Wednesday, October 7, 2015

Cross-Border Data Flows after EU Invalidation of EU-US Safe Harbor Agreement

Stop the presses!  On October 6, 2015, the European Court of Justice invalidated the July 26, 2000 international agreement between the European Union (EU) and the United States called the “Safe Harbor” agreement.  The case, Schrems v. Facebook, Inc., arises from a complaint by an Austrian national concerned about the protection of his personal data held in the U.S. by Facebook in the wake of the 2013 disclosures by Edward Snowden regarding the sharing of personal data stored by Facebook and others with U.S. intelligence.

This decision could have a huge impact on all U.S. Internet-based businesses and all multinational businesses that collect data from EU individuals.  It may require reworking and new contracts for data center management, collection and data analytics that use EU Big Data, social and mobile websites.

Under the Safe Harbor Agreement, U.S. companies and their EU affiliates could freely exchange EU “personal data” (concerning individuals residing in the EU), even if the U.S. did not have “adequate protection” to comply with the EU Data Protection Directive of 1995.  The Safe Harbor only required that the U.S. companies enter into an agreement with their foreign affiliates to comply with EU Data Protection mandates and to file the agreement with the U.S. Department of Commerce.

The EU Court invalidated the Safe Harbor Agreement for several reasons. The Safe Harbor Agreement fails to comply with the EU Data Protection Directive’s rules that:

  • the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data;
  • the EU Commission has not made a finding that the U.S. ensures an adequate level of protection by reason of its domestic law or its international commitments; and
  • the U.S. has not designated any public authorities (“data protection authority”) responsible for monitoring the application within its territory of the local “national provisions” adopted on the basis of the EU directive.

Considering a potential conflict of laws between the U.S. and the European Union, in the Court’s press release No. 117/15:

“the Court observes that the scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.”

As a result, cross-border data transmission from the EU to the US could be prohibited without new U.S. federal legislation equivalent to the EU Data Protection Directive.   This will prevent social media like Facebook, data brokers, credit card companies, and consumer goods websites from storing EU personal data in the U.S.  Data stored in computers in the EU will be under the jurisdiction of EU courts.

This decision underscores the importance of a strong digital compliance program to cover not just personal data, but also digital business records.  It’s time to review your policies, procedures, roles and responsibilities, and business models.  It’s a whole new digital world!

Tuesday, July 21, 2015

Protecting Company Intellectual Property: Simple Moves against In-house Theft of Trade Secrets and IP

Intellectual property (“IP”) is the elephant in the valuation of a company at sale or financing, but can be undervalued on the balance sheet.  Major enterprises have compliance officers, legal departments and major law firms and tech consultants to help secure their intellectual property.  What about small to mid-sized enterprises or small multinationals?

Leadership.   First, appoint a person responsible for managing intellectual property.  This usually requires someone with a broad overview of the company’s business strategies, methodologies and competitive positioning.   In a smaller company, this could be the CEO or a deputy. 

Training and Managing Your Employees and Value Chain.   Every person in the company’s “value chain” should be trained in the basics of intellectual property.   These include (1) the differences between a trade secret and a patent, (2) the limited but potentially valuable scope of protection of copyrights, (3) the value of trademarks and related goodwill and how such value can be protected or lost, and (4) the rules defining who owns intellectual property in the absence of a contract.  The “value chain” includes the company’s employees and contractors, and employees of corporate contractors.  

Adopting and Highlighting Policies to Your Employees and Value Chain.   Written policies and procedures on IP protection can serve as references for education, swords against wrongdoers and shields against competitors and other adversaries.   Such policies can be included in employment contracts, employee handbooks, sales manuals (to guide sales personnel), template contracts, joint venture agreements, licenses, IP assignment agreements, website “Terms of Use” and other handy everyday documents.    Without good policies and procedures, the company’s shareholder value risks dilution.

Data Security.   The Healthcare industry lives under federal regulations governing logical, administrative, legal and technological barriers to unauthorized data access.   Your business should apply the wisdom of such practical protections.

Transition Management.   Change management refers to adaptive behaviors.   Transition management relates to a company’s procedures for transitioning relationships (onboarding or termination) with individual employees, contractors, suppliers and others in the value chain.   Checklists, coordination among IT and HR departments and Sales can help avoid or mitigate litigation costs.  Make sure your trade secrets and other IP do not leave the company when the individuals “in the know” leave the company.

