of third parties/non-signatories to the arbitration agreement. • Whether the arbitrator(s) must provide a reasoned award. • Available remedies, including the availability of and procedure for obtaining preliminary relief and the recoverability of attorneys’ fees and costs to the prevailing party, punitive damages, and any limitation on the amount of damages that a party may recover.

Thomas E. Birsic, who has been with K&L Gates since 1979, is currently the CoPractice Area Leader of the firm’s Global Litigation and Dispute Resolution group and a member of the firm’s management committee. He maintains an active trial, arbitration and counseling practice focused on a wide range of complex commercial and insurance coverage litigation. He is also a frequent lecturer on trial and arbitrationrelated issues involving commercial litigation, insurance coverage and international arbitration issues. thomas.birsic@ klgates.com

While comprehensiveness is important, and there are a handful of issues every arbitration clause should address, experienced arbitration practitioners know that the arbitration clause should not be “overdrafted,” or too specific. This can happen, for instance, when the arbitration clause invokes the Federal Rules of Civil Procedure and/or Federal Rules of Evidence as the required procedural rules for the arbitration. When an arbitration clause is excessively detailed or invokes unnecessary procedural rules, all the layers of detail can make it difficult or impossible to arbitrate a dispute. CHARTING A COURSE While agreeing to arbitrate disputes eliminates recourse to court litigation, that does not mean that other forms of alternative dispute resolution, namely formal or informal negotiation or mediation, need to be taken off the table. Where long-standing or important business relationships are involved, for example, parties may want to consider requiring mandatory negotiation or non-binding mediation of disputes before commencing an arbitration proceeding. Conversely, in situations where time is of the essence and any delay in resolving a dispute may increase costs or potential liabilities, parties may omit pre-arbitration negotiation or mediation and chart a course directly to arbitration on a specific but realistic timeline. Regardless of which path dispute resolution takes, an arbitration clause should be tailored to reflect the existing or future relationship between the parties, the underlying transaction, and the

effect that potential disputes may have on that relationship or the parties’ business operations going forward. At the same time, the charted course must be realistic. Dispute resolution involving commercial parties takes time. While arbitrating disputes (as opposed to litigating them) may bring the parties to a resolution more quickly, the clause should not set unrealistic or unattainable deadlines that may appear innocent on paper, but in reality may thwart, short-circuit, or inject unnecessary adversity or complication into the process before it begins. CONFIRMATION Perhaps you have won the arbitration and the arbitrators have rendered an award in your favor – or perhaps you did not win and want to challenge the award. What happens next? An arbitration award is not self-executing. To be effective and for the matter to be brought to conclusion, the award must be confirmed by a court. While the confirmation procedure in and of itself is a straightforward summary proceeding, it can take time and in some circumstances can be used to delay satisfaction of the award. An effective arbitration clause will anticipate and address potential issues relating to confirmation to keep the procedure as efficient and smooth as possible. In this regard, the arbitration agreement should include language that allows a court to enter judgment on the award (a requirement under the Federal Arbitration Act) and specifies the court in which a motion to confirm should be filed. The parties may also consider limiting judicial review of an arbitration award (a subject on which courts have reached differing conclusions) or requiring that appeals be made to a private arbitration panel and be limited to specified grounds. There is no perfect arbitration clause, and there is no way to anticipate every potential issue that may present itself when a dispute between contracting parties arises. That said, a well-drafted arbitration clause may prevent a costly detour through the courts or an arbitration proceeding that does not mirror a party’s expectations. While the four “C’s” discussed above will not completely insulate a party from every potential issue or pitfall, they will go a long way toward ensuring that an arbitration proceeding is in line with the expectations of the parties and maximize the benefits of arbitration as an alternative form of dispute resolution. ■

today’s gener al counsel feb/mar 2017

Expert Witness

continued from page 49

Defense counsel must allocate sufficient time to conDuct a substantial mock examination of the expert in preparation for the Deposition. or the expert relied on, are not protected against disclosure. Defense counsel must take responsibility to provide – and list, if requested by the adversary – all relevant facts, data, documents, testimony and assumptions that are requested by the expert, or are selected and communicated by defense counsel. The quality and credibility of the expert opinion in both the report and testimony will depend upon defense counsel’s skill in making sure that the expert masters the key case facts and documents. This is a continuing requirement for defense counsel. Adversary counsel can be expected to drill down into any overlooked facts, or any testing or analysis that the expert witness delegated to another. PREPARING FOR DEPOSITION Like any witness, no matter how experienced, the expert must be prepared for deposition. Frequent in-depth rehearsals are the key to instilling selfconfidence and achieving success. A review of the expert’s prior transcripts may identify specific performance problems, such as a tendency not to listen to examining counsel’s questions or answer the question directly, or the equally problematic tendency to explain too much, use technical jargon or rely on too many caveats or limitations. Defense counsel needs to provide the expert witness with advice about the special challenges a video deposition may pose in terms of the expert’s appearance, distracting mannerisms and presentation deficiencies. Defense counsel must also allocate sufficient time to conduct a substantial mock examination of the expert in preparation for the deposition. This exercise will require that defense counsel

