Monday, November 24, 2014

Redesigning the U.S. Business Workforce by Obama Fiat

If you thought Obama’s recent fiat on immigration only on focuses on Hispanic families and other illegal aliens, you are wrong. It targets business growth across the size, maturity and territorial footprint of a wide array of US businesses.

On November 20, 2014, President Barack Obama announced an Executive Order changing the legality of current illegal residents, creating  a path to regularization and amnesty for some 4 million to 5 million illegal aliens who have been in the United States for over 5 years, are not felons and will pay taxes.  But the real economic impact of his governing by “national interest waiver” and “parole” of foreigners into the U.S. will be felt more broadly, in startups, technology-based businesses and outsourcing services.

His proposal is to govern not by enforcing law, but by waiving enforcement and announcing it as an executive fiat rather than by legislative reform.  For politicians, this will potentially expose his waiver policy to judicial scrutiny and political contests in Congress, so much so that I believe that true legislative reform is highly unlikely in the next two years.

The political impetus was humanitarian aid to foreign parents of U.S. citizen children.   The economic impact will be felt broadly, not only in industries (such as restaurants, food processing, farming, landscaping and small business) that have traditionally employed illegal foreign workers.  Indeed, the greater impact will be felt across broad sectors involving STEM technology, startups, venture capital, outsourcing, global consulting and multinational companies.

  • Domestic business owners will face increased costs of compliance with new administrative regulations. Those businesses that have relied upon illegal foreign workers will likely have to increase wages because the newly protected illegal foreign workers will have new portability of their work at one employer as a basis for adjustment of status to lawful permanent resident.  The new rules for the “Deferred Action for Childhood Arrivals” (DACA) program will impact every U.S. employer who will need to adopt new employment eligibility reviews, on terms to be defined under future regulations.
  • Startup Mania.
    • Foreign-owned startups won’t need to worry about H1-B’s.  They will benefit either by “national interest waivers” or (on a case-by-case basis for “urgent humanitarian reasons or significant public benefit”) by “parole.”  For foreign inventors, researchers and founders of start-up enterprises, the Obama administration has set an agenda to “clarify the standard by which a national interest waiver may be granted to benefit the U.S economy.”  Under individual decisions on to “parole” a foreigner, the USCIS will evaluate and grant individual requests for admission from abroad or even extend the right to “stay in place” in the United States.  According to USCIS, waivers and paroles will be granted to “eligible inventors, researchers and founders of start-up enterprises who might not yet qualify for a national interest waiver,” but who (i) have been awarded “substantial U.S. investor financing”; or (ii) “otherwise hold the promise of innovation and job creation through the development of new technologies or the pursuit of cutting-edge research.”
    • Startup Investors.  The US government estimates that this will benefit about 400,000 highly skilled foreign workers.  U.S. angel investors, venture capitalists, startup incubators and their operational supporters will be overjoyed, though the details remain to be seen. 
    • Domestic startups will probably have greater access to foreign inventors, researchers and co-founders.
  • Foreign investors in US companies, global consulting companies and foreign outsourcing companies dodged a bullet.  Foreign outsourcers will probably be able to continue to send large numbers of skilled foreign workers to fill gaps in the US workforce.    However, I suspect that new regulations will be drafted to adopt (tacitly or explicitly) the restrictions and additional governmental scrutiny under the draft Border Security, Economic Opportunity and Immigration Modernization Act, see S. Rept. 113-40 (113th Cong., 1st Sess.), as passed by the Senate in mid-2013.  Thus, H1-B skilled worker dependent employers would likely need to take good faith steps to recruit U.S. workers first, advertise H1-B jobs on a U.S. Department of Labor website and offer the job to a any U.S. worker who applies and is equally if not better qualified than a potential H1-B skilled worker.
  • Foreign spouses of H1-B skilled foreign workers will get the right to work. This will bring additional foreign skills and competition to the American labor market.  But Indian and other foreign outsourcing companies were disappointed not to get an increase in the current 65,000 ceiling on H1-B visas, though they must accept that such an increase would take a new law, not a new “waiver” or “parole.”
  • Foreign students will likely get increased access to work in the U.S. after U.S. university training under an expanded and extended definition of “optional practical training.”
  • Foreign skilled workers who entered the country legally and are in limbo waiting for green cards (lawful permanent residency) will have new flexibility to change jobs without getting sent to the back of the queue for green cards.  This newfound job mobility will give them higher, more competitive salaries and thus less likelihood of being abused as “cheap labor.”
  • U.S. labor unions, Obama’s core supporters, have kept their mouths shut.  They probably will be happy to see higher wages for H1-B’s due to portability and no increase in the 65,000 H1-B cap.   They can’t complain about humanitarian waivers and parole for family unification under the DACA program.
  • Governing without a legislature.  In the short term, Obama’s executive order to waive the application of the law on a wholesale basis is good for business (especially high-tech, e-business and startups).  As a political gesture, it is probably bad for the incoming Republican-controlled Congress and the constitutional balance of power.  Thus, it will unlikely be overturned legislatively until a new Congress in 2016.
Not only illegal aliens, but businesses of all sizes, universities, startups, venture capital, business angels, tech-based operations can rejoice.   Of course, the devil’s in the details. 

Monday, November 10, 2014

Bringing Phoenix Value to Failed Startups

Entrepreneurship is strewn with startup corpses.  Dynamically, the world’s entrepreneurs, investors, governments, business schools (and their supporters like attorneys, accountants, incubators, consultants and advisors) have created millions of new startups in the last few years.   But startups have a high failure rate.  Yet few commentators discuss the painful process of what happens to failed startups. 

