Wednesday, February 2, 2022

Forthcoming U.S. Regulations for Reporting Business Ownership Information and Foreign Investments in the U.S.

          Proposed U.S. Treasury Department regulations will require disclosures of beneficial ownership information (“BOI”) for all legal entities doing business in the United States.  Under the Anti-Money Laundering Act of 2020 (a part of the Corporate Transparency Act of 2020), Treasury’s Financial Crimes Enforcement Network (FinCEN) published the proposed regulations on December 8, 2021, requesting public comments on or before February 7, 2022.  Every one of the roughly 25 million U.S. businesses (in whatever form of legal entity) will be subject to reporting obligations and criminal fines, penalties and possible imprisonment for non-compliance.  Exemptions may apply.   

        The proposed regulations target abuses by domestic or foreign “shell” companies that might engage in domestic or international money laundering, tax fraud, financial fraud, sales of illicit drugs and weapons, election fraud, bribery, evasion of international trade sanctions, terrorism and other crimes.  The proposed regulations will create civil and criminal risks for individuals in business ownership, management and services providers who file any business registrations with state and tribal authorities.  

        Unless exempted, virtually every business person (and not just an owner) can be responsible for disclosures, regardless whether your company is a startup, family-owned business, high-growth business or multinational enterprise. Founders, incorporators, entrepreneurs, investors, shareholders, owners, directors, officers, managers and others filing official documents are at risk of personal liability. 

        Other countries have adopted similar rules on disclosure of the ultimate beneficial owners of business entities.   See, e.g., German Anti-Money-Laundering Law (GeldWaescheGesetz).

        Who Must File?  The proposed regulations describe two distinct types of reporting companies that must file reports with FinCEN—domestic reporting companies and foreign reporting companies. Generally, under the proposed regulations, a domestic reporting company is any corporation, Limited Liability Company or other entity (including a trust) that is created by the filing of a document with a secretary of state or Indian tribe. A foreign reporting company is any entity formed under the law of a foreign jurisdiction that is registered to do business within the United States.  

        A “beneficial owner” would be any individual who meets at least one of two criteria: (1) exercising “substantial control” over the reporting company; or (2) “owning or controlling” at least 25 percent of the “ownership interest” of the “reporting company.”

        Some individuals would be covered as a “company applicant,” even if not a “beneficial owner.” If you individually are engaged in forming or registering legal entities in the United States, you will be personally subject to the CTA reporting requirements.  In fact, the proposed regulations target individuals who file the document that forms the U.S. legal entity (or domestic companies) or who file the document that first registers the foreign entity to do business in the United States.  Under a general principle of hierarchical control, the proposed regulations specify that a “company applicant” includes anyone who directs or controls, directly or indirectly, the filing of the document by another.  Exempted are minor children, employees acting solely as employees, creditors and holders of a future ownership interest under inheritance law.

        You have "“substantial control” if you own at least 25% of all "ownership interests."

        Ownership interests” would be broadly defined (similar to the Securities and Exchange Commission definition of “equity security,” 17 CFR 230.405).   Thus, “ownership interests” would include both equity in the reporting company and other types of interests, such as capital or profit interests (including partnership interests), or convertible instruments, warrants or rights, or other options or privileges to acquire equity, capital, or other interests in a reporting company.  This could include Simple Agreements for Future Equity in startups.  Debt instruments would be included if they enable the holder to exercise the same rights as one of the specified equity or other interests, including the ability to convert the instrument into one of the specified equity or other interests.

        “Control” would be defined very broadly, both de jure and de facto, beyond just 25% registered ownership.  Control could exist directly or indirectly. Under the proposal, “substantial control” can arise under one of three independent indicators:

  1. service as a senior officer of a reporting company;
  2. authority over the appointment or removal of any senior officer or dominant majority of the board of directors (or similar body) of a reporting company; or
  3. the direction, determination, or decision of, or substantial influence over, important matters of a reporting company.

        Who is Exempt?   Existing and future entities will need to navigate quickly whether they are exempt and, if not, be ready to file accurate reports under penalty of perjury.  Banks, securities brokers and dealers, investment advisors, tax-exempt entities, accounting firms and several other heavily regulated businesses would be exempt.  Surprisingly, “large operating companies” are exempt, provided they have more than 20 employees, annual receipts over $5 million and an operating presence at a physical office within the United States.

        What information Must Be Disclosed?   Required reports must identify the beneficial owner of each covered reporting company.  A “beneficial owner” is any individual who meets at least one of two criteria: (1) Exercising substantial control over the reporting company; or (2) owning or controlling at least 25 percent of the ownership interest of the reporting company.  