prepare to play the role of adversary counsel, become immersed in the subject matter of the expert’s opinion, examine the expert’s qualifications, experience and opinions in depth, and pose appropriate hypothetical questions. Defense counsel must then provide constructive feedback to the expert with respect to the performance and provide any necessary quick fixes. Particular attention must be paid to the expert’s demeanor during the mock examination, as well as to the testimony itself, including the vocabulary chosen, the responsiveness of the answer to the actual question posed, the clarity of expression, and the content and length of the answer. The expert may be asked any questions that occur to the examiner and must be prepared to deal with a difficult examiner who is not familiar with the subject matter, who will not ask easily understood questions and will test the patience of the witness. In these instances, expert witnesses are on their own, since defense counsel should not direct the expert not to respond. The expert, however, should be able to rely on training during deposition preparation to respond that he or she has no opinion, or has not been engaged to – and/or has not conducted the necessary investigation and analysis to be able to – give an opinion on a particular question. The expert must also be prepared to address the adversary party’s expert report in depth, to concede unimportant points, or where common agreement might be found, to compare and contrast differences in methodology, assumptions and results, and to support his or her conclusions as the correct or better view of the issue in dispute. ■

John C. (Jay) Maloney, Jr. is a partner in the Commercial Litigation Department of Zuber, Lawler & Del Duca, LLP. His practice is focused on complex commercial disputes, business torts, pharmaceutical litigation, products liability, patent, toxic tort law and real estate matters in the state and federal courts of New Jersey and New York. He has served on the faculty of the National Institute for Trial Advocacy (NITA) deposition and trial advocacy training programs. jmaloney@zuberlaw. com

The GC as sTraTeGiC Business ParTner By Debbie Hoffman

here is perhaps no professional more stereotyped than the attorney, in novels, movies, by family and friends, and

probably even by some CEOs. The image: They are inflexible, expensive, argumentative, and never have good news. Skilled attorneys, on the contrary â&#x20AC;&#x201C; and general counsels in particular â&#x20AC;&#x201C; are significant assets in the development, maintenance and growth of a successful business. In addition to being able to decipher black letter law as the result of their legal training, general counsels possess a diverse range of skills that can make them invaluable to executive leaders as business partners. Executives are confronted daily with a myriad of decisions for which they must be accountable to their shareholders and board members. These range from everyday client and revenue-generating operational matters to immediate crisis situations, like cybersecurity breaches and public relations challenges. The general counsel, by virtue of training and experience, is equipped with skills to make thorough but quick decisions that comply with the law.

today’s gener al counsel feb/mar 2017

Given the attorney’s role to uphold the law, most employees and a majority of executive leadership feel comfortable confiding concerns with the general counsel, knowing the top lawyer is also a problem solver. GCs are trained to address legal quagmires and are often among the best detectives in the company, able to grab pieces of information from various employees and departments – including finance, human resources and operations – to get to the truth regarding complex situations. When companies enter into sophisticated business transactions, including mergers and acquisitions, it is imperative to have a general counsel who understands both the nuances of the business and the regulations that could come into play. Where outside law firms are utilized in complex business transactions, they typically will rely on the expertise of the GC to help them understand the goals and details of the business, and will need to work with the GC to achieve the best possible outcome. In these situations, GCs are also critical as liaison to the board, a role for which they are well-equipped by virtue of understanding both underlying company goals and relevant legal requirements. General counsel have also become liaisons and partners to the information technology and security teams. No company or client is immune from cyber security concerns, and it’s the legal department, along with IT, that owns this function. A skilled GC needs to be able to understand when forensic investigation is needed and how to implement it, whether proactively for greater information security or after an event, in conjunction with legal investigations. In addition to cyber security and forensics, tech-savvy general counsel may now be using social media sites as an investigative tool in litigation, or when there is the threat of litigation, for such things as tracking down details about people, positions, counterparties or witnesses. GCs, focused on law and regulation across multiple jurisdictions, are positioned to be the navigators and drivers of risk management in a manner that not only aligns with requirements, but can take advantage of them in a way that grows the business. One example is in the mortgage lending space, where new Home Mortgage Disclosure Act (HMDA) requirements promulgated by the Federal Housing Administration require many more data points related to borrowers. One approach would be to simply comply with the new requirements. But a more creative and strategic approach would be to embrace the change and utilize it for lenders