Like political questions, a “startup failure” depends on how you define it.  About three-quarters of venture-backed firms in the U.S. don't return investors' capital, according to a Wall Street Journal report on the research of Shikhar Ghosh, a Harvard Business School senior lecturer.   For him, “failure” means 0% ROI.  The same article cited more optimistic venture capitalists’ estimates that 30% to 40% of startups “fail completely” while another 30-40% return the original investment, and only 10% or 20% yield substantial returns. 

“Startup corpses” have “Phoenix Value.”   A “loser” is any project with 0% ROI.  Starting with the “Dot Bomb” bust in 2003,  some are purely domestic, like the web developers who offered new social “community” business models in 2003 for $500,000 that today would cost $5,000 to $20,000.  Others involve cross-border startups (and more mature enterprises) entering the U.S. markets seeking customers, funding, talent and sometimes a new home.  For example, this category includes “pet robots,” web analytics software and online video editing. 

A “winner” is a successful traveler from the Gulf of Nothingness to the radiant shores of Exitness.  Steps could include incorporation to “friends and family” funding, to VC rounds 1 and 2, to bridge loans where the founders mortgaged their souls (and shares), to sale of non-strategic assets, refinancing, generation of strong customer relationships and highly profitable exit sale.

However, don’t think that failed startups are always lost causes. Professionals can resuscitate, reutilize and reintroduce the lost value from startup corpses.  To help recover value from the startup crematory, an ecosystem of “Phoenix Value hunters” has arisen.   They consist of attorneys, restructuring experts, valuation advisers, investment bankers, stable businesses looking to fill tech gaps and “Phoenix Value” investors. 

Here are a few lessons learned from the trenches.

  • Founders and early-stage investors in startups want to ensure the legal entity owns the intellectual property, trade secrets and, to the extent possible, the people doing the innovation. 

  • VC investors want a preference in liquidation.  This means not only a preferred payment (ahead of common stockholders) but also a preferred return (the “liquidation preference” multiple of invested capital).
  • VC investors need the right to fire the founder from management roles.

  • Founders can leave failing startups and build anew, but the manner, timing and perceptions about their departures will impact their ability to raise capital in the future.

  •  “Phoenix Value” investors can make good money by buying distress assets from a failing or failed startup.  They don’t anticipate any more “funding rounds.” “Phoenix Value” investors create Phoenix Value for transformation of “dead” or “useless” innovation into productive assets in a sustainable, well-funded business.

  • Proper foresight in management and administration of intellectual property (as well as the people who create and manage it) can reduce losses, increase gains and avoid surprises that can kill or delay prospective acquisitions.

  • Some bankrupt companies in one country might reappear in the markets of other countries, thanks to Phoenix-stage investors finding and generating new value from the ashes.

 So, when considering a startup or a new product development plan, keep planning for both success and failure.   Understanding how failures can be used to retrieve and revive a “sunk cost” can make a big difference in your personal and professional success.

Tuesday, November 4, 2014

New Tax Planning for Your Digital Business

Two recent developments in the news should get you thinking about what if….

Domestically, the U.S. Internet Tax Freedom Act (“ITFA”) will expire on December 11, 2014, unless Congress passes another extension.   ITFA, enacted in 1998 to encourage the growth of internet access and e-commerce, has already been extended three times, the last time in 2007.  It essentially prohibits any new direct taxation by state and local governments on internet access, multiple taxes on internet transactions (can’t be taxed twice by different jurisdictions) and discriminatory taxes (same tax rate must apply for both online and its physical counterpart) on online transactions.  A permanent ITFA was passed by the House in July, 2014, but has been held up in the Senate, politics being what it is.  ITFA was due to expire November 1, 2014, just prior to Election Day, but was kindly extended by Congress to December 11 for obvious reasons. 

So what if it is not extended or made permanent:

1)    Consumers and businesses alike would be hit by higher taxes in its usage and access to the internet.
2)    Higher taxes may restrict the ability of (moderate to lower income) consumers to access the internet, thereby reducing e-business sales and profits, affecting the nationwide economy.  Dissemination of information on the internet would suffer as well from lack of access.
3)    Services, such as e-mail, may be subject to taxes, taking a bigger bite of everyone’s budget.

Although it is likely to be extended, e-businesses need to be prepared for the possibility of higher taxes, going forward.

Internationally, on October 29, 2014, the OECD and G20 countries endorsed a new standard for the automatic intergovernmental exchange of financial and tax information, which will usher a new era of international financial transparency, beginning in 2017.  As one of the policies to prevent “artificial” “base erosion and profit shifting” (BEPS), the standard follows the US model of adopting information exchange treaties to identify all financial transactions of its citizens globally, where foreign governments become the willing enforcement mechanism for U.S. tax law.   See  and recent press release by oecd.
    …, [I]t is also recognised that the business models and key features of the digital economy exacerbate BEPS risks and therefore must be addressed. It is expected that the other actions will address these risks but at the same time a number of specific issues have been identified which must be taken into account when doing the work (permanent establishment issues, importance of intangibles and use of data and possible need to adapt CFC rules and transfer pricing rules to the digital economy). A number of broader direct tax challenges have also been analysed, such as the ability of a company to have a significant digital presence in the economy of another country without being liable to taxation due to the lack of nexus and further work will be carried out to evaluate their scope and urgency and potential options to address them. Finally, challenges in the area of indirect taxes in relation to business to consumer transactions have also been identified and will be addressed by 2015.  OECD, BEPS report, p. 8 (see above).
And Ireland has bowed to international pressure to eliminate the “Double Irish” corporate tax loophole, which allows an Irish-registered subsidiary to send royalty payments for intellectual property to another that resides for tax purposes in a country with no corporate income taxes (such as Bermuda).