        As proposed, a reporting company would need to file reports disclosing its identity and identifying information plus additional information about the reporting company and each beneficial owner. The report must include the name and address of each beneficial owner and company applicant, including each’s (1) full legal name, (2) date of birth, (3) current “tax residence” street address (for individuals) or business street address (for entities), and (4) a unique identifying number from an acceptable identification document; or, if this information has already been provided to FinCEN, by a FinCEN identifier obtained by separate application to FinCEN.

      When Must You File?   For existing companies, you will have a year after the new regulation becomes effective to file your initial report.  A new domestic reporting company will have to file its BOI report with FinCEN within 14 calendar days of the date when the entity was formed as specified by a secretary of state or similar office.  A foreign reporting company will need to file a report within 14 calendar days of the date it first becomes a foreign reporting company.   Updates must be filed within 30 days to reflect changed information.  Correction reports must be filed within 14 days after learning of an error in a prior report.

       Who Can Access your BOI?   Given the sensitivity of the reportable information, the CTA imposes strict confidentiality, security, and access restrictions on the data. FinCEN is authorized to disclose reportable BOI to a statutorily defined group of domestic and foreign governmental authorities and financial institutions, in limited circumstances such as for national security, intelligence, or law enforcement activity, or as part of a criminal or civil investigation or for foreign law enforcement in specified circumstances.  This includes enforcement for antitrust, taxation, foreign direct investment and virtually any new law.  

        Experience with similar "transparency regulations" in other countries suggests that private claimants might also obtain business ownership information if their claims allege a need for law enforcement. 

        Prepare Now!   FInCEN estimates that over 25.8 million initial BOI reports will be due in the first year, with 11 million updated BOI reports and 3.2 million new BOI reports in the second year. The proposed regulations can become effective very soon.  If you miss a deadline, both entities and individuals could face fines, penalties and even imprisonment.
        Get the Big Picture, beyond FinCEN!  Now is a good time to review your general obligations for reporting ownership, control and investments to relevant authorities.  Don’t forget to file any other required disclosures about international business transactions.

  • Foreign direct investment (using Bureau of Economic Analysis reporting forms);
  • Foreign ownership of U.S. entities, IRS Form 5471, Information Return of a 25% Foreign-Owned U.S. Corporation or a Foreign Corporation Engaged in a U.S. Trade or Business;
  • U.S. ownership of foreign entities, IRS Form 5472, Information Return of U.S. Persons With Respect To Certain Foreign Corporations; and
  • Export controls and international sanctions reports.

        Welcome to America!  It’s time to plan for new disclosures and ensure compliance.

Monday, July 26, 2021

Protecting Your Business from President Biden's "New Deal" for FTC to Curtail "Non-Compete Clauses"


                 On July 9, 2021, President Biden issued an Executive Order to coordinate all federal agencies around a national policy to promote competition, prevent and curtail abusive monopolies and monopolistic practices.  

 The Executive Order calls upon the Federal Trade Commission (FTC) to “address agreements that may unduly limit workers' ability to change jobs.”  Under Section 5(a) of the FTC Act, the FTC can regulate “unfair or deceptive trade practices in or affecting interstate commerce.”  Existing 2015 FTC policy targets “the promotion of consumer welfare.”   President Biden seeks to expand that policy to include worker mobility: “to curtail the unfair use of non-compete clauses and other clauses or agreements that may unfairly limit worker mobility.”  But “unfairness” is not defined by statute.  If a non-compete agreement is too restrictive, a worker might not find a new job with higher wages or better employment opportunities.

                For business owners and tech investors, it is time to anticipate and manage potential challenges to non-competition covenants. 

                For employees, consultants, business service providers and strategic alliance partners, new federal regulations probably cannot replace the need for smart negotiations to prevent possible abusive enforcement of a valid restrictive covenant.  

                What is a Non-Compete Clause?  A non-competition clause or “covenant” is a contractual obligation by an employee not to compete with the employer’s business during employment and for some limited period after employment.  This restricts the employee from joining a competitor until after a reasonable “cooling off” period.  But the restriction is limited in scope, duration and, if appropriate, geography.  Every situation is different, so courts analyze the benefits, burdens and reasonableness.  The non-compete clause typically includes protections for trade secrets, which can exist forever (e.g., Coca Cola’s secret formula for its soft drink).

Why Businesses Require Non-Compete Clauses.  Non-compete clauses serve valid competitive purposes.  They protect a business against:

·         Poaching of the business’s clients and employees (but not forever);

·         Unauthorized disclosure of trade secrets (both of the employer and third parties doing business with the employer) and other employer confidential information; and

·         An employee’s abuse of his or her duty of loyalty while an employee.