to open up offerings to the minorities and the under-served populations. What happens when a company employee suddenly becomes front page news and the media is camped in the parking lot outside company headquarters? The general counsel needs to partner with public relations and the executive team to plot a course and present as favorable a picture as possible. There are even times when general counsels may become the social workers of the company, referring their network of colleagues and outside lawyers to employees for personal needs, such as divorce or buying a house. Attorneys also learn to become people problem solvers, working side-by-side with Human Resource departments regarding employee issues, including harassment, behavioral, drug or other issues. Skilled GCs are able to help bring solutions to the table, keeping in mind regulations (such as those related to the Department of Labor) and constitutional rights. HR departments that partner with their legal counterparts and who seek out their expertise on labor and employment matters are more successful in addressing employee issues proactively. In addition, the GC must partner with the marketing function of the organization to ensure that the company is not running afoul of social media concerns, ranging from labor and employment related issues to regulatory restrictions related to advertising. Perhaps one of the most important contributions of the GC as a strategic business partner is helping to develop revenue growth for the company. There is no reason why the legal department cannot have a division that is also an operations center, outsourcing compliance functions in areas that are not considered the forbidden unauthorized practice of law. These functions could include due diligence, licensing and research, all of which may not be considered legal advice. The ability to analyze, problem-solve and articulate make the GC an indispensable strategic player on the executive team, and a reliable counsel and leader for the board of directors. The general counsel’s unique qualifications in this area include the ability to understand the business in light of its specific needs, while also being able to analyze the legal implications of company goals and strategic vision, as well as its day-to-day operations. ■

Debbie Hoffman, is chief legal officer at Digital Risk, LLC., a provider of technology services to the financial services industry. She has oversight over legal, compliance, risk and licensing functions for the company and its subsidiaries, and for directing outside counsel. Previously she was a real estate finance attorney at Thacher Proffitt & Wood. She has also been a legal writing instructor at Florida A&M University College of Law and taught classes in real estate and environmental law at the University of Central Florida. dkhoffman@ digitalrisk.com

feb/mar 2017 today’s gener al counsel

ImPLICATIOnS I Of THE SEC’S UnIvERSAL PROxy CARd RULES By Clyde Tinnen and M. Ridgway Barker

n October, 2016, the SEC proposed amendments to the federal proxy rules to require the use of universal proxies in connection with a contested election of directors. The proposal would require the use of proxy cards that include the names of both board and dissident nominees, and thus allow shareholders to vote by proxy in a manner that more closely resembles how they can vote in person at a shareholder meeting. State corporations law mandates a “last in time rule,” whereby a later-dated proxy card revokes any earlier-dated card and invalidates the votes on the earlier-dated card. In contested elections, this means that shareholders cannot pick and choose “à la carte” from nominees on both cards. Under the SEC’s “bona fide nominee rule,” no party is allowed to include the other party’s nominees on its proxy card unless the other party’s nominees consent to being named in the soliciting party’s proxy statement. Accordingly, neither party is authorized to include nominees of the other without consent of nominees, which often is not forthcoming given the contentious nature of proxy contests. These laws and rules effectively create a system in which parties to a contested election distribute their own proxy cards that include only a subset of all nominees, generally leaving shareholders with two mutually exclusive alternatives. Shareholders desiring to vote for a combination of both slates are required to either appear in person at a shareholders meeting or request a “legal proxy” from their brokers to allow them to vote by ballot at the meeting. THE SEC’S PROPOSAL As stated in the SEC’s adopting release, the SEC is proposing the mandatory use of universal proxy cards to allow shareholders “fair corporate suffrage.” The SEC’s stated goals are part of a broader set of sweeping proposals that would:

• Revise the consent required of a bona fide nominee so that a nominee can be named on a proxy card. • Eliminate the “short slate rule,” which allows shareholders nominating persons for less than a majority of board seats to “round out” their nominations with company nominees. • Require the use of universal proxy cards in all non-exempt solicitations in connection with contested elections.