So, what should the ordinary e-business do to simplify business and minimize compliance problems?

    First, you can’t hide.  As an “ultimate beneficial owner” (“UBO”), you should forget any hope of confidentiality of your ownership interests in any legal entity.  While American corporate laws do not require reporting of ownership to local Secretaries of State, tax laws do.  Under the OECD/G20 standard, you can’t hide behind a foreign holding company.  

    Second, develop strategies for workforce deployment and outsourcing.  Learn about “form vs. substance” and the principles of what constitutes a taxable nexus.  Anticipate that transferring intellectual property to a tax-favored holding company might not work unless it is in the same jurisdiction as your innovative employees who create the IP.  This principle will encourage smaller companies to outsource new product development since outsourcers normally assign IP rights across borders without much tax complexity. 

    Third, refocus on transfer pricing and be reasonable.  The new rules invite governments to tax more.  As governments get more active in adopting a new template for country-by-country reporting and challenging transfer pricing, businesses can consider collective action through trade associations to define standards for transfer pricing levels.  (Of course, exchanging of pricing information smells of concerted monopolism, so this would need some care to avoid crossing the line into anti-competitive conduct).

    Fourth, ask your portfolio companies what they are doing and how they are adapting.     

    Finally, rethink your game plan for tax compliance and eventual tax audit.  Maybe your internal analysis on allocation of value-creation and taxable revenue streams could be programmed into a software model that you could sell on the market.  After all, compliance costs for everyone will only increase, and you could recover your investment. 

Every pain enables someone to gain.  No pain, no gain.

Monday, September 22, 2014

"Pitch Night" - Tips for Innovative Start-ups

“Pitch Night” is the opportunity for startups and innovators to show their business ideas to potential investors/advisors and get feedback on their presentations. I recently attended one in the health IT sector and thought that the critiques presented by these advisors were invaluable advice, not just for this sector, but for anyone interested in exploiting a new e-business idea. I thought I would share some of these key lessons with you today:

1. Who Will Pay for Your Solution? Identify your business opportunity and target market by explaining who is in pain and willing to pay money for your pain-relieving solution.
  1. Your pitch should explain:
    1. “This is our customer.”
    2. “Our customer base is losing money (estimated at $XX per “transaction”/ “event” for YY transactions per year) because of problems we solve. [Describe the problems.]
    3. “This is why our customer will gladly pay for our solution to overcome their current chronic problems.”
  2. Don’t develop “a tool in search of a problem.”
  3. Talk to 100 buyers before you finalize your solution’s design. Understand how they identify their pain and what your solution does and fails to do to resolve that pain.
  4. Lawyer’s caution: Be careful. If you explain the “problem that you solve,” you might be explaining the trade secret in your patent application. Think about your “inside voice” (trade secret disclosure under a non-disclsoure agreement) and your “outside, or pitch” voice.
2. Finding the Niche: Steer Away from Obvious Competition. While your solution might have a broad market, you risk losing to deep-pocket competitors who also see a broad market. So target on a niche market where you can acquire a dominating competitive advantage.
  1. For large enterprises, third party administrators (TPA’s) already manage large health and wellness programs. They might not see the value of your product.
  2. For smaller enterprises, the value of your technological solution might come from the combination of lower per-capital costs of managed services (normally provided by a TPA) where you combine managed administrative services (like a TPA) and the underlying technological solution in a single pricing plan.
  3. Identify your “similars”: competitors who have a similar solution, and refine your solution to be different.
  4. Explain why you are different and your solution cannot be accessible to your competitors: patents, trade secrets, licensing, governmental monopolies, regulations, first-mover advantage, etc.
3. Prove your Concept. Investors want to know your solution works and is accepted by at least one key “early adopter.” Develop a pilot program to gather performance metrics that demonstrate “proof of concept.”

4. Exploit your Big Data. If your innovative solution collects data (through sensors in the “Internet of Things,” a “tracking” or wearable “monitoring” devices), then develop a plan to own and commercially exploit the value of such Big Data across all your revenue streams.
  1. Lawyer’s caution: Before you exploit personally identifiable information (“PII” under data privacy laws) or personal health information (“PHI” under HIPAA), adopt legal procedures for obtaining consents to use it and for securing it from hackers.
  2. Design your data collection strategy based on whether it complies with privacy rights. It’s “privacy by design.”
5. Exploiting Mobility; Provide Teleservices. Design your solution for use in telemedicine. If you are selling sensors or other tracking devices and services, identify how your solution overcomes existing problems of distance, such as remote villages lacking world-class medical support, or on the ocean or in the air, or other scenarios where it is predictable that the user will lack access to adequate medical care without your solution.

6. Consider Selling to Channels, not just to Customers. A channel consists of an industry player that regularly supports your target customer’s critical needs. It might be a distributor. But it might also be a strategic buyer who has a gap in its product line and would want to integrate your solution into its solution. Find the gap. Such a strategic buyer might invest in return for some form of preferential distribution rights.