IP Risk Prioritization.   Sure, every person in a business has some knowledge of trade secrets that could help a competitor.  But, as in George Orwell’s Animal Farm, certain people are more equal than others, by reason of having broader scope and deeper knowledge of trade secrets.  The Board needs to ensure surveillance and even forensic analysis in relation to high-risk positions such as heads of R&D, scientists, product developers and new business developers. 

Business Modeling in Outsourcing, Licensing and Joint Ventures.   In the early days of outsourcing, companies gladly gave up their employees to the external service provider without charging a headhunter fee or a training fee, and without getting the right to re-hire them, or to get some knowledge management tool to capture the company’s implicit knowledge so it can be restored upon termination of the outsourcing.   The same applied to joint ventures.   This was pretty astounding.   Over time, business models have evolved to incorporate knowledge management.   When outsourcing a process, think about how to keep some residual knowledge for effective management of service providers and integration of the supply chain.   See for more.

Spoliation of Evidence.   If business owners and managers have learned anything in the last 10 years, it’s “e-discovery” and “spoliation of evidence.”   Policies and procedures should be adopted to ensure against insider theft of trade secrets and spoliation of evidence of theft.   There are software tools and IT procedures for network administration that can help manage this increasingly costly risk to IP owned by or licensed to the company.  When a high-profile IP person leaves, the company should conduct a quick forensic review.  Evidence lost when hard drives are overwritten can be irreplaceable.

Legal Audit.   When you suspect a loss of IP, call the lawyers.  An internal investigation supervised by lawyers is entitled to confidentiality protections in court under the attorney-client privilege and the attorney work-product doctrine.  Put the lawyer in charge as Maestro, and let the IT, HR, security, forensic analysts and others join the orchestra.   Even if you don’t suspect any problems, attorneys with Maestro batons can elicit better-protected music for your IP.   And consider legal audits on a regular basis, not just before the time you sign up for an intellectual property rights insurance policy.

Are we feeling innovative yet?

Tuesday, June 30, 2015

Strategic Minimal Investments in Cybersecurity and IoT

Today’s cybersecurity challenges remind me of the “Frog and Toad” children’s stories, where Frog and Toad are debating how to stop eating all the cookies right away.  They concoct a plan to put the cookies in a jar in a high cabinet where they can’t reach…easily.  But someone can always reach.   You can’t even trust yourself sometimes, so can you trust your buddy?

Cybersecurity concerns every facet of modern life, from children’s toys to self-driving automobiles and every consumer transaction.  Cybersecurity threats will worsen with the Internet of Things, as millions and billions of sensors will collect and perform comparisons and data analytics to some data center.  Analytics will help move from data chaos to predictive strategies.

Prudent risk management requires diversification of risk.   Consumers and businesses alike need to use caution in approaching investments in sensors and IoT.  Access rights to a sensor that combines sensitive personal data with controls for the household or factory would increase the risks of abuses by employees as well as hostile hackers.

The Department of Justice’s guidebook on anticipating and dealing with data security breaches (Best Practices for Victim Response and Reporting of Cyber Incidents, published April 29, 2015) highlights how every business needs to adopt prudent risk management, particularly supply chain risk management, in its business.  As a contract attorney in technology businesses (and former high school wrestler), I am reminded of my coach’s advice: stick to the basics, and do them exceedingly well, and also anticipate your adversary’s expectations so you have a plan to defeat the “normal” expectation.

Today, private equity and venture capital (and strategic acquirers) are targeting cybersecurity companies for investment and acquisition.  We all have to buy cybersecurity  or be at risk of tremendous damage to brand goodwill, fines and even monitoring. 

How much should private industry collaborate to deal with privacy challenges?  On one hand the government is offering to share security risk data with private industry (See H.R. 1560, a bill to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats (passed by the House of Representatives on April 22, 2015) and H.R. 1731, a bill to amend the Homeland Security Act of 2002 to enhance multi-directional sharing of information related to cybersecurity risks and strengthen privacy and civil liberties protections (passed by the House of Representatives on April 23, 2015)).  The ACLU opposes enhanced sharing as an invasion of civil liberties and inviting private abuses of shared information.

On the other hand, private industry can do that job without yielding data that could be abused.  The flip side of security is the question of trust: whom can you trust, and for how long?

So, for business and consumers, it’s time to consider whether the hassles and additional marginal costs of encrypting data are a better investment than high-premium cyber-risk insurance, traditional loss prevention and recovery methods. 

And, as a matter of information governance and Internet safety, every investment in cybersecurity would be wise.  The simpler the better.