today’s gener al counsel feb/mar 2017

be mitigated by the proposed requirement to clearly distinguish between the types of nominees and through disclosure in the respective party’s proxy statements. This may be little consolation to directors that rightfully feel personally attacked by dissident • They must clearly distinguish between regisclaims. However, general counsel should reassure trant nominees, dissident nominees and any directors that the mandated inclusion of dissident proxy access nominees. • Within each group of nominees, they must be nominees on the proxy card does not equate to an endorsement of such individuals. Moreover, listed in alphabetical order by last name. the proxy statement disclosure can strongly com• The same font type, style and size must be municate the board’s clear advantages over the used to present all nominees. • They must prominently disclose the maximum dissident nominees and unequivocally disclaim any association with such persons. number of nominees for which authority to In addition, proxy statements require disclovote can be granted. sure if any director has determined to serve only • They must prominently disclose the treatif the company’s slate is elected, or to resign if ment and effect of a proxy executed in a one or more of the opposing party’s nominees manner that (a) grants authority to vote for are elected to the board more nominees than of directors. Therefore, the number of direcif a contested election tors being elected, (b) General counsel should occurs, director questiongrants authority to naires should be updated vote for fewer nomireassure directors that to specifically ask about nees than the number directors’ intent. of directors being the mandated inclusion As is often the case, elected, or (c) does unusual circumstances not grant authority to of dissident nominees on may stress the provisions vote with respect to of the company’s existany nominees. the proxy card does not ing contracts and raise questions as to the proper Where both parties equate to an endorsement. interpretation of such have proposed a full slate provisions. For example, of nominees and there many contracts that are no proxy access nominees, the SEC also proposed that the proxy card companies enter into, such as loan agreements, may provide the ability to vote for all dissident indentures, severance agreements, employment nominees as a group and all registrant nominees agreements and equity award agreements typically include a “Change in Control” provision as a group. Where proxy access nominees will be included on the proxy card or where a dissident that often triggers the acceleration of certain obligations of the company. Common language or a registrant is proposing a partial slate, neireads as follows: “‘Change in Control’ shall be ther proxy card would be permitted to provide deemed to have occurred in any of the following the option to vote for any nominees as a group. circumstances: (i) any ‘person’ or ‘group’ within If multiple dissidents are soliciting proxies in the meaning of Section 13(d) or 14(d)(2) of the support of separate slates of director nominees, Exchange Act acquires by proxy or otherwise each slate must be clearly distinguished. the right to vote on any matter or question with respect to X percent or more of the then outstandBOARD EDUCATION AND SOCIAL ISSUES ing Common Stock or X percent or more of the It is important for boards to understand how combined voting power of the then outstanding the rules will change the ordinary process of voting securities of the Corporation.” soliciting proxies for the annual meeting. Some While the purpose of such provisions is typidirectors may object to being forced to lend cally to ensure that the party relying upon them their name, stature and reputation to the elecis protected in the event that the continuity of tion campaign of a dissident, particularly if the leadership of the company is broken, a univernominee is a highly controversial figure. In its sal proxy card raises the prospect that even if release, the SEC acknowledged that it was cognizant of this concern and believes that it will continued on page 61 The SEC’s proposal included the following presentation and formatting requirements for all universal proxy cards used in contested elections:

Clyde Tinnen, a partner in the Withers Bergman corporate finance practice group, focuses on debt and equity financing transactions and mergers and acquisitions. His experience includes representing public and private corporations, from startups to Fortune 100 companies. clyde.tinnen@ withersworldwide.com

REGULATORY ENFORCEMENT POST-ELECTION Two of the questions that clients ask the most these days are: What will be the long-term impact of the Yates Memo, and what do the election results mean for my business? The honest answer is only time will tell. The Yates Memo has been in place for somewhat more than a year, and white collar enforcement matters take years to develop. That long investigatory half-life is relevant to predicting the impact a Trump Administration will have on white collar enforcement. The Trump Administration will likely seek to scale back many forms of regulatory enforcement, including certain white collar enforcement efforts. However, President Trump campaigned on a law-and-order platform, making it likely

that federal prosecutors will continue focusing on cases involving fraud, corruption and other offenses, where it can be shown that individuals acted with clear criminal intent. The Yates Memo will likely remain DOJ policy insofar as its focus on individuals is consistent with focusing on intent-driven criminal enforcement. As these matters crystallize, it is worth considering what kinds of innovations may be coming with respect to enforcement tools, particularly if an individual-focused enforcement mindset remains in place. One pattern that appears ripe for repeating involves officials applying existing enforcement tools in novel ways in order to hold individuals accountable for corporate wrongdoing.

TODAY’S GENER AL COUNSEL FEB/MAR 2017

circumstances, to pursue FCPA enforcement under the FCPA’s accounting provisions. SEC using Advisers Act liability to reach nonissuers. Earlier this year, the SEC settled its first significant FCPA case against a hedge fund, and quietly included charges under the anti-fraud provisions of the Investment Advisers Act of 1940 (the Advisers Act). The Commission based Advisers Act liability on alleged self-dealing and the improper use of managed investor funds, failure to prevent the use and misuse of managed investor funds by a business partner, and the omission of material information regarding corrupt and self-dealing transactions from disclosures to investors. While that case involved an issuer, under the right facts and circumstances the SEC could pursue what is essentially FCPA liability against non-issuers subject to the Advisers Act.