7. Sustainable User Intrigue, not Fatigue. In your sale to users, you cannot merely sell them the product and a six-pack of diagnostic data presentations from the user’s uploading of his/her data to your servers. Over time, the user will become tired because “nothing changes” after the initial use and the initial improvement. To be sustainable, you must design sustainable user demand after the initial “quick success.” Possible solutions:
  1. Telemedicine
  2. Real-time feedback loop for health improvement (or other benefits) when your solution collects the data from the user
  3. “Emergency” alerts, dashboards and “managed care” support
  4. Habit-forming disruptive self-service that simplifies life and gives it more meaning with less hassle.

Friday, September 19, 2014

Legal Surprises When You "Like" a Facebook Posting

In a time when online presence defines many of our perceptions, we often think that online comments and postings about an employer would be a big no-no. Think again. A recent decision by the NLRB has given the green light to employees to express themselves freely, even if the employer may see those comments as defamatory.  Employers, beware.

In a recent decision by the National Relations Labor Board in Triple Play Sports Bar & Grille, 361 NLRB No. 31 (August 22, 2014) the NLRB upheld an earlier decision (NLRB 34-CA-01291, January 3, 2012) that the Triple Play Sports Bar & Grille had unlawfully discharged two employees for making disloyal and defamatory posts about their employer in their participation in a Facebook discussion.  In this case, several employees discovered that due to mistakes in their employer’s calculations of their withholding taxes, they would have to pay more taxes and took to their Facebook accounts with their complaints. The recently departed employee posted:
"Maybe someone should do the owners of Triple Play a favor and buy it from them. They can’t even do the tax paperwork correctly!!! Now I OWE money...Wtf!!!!"
In response to this complaint, other employees replied in kind, liked the post and customers of Triple Play commented. The Bar &Grille caught whiff of the thread and terminated two employees for their actions.

Long story made short: the NLRB ruled that the activities of these employees constituted NLR Act, Section 7, protected “concerted activities” for the purpose of employees’ mutual aid and protection and  their right to act together to improve terms and conditions of employment. The ruling found that their discussion related to known tax liabilities in their workplace and issues to be raised in the next staff meeting (ergo, protected and concerted) and that no intended malice or false statements were made by them regarding the products and services of their employer and directed to the public.  This latter was a major contention by the Bar & Grille, which had an Internet/Blogging employment policy prohibiting engaging in “inappropriate discussions about the company, management and/or co-workers.”  This policy was also ruled unlawful in that its employees could perceive these “discussions” to include protected activities in violation of  NLR Act, Section 8 (a)(1), which protects employees’ rights in NLR Act, Section 7, despite the policy’s  “savings” clause, “In the event state or federal law precludes this policy, then it is of no force or effect.”

Lesson to all employers:  Know that certain social media activities are protected by the National Labor Relations Act, particularly when two or more employees act together to improve terms and conditions of employment.  Learn the distinction between employee protected and unprotected social media activities, both in and out of the workplace.  Review your employee policies to ensure compliance with the latest NLRB decisions.

Tuesday, September 2, 2014

“Airtight” Online “Terms of Use” via Clickwrap or Browsewrap

Do you know the differences between a “clickwrap” agreement and a “browse-wrap” agreement?  If you don’t, you might be unable to enforce your website’s “terms of use.”  In either case, it might be time to redesign your Website’s legal links to ensure they are valid contracts enforceable against your users.

In a recent decision, the U.S. Court of Appeals for the Ninth Circuit upheld an earlier ruling (Nguyen v. Barnes & Noble, Inc., USDC, C.D. California, Aug. 28, 2012) that an online customer at an e-commerce website did not agree to the website’s terms and conditions governing website use and sale of goods, even though there was a conspicuous hyperlink on every page to the website’s “Terms of Use.”   Nguyen v. Barnes & Noble, Inc. (9th Cir. Aug. 18, 2014).  The court held that the user never gave valid binding consent to arbitration or choice of law terms, because (1) the user did not click on the “Terms of Use”, (2) there was “no notice to users” that they were entering into a contract by using the website, and (3) there was no prompt to users to take any affirmative action to demonstrate assent to formation of a contract.  As a result, the website owner was unable to rely upon the Terms of Use, and the consumer was entitled to sue in court for claims arising out of a failed online commercial purchase.

For website users, the decision encourages never clicking on any hyperlinks relating to “terms of use”, “privacy,” “legal conditions” or other hyperlinks customarily posted by website owners.  For website owners, the decision is a wake-up call to immediately change the layout and functioning of the “terms of use,” “legal conditions,” “privacy” and other warnings.

In Nguyen, the court reminded the parties that there are only two flavors of contracts formed on the Internet.

  • Under “clickwrap” (or “click-through”) agreements, website users are required to click on an “I agree” box after being presented with a list of terms and conditions of use.
  • Under “browse-wrap” agreements, a website’s terms and conditions of use are generally posted on the website via a hyperlink at the bottom of the page, but there is no functionality requiring the user to manifest assent to the terms and conditions expressly.  Because there is no affirmative duty to express such assent, the determination of the validity of the browse-wrap contract depends on whether the user has actual or constructive knowledge of the website’s terms and conditions.  (Such knowledge may be presented on the website or may be given later, in the form of a mailed notice of breach and demand for cure.  Without such knowledge, there is no online contract.