 What are the Public Policy Limitations on Enforcement of Non-Compete Covenants.  In New York, such clauses are permitted as a matter of long-standing public policy (“common law,” not statute) to protect an employer.  (An exception exists for the broadcast industry.)  New York common law (“public policy”) already limits non-compete covenants.  The covenant must be reasonable in scope of work (relating to the first employer’s business activities), duration and geography.  As summarized by a former New York attorney general in 2017:

A non-compete [agreement] is only allowed and enforceable to the extent it (1) is necessary to protect the employer’s legitimate interests, (2) does not impose an undue hardship on the employee, (3) does not harm the public, and (4) is reasonable in time period and geographic scope. An employer’s legitimate interest may include protecting an employer’s trade secrets and confidential information and preventing employees from taking specialized skills they gained on the job to a competitor. A non-compete’s restrictions must be no greater than necessary to protect the legitimate interests of the employer. To determine if a non-compete is enforceable, courts consider an employee’s job duties, the employer’s business interest, and the language of the agreement.

In contrast, a California statute bans non-competition covenants as a “restraint of trade” unless negotiated as part of the sale of shares or the employer’s business.  Exceptions apply to situations involving business exit transactions including the sale of the goodwill of a business, the seller’s entire ownership interest in the business entity, or all or substantially all of a business’ operating assets together with the goodwill.  Calif. Bus. & Prof. Code §§ 16600 and 16601.

 Negotiated Contractual Limitations on Non-Compete Clauses. To limit an overly broad limitation on mobility of workers and business service providers, employees, business service providers, licensors, strategic partners and others can negotiate limitations on non-compete clauses.  For example, one might negotiate an exclusion for information and know-how that is “general skill and knowledge” in an industry.  Or an employee might negotiate a separation bonus can seek some compensation, particularly where the employee to cover the post-termination period, especially where the termination was “without cause.”   For new senior executives coming on board with broad substantive and strategic knowledge, a blacklist of “competitors” and a whitelist of “non-competitors” might be identified to give comfort to both employer and executive.

 Planning How to Improve your Chances of Enforcing a non-Competition Clause.  Anticipating new FTC regulations on interstate businesses, you can improve your odds of judicial enforcement of your non-competition covenants.  In addition to carefully crafting your non-compete clauses, you can:

 ·         Pay some money that is earned only during the post-termination period.  This provides special “consideration” beyond one’s normal salary. 

-        In England, they send such employees to “garden leave” to do nothing but grow a garden. 

-      In Japan, the “corner office work” serves the same function, where job duties are restricted with full pay.

·          Limit the scope to what is needed for saving your customers, your employees and your trade secrets from poaching.  

·         Protect trade secrets through internal management practices, manuals, trainings and segregation of functions, as well as clauses in employment agreements, licensing agreements, business services agreements (outsourcing), non-disclosure agreements, financings, strategic transactions, and any transaction for a change of control.

·         Protect existing and prospective client relationships and employees from being poached by delivering good customer experiences and employee satisfaction.

·         Link non-compete clauses to stock options, restricted stock units and/or deferred compensation.

·         Negotiate with your new employees (and their attorneys) to have them agree the restrictions are reasonable.

·         Require disclosure to new employers so that they can evaluate whether there is a risk of conflict and breach.

·         Consult an attorney who understands your business model and can help you build, protect and securely exit your business.

Thursday, January 28, 2021

U.S. National Security Regulation of Information Technology Supply Chains and IT Infrastructure as a Service: (CFIUS-Style National Security Review for Cloud Computing, Software, Hardware, SaaS, IoT and Other Tech-Enabled Devices)

Regulation of IT Supply Chain after January 19, 2021 and after SolarWinds

On January 19, 2021, as a final act of the departing Trump administration, the Department of Commerce published an interim final rule (the “Rule”) and President Trump signed an Executive Order (the “Order”) to regulate U.S. information technology (“IT”) companies in transactions with foreign actors.  Entitled “Securing the Information and Communications Technology and Services Supply Chain,” the Rule is based on delegated authority under the International Emergency Economic Powers Act. The Order expands on an Executive Order issued May 15, 2019.   The Rule coincides with newspaper reports that some U.S. governmental agencies and other tech services companies downloaded malicious software from SolarWinds, a Texas tech services company reportedly with over 18,000 customers, that appears to have been hacked by foreign hackers.