BY ALEX J. BRACKETT AND JAMES F. NEALE

Thus corporate counsel should consider powerful tools that have been available for years, but with limited application to date. FCPA INNOVATIONS While priorities will undoubtedly shift under a Trump Administration, many observers agree that Foreign Corrupt Practices Act enforcement is unlikely to abate. Potential innovations to consider as FCPA enforcement evolves include: Commercial bribery charges brought under the accounting provisions. Securities and Exchange Commission (SEC) officials have outlined their ability and intent, under the right facts and

ANTICIPATORY OBSTRUCTION OF JUSTICE Anticipatory obstruction of justice under 18 U.S.C. § 1519 was enacted with little fanfare as part of the Sarbanes-Oxley Act of 2002 and has not been heavily utilized. However, by not requiring that a proceeding be known to the accused – or be even pending – in order for obstruction to occur, it substantially broadens more familiar obstruction statutes. Violation only requires knowingly destroying or concealing a record or document, with the intent to impede or obstruct any federal matter (including those contemplated but not yet initiated). This is a dangerous pitfall for individuals who could face charges based on mistakes they make in anticipation of or response to a federal investigation. MORE FCA CASES Increased criminal enforcement via the False Claims Act is possible due to a DOJ policy announced in September of 2014. It requires criminal prosecutors to review all qui tam cases to determine whether to open a parallel criminal investigation. This mandatory review policy could impact both individuals and companies facing False Claims Act matters via initiation of ancillary criminal investigations based on allegations raised in a civil qui tam suit. There are some additional innovations that we would have felt more likely to emerge under a Clinton Administration, but are worth noting: Control person or responsible corporate officer theories of liability. These are not new, but

feb/mar 2017 today’s gener al counsel

Alex Brackett is a

partner at McGuireWoods and co-chair of the firm’s Strategic Risk & Compliance team. He defends corporate and individual clients in white collar criminal and corporate compliance matters, with a focus on anticorruption laws including the Foreign Corrupt Practices Act. abrackett@ mcguirewoods.com

Jim Neale, a partner at McGuireWoods, is a trial lawyer with substantial mass tort and class action litigation experience. He currently serves as co-chair of the firm’s foodborne illness litigation practice group. jneale@ mcguirewoods.com

they are infrequently used. In areas like food strategies that in-house counsel can apply universafety, there have been a growing number of sally to protect their clients: individual prosecutions for food-borne illness outbreaks based in large part on application of Invest in compliance. Compliance programs the Park doctrine, a broad and powerful food can prevent or forestall violations. Even where safety-specific formulation of the responsible they fail to do so, they provide companies and corporate officer doctrine. That doctrine was their officers, directors and employees a demonrevived in recent years after sitting largely strable basis to show that if issues have arisen, unused for decades. they did so in spite of reasonable best efforts Imposing individual liability through mechato avoid them. This can be compelling evidence nisms like this can be transformative, but it can when seeking to resolve regulatory and law also be argued as an enforcement inquiunfair over-criminalizaries – whether focused tion of quintessentially The Yates Memo will likely on the conduct of an regulatory matters. organization or on In any case, execuwithin it remain DOJ policy insofar individuals tives and managers – although the failure should factor into their to implement, support as its focus on individuals decision-making the and enforce such propotential they could can be equally is consistent with focusing grams be held liable for the damning. misconduct of others on intent-driven criminal below them in the Learn from the organization. Their mistakes of others. enforcement. commitment to, The best predictor support of, and of issues your orgainvestment in ethics nization could face and compliance programs within the scope of is what has happened to your industry peers. their management responsibilities is particularly When you see one of them come under fire, do important. This includes taking reasonable and not assume that your organization is is immune well-documented steps to drive accountability from scrutiny or above engaging in the type of for compliance both up and down their chain misconduct alleged. Regulators and law enforceof command. ment are likely to use the lessons they have learned from past investigations to investigate Proliferation of regulatory reach over financial others in the industry. services. For individuals in the industry, this creates real concern about exposure to liability Use the tenth man rule. When nine people agree for corporate misconduct. Intense regulatory on a certain analysis or likely outcome, a tenth and law enforcement scrutiny of the industry is should be assigned to take a contrary view in well-manifested in the emergence of entities such order to stress-test the consensus and avoid as the Consumer Financial Protection Bureau groupthink. Companies should apply this rule and the Office of the Special Inspector General to their risk analyses and other compliance for the Troubled Asset Relief Program, as well as efforts, to identify weaknesses and avoid selfby the Financial Crimes Enforcement Network’s serving conclusions that rest too heavily on ascontinued broadening of the scope of anti-money sumptions. Bringing in outside advisors to serve laundering laws and regulations. Many observers as “tenth man” can be particularly effective. predict the Trump Administration will trim the Whatever strategies in-house counsel adopt, wings of some of these regulators. In the long they should take seriously the developments in term, that would allow the industry to breathe this space. Change is coming, and as always it easier, but in the short term it may result in agwill be a trap for the unwary. ■ gressive investigations, as entities seek to justify their existence or consolidate recent gains. MOVE FORWARD OR FALL BEHIND Regardless of how the transition to the Trump Administration plays out, there are a few

