Thursday, September 27, 2018

Cross-Border M&A under Trump’s “America First” Ideology: No “Terra FIRRMA”

Are you considering acquiring a U.S. company or negotiating an exclusive license for U.S. technology?  Are you looking at any “critical technologies”?

Every foreign investor interested in investing in the U.S. need sit up and take notice of the newly enacted Foreign Investment Risk Review Modernization Act ("FIRRMA"), part of the John S. McCain National Defense Authorization Act (NDAA) recently signed into law by President Trump on August 13, 2018.  FIRRMA expands the role and responsibilities of the Committee on Foreign Investment in the United States ("CFIUS"), an inter-agency Committee, originally established in 1950.  Its charge is to review inbound foreign investment ("covered transactions") in U.S. interstate commerce [specifically, any "merger, acquisition, or takeover…by or with any foreign person" or with a foreign government or foreign government controlled entity] which may potentially affect the national security of the United States and to block or enforce any agreement or condition to mitigate any such threats to national security.  FIRRMA adds "teeth" to how CFIUS can review potential investments which in the past have been outside its jurisdiction and to more effectively provide timely reviews of submissions.

FIRRMA's key provisions were adopted in response to growing foreign investments,   particularly from China, in real estate acquisitions in sensitive areas and in U.S. companies which provide access to sensitive information or technologies critical to U.S. security, even if the investment is non-controlling and represents a minority investment.  Other significant changes include an extended timeline for review, short form "declarations" to speed up the review process, mandatory submissions for certain transactions and initiation of filing fees and funding for CFIUS.

While some changes will take effect immediately, many changes will not take effect until CFIUS prescribes their implementing regulations.  Current regulations are in force until CFIUS provides guidance on the specifics of the new regulations, which is the earlier of either 18 months of the date of enactment or the date that is 30 days after publication in the Federal Register after a determination that the regulations, organizational structure, personnel, and other resources necessary to administer the new provisions are in place.

However, in this new environment, foreign businesses and their legal advisors need to understand the emerging U.S. framework for national security and economic impact review, with a new, expanded bureaucratic role for CFIUS.  These changes will impact due diligence, deal structuring, risk allocation, execution and post-execution deal breakup scenarios. 

"Covered Transactions."   Covered transactions have been expanded to include:
a. Any merger, acquisition or takeover carried out through a joint venture;
b. U.S. real estate purchases, leases or concessions by a foreign person:
    1. "Located within or will function as part of, an air or maritime port;"
    2. In close proximity to a U.S. military installation, government facility/property that is sensitive for reasons relating to national security, such as at risk of foreign surveillance of national security activities or collection of intelligence on activities being conducted at the facility/property.
Furthermore, subject to CFIUS review now, is:
a. any change in the rights of a foreign person if that change results in control of a U.S. business;
b. any "other investment" by a foreign person in any unaffiliated U.S. business, that:
    1. Owns, operates, manufactures, supplies, or services critical infrastructure;
    2. Produces, designs, tests, manufactures, fabricates or develops one or more critical technologies;
    3. Maintains or collects sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security.
"Other investment" is further defined as direct or indirect by a foreign person in a U.S. business that affords the person access to any material nonpublic (not in the public domain) technical information relevant to critical infrastructure or critical technologies or membership or observer rights on the board of directors or any other decision-making rights in these U.S. businesses.

However, FIRRMA gives CFIUS the ability to limit the scope of these type of non-controlling passive investments.  Some waivers and exemptions exclude the financial information of a U.S. business' performance, indirect other investment in funds where the fund is managed by the general partner, managing member or equivalent and is not a foreign person or where the foreign person does not have the ability to control the fund or has access to any material nonpublic technical information.

By adding "other investment," FIRRMA appears to be more likely to capture small investments which may have escaped prior notice.

While broad in scope, it is still incumbent on CFIUS to prescribe regulations that govern much of the terms, such as "foreign person" and to "enumerate specific types and examples of such critical infrastructure." Critical technologies also includes "emerging and foundational technologies," as yet to be defined in section 1758 of the "Export Control Reform Act (ECRA) of 2018," another part of the NDAA.

Non-Declared Transactions.  FIRMMA authorizes CFIUS to establish a process to identify covered transactions for which a notice or declaration was not submitted..

Extended Timelines.  Effective immediately, CFIUS' initial review period for written notices is extended from 30 to 45 days and its subsequent investigation period of 30 days can be extended by 15 days in "extraordinary circumstances."  However, it also mandates comments from CFIUS to all parties within 10 days of a draft or written notice, enabling parties to respond on a more timely basis. In the past, CFIUS had no such requirement.