Summary of New ITSC Regulation

As of January 19, 2021, any American business’s purchase of Information and Communications Technology and Services (“ICTS”) from “persons owned, controlled our under the jurisdiction or direction” of a “foreign adversary” is subject to a Commerce Department review for national security and critical dependency risks.  The Rule covers all ICTS Transactions where the tech or services are “designed, developed, manufactured or supplied” by such persons.  The Rule seeks to protect the American IT supply chain (“ITSC”).  No exemptions apply, regardless of your company’s size, industry or activities.  

The 2021 ITSC Rule follows the policies reflected in the 2018 amendments to laws governing virtually all foreign acquisitions of U.S. tech companies, under scrutiny for national security by the Committee on Foreign Investment in the United States (“CFIUS”).  To avoid duplication, the Rule states it does not apply to ICTS Transactions that CFIUS is actively reviewing, unless the ICTS Transaction is distinct from a CFIUS-reviewed transaction.  Like the CFIUS review process, the Commerce Department can identify a mechanism and relevant factors for the negotiation of agreements to mitigate concerns raised in connection with the Order.

The ITSC Rule

Scope of ITSC Transactions

Virtually every digital service and product is covered, regardless whether it handles a single computer, a computer network, cloud service, telecommunications switches or just individual product data.

Definition of ICTS.  The Rule defines “Information and communications technology or services or ICTS” to mean “any hardware, software, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.”

Definition of ICTS Transaction.  Under the Rule, “ICTS Transaction” means any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download. An ICTS Transaction includes any other transaction, the structure of which is designed or intended to evade or circumvent the application of the Executive Order.”

Broad Scope.  In its preliminary discussion of ITSC vulnerabilities, the Commerce Department clearly intended to include SaaS (software as a service), Infrastructure as a Service, Cloud data storage and computing, IoT Internet-devices embedded in consumer goods, mobile phones and their Apps, Web browsers, drones and networked surveillance cameras.  

“Foreign Adversaries.”  The list of “foreign adversaries” consists of the following foreign governments and non-government persons: the People's Republic of China, including the Hong Kong Special Administrative Region; the Republic of Cuba; the Islamic Republic of Iran; the Democratic People's Republic of Korea; the Russian Federation; and Venezuelan politician Nicol├ís Maduro (Maduro Regime).

Effective Date of Rule

The Rule applies to any ICTS Transaction that is initiated, pending, or completed on or after January 19, 2021.  Further, any act or service with respect to an ICTS Transaction, such as execution of any provision of a managed services contract or installation of software updates, is an ICTS Transaction on the date that the service or update is provided.

Future Compliance Impact

The ITSC Rule imposes potentially costly compliance obligations for risk identification, assessment and regulatory licensing.  The Rule serves as a boycott of technologies from “foreign adversaries” unless approved by a Commerce Department license.  There are civil and criminal penalties, but prosecution of millions of small businesses is not practical.  Assuming the Biden Administration pursues the Rule, the scope will change the landscape for everyone, including our foreign trading partners, with potential retaliation by “foreign adversaries.”

If implemented, the ITSC Rule will likely generate a hornet’s nest in the business world and international politics.  But the reported SolarWinds hacking supports the logic of greater transparency in IT supply chains.

ICT Company Burdens.
  ICT providers will need to verify countries of origin and give warranties about their extended ICT supply chains.  Even absent a legal requirement, there will be an increased need to document supply chain risk management analysis in the event an ITSC transaction is investigated by the Commerce Department.  ICT services companies must now identify the nationality, origin, foreign control and sensitivity of data that flow through their digital infrastructures.   

Corporate Governance.  Corporate boards, officers, purchasing and procurement departments and strategic planners will need to identify the risks across a potentially multi-layered IT supply chain.  How much should a board spend on verification?  Is an ICTS supplier’s self-certification sufficient?  Will an independent sourcing audit become the norm?  What should be the policy, the process and the budget?

Information Governance.  New Information Governance ("IG") policies and procedures will be needed for ITSC risk management and regulatory licensing compliance.

Privacy and Cyber-Security Risk Management.  The ITSC Rule will highlight special risk management procedures, and perhaps insurance, that relate to compliance with privacy laws, such as the California Consumer Privacy Act (to be replaced in 2023 by a Consumer Privacy Rights Act) and potentially EU’s GDPR and draft Digital Services Act.

Antitrust and Competition Law.  If Google or other dominant market player were to insist that its European subsidiaries buy only from suppliers complying with the ITSC Rule, that would have the effect of exporting American ITSC risk management compliance.  Foreign local suppliers sourcing from a “foreign adversary” would be barred.  This would be a secondary boycott unless a Commerce Department license were granted.