The Nguyen decision did not address whether the website user is deemed to have assented to the website’s privacy policy.   However, the same principles could apply if the user were to argue that she had no actual knowledge of the privacy policy and never assented to the use of cookies, pixel tags, metadata analysis, profiling or other clandestine surveillance, or the re-transfer of personal information to third parties.

To ensure actual consent, the Court warned that “the onus must be on website owners to put users on notice of the terms to which they wish to bind consumers.”  Website owners now must be more “aggressive” or “unfriendly” by giving “actual notice” of the terms and demanding either a clickwrap or a browse-wrap agreement.  “User experience” (“UX”) engineers must now find solutions to keep the website user engaged and in a positive mood, while ensuring that the user is aware of the terms of use and consents to such terms.

One solution involves delaying an “I agree” button (or a display of actual terms of use) until the user is ready to make a purchase or submit information.  But that probably is too late, since the website owner will want to keep any dispute (even as to pre-purchase website usage) out of court and limited to applicable law and a chosen arbitral forum.

Another solution is to force a “pop-up” “I consent” when the user wants to leave the home page.  This could work for privacy matters as well so long as no customer profiling information (from cookies, etc.) were collected at the landing page.  That would require a change in search engine optimization and metatagging customs.  Or “Privacy” might be incorporated into “Terms of Use” to reduce the number of “approval” clicks by users.

A third solution might involve displaying a “Website Terms of Service” button that states “By clicking here, you are indicating that you have read and agree to the Terms of Service.”

The bottom line: “Whether a user has inquiry notice of a browsewrap agreement,  in turn, depends on the design and content of the website and agreement’s webpage.”  Slip opinion, p. 12.  This decision invites everyone to review and perhaps to redesign the legal framework for their online website-based legal agreements.

Friday, May 16, 2014

EU’s Judicial Ruling on “Right to be Forgotten” (Takedown Rights) for Claims by Individuals against Search Engines, and Implications

A recent ruling by the Court of Justice of the European Union (CJEU) has potentially far reaching implications for data privacy in support of an individual’s “right to be forgotten” online both inside and outside the European Union.  Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González (CJEU, May 13, 2014).

It raises serious liability issues for every Internet search engine and international data collection company. To the extent that increased compliance costs will be passed on to advertisers, the opinion increases the cost of doing e-business with EU customers and could increase prices for consumers.

Responsibilities of A Search Engine as a “Data Controller” under EU Privacy Law.  In the case in Spain, which prompted this ruling, a man requested that Google Spain remove the links to old newspaper articles, lawfully published, which were no longer relevant to his situation, but could create a negative impression of him when read.  Google refused, claiming that a search engine creating links to the content of other websites is not the “data controller” but merely an intermediary in relation to third party websites and could neither monitor nor remove this data.

In addition, Google alleged that it was not subject to the 1995 EU Data Protection Directive because its search engine was in the US and it did not have a nexus on EU soil.  Google Spain’s office only sold advertising.

The Spanish court ordered Google to remove the links. Google appealed and the court referred the case to the CJEU for an opinion.  In summary, the CJEU opined:

1) Jurisdiction.   Google was subject to the EU’s jurisdiction because the processing of the data was carried out in the context of the activities of its subsidiary located in Spain and directed at EU member states.

2) Redefinition of “Data Controller.”  Google is indeed a “data controller” because while it just processes the data, even more than third party sources, it controls the dissemination of the data and therefore plays the key role in how such information (already available on other websites) affects the personal privacy and data protection of the individual, making it subject to the EU Directive.

3) Right to be Removed from a Search Engine (sometimes, “the right to be forgotten”). The fundamental rights of the individual to privacy and data protection override the right of Google for economic gain and the right of the public to access this information unless it is in the public interest to do so (as in the case of a public figure).  The individual should be entitled to go to search engines and request that links that were “inadequate, irrelevant or no longer relevant” be removed.

Impact within the EU.
Impact on Search Engines. The decision will reduce the ability of search engines to publish links to personal data of complaining European nationals, will add operating costs for search engines and potentially increase litigation where search engines refuse to “take down” personal data about ordinary citizens.

Impact on EU Data Protection Authorities.   The Google Spain  decision will require each European Data Protection Authority to balance policy factors of free speech versus personal privacy.  This will result in costly, complex and policy-based decisions by administrative bodies, a nightmare for both administrators and litigants.

Impact on Non-EU Web Services Companies.
Jurisdiction.  If you have a “sales subsidiary” in an EU country, your e-commerce operations will now be subject to the full direct application of EU data protection and personal privacy rights, even though your servers, operations and accounts are outside the EU.  The concept of EU judicial jurisdiction over foreign companies in data protection and privacy now looks analogous to broad U.S. federal constitutional limits on judicial jurisdiction, where your “presence” plus your “purposeful availment” of activities in a foreign state will subject you to the jurisdiction of the foreign state under “long arm” statutes.  If there was any doubt, it is now clear that running an e-business globally will subject you to local long-arm jurisdiction on data protection and privacy.  The irony here is that you might be properly outside the taxing jurisdiction (under traditional norms of international jurisdiction within the definition of a “permanent establishment” in tax treaties) while being subject to long-arm jurisdiction for regulatory compliance and privacy torts in a foreign jurisdiction.

Vicarious Liability of the Search Engine as Data Controller without Primary Liability of the Offending Websites whose Sites are Linked by the Search Engine.   One key irony of this decision is that the website publishing the “offensive” “personal data” is not mandated to take down the individual’s “personal data,” but that the search engine that multiplies the number of people who access such content is deemed the “data controller” held liable to honor the “fundamental rights” of the individual.  The ruling imposed vicarious liability for making links but not direct liability for publishing the “private” personal information.