"Declaration" Filings.  Certain transactions may be submitted to CFIUS by one party as a declaration with basic information, not to exceed 5 pages in length (instead of a written notice), which could result in shorter review times since CFIUS must respond to such declarations within 30 days.   It may request a written notice for review, initiate a unilateral review and approve the transaction.

Mandatory Declarations.  In the past, written notices to CFIUS were voluntary, although CFIUS had the power to compel parties to file a written notice for review.  Now, certain covered transactions are mandatory declarations.  These involve a foreign person's investment that results in a substantial interest in a U.S. business by a foreign government or any investment by a foreign person in a U.S. business that develops one or more critical technologies.  If CFIUS determines that the foreign person demonstrates that the investments of the foreign person are not directed by a foreign government and the foreign person has a history of cooperation with the Committee, it may waive review.

Filings Fees and Funding and Staffing.  FIRMMA requires dedicated CFIUS staffing and allows agencies to appoint new staff.  Its initial budget is $20,000,000 to perform the functions of CFIUS.  In addition for the first time, it institutes filing fees for written notices (not declarations) and sets limits on these fees.  However, it leaves the implementing regulations for prescribing these fees and procedures for CFIUS to define.

Remedies.  Expanded choices include:  suspension of the covered transaction while under review or investigation; referral to the President for a decision at any time; or negotiate, impose, enforce any agreement or condition with any party to a completed covered transaction to mitigate any interim risk after a risk based analysis.  Any agreements or conditions are to be effectuated in a compliance plan, that must be monitored for adherence and kept updated.  If non-compliant, the CFIUS may impose penalties, injunctive relief or negotiate a plan to remediate the lack of compliance.

Reporting Requirements.  FIRRMA significantly increases the number of reports to be made to Congress, including a much more detailed review of all covered transactions completed, especially monitoring and compliance plans, as well as all declarations.  Other reports include  Chinese investment in the U.S. (every 2 years), how it compares to the Made in China 2025 plan and any difficulties in collection of the data, the national security risks of foreign state-owned or controlled entities in the manufacture or assembly of rail systems in the U.S. and a briefing on transactions reviewed by CFIUS in the past 5 years which would have allowed foreign persons to inappropriately influence democratic institutions and processes within the United States and in other countries; and the disposition of such reviews.

Planning for Cross-Border Investment and Exclusive Licensing Deals.  Corporate counsel should manage several issues when engaged in cross-border transactions under these new regulations.

Plan.  Planned transactions should include a pre-negotiation analysis of the suitability of the deal under CFIUS.  Management needs to understand national security vulnerabilities and threat factors, SOE risk analysis, transparency, and disclosures by the acquirer and the costs, risks, and contractual allocation of risks in case the deal is blocked.

Understand Timing Expectations.  The parties should expect delays of up to four months (the maximum timeline for CFIUS reviews and referral to the President is 105 days), yet be able to respond to CFIUS information requests in three days, regardless of languages and time zones. Sensitivity to delays should be managed. If either buyer or seller is a publicly-traded company, investors will need to be informed under applicable securities disclosure laws. 

Manage Foreign Financing Risks.  Foreign buyers subject to foreign exchange control must ensure the timing of CFIUS review does not kill the financing.  They must also account for the advent of filing fees to be added to their budgets.

Manage CFIUS-Based Risks.   The parties should identify and manage the impact of CFIUS delays, mitigation and outright denials. Contractually, such risks should be defined and allocated to the foreign buyer in an enforceable manner.  Sellers might insist on a reverse-breakup fee if CFIUS blocks the deal.  To secure payment, an escrow could be imposed.  To secure CFIUS consent, before negotiating any definitive agreement, the parties should negotiate conditions under which buyer would accept CFIUS-imposed mitigations to clear the transaction.

Investors and business alike interested in cross-border deals should continue to monitor the development and implementation of the new regulations by CFIUS.  FIRRMA enables CFIUS to more effectively and efficiently address national security concerns with foreign investment once it finishes its rulemaking process which should provide greater transparency and predictability for investors and businesses as they design their global strategies.  It also provides the opportunity to work more closely with foreign investors in countries allied with the U.S. as its new declarations notices allow CFIUS to expedite reviews, thus reducing time and cost in closing these cases. 