Best Practices for Vetting: Know Your IT Service Provider.  If they don’t already do so, enterprise customers will include an ITSC Transaction questionnaire in their requests for proposals, requests for quotations and master services agreements.  ICT agreements will include warranties and rights to audit and inspect supply chain information.  Chief Information Security Officers (CISO’s) will push for more certifications by “ethical hackers” -- independent third party testers of malware – and perhaps even direct testing.

Redrawing Supply Chains and Strategic Alliances.  Geographic and national security issues will translate into modifications in supply chains, starting with digital business models and leading into all enterprise strategic alliances, global business services, outsourcing services providers and shared services centers.  Procurement and IT departments will also examine the impact across strategic sourcing, supplier management, assessment of third party risks, artificial intelligence and robotic/intelligent process automation.

M&A and Corporate Finance.  New representations and warranties will appear in die diligence and documentation for business valuation, corporate finance and M&A transactions.

Audits.  Accountants will require ITSC audits before certifying or commenting on financial statements, which could include disclaimers as to an entity’s viability due to “incomplete” ITSC disclosures.

Cyber-risks, Hacking, Cyber-Security and Privacy.  The new Rule concerns national security, digital security, privacy and extortion.  “This [potential] data exfiltration—supported by U.S. web data hosting and storage servers—threatens to allow foreign adversaries to exploit Americans' personal and proprietary information by allowing a foreign adversary to track the locations of Americans, build dossiers of sensitive personal data for blackmail, and conduct corporate espionage from inside the borders of the United States.” Cyber-insurance policies will need to be revised to impose underwriting constraints and higher premiums on non-conforming insured enterprises.

International Trade Agreements.  In light of the reported SolarWinds hacking, President Biden will need to decide how stringently to enforce the Trump administration’s ICTS Rule.  New trade agreements might create group action against the same “foreign adversaries.”  Conflicts with allies may arise as to ICT products designed or manufactured in a trade ally country by a subsidiary from a “foreign adversary.”  For example, the Chinese tech company Huawei is planning to build 5G telecom products in France, potentially for sale to other trade allies.

How to Get a Department of Commerce License.  

Assuming a company plans to update or sign up for any "foreign adversary" technologies, a license will be needed.  To afford parties greater certainty, the Commerce Department intends to publish, within 60 days after January 19, procedures to allow a party or parties to a proposed, pending, or ongoing ICTS Transaction to seek a license.  Implementation is scheduled within 120 days after January 19.  The change from President Trump to President Biden will determine how this Rule plays out in March and May 2021.

This summary is not legal advice.  These matters are subject to change.  If you have any questions or comments, please feel free to contact us. (C) 2021 W.Bierce.


Tuesday, October 1, 2019

Corporate Governance Fiasco at WeWork, Crisis Management Playbook and Lessons Learned: The Expulsion of Adam Neumann from the Garden of Eden

Adam Neumann founded WeWork in 2010 but was expelled from management functions as CEO of the company (newly named The We Company) in September 2019.  He became non-executive Chairman of the Board.1   These changes were adopted by The We Company Board of Directors (undoubtedly after consulting shareholders).  The changes followed a disastrous aborted IPO that overvalued the company at $47 billion.  The withdrawn IPO will result in cash flow shortages for ordinary operations, unless the bleeding is stopped. 

Mr. Neumann’s fall from grace last week comes right out of the biblical Garden of Eden (eating forbidden fruit), Greek tragedy (blind hubris) and Dante’s Inferno Ninth Circle (betrayal of trust of family, community and country).   There must be a better way to run a closely held company.

The loss of cash anticipated from the failed IPO created a dramatic need for cash to sustain operations.  Let’s look at changes in corporate governance and new strategies for crisis management strategies.

Corporate Governance

Board Duties.  In this case, Delaware law governs The We Company’s governance. Decision-making is done by the Board of Directors, appointed and removable by the voting stockholders.   The directors have a fiduciary duty to act prudently, a duty of loyalty to avoid self-dealing and a duty of care to justify the reasonableness of exercising their business judgment.