today’s gener al counsel feb/mar 2017

Proxy Card Rules

pressure, many public companies have moved toward two other voting standards in director continued from page 57 elections: “plurality plus” and majority voting. a dissident seeks only to change a minority of Under a plurality-plus voting standard, an the board of directors, if such dissident obtains incumbent director agrees in advance to resign if proxies above the stated threshold, a Change in a majority of shareholders do not vote in favor Control event may be triggered. Disclosure of of such director’s re-election. Under a majority such possibility and the consequences thereof voting standard, director nominees are elected are required to be made in the company’s proxy only if they receive a majority of shareholder votes statement. cast. Many companies that have plurality-plus or As noted earlier, the majority voting have bySEC has specified certain laws that apply plurality There are studies on presentation requirements. standards if a contested However, thoughtful election occurs. the “ballot order effect” design and reflection will There are also combe required to implement panies with cumulative in political elections, them. For example, the voting rights, where sharecompany will have to take holders are permitted to concluding that the first an official stance on the cast all of their votes for treatment of faulty proxy a single nominee for the choice on a ballot may cards (i.e., signed proxy board of directors when cards purporting to vote the company has multiple for the election of more have an almost 20 percent openings on its board. or less nominees than the Companies with pure open board seats) and majority voting standards advantage merely disclose such treatment. (meaning majority voting Very often, there is standards with no apbecause of placement an assumption that retail plication of plurality in investors are more likely the event of a contested on the ballot. than institutional inveselection) are more likely tors to support company to have a failed election. nominees, and that retail investors are more Universal proxy cards may exacerbate this issue likely to make voting errors that result in faulty by enabling fragmented voting selections among proxy cards. For companies subscribing to this a larger combined slate (company and dissident), school of thought, the policy should favor some effectively reducing the probability that any sort of remedial treatment for faulty proxy cards candidate receives a majority of votes cast. The to permit them to be counted. Contrary to the outcome of such an election is not clear unless SEC’s anticipated columnar format, most compathe company’s organizational documents specify nies will likely want to present the proxy card how open seats are to be filled and by whom. with the company’s nominees first. There are Cumulative voting by design gives minority studies on the “ballot order effect” in political shareholders a voice that is disproportionate to elections, concluding that the first choice on a their share ownership and, accordingly, makes it ballot may have an almost 20 percent advaneasier for at least one of the dissident’s nominees tage merely because of placement on the ballot. to gather enough votes to be elected. Strategic If the same is true in proxy contests, there may voting that coincides with cumulative voting be real power in presenting one’s slate first. may be further spurred by universal proxy cards, given the lack of all-or-nothing voting that the VOTING STANDARDS AND FAILED ELECTIONS last in time and bona fide-nominee constraints The company’s selected voting standards for placed on voting. Accordingly, cumulative voting director elections may also be impacted by the combined with universal proxies may lead to use of a universal card. Director nominees are unexpected cooperation between shareholders generally elected under either a plurality voting and informal pooling of votes to drive certain standard or a majority voting standard. Under outcomes. ■ the plurality voting standard, the director nominee receiving the highest number of votes for a given seat is elected. In response to activist

M. Ridgway (Ridge) Barker, a partner in the Withers Bergman corporate finance practice group, focuses on corporate finance and securities law, advising on a variety of issues including capital market matters, corporate governance, asset securitizations, debt financing, and venture capital transactions. mr.barker@ withersworldwide.com The authors are among the few (if not the only) lawyers to have advised a U.S. corporation that agreed to use a universal proxy card in a proxy contest.