CFIUS operates pursuant to section 721 of the Defense Production Act of 1950, as amended (section 721), and as implemented by Executive Order 11858, as amended, and regulations at 31 C.F.R. Part 800.


Thursday, July 12, 2018

Comparing GDPR "Privacy by Design" and California Consumer Privacy Act of 2018

Most business people know that data protection, cybersecurity, “safe” profiling and ethical marketing are compliance obligations under the European Union’s General Data Protection Regulation (effective May 25, 2018, the “GDPR”). Echoing the GDPR, on June 28, 2018, effective January 1, 2020, California’s Consumer Privacy Act of 2018 ("CCPA") adopted substantially the same protections for California residents as GDPR does for EU (and EEA) residents. This article compares the EU’s GDPR and the California Consumer Privacy Act and offers some focus for business strategies.

Hidden Profiling. Both GDPR and CCPA focus on unauthorized “profiling” of consumer information that would enable online marketers, using metadata collected without the individual’s knowledge or consent, to draw conclusions about a consumer’s purchasing habits and preferences. The CCPA attacks unauthorized profiling for drawing inferences on “the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligences, abilities and aptitudes.” Sounds like Marketing Segmentation 101.

Privacy Policies. Both GDPR and CCPA require privacy policies and procedures to give an individual notice about the categories of personal information being collected, the categories of sources, the business or commercial purposes for collection or use and the categories of third parties with whom personal data are shared or sold. Both require “informed consent” (or other justified need). Given the similarities, your privacy practices and corresponding privacy policies can probably be “synchronized” to meet the goals of both California Consumer Privacy Act and the General Data Protection Regulation.

Rights of the Individual. Both GDPR and CCPA give the individual the right to access, correct and even request the deletion of personal data, and to receive their personal information in “portable” data formats. Both permit website operators to refuse to delete data where necessary to fulfill a contract and for compliance with law enforcement. GDPR permits retention for “legitimate interests” of the data controller or data process. The CCPA permits retention “to enable solely internal uses [by the data controller or processor] that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.” Both exceptions leave a lot of wiggle room for legal interpretations and litigation.

Enforcement. Each law creates legal rights for individuals whose personal information has been collected, processed or stored without consent (or other “legitimate” purpose). Such rights can be enforced individually or by class action, so the larger the class, the higher the cost. Each permits government officials to sue on behalf of an injured class of consumers. The GDPR permits imposition of fines up to 4% of the worldwide revenues of affiliated groups. The CCPA specifies minimum penalties of at least $100 (up to $750, or greater, for actual damages) per violation per individual. Given the U.S. Supreme Court’s June 21, 2018 Wayfair decision (allowing states to impose sales taxes on out-of-state Internet sales, as a reasonable and non-discriminatory burden on interstate commerce, , the extraterritorial application of California and EU laws will likely be enforceable as a matter of U.S. constitutional law, too.

          Differences between California Consumer Privacy Act and EU General Data Protection Regulation. Discrimination. The California Consumer Privacy Act of 2018 has several features that differ from the GDPR:
  • Who Must Comply. The GDPR applies to any personal data of any resident of the European Union and the European Economic Area that are processed outside such zones. The CCPA applies to data collectors that meet one of three conditions: (1) gross annual revenues of $25 million, (2) collects, shares or sells personal information from 50,000 or more persons per year, or (3) derives 50% or more of annual revenues from “selling” (sharing) consumers’ personal information. Thus, California law applies to any mid-market enterprise, one with CRM data on over 50,000 people or any search-engine optimization digital media business.

  • No Discrimination against Individuals Asserting Privacy Rights. California grants a right to California residents to equal service and price, even if they exercise their privacy rights (for example, by refusing to trade their personal information for a sweepstakes entry or free limited subscription). Online marketers cannot charge “different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.” Nor can online marketers “provide a different level or quality of goods or services to the consumer, if the consumer exercise the consumer’s rights” to privacy. But a business may offer a different price, rate, level or quality of goods or services if the price or other difference is “directly related to the value provided to the consumer by the consumer’s data.” So this invites price discrimination on the basis of a consumer’s income level or net worth.