Developing Best Practices for Compliance.   Assuming a search engine accepts a takedown notice as a matter of policy, how can it comply?  How can it be certain that the complaining individual is entitled to a takedown?  If any discretion is involved, it will gum up web commerce.  If no discretion is involved (and one can make new rules that favor takedowns), the technology that allows “opt-outs” and “unsubscribes” can be reconfigured to allow takedown notices.  But the costs of verification of the identity of the affected party will have to be borne by someone, and the decision is one more step towards balkanization of the Internet for free speech and e-commerce.

Impact on US-EU Free Trade.   Privacy law has become a trade barrier of sorts.  The CJEU decision interferes with attempts at harmonization of privacy rights under the pending negotiations for the Transatlantic Trade and Investment Partnership between the US and the EU.  To the extent the Data Protection Directive (1995) and the proposed “General Data Protection Regulation” fail to provide some form of US safe haven (beyond the existing one), the Google Spain decision will likely promote more compartmentalization, less international commerce in data processing services and more localized separate computing environments (e.g., a local “EU Cloud”).

Penalizing the Wrong Business.   The Google Spain decision on data protection and privacy gives preference to privacy rights over freedom of expression.  It punishes the business that links Internet searchers to a validly published Internet website. It adopts a bludgeon against the business that scrapes information from other websites, not the “offending” websites.   The decision punishes the wrong business.

Monday, April 21, 2014

Big Data, Big Abuse Potential

SMAC, n.  (1) a variation of crack-cocaine; (2) a highly addictive, volatile, potentially life-transforming multi-composite drug, sometimes used illegally, universally available in medicine, commerce, education, and family economics; (3) social, mobile, analytics and cloud computing; (4) Big Data.

On April 11, 2014, the U.S. Federal Trade Commission (FTC) announced a public “workshop” on September 15, 2014, to examine effects of Big Data on “low income and underserved consumers.”  The workshop invites comments, reports, and original research to explore current practices in the uses of Big Data on high-income consumers and privacy rights generally.  The FTC will explore concerns that been raised about whether Big Data may be used to categorize consumers in ways that may affect them unfairly, or even unlawfully. (For more info, visit their website.)

The workshop will address consumer protection issues that could result in new regulations or laws affecting virtually all companies (whether or not they are “tech companies):

How are organizations using Big Data to categorize consumers?

What benefits do consumers gain from these practices? Do these practices raise consumer protection concerns?

What benefits do organizations gain from these practices? What are the social and economic impacts, both positive and negative, from the use of Big Data to categorize consumers?

How do existing laws apply to such practices? Are there gaps in the legal framework?

Are companies appropriately assessing the impact of big data practices on low income and underserved populations? Should additional measures be considered?

This workshop comes after the FTC examined privacy issues associated with big data practices in its 2012 report Protecting Consumer Privacy In An Era of Rapid Change: Recommendations for Businesses and Policymakers, and its ongoing examination of the data broker industry.

The proliferation of smart phones, tablets, intelligent mobile devices (including wristbands, headphones, automobiles and wearable telecom devices) and online social media have enabled the collection and analysis of huge datapoints.   The Internet of Things will include sensors (some of which are mobile) that are collecting data streams in real time.  Data brokers collect different related information that can be assembled into a mosaic of demographic information that might include race, religion, national origin, sex, sexual orientation, health conditions (subject to HIPAA), disability, veteran status and other commercially “relevant” criteria.  Big Data thus enables the pinpoint analysis of individual conduct as well as the conduct of individuals according to demographic, geographical, financial, educational and economic variables.

The FTC is looking at issues of the use of insights from Big Data (including credit risk scores, demographic information and other assessments) for illegal purposes.  While the FTC has been clear about potential abuses by financial institutions, the issues apply to all companies using Big Data.

Business executives (and law departments) should be asking how their own practices of collecting, analyzing and using Big Data might be abusive or illegal.

Now is a good time to conduct an internal review of your Big Data strategies.

What criteria do you use for market segmentation?  Consider how you use any Big Data (or direct customer data) in a manner that might discriminate against certain demographics in pricing, new product availability, service priority, credit card lines of credit, retirement account services, financial services, volume discounts, “early bird” or “favored customer” sales.

What criteria do you use for making preferential offers?  Do you limit access to “unfavored” customers in terms of access to higher quality products, services or content?

What policies do you have that might create (intentionally or not) a “disparate impact” (which, under one theory of law enformceemnt, constitutes intentional wrongful discrimination)?

Have you integrated your Big Data initiatives with your corporate social responsibility (CSR) and governance, risk management and compliance (GRC) programs.

Wednesday, March 5, 2014

Darwinian Survival through Disaster Recovery and Information Governance

It seems like stock prices fall pretty quickly after a data security breach.   Just ask TJ Maxx, Target, Nieman-Marcus or Sears.   The big boys probably have their business continuity plans (BCP’s) and information governance rules.   What about you?  What’s it all about, Alfie (the CEO, CIO, GC or Webmaster or Board member)?

My dalliance with BCP and “disaster recovery’ (“DR”) started 15 years ago, when I was negotiating long-term outsourcing contracts for enterprise customers.   No BCP/DR, no deal.