survey: How Law Departments are working smarter By Lauren Chung

orporate law departments continue to face the unenviable task of taking on more responsibility with increasing legal demand, along with heightened top-down pressure to minimize expenses. Over the years, we have seen law departments rise to this challenge, and according to HBR Consultingâ&#x20AC;&#x2122;s annual Law Department Survey, 2016 may go down as the year they mastered it. The 2016 survey of nearly 300 participants worldwide found that corporate law department spending increased a modest one percent from the prior year. However, behind this seemingly minor change is a significant shift in law department strategy. The survey finds that in addition to enforcing spending caps, law departments are embracing creative ways to optimize internal resources and ensure that the right people are handling the right work in the most cost efficient manner possible.

spend. In fact, almost all law departments (97 percent) have taken steps to actively reduce outside counsel expenses, and they are succeeding. Outside legal costs accounted for 52 percent of law departmentsâ&#x20AC;&#x2122; total spend, down from 55 percent reported in the 2015 survey. This decrease is not only a matter of keeping more tasks in-house. About two-thirds of law department respondents report using more consistent planning and budgeting, as well as tougher oversight of outside counsel billing guidelines, to rein in spending. Alternative fee arrangements (AFAs), including fixed-fee per matter and flat fees across all matters, are also being used widely to manage expenses. Eighty-five percent of law departments now use AFAs, up five percent from the 2015 survey. Organizations that yielded savings from AFAs were able to reduce outside counsel spending by around eight percent.

FIRM RATES UP, OUTSIDE SPENDING DOWN

Law firm billing rates increased steadily throughout the year, giving corporate law departments even more reason to curtail outside counsel

CONFLICTING MARCHING ORDERS

Nearly 80 percent of law department respondents agree that legal demand is growing. This

TODAY’S GENER AL COUNSEL FEB/MAR 2017

uptick makes it all the more difficult for general counsel to fulfill their cost-containment responsibilities, but departments appear to be rising to the occasion, relying on a variety of methods. Nearly half (49 percent) of survey participants cite ramping up technology use as a vital way to cope with swelling demand while maintaining internal efficiency. A comparable percentage are placing a priority on re-engineering work processes and automating routine activities in order to optimize use of staff time and resources. Rather than task chief legal officers or general counsel with leading this operational transformation, many departments are establishing or strengthening their legal operations function to manage the “business of law.” More than half (56 percent) of law departments reported having a dedicated operations professional – in most instances, a non-lawyer – on staff, thereby freeing up senior attorneys to focus primarily on the practice of law. The need for legal operations support, whether it is built internally or outsourced as a managed service to industry specialists, is expected to grow as law departments continue to address the challenge of delivering more, smarter and better. INVESTING IN PEOPLE

While outside counsel spending comprises a shrinking portion of law department budgets, inside spending is on an opposite trajectory. Internal budget allocations accounted for 44 percent of worldwide legal spend over the past year, up from 43 percent in the previous survey. Much of this growth is the result of law departments’ considerable investment in new and existing team talent. More than half (54 percent) of organizations have increased legal staff, attorneys in particular, in a trend consistent with last year’s results. Looking ahead, more than one-third (36 percent) of law department leaders anticipate a continued increase in attorney staffing over the next 12 months. Addressing the fact that the legal industry is prone to high turnover rates – and that incentivising talented employees to stay is just as important as attracting them in the first place – law departments are doubling down on their compensation packages to encourage staff loyalty. For the in-house lawyer this year, total average compensation – including base salaries, cash bonuses and long-term incentives – rose almost four percent to $339,000. Although hefty bonuses can be an enticing end-of-year perk, law departments’ latest

compensation strategies put annual salaries in the spotlight. The average base salary for in-house lawyers is up 3.3 percent (to $195,000), while bonus compensation growth slowed to 9.7 percent (down from nearly 15 percent in 2015). MORE TECHNOLOGY

Accommodating an uptick in legal demand without a spending surge requires law departments to not only recruit the best people, but to also ensure that their time is used effectively. For many organizations this has meant fleshing out technology systems in hopes of automating various legacy manual processes. Law departments’ median internal spend on systems and technology stands at $204,000, up three percent from last year’s survey. To date, the majority of organizations have already invested in legal-specific tools such as electronic billing (77 percent), matter management (72 percent) and entity management (66 percent). Looking ahead, law departments expect to adopt some less industry-specific solutions as way to enhance internal efficiency and streamline workflows. Document, contract and records management technology top the list of the systems corporate law departments plan to implement in the next one to two years. Legal spend analytics is another area poised for technology investment in 2017 and beyond, as departments look for new ways to harness their internal data for greater transparency and to support key management decisions in such areas as organization and budgeting. BALANCING ACT FOR 2017