  • No Vicarious Liability of Data Controller for Breach of Privacy by Data Processor. While the GDPR requires data controllers (who collect personal information) to impose “data processing agreements” on data processors, the California Consumer Protection Act does not. Instead, the CCPA holds the data controller liable only if it is aware of the data processor’s breach of privacy and does nothing to stop it.
          Actions to Limit Potential Liability. Business managers can avoid liability for privacy breaches by making a small investment in privacy design, policy, procedures and emergency management planning.
  • Your New “Customer Relationship Management”: Personal Attention, not Just CRM. Your website privacy policy (and terms and conditions of use) should be revised to align your business model with privacy laws. You can get more credibility, customer loyalty and greater legal protection if you carefully disclose, and obtain individual “informed consent” to your stated business purposes, intended uses and possible future disclosures as to all personal information. This transparency is especially important under the California Consumer Privacy Act because its definition of “personal information” is exceptionally broad. Transparency is likewise essential to avoid Federal Trade Commission claims of deceptive practices.

  • Business Model Review. The GDPR and CCPA, and new laws likely to be adopted by U.S. federal and state legislators, require all business owners, marketing departments and sales managers to review their business models. “Digital transformation” of the business from Main Street to Internet, and Search engine optimization and social media tools generate huge data sets. Your business model should be based on disclosing your value proposition and inducing your clientele to place trust in the legitimacy of your uses of their personal information and your value proposition. You should give great attention to why there is some value for both you and the customer for doing business with you. If you follow the California model, you can redesign your business to offer financial incentives for collection of personal information.

  • Managing your Data Supply Chain and Value Chain: Updating Your Data Processing Agreements. It’s time to re-examine the ecosystem in which you collect and process, directly or through outsourced service providers, personal data and transactions with customers.
    • Maybe you should localize in Europe your data processing for European residents.
    • Or you might focus on trusted data processors who adopt the U.S. “Privacy Shield” self-certification program that is enforced by the U.S. Department of Commerce in support of the EU’s GDPR.
    • Or you might just rely upon your service provider’s contractual assurance not to use or disclose the personal information other than for the contractual processing requirements.
    • Or adopt the “model clauses” under the EU’s data protection regime.

  • Using “Good” Technology to Defeat “Bad” Technology. Encryption, pseudonymization, de-personalization technologies can relieve the stress of possible privacy violations. If you have the right tools, compliance should be easier, and your business owners might relax more.
In short, it’s time to rethink your relationship with your customer and the impact of these privacy laws on your business model and your business operations. Having done this process for our clients, I have found this a rewarding opportunity for compliance functions to support marketing functions.

Tuesday, April 3, 2018

Board of Directors’ Governance Duties on Privacy, Compliance and Sexual Harassment: How to avoid “Falling Flat on your Facebook”

Corporate Directors must manage the company for the best in interests of stockholders and, in general, to ensure the company complies with its regulatory and contractual obligations.  Today, every company undertakes some digital transformation, using Cloud, social media, mobile devices, Big Data, analytics and potentially virtual reality, augmented reality, robotic process automation and sensor-driven “Internet of Things” like self-driving vehicles and remote controls using mobile devices. But the benefits of digital transformation come with many disruptive risks such as cyber security breaches, privacy violations that will cost serious money under the EU’s General Data Protection Regulation effective May 25, 2018, etc.  The scalability of tech “solutions” invites hackers and thieves.  At best, the company’s reputation is tarnished.

In a new threatening world, the “business judgment” rule protecting corporate directors and officers from personal liability requires greater vigilance and broader risk management.  A corporate director’s personal liability for the misdeeds of the corporation and its employees depends on how well the director planned for and responds to the “inevitable” corporate governance disaster such as:
  • Neglect of safety of its workers or consumers using a useful but potential dangerous product;
  • Abuses of consumer trust, such as setting up fictitious bank accounts to reward employees, without customer knowledge;
  • A claim of persistent sexual harassment by the CEO (à la Steve Wynn) or;
  • A business model based on unrestrained data aggregation and the “unforeseen” problem of unauthorized access or use by an authorized third parties data broker to the personal data of millions of online subscribers worldwide (à la Facebook and Cambridge Analytica).
Here are my suggestions for good corporate governance, risk management and compliance in response to digital transformation.  Just as lawyers have a duties of confidentiality and competency in technology, corporate directors have a duty of risk identification and threat management.

1. Maintaining Independent Judgment despite Lack of Control Anticipating

It may be impossible to fulfill the directors’ duty of loyalty and to maintain one’s independent judgment if the CEO owns a majority of voting control of the company’s voting shares.  That’s the case for Facebook, where Mark Zuckerberg, founder and CEO, owns about 10% of the shares but controls a majority of voting rights.  If you displease the CEO, you could get fired from the board of a valuable and prestigious company.  If you don’t displease the CEO, you might not have exercised independent judgment.   So you need to identify and implement measures that will be best for the company, which could include mandating certain actions by the CEO who is in control of your position as director.  And your D&O insurance carrier expects nothing less so as to mitigate any payouts on the inevitable derivative claims by shareholders.