Monday, May 11, 2015

Expanding Foreign Business to the U.S. Markets

As a business lawyer, I’m constantly focused on business growth and liquidity, with a healthy respect for compliance and risk mitigation. Lately, I have been on the road a lot, both here at home in the U.S. and abroad, attending conferences and meetings, where I have been hearing and answering questions on how entrepreneurs and small to mid-sized foreign businesses can enter global markets. This is a key concern for my business and for my clients.

It’s also the key topic in a conference I will be attending this week in Milan sponsored by the International Bar Association Committee on Small International Business. It was the basic theme of the U.S. Department of Commerce’s “Select USA” program that I attended in Washington last month with 2,500 foreign business owners hearing promotions from 44 states and the Feds on why a foreign business should invest and employ workers in the U.S. Earlier this year, I spoke at a meeting to UK tech businesses about expanding their operations in the U.S.

Let me share with you what I have learned and the questions every business needs to ask itself when expanding across borders:

What are your business objectives? First, consider the type of local activity: manufacturing, distribution, sales, R&D, shared services? By determining your requirements for a new operation, you can develop criteria for evaluating locations. This will help focus on the essential local operations. For smaller companies, a U.S. sales office might be the first opportunity by generating new revenues at marginal cost. For larger companies, toehold acquisitions achieve an instant workforce, manufacturing capability, installed customer base and local management. For all, localization improves branding and the quality of the customer experience.

Second, conduct a “cluster analysis.” At an early stage, you will want to identify the “clusters” of talent pools, markets, customers, customer influencers, supply chains, logistics and other local service providers. The U.S. Department of Commerce has developed a “cluster” database that can help identify clusters by industry, such as information technology, data services, automotive, pharmaceuticals, new technologies, manufacturing and business services.

Third, consider the balance between up-front capital investment costs and anticipated operating revenues and cost savings. You’ll need a financial analysis that gives you a model for identifying and optimizing return on investment (“ROI”). If you have a web-based SaaS platform, your marginal capital expenses can still be significant, but you can cut them using shared work spaces (e.g., Regus, WeWork) and incubators, a mobile workforce, Cloud-based infrastructure and virtual operations. 

Fourth, research the availability of incentives, grants and tax credits from local, state and federal governments and balance them against tax liabilities. The Select USA program identifies a list of 10 reasons to invest in a particular state. The states are both competitive and collaborative. Incentives can include income tax holidays (e.g., “Startup New York”), tax credits, abatements or rebates, project grants for capital investment or R&D, incentives for hiring and training local employees, abatements or rebates of property taxes, electricity costs, and eco-incentives (e.g., energy savings, pollution control).

Fifth, consider alternative sources of capital. Few foreigners understand the uses of the EB-5 employment-based visa as a source of investment capital. This federal immigration law permits you to finance a U.S. business by capital investment from other foreigners. You can reduce your cost of capital, but you must meet eligibility requirements for both the project and the foreign investors. For each investor, you’ll need to guarantee 10 full-time jobs. Each investor will need to invest at least $1.0 million (reduced to $500,000 if coordinated through a “regional center” for EB-5 visas).

Sixth, plan the legal structure. An effective legal structure will start simple but must follow certain rules of the game to limit unnecessary liabilities for taxes, regulatory compliance, employment practices, contractual obligations and supply chain risks. In my experience, foreign companies all want a Delaware corporation. Yes, that’s often an essential part of the puzzle. But there are other considerations, such as where intellectual property will be created, licensed and used, so that you might need a separate IP operation elsewhere. And for foreign startups, access to U.S. VC funding may require a new U.S. holding company and perhaps even a new U.S. operating company. A dual structure can also be essential for planning acquisitions in the U.S. And don’t forget to “tie the bow” with appropriate intercompany agreements on financing, services, licensing, sales and administration.

Finally, get the right people. Many foreign companies start their U.S. operations with foreign expatriates. That might be necessary for U.S. subsidiaries that will need to build upon a unique business model, mission, culture or operating structure. In my experience, foreign expats are generally essential for starting new U.S. operations, but over time talent can come from many sources. Americans today are more multicultural and globally oriented than 20 or 30 years ago, so hiring local talent with multilingual skills may be down the road for you.