This year, evolving legal demand and new financial pressures will continue to test law departments’ ability to go beyond the traditional role as legal advisers and strategic business partners, and to function like other corporate groups that have operation efficiency targets and goals. If 2016 has been any indication, law departments are equipped for the challenge. Law department leadership operating under the new norm understands that some attitudes that served their teams well in years past must evolve in order to achieve smarter budgeting and resource allocation. With an equal focus on people, tighter processes and sophisticated technology, law departments can scale their existing investments without exhausting budgets or staff, to achieve transformational goals in 2017. ■

Lauren Chung, a senior director in the Law Department Consulting Practice at HBR Consulting, has over 15 years of management consulting experience. She works with law departments on strategic planning, process and operational management, benchmarking and best practices. She has worked in a variety of industries in the United States and Europe, in both the public and private sectors. lchung@ hbrconsulting.com

feb / mar 20 17 today’s gener al counsel

B A C K PA G E F R O N T B U R N E R

Patent Legislation in the 115th Congress

A By Q. todd dickinson

After the tumultuous pol iticAl yeAr we’ve just come through, it is almost foolhardy to predict what might happen in the 115th Congress, and that includes patent legislation, especially given the contentiousness that surrounded patent issues in the last Congress. Nevertheless, let’s give it a shot.

“Patent litigation reform” legislation has been pending for several sessions of Congress. In the House, the Innovation Act of 2014, sponsored by Judiciary Committee Chairman Rep. Bob Goodlatte (R-VA), sought to make a number of substantive changes in how patent litigation is conducted. It provided for modified discovery rules to address perceived abuses, greater disclosure in the complaint, “customer stays” provisions limiting the impact on certain end-users, easier attorney fee shifting in frivolous cases, and greater transparency of real-partiesin-interest. A similar bill, the Patent Act of 2014, was before the Senate Judiciary Committee. In both cases, the bills failed to advance. Opposition from a variety of constituencies was potent enough to stall even watereddown versions. Similar bills will probably be debated in this Congress. Any movement seems unlikely, however, at least in the short term. There are too many other pressing issues in the relevant committees: immigration in both houses, a priority commitment to copyright issues in the House, and confirmation of a controversial attorney general and Supreme Court nominee Neil Gorsuch. The steam has gone out of several patent-related issues. For example, the “patent troll” letter problem (demanding a modest amount of compensation to avoid a slap-dash

Q. todd dickinson is a Shareholder in the Washington, D.C. office of Polsinelli, PC. He is the former Under Secretary of Commerce for Intellectual Property and Director of the U.S. Patent and Trademark Office. tdickinson@polsinelli.com

complaint) has tapered off dramatically. Patent litigation is down significantly, and post-grant procedures that are part of the America Invents Act are slowing it further. The courts have also played a significant role – as for example with the Supreme Court’s relaxing the rules on granting attorney fees in frivolous cases – and the passage of the Defend Trade Secrets Act in the 114th Congress is providing a new and attractive federal alternative to patent protection. Meanwhile, several other issues have risen in priority, displacing or at least augmenting a previous slate. The constraining effect of the Supreme Court’s recent Alice and Mayo decisions on the basic question of patent eligibility under §101 of the Patent Act has led to proposals for reconsideration, including legislation. Meanwhile, the growing chorus of concern regarding the USPTO’s administration of post-grant The steam has procedures has its own proponents of legislative reform, most notably gone out of Sen. Chris Coons (D-DE). Also, Sen. Dianne Feinstein several patent- (D-CA), who has a very broad set of constituents to satisfy, will become the related issues. Ranking Member on Senate Judiciary. Finally, it is unknown what the position of the Trump Administration will be on these issues. Speculation swirls, but the common wisdom is that the President’s antipathy to various components of Big Tech will replace the extremely tech-friendly support that came from the Obama White House. The next Director of the USPTO, unknown at this point, will also have an impact. But stay tuned. In as unpredictable a political environment as any in memory, these issues, or even something not currently on the radar screen, could bounce back onto the 115th Congress agenda. ■

The Magazine The six-time yearly publication, with strategies, best practices and analysis written by expert practitioners within the legal profession, offers an excellent branding opportunity to 15,000 print and 80,000 digital subscribers.

T O D AY S G E N E R A L C O U N S E L . C O M / S U B S C R I B E

LOOK NO FURTHER.

THE AAA® JUDICIAL PANEL The AAA has a long-established Judicial Panel capable of efficiently handling even the most complex and contentious arbitrations and mediations. Composed of over 300 former State, Federal Magistrate, and Appellate judges throughout the United States, the AAA’s Judicial Panel can provide the legal knowledge, process skills and decisiveness to move your case expeditiously through the process; resolving your conflict while controlling cost. When your client’s dispute calls for the expertise only a former judge can provide, trust the American Arbitration Association®.

adr.org/judicial

| +1.800.778.7879