2. Identify Worst Scenarios for Your Particular Business and Your Value Chain

From an insurer’s perspective, risk management requires identification and assessment of risks for probability and adverse impact. The digital economy increases the number and nature of risks.

Public companies must identify their risk profile in their quarterly and annual SEC reports.  Private companies must likewise disclose key risks on private placement memoranda, loan applications, and prospective acquirers in shareholder meetings under the principle of shareholder democracy.  For Wynn Resorts, an empire built on gambling casinos and flashy entertainment, the risks of sexual predation by the founder, who has access to private suites and private transportation, was predictable to directors who focus on high-probability risk analysis.   For Facebook, a director who understands the business model of vacuuming personal data from subscribers and their network of “friends” for resale to “data consolidators” like Cambridge Analytica could predict a failure of accountability in the value chain.  At a minimum, all supply chain contracts should guarantee that the corporation’s trusted data and business secrets will be protected and that any governmental mandates (such as privacy protections) applicable to the supplier’s services should flow down to the supplier.

Since worst case scenarios change over time, anticipating how changes in laws, politics and public opinion becomes part of the director’s job too.  No one asked, but it’s your duty to worry and plan.

3. Insulate and Compartmentalize Processes; Identify Failure Switches

The Titanic sank because it hit an iceberg at high speed at night.  Appropriately, the captain went down with the ship, but so did many hundreds more.  The ship was designed to withstand four breached compartments, but not five.  The lessons today are, don’t accelerate in risky waters and insulate and compartmentalize to insulate the business operation from cumulative, cascading risks.

For international companies, a private cloud might effectively limit risk.  Minimization of cross-border transfers of sensitive personal data can be done by using multiple servers, two in each country (the second is for failover).   Insulation can also be achieved by pseudonymization, a new concept advocated by the EU’s GDPR that stops short of full encryption but achieves compliance … until the code is broken.

4. Incentivize Prudent Behaviors by Employees

Wells Fargo made the mistake of incentivizing its bank branch officers to create new accounts not requested by the customers.  The IT department and compliance departments were asleep and could have stopped this fraud.  While few customers were adversely affected, some suffered.  So, prudent employees should be rewarded for not taking excessive risks and, in a complex organization, be encouraged to question the validity and prudence of decisions in other departments, especially where teamwork is needed for global integration.  And maybe consider small penalties for thoughtless behaviors, like opening spam attachments.

5. Monitor Compliance by Internal and External Audits

An airtight outsourcing service agreement does not guarantee compliance.   In the world of “Tech As A Service,” SaaS agreements should still require service providers to hire trusted independent external auditors for cybersecurity and business process management.   Audits under SSAE 16 type 2 and ISO compliance principles are no guarantee, but they help demonstrate prudent business judgment.

6. Appointing Compliance Officer Reporting to the Board

While compliance should be built into the company’s DNA through leadership at the top and company policy manuals, appointing an internal auditor and compliance office can give the directors access to someone who worries for them.

7. Run Away at Your Own Risk

Normally, a director has the remedy of resigning as director in case of policy differences that cannot be reconciled.  But running away might not be possible.   In tort law, the doctrine of “last clear chance” imposes liability on the actor who fails to use all reasonable efforts, at the last minute before a disaster, to protect the imminent victim from a third-party’s foreseeable misdeeds.  In corporate law, the fiduciary duty of loyalty may include a duty to not leave the corporation stranded when it falls into difficulties, since a new director might not be able to rectify the problems as quickly as the knowledgeable director seeking to walk away.   So the director’s job is never done, especially if there is no easy alternative but to persevere in the exercise of prudent business judgment.  No one hired you to quit when the risks are high and no one else can do a quick turn-around.

8. Identify Your Goals as Director and Apply Early Warning Systems

In the 1960’s, the NORAD “distant early warning” system deployed advanced radar to identify incoming hostile missiles.  Today’s corporate director needs a system for identifying goals personally and for the corporation, with metrics, triggers and analytics for situations hostile to the corporation.  If you don’t have the time or courage to set up your own warning systems, you might consider letting someone else do the job.  Or characterize your role as “just an advisor” to the board.