Board Actions.  Here, the Board and voting stockholders appear to have been captured and mesmerized by a flamboyant and extravagant founder engaged in self-dealing.  The Board approved, or did not discipline, apparent self-dealing of hiring Mr. Neumann’s many friends and family as employees.  The Board appears to have allowed but then rescinded a deal for Mr. Neumann’s sale to the company of a trademark registration for $1.6 million or so; however, the timing of discovery and rescission are apparently not public. The Board allowed the purchase of a $60 million private Gulfstream jet for Mr. Neumann’s use.  The Board approved dealings where Mr. Neumann, his family and even other members of the Board are the landlord and the company is the tenant.  In their risk analysis on SEC Form S-1 filed with the SEC August 14, 2019, the company admitted:
    “We have engaged in transactions with related parties, and such transactions present possible conflicts of interest that could have an adverse effect on our business and results of operations.  We have entered into a number of transactions with related parties, including our significant stockholders, directors and executive officers and other employees. … we may have achieved more favorable terms if such transactions had not been entered into with related parties and these transactions, individually or in the aggregate, may have an adverse effect on our business and results of operations or may result in government enforcement actions or other litigation.”
This looks like an invitation for a class action by future stockholders after an IPO.

The Board approved spending of over $500 million for acquisitions (arguably, for “diversification” and “synergies”).   Such investments generated revenues but arguably were different lines of business that would not build the core business.  The investments include WeGrow (pre-school and elementary education), Rise by We (fitness club), WeLive (rentals of dorm-like apartments), (event planning) and Conductor (search engine optimization).

The Board’s actions appear responsible for precipitating a crisis of trust.  The Board authorized the IPO documentation that did not provide segmented accounting by line of business.  The SEC Form S-1 omitted other information that one might consider “material.”  Investors rejected the IPO valuation of $47 billion and complained.  The Board has now withdrawn the public offering.

Crisis Management Playbook.

Board Action.   Having backed itself into a crisis, the Board took steps to rectify all of its apparent past neglect.  It terminated the founder’s employment.

Stockholder Action.  The stockholders appointed Mr. Neumann as non-executive chairman of the Board.  This action solved a lot of conflicts. It satisfied Mr. Neumann’s need to continue in some form of management.  It satisfied the stockholders’ need to remove him from operations while preserving whatever goodwill is associated with his inspirational reputation.

More significantly, the stockholders kept Mr. Neumann’s feet to the “fiduciary fire” so that he would be held responsible for future decisions that he approved.  Thus, Mr. Neumann’s personal rights (as stockholder) to complain about future Board decisions would be coopted and any bad decisions he approves henceforth will be subject to his responsibility for participating in and approving them. And he signed a voting agreement that substantially dilutes his super majority voting control.

Action Steps in Crisis Management.  The Board’s cleanup crew focused on reform of leadership and cash management.

Nepotism and Cronyism.  The Board fired Mr. Neumann’s wife and about 20 members of his family and friends, who held senior positions.  A crisis transition will occur, where pending projects will need to be identified, prioritized and terminated or re-adopted under increased Board supervision.  A new leader, free of prior association with Mr. Neumann’s entrancement, will guide as CEO.

Board Structure.  The Board may be increased to include more directors, who will be assigned to committees.  There will be significant changes in the role of directors including independent directors.

Cash Management.   Since the IPO documents revealed that expenses were growing as fast as revenues, cash management becomes a priority for survival.  SoftBank was reportedly ready to contribute another $10 billion when it was valued at $47 billion, but the valuation is now more in the range of $15 billion according to estimates.  Further, SoftBank’s own leadership has undoubtedly been questioned by its investors for having acquiesced in Mr. Neumann’s management “mistakes.”  So cash management can be expected to result in significant emergency restructuring.  This could involve:
  • New scrutiny of all elements of the company’s business to revise:
    • its value proposition
    • its core business (which incidentally can be reviewed by looking at recent trademark applications)
    • its risk management and resiliency plan
    • cash flow requirements
    • operational reporting for greater transparency
  • Mass layoffs of persons not closely tied to the core real estate leasing operations
  • Sales of ancillary companies that, while profitable, are not “core” businesses
  • Termination of “non-core” projects
  • Demands for recovery of expenses incurred by Mr. Neumann and his “oval office” coterie of family and friends that had “no relation” to the company’s business
  • Possible renegotiation of lease terms or requiring Mr. Neumann to assign his rights as landlord to a third party where he controls WeWork’s landlord
  • Tax audits and amended income tax returns to reflect higher income and reduced deductible expenses from personal projects that a tax auditor might assert was a personal expense
  • Slower expansion
  • Termination of certain low-performance real estate projects that generate losses
  • An increase in the coverage limits for the company’s directors’ and officers’ liability insurance coverages
  • A new formulation and new solicitation of private equity, with a “down round” that values the company at less than the valuation agreed when SoftBank had invested.
Liability Management.  A crisis plan can help reduce the risk of shareholder litigation against the Board and officers as well as against SoftBank.  The “good governance” bullet that killed Mr. Neumann’s CEO role ricocheted towards SoftBank and its leader Masayoshi Son, whose own investors apparently revolted in Japan.  This crisis plan will help SoftBank justify additional capital contributions at a lower valuation, assuming SoftBank’s investors will approve it.