Fast forward to 2014.   Now just about everyone understands BCP/DR, requires it in their cloud computing agreements and maybe even in their strategic supplier agreements for manufacture of consumer packaged goods, or whatever.  So it’s time to reinvent and look at “information governance” as a subset of BCP/DR strategy.   And everyone MUST do something about “information governance” because you can get sued, pay a lot of money and lose customers.   Did I mention you (if you are a senior officer) might get fired? 

With your job on the line, where’s the crib sheet for mastering “information governance” and building your own job security plan (“JSP”)?

First step, sound the alarm and look for a BCP.  A business continuity plan acts like the Internet: multiple nodes, multiple points of failure, resiliency.  You plan your own company’s exit (and stresses leading to exit).

Second step, focus on an information governance strategy as a mini-BCP, directed at information technology, telecom and data security, brand management and liability management (to cut your losses on “stray” or “hacked” data).  Throw in a privacy policy too, with a compliance officer to run the deal.

Here’s the plan:
  • Face the music.  You won’t hear Beethoven, Mozart or Handel being mentioned with Gramm-Leach-Bliley, Obama(Care), or the less eponymous laws like HIPAA, HITECH or regulations on banking, financial services or insurance (“BFSI”).  Frame your frameworks.
  • Do some yoga.  A little flexibility, a little strength and resilience will help your company deal with surprise encounters of the info management kind.
  • Round up your data, Cowboy!/Cowgirl!.  Identify sources, uses, flows, warehousing, processing and transmittal of data.
  • Put your data collection on a diet.  Imagine a Web without intrusive cookies (as the EU regulators are considering due to easy identification of individuals with geolocalization tools).  Collect and keep personal data (and data leading to individual identification) only if you “need” it.   Otherwise, it’s digital baggage that, if hacked, will cause legal and branding hassles.
  • Orchestrate your musicians. 
    • Identify “records custodians.” 
    • Designate an “information governance team” for all managers who will have inputs into information management and technologies.
    • Designate an “incident response team” and allocate roles, responsibilities and strategies for each team member.   Include HR, IT, marketing, legal, purchasing, compliance, finance and
  • Get political.
    • Identify all of the company’s constituencies who may be impacted by an “incident.”  Consider suppliers, licensors, licensees, customers, joint venture partners, regulators, public relations, reporters, shareholders, directors, officers, employees, lenders, courts, litigants, and anyone else affected by your business.  
    • For “B corporations,” consider your social and environmental mission and constituencies.
  • Unchain your paranoia.  Assess vulnerabilities and mitigate risks.
  • Virtualize and diversify your supply chain (through to your customer delivery service too).  Identify and plan for “disaster” scenarios and the impact on operations, legal compliance, customer loyalty and the company’s value chain.
  • Treat data like gems and rare anti-venom snake serum.  For legal issues, the plan should address preservation of legal records and evidence, engagement of forensic analysts and timely statutory notifications of security breach incidents.
  • Party hearty, but only after you successfully do your mock “disaster” (“incident”).  The “incident response team” must practice the “table top exercise” drill of data recovery, data security breach notifications and remedial public relations.
  • Be democratic.  Get everyone involved, trained and conscious.
  • Adapt.  Evaluate and continuously monitor the data security practices and compliance of your internal and external tech providers.  Revise your policies to adapt to new threats and scenarios.  Get a trip to the Galapagos Islands and see what adaptive survival looks like.
Sometimes looking at digital life in analog form makes good sense. Stay healthy.

Wednesday, February 12, 2014

Your Global Brand: Reconciling Business Models and Supply Chains

On Abe Lincoln’s birthday, we can derive inspiration from the life and lessons of “Honest Abe.” Like your parents told you, you are known by the company you keep.  This is true for each employee in a service business as well as the entrepreneur, the growing business and the global business.   Your business model and your associations with others directly impact your business success.  Increasingly, you need to orchestrate your business operations and branding messages across both individual and shared brands.

Now, more than ever, creating and managing your global brand is essential to all aspects of your business, beyond attracting and retaining loyal customers under an understood trademark.  Every business today is a service industry, and your brand reflects quality of service and user experience (UX) for everyone who touches your business.

Value Chain Branding.  Brand management means running all aspects of your business as a strategic relationship throughout the entire business value chain. Your global brand transcends across customers, employees, suppliers, outsourced service providers, investors, professional advisors and even regulators and competitors. Think of the benefits of a strong brand in terms of strong corporate culture, employee morale, investor confidence and enterprise sustainability.

Proprietary vs. Shared Brands.   In the American culture, individualism and community can collide.  A proprietary brand is owned, controlled and managed by one enterprise.   A “shared brand” is the brand of shared enterprise.  The logic of collective action suggests that individuals and small and emerging businesses should brand themselves uniquely, while joining in shared brands that may include competitors and suppliers.

Managing Your Own Brand.   In the individualistic enterprise model, managing your own brand requires trademark registration in relevant markets (including countries where you source your products and services).  Think Coca Cola®

Sharing a Brand.   The Big Four accounting firms and the global law firms might present themselves as partnerships, but they  segregate their operations for tax, legal and regulatory purposes by setting up a common brand and then licensing it to themselves.  That’s sharing a brand at the individual enterprise level.  The leaders develop the concept, the membership follows the model and markets under the shared brand. Think Ocean Spray®, a cooperative of growers of cranberries.