I’ve seen some smart solutions by foreigners. Big American consulting companies often hire well-paid employees to work mostly at home and “on the road.” Like Americans, they might choose to have a small (or virtual) corporate office or a shared showroom in a big town and keep other functions in lower-cost locales in the US or abroad. We had one foreign client that organized a US holding company, got funding in California, paid its foreign staff from the US funding and had only two US employees, in sales, in a city with their core customers. I was not surprised when they sold to a Japanese strategic acquirer at a multi-million company valuation after 8 years of innovation, growth and “globalization.”

Thursday, February 26, 2015

Derivative Startups: Building Ecosystems of Innovation

We hear more and more about the success stories of Uber (or Lyft) and Airbnb.  I can personally vouch for both the nice ride and the nice lodging.    What is also happening, on the side, is that a new #DerivativeStartup business model has sprung up.  In a “derivative startup,”  entrepreneurs are building  new businesses  that are ancillary to another startup’s business.   For example, while Uber and Lyft offer rides to passengers, Breeze and HyreCar offer car leasing to drivers who want to provide such rides under an Uber or Lyft mobile platform.  And Guesty helps Airbnb manage its real estate properties. 

This piggybacking approach reflects the development of add-ins or complementary, non-competing technologies and services in support of a “host” successful startup.   Thus, #DerivativeStartups are second-generation startups that provide goods and services to larger startups. (“Piggybacks”, Wall St. Journal, Feb. 19, 2015).   

Whether these #DerivativeStartups become successful depends on a number of factors.  Certainly, as a business model, derivative startups face higher risks of failure.  Either the “host” startup might fail or it might become a competitor.   Or the derivative startup might face other competition or an inability to meet market demand.  Yet this dual risk also creates an opportunity for a double success.  For this reason, derivative startups may attract investors who regret having missed an opportunity to invest in the “host” startup.

Lessons can be learned from studying key performance indicators for other ecosystem business models used by public companies and private equity.  Traditionally, public companies use carve-outs and spin-offs to exit a line of business that no longer fits the company’s core mission.   In a carve-out, the public company transfers shares in the “carved-out” stand-alone business to existing shareholders for no cash, or it sells them to a private equity group.  The public company facilitates the spinoff’s operations by providing a transitional services agreement for a year to enable the spinoff to keep operating smoothly.    Also, private equity uses consolidation (“roll-up”) strategies to combine core lines of business with some ancillary “feeder” business lines, for a bundle to be sold off.

Like any small company feeding its “mother ship”, a derivative startup can avoid conflict and competition by developing a product or service that the “mother ship” / “host” startup cannot easily provide.  By changing the “SWOT” landscape for the “host” startup, it must also discourage the “host” startup from entering the derivative startup’s own line of business.

  • Incentives for Collaboration; Disincentives for Competition.   The derivative startup must avoid being merely a supplier of “generic” products that could be copied or sourced from other suppliers.  It should strive to be a “unique” supplier.  The key is to offer incentives for collaboration, whether financial or otherwise, to the “host” startup, which in turn would discourage the “host” startup from competition. To achieve such a lasting alignment, the derivative startup’s management must identify commercial, financial, legal, intellectual property and regulatory frameworks that discourage the “host” startup from entering the derivative startup’s line of business. 
  • Intellectual Property.  Many startups are created by individuals who leave another startup due to disagreements over business strategy or opportunities.   A derivative startup could face claims of misappropriation of intellectual property or trade secrets in such situations.  A successful defense will involve proof that the “information” is actually not confidential and not proprietary.
  • Non-Competition Covenants.  Similarly, non-competition covenants could inhibit “look-alike” startups.   For the protection of both sides, it is therefore essential to define clearly the scope of the “host” startup’s business to avoid confusion and potential needless litigation.
  • Type of Relationship with “Host” Startup.  Before approaching the “host” startup, the derivative startup should decide whether it wants any funding, intellectual property, services or other value from the “host” startup, as well as what the derivative offers to the host.  The host might offer to invest in the derivative, creating a “cross-ownership.”   Such arrangements can create inherent tensions that can exacerbate existing competitive risks.
  • Exit Strategy.   The exit strategy for a derivative startup is limited since its raison d’etre is based on the host startup.  To avoid having a depressed price or being forced into an early exit, the derivative startup should remain focused on a business model of independent management and operations even as it seeks to ride the wave created by the host startup.  Additionally, it should seek other possible clients should the “host” startup fail.

High-risk, high-reward derivative startups may be here to stay.  Derivative startups can improve their odds for success by taking some pages from mature multinationals and private equity tools of “carve-outs,” “spin-offs” and roll-up consolidation plays.