For other closely held businesses, the lessons are clear.  It might be time to restructure your corporate governance with new policies, procedures, practices and internal controls.

1 For history, The We Company, SEC Form S-1 (Aug. 14, 2019) and Elliot Brown, Anupreeta Das and Maureen Farrell, “WeWork to Push Out Staff Close to Ex-CEO,” Wall St. J. Sept. 27, 2019, pp. A1, cols. 4-5, p. A8, cols 3-6; Eliot Brown, “WeWork’s Adam Neumann Runs on Excess,” Wall St. J. Sept. 19, 2019, pp. 1, cols. 5-6; p. A8, cols. 1-6.

Thursday, August 1, 2019

Implications of New York’s Expanded Data Privacy Protections (July 25, 2019)

If you operate or work in a business that collects personal data of New Yorkers, you could be subject to civil penalties for possible data security breaches or concealment.  This is a follow-up to my blog in June on this draft law, which was just passed.

On July 25, 2019, New York Governor Andrew Cuomo signed the SHIELD ACT (“Stop Hacks and Improve Electronic Data Security), expanding New York law on standards of care and liability for data breaches of “private information.”  The New York SHIELD Act represents a further compliance burden for all companies worldwide.  This follows a trend on data privacy laws with extraterritorial effect, like the General Data Protection Regulation (“GDPR, European Union, effective May 25, 2018) and California Consumer Privacy Act (“CCPA,” effective January 1, 2020).  The title captures the name of the Federal “Privacy Shield,” a program for voluntary compliance by U.S. companies with the GDPR.

The New York SHIELD Act also impacts HR departments, IT departments, supply chain management, service providers and strategic transactions such as strategic alliances, M&A and the sale or purchase of a business. 

Key Provisions.

Reportable Data Breaches.  The law expands a data breach.  In addition to unauthorized copying of protected information, the New York SHIELD Act adds “unauthorized access.”  This definition invites a comparison to the Federal Computer Fraud and Abuse Act, 18 U.S.C. 1830 (“CFAA”).  Both laws thus target both third-party attackers and rogue or negligent internal personnel who gain access to data that is outside the authorized scope of their employment. 

Private Information.  The new law extends protection (data breach notification) to additional classes of “private information”: (1) social security number, (2) driver’s license number or non-driver ID card number, (3) “account number, credit or debit card number, in combination with any security code or access code”, (4) such account number or debit or credit card number, alone, where access to financial information can be obtained without a security code, (5) biometric information (obtained from measuring an individual’s unique physical characteristics) such as a fingerprint, voiceprint, retina or iris image, or other unique physical or digital representation of biometric data to identify an individual.

In addition, “private information” includes a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.

If encrypted, private data is subject to protection if the encryption key is used to identify the individual.

When to Report Data Breach.  The breach must be reported when the private information of any resident of New York State is “accessed or acquired” by “any person without valid authorization.”  Reporting must be expedient yet show with due respect for law enforcement actions.  An exception to reporting is allowed for “inadvertent disclosure by persons authorized to access private information,” that the person or business “reasonably determines” is “not likely” to “result in misuse of such information or financial harm…or emotional harm.”  In such exceptions, an incident report must be prepared and maintained for 5 years.

Notification to Data Controller.  While not using GDPR wording, the New York law requires the data processor to notify the data controller or data owner.

Method of Notification.  Several possible notification methods are permitted, including mail, e-mail (“electronic notice”), and telephone, or substitute notice (in case notification would cost more than $250,000 including e-mail, website announcement and notifying “major statewide media.”

Enforcement; Civil Penalties. While there is no private enforcement, the state Attorney General can seek damages of up to $250,000.  The statute of limitations is two or three years from the date of the act (or discovery), but not more than six years.  Exceptionally, if the victimized business conceals the “breach,” there is no time limit for such enforcement.

Extraterritorial Jurisdiction.  Like GDPR and CCPA, the New York SHIELD Act now applies to anyone who has private information about a New York resident.  Thus, its scope applies to businesses worldwide that have no office, employees, warehouse or operations in New York. 

What’s Missing.  Unlike the GDPR, CCPA or Nevada’s new privacy law effective October 1, 2019, the New York privacy law expressly prohibits any private right of action by the data subjects whose private information is illegally accessed (Section 4).    And it does not focus on consumer consents but rather on the custody, processing and destruction of private data.  Also, the New York law does offer a hornet’s nest of litigation opportunities of shareholder derivative actions, breach of fiduciary duty and whistleblower litigation.