Sharing a brand normally means losing your individual identity.   Ironically, in the services industries, the value of a shared brand depends on the quality and integration of the components (individuals) operating under that brand.  By marketing and delivering your own unique skills, doing your own blog and having your own little team within a larger organization, you can enjoy both the economies of scale of the larger organization and the unique profile that attracts and sustains your own clientele.  For this reason, broker-dealers, law firms, consulting firms and other service enterprises encourage each individual to be a rainmaker with unique talents and to team with others offering collective and synergistic talent.

Co-Branding.  Consider possible solutions to piggy-back upon the goodwill of others:

  • Creating new venues by co-marketing (under different brands) of different goods and services to the same target clientele.
  • Advertising to your target clientele in venues that your competitors do not use.
  • Giving financial incentives to referral sources by “partner referral” or “business partner” programs.
  • Earning a “certification” from a well-respected source of trust, such as a top university or the International Standards Organization, or other non-profit or non-governmental organization.
  • Participating in the development of industry standards.
  • Building a new trademark and enlisting others to sell under it, either as licensees, franchisees or even as co-owners of the brand.
  • Becoming a strategic advisor or “resident” expert to a university, think tank, startup incubator or non-profit organization.

Interplay of Individual Brand and Your Supply Chain.  Sharing a brand can also mean building a network of trusted suppliers and service providers who are the back-end of your service delivery platform.  You need to manager your suppliers to ensure you deliver on your promises (and your regulatory compliance obligations).   Otherwise, you have no business, and you have legal liability for breached contracts.  Think about your vendor contracts and your supply and service contracts for your customers.

Joint Ventures, Strategic Alliances and Teaming.  Synergies also come from collective operations that are either new enterprises or an extension of your own enterprise using third parties as co-providers or as suppliers.  Dow Corning has been a joint venture for over 40 years and has developed its own customer.  CSC (US) just announced a partnership with HCL (India) that enables CSC to deliver data center management and cloud computing using HCL as supplier and HCL can enjoy the benefit of CSC’s sales and customer relationships.  Think about introducing a strong “partner” to return and engage clients.

Rethinking your Brand Strategy.   Effective branding strategies bear fruit upon sale of the company, since trademarks and goodwill are valuable marketable assets that can be sold separately (like Abercrombie and Fitch) or as part of a business.  These distinctions might help you rethink your brand strategy and develop and support multiple brands for yourself.

P.S.  I’m being interviewed on the relationship of business models and global brand management tomorrow at 2 PM ET, at

Thursday, January 30, 2014

President Obama’s January 28, 2014 State of the Union Address sets a nationalistic agenda for American jobs.  There are some ideas that even business people (including business lawyers like me) can warm up to in the January Polar chill.

If you have been following the changes in the law, you might find his remarks a bit hypocritical and bombastic.  At least it was an occasion to be selectively optimistic to anticipate future legislation (or executive orders, i.e., Presidential fiat).

Insourcing.  Manufacturing has been outsourced and offshored in global supply chains for a long time due to wage arbitrage, efficient global logistics, factory automation and computerized design.   Obama notes: “over half of big manufacturers say they’re thinking of insourcing jobs from abroad.”  Any reshoring of manufacturing production jobs would unlikely bring back the number of jobs lost during the offshoring years.   Re-localization of these jobs would probably require new skills as manufacturing processes have become more highly efficient. 

Tax Reform.  Obama wants to reform “our tax code [that is] is riddled with wasteful, complicated loopholes that punish businesses investing here, and [that] rewards companies that keep profits abroad.”  He wants to “close those loopholes, end those incentives to ship jobs overseas, and lower tax rates for businesses that create jobs here at home.”  What’s missing is that any tax reform should be used to raise revenue on a permanent basis for both personal and corporate income taxes.  Current proposals will only result in a temporary revenue increase, which Obama would allocate to infrastructure investment.

Small Business and Entrepreneurship.  Recognizing the role of SMB’s in job creation, economic growth and foreign trade revenue, Obama exhorted Congress to “do more” for them.   He claims that “Over the past five years, my administration has made more loans to small business owners than any other.”    How about reducing government regulations which impose onerous costs on SMBs?

International Trade.  Obama wants trade, “new trade partnerships with Europe and the Asia-Pacific” to help SMB’s create more jobs.  “We need to work together on tools like bipartisan trade promotion authority to protect our workers, protect our environment, and open new markets to new goods stamped “Made in the USA.”  China and Europe aren’t standing on the sidelines.” This is a plug to get trade negotiating authority for the Trans-Pacific Trade Partnership and the Trans-Atlantic Trade and Investment Partnership diplomatic deals. 

Innovation.    Obama claims the US is the global leader in innovation, giving us “an edge America cannot surrender.”   He wants to restore R&D tax credits, which lapsed due to the failure of his Administration and the Congress to enact a general tax law for three or four years due to dogmatic positioning.
Patent Trolls.  Obama wants to “pass a patent reform bill that allows our businesses to stay focused on innovation, not costly, needless litigation.”  Of course, he fails to mention that business process method patents, judicially approved in the mid 1990’s, helped create new industries in Silicon Valley.  The America Invents Act of 2010 was supposed to have protected businesses from unwarranted litigation through reforms in the processes for evaluating the patentability of pending patent applications.

Immigration.   Immigration reform offers significant economic benefits, which Obama focused on.  Pending reform legislation would open the doors to foreign entrepreneurs, investors and retirees, making the U.S. more competitive with other immigrant – favorable jurisdictions. It will also eliminate abuses of H1-B visas by foreign service companies and promote a more balanced global workforce with significant U.S. consultancies.