Impact on Business Stakeholders.

Management’s Liability.   As a matter of corporate governance, the board of directors (or managing members of an LLC) must take steps prudently to protect the business from foreseeable risks.  The New York law calls on all such managers to exercise their fiduciary duties to develop, monitor and update such plans for risk management, insurance, business continuity and loss prevention.

Human Resource Departments; Employee Handbooks.  By prohibiting unauthorized access to protected information, the New York SHIELD Act invites HR managers to revise their employee handbooks to underscore the duty not to access such information without due authorization, and to report accidental “accessing” of protected information.  In theory, your employee handbook already covers this scenario because you comply with federal law (CFAA).  Further, you now have a duty to train your personnel in compliance.

Unlike other data privacy laws, the New York law’s protections allow an employer to avoid having to report a breach that occurs in case an employee or agent of your business gains “good faith access to, or acquisition of,” personal private data, “provided that the private information is not used or subject to unauthorized disclosure.”  In determining whether unauthorized access has occurred, you may consider, “among other factors, indications that the information was viewed, communicated with, or altered by a person without valid authorization or by an unauthorized person.”

Information Technology Departments.   Like the GDPR (“adequate protection”), the New York law requires “reasonable security” measures.  This requires a program of designating a responsible coordinator, identifying reasonably foreseeable internal and external risks, assessing the reasonableness of safeguards, selecting capable service providers, destroying private data that is no longer needed and updating the program.   The legally mandatory policies and procedures are very detailed (Section 4) 

Small businesses get an easier standard of care if they employer fewer than 50 employee, earn less than $3 million per year for the preceding 3 years, or have less than $5 million in assets (Section 4)However, this lower standard of care invites professional advice because it still requires “reasonable administrative, technical and physical safeguards” taking into account the nature of the business and the degree of sensitivity of the private data. 

Impact on Strategic Transactions and Business Models.

Stock Purchase Agreements / M&A.  The GDPR and CCPA shed new light on the risks assumed by a purchaser of a business.  The New York law will invite greater due diligence and contingent price adjustments post-closing to identify and cover cybersecurity risks.  Transactional liability insurance (including “representation and warranty insurance”) will become more prevalent to respond to worries by both buyers and sellers.

Downstream: Flow-downs to Supply Chain Management; Strategic Business Alliances.  If you rely upon a third party to process private data, you should review your Master Services Agreement and update the service provider’s duties to ensure you can demonstrate your service providers comply.  Similarly, if your company shares any private data in a marketing services agreement for lead generation, social media, paid search, search engine optimization (“SEO”), you should identify what data they collect (for all data breach notification purposes), how they collect it (for GDPR purposes), how long they retain it and what plans exist for destruction of private personal data within the broadest definitions under GDPR, CCPA and the New York SHIELD Act.

Upstream: Flow-Ups to Enterprise Clients and Customers.  Similarly, your company can now be expected to respond to questionnaires and other audit techniques from your global enterprise clients worldwide, asking whether your company complies with the SHIELD ACT’s cybersecurity precautions and breach notification measures.  So the New York SHIELD Act (like GDPR and CCPA) will create a new compliance process for virtually all businesses worldwide that process any private personal data of New York residents, depending on the character of the data and the reasons for processing it.

Risk Management and Resiliency Plans; Cyber-Security Insurance.  If you don’t already have some cyber-security insurance coverage, you might find it reasonably priced, if you focus only on New York legal liability.   But if you add GDPR, CCPA and Nevada, your cyber insurance may be a prudent move  But you’ll probably have to demonstrate some sophistication, planning, supervision and related disciplines in the underwriting process, not only as to cyber risks, but also general risk management and business continuity planning.

New Business Models.  The expansion of jurisdictions adopting data protection and breach notification laws invites the creation of new business models not dependent on knowledge of the particular individual’s identity in plain text.  In adopting GDPR, the EU Commission invited business models that depersonalize personal data, such as by aggregation, encryption and pseudonymization.  For digital media agencies, they may find ways to guess a customer’s intent rather than know which customer is contacting them and studying the particular individual’s conduct.  Thus, anonymized search tools (currently available on certain browsers) and search engines (e.g. Apple) may become the norm.

Effective Dates.

All sections of the law are effective ninety days after signature (October 25, 2019), with Section 4 effective two hundred forty days after signature, March 21, 2020.

If you have not begun the data protection self-examination, it’s never too late to start.