Tuesday, October 1, 2019

Corporate Governance Fiasco at WeWork, Crisis Management Playbook and Lessons Learned: The Expulsion of Adam Neumann from the Garden of Eden

Adam Neumann founded WeWork in 2010 but was expelled from management functions as CEO of the company (newly named The We Company) in September 2019.  He became non-executive Chairman of the Board.1   These changes were adopted by The We Company Board of Directors (undoubtedly after consulting shareholders).  The changes followed a disastrous aborted IPO that overvalued the company at $47 billion.  The withdrawn IPO will result in cash flow shortages for ordinary operations, unless the bleeding is stopped. 

Mr. Neumann’s fall from grace last week comes right out of the biblical Garden of Eden (eating forbidden fruit), Greek tragedy (blind hubris) and Dante’s Inferno Ninth Circle (betrayal of trust of family, community and country).   There must be a better way to run a closely held company.

The loss of cash anticipated from the failed IPO created a dramatic need for cash to sustain operations.  Let’s look at the changes in corporate governance and the new strategies for crisis management.

Corporate Governance

Board Duties.  In this case, Delaware law governs The We Company’s governance. Decision-making is done by the Board of Directors, appointed and removable by the voting stockholders.   The directors have a fiduciary duty to act prudently, a duty of loyalty to avoid self-dealing and a duty of care to justify the reasonableness of exercising their business judgment.

Board Actions.  Here, the Board and voting stockholders appear to have been captured and mesmerized by a flamboyant and extravagant founder engaged in self-dealing.  The Board approved, or did not discipline, apparent self-dealing of hiring Mr. Neumann’s many friends and family as employees.  The Board appears to have allowed but then rescinded a deal for Mr. Neumann’s sale to the company of a trademark registration for $1.6 million or so; however, the timing of discovery and rescission are apparently not public. The Board allowed the purchase of a $60 million private Gulfstream jet for Mr. Neumann’s use.  The Board approved dealings where Mr. Neumann, his family and even other members of the Board are the landlord and the company is the tenant.  In their risk analysis on SEC Form S-1 filed with the SEC August 14, 2019, the company admitted:
    “We have engaged in transactions with related parties, and such transactions present possible conflicts of interest that could have an adverse effect on our business and results of operations.  We have entered into a number of transactions with related parties, including our significant stockholders, directors and executive officers and other employees. … we may have achieved more favorable terms if such transactions had not been entered into with related parties and these transactions, individually or in the aggregate, may have an adverse effect on our business and results of operations or may result in government enforcement actions or other litigation.”
This looks like an invitation for a class action by future stockholders after an IPO.

The Board approved spending of over $500 million for acquisitions (arguably, for “diversification” and “synergies”).   Such investments generated revenues but arguably were different lines of business that would not build the core business.  The investments include WeGrow (pre-school and elementary education), Rise by We (fitness club), WeLive (rentals of dorm-like apartments), Meetup.com (event planning) and Conductor (search engine optimization).

The Board’s actions appear responsible for precipitating a crisis of trust.  The Board authorized the IPO documentation that did not provide segmented accounting by line of business.  The SEC Form S-1 omitted other information that one might consider “material.”  Investors rejected the IPO valuation of $47 billion and complained.  The Board has now withdrawn the public offering.

Crisis Management Playbook.

Board Action.   Having backed itself into a crisis, the Board took steps to rectify all of its apparent past neglect.  It terminated the founder’s employment.

Stockholder Action.  The stockholders appointed Mr. Neumann as non-executive chairman of the Board.  This action solved a lot of conflicts. It satisfied Mr. Neumann’s need to continue in some form of management.  It satisfied the stockholders’ need to remove him from operations while preserving whatever goodwill is associated with his inspirational reputation.

More significantly, the stockholders kept Mr. Neumann’s feet to the “fiduciary fire” so that he would be held responsible for future decisions that he approved.  Thus, Mr. Neumann’s personal rights (as stockholder) to complain about future Board decisions would be co-opted, and any bad decisions he approves henceforth will be subject to his responsibility for participating in and approving them.  He also signed a voting agreement that substantially dilutes his super-majority voting control.

Action Steps in Crisis Management.  The Board’s cleanup crew focused on reform of leadership and cash management.

Nepotism and Cronyism.  The Board fired Mr. Neumann’s wife and about 20 members of his family and friends, who held senior positions.  A crisis transition will occur, where pending projects will need to be identified, prioritized and terminated or re-adopted under increased Board supervision.  A new leader, free of prior association with Mr. Neumann’s entrancement, will guide as CEO.

Board Structure.  The Board may be increased to include more directors, who will be assigned to committees.  There will be significant changes in the role of directors including independent directors.

Cash Management.   Since the IPO documents revealed that expenses were growing as fast as revenues, cash management becomes a priority for survival.  SoftBank was reportedly ready to contribute another $10 billion when the company was valued at $47 billion, but the valuation is now more in the range of $15 billion according to estimates.  Further, SoftBank’s own leadership has undoubtedly been questioned by its investors for having acquiesced in Mr. Neumann’s management “mistakes.”  So cash management can be expected to result in significant emergency restructuring.  This could involve:
  • New scrutiny of all elements of the company’s business to revise:
    • its value proposition
    • its core business (which incidentally can be reviewed by looking at recent trademark applications)
    • its risk management and resiliency plan
    • cash flow requirements
    • operational reporting for greater transparency
  • Mass layoffs of persons not closely tied to the core real estate leasing operations
  • Sales of ancillary companies that, while profitable, are not “core” businesses
  • Termination of “non-core” projects
  • Demands for recovery of expenses incurred by Mr. Neumann and his “oval office” coterie of family and friends that had “no relation” to the company’s business
  • Possible renegotiation of lease terms or requiring Mr. Neumann to assign his rights as landlord to a third party where he controls WeWork’s landlord
  • Tax audits and amended income tax returns to reflect higher income and reduced deductible expenses from personal projects that a tax auditor might assert were personal expenses
  • Slower expansion
  • Termination of certain low-performance real estate projects that generate losses
  • An increase in the coverage limits for the company’s directors’ and officers’ liability insurance coverages
  • A new formulation and new solicitation of private equity, with a “down round” that values the company at less than the valuation agreed when SoftBank had invested.

Liability Management.  A crisis plan can help reduce the risk of shareholder litigation against the Board and officers as well as against SoftBank.  The “good governance” bullet that killed Mr. Neumann’s CEO role ricocheted towards SoftBank and its leader Masayoshi Son, whose own investors apparently revolted in Japan.  This crisis plan will help SoftBank justify additional capital contributions at a lower valuation, assuming SoftBank’s investors will approve it.

For other closely held businesses, the lessons are clear.  It might be time to restructure your corporate governance with new policies, procedures, practices and internal controls.

1 For history, The We Company, SEC Form S-1 (Aug. 14, 2019) and Eliot Brown, Anupreeta Das and Maureen Farrell, “WeWork to Push Out Staff Close to Ex-CEO,” Wall St. J. Sept. 27, 2019, pp. A1, cols. 4-5, p. A8, cols. 3-6; Eliot Brown, “WeWork’s Adam Neumann Runs on Excess,” Wall St. J. Sept. 19, 2019, pp. 1, cols. 5-6; p. A8, cols. 1-6.

Thursday, August 1, 2019

Implications of New York’s Expanded Data Privacy Protections (July 25, 2019)

If you operate or work in a business that collects personal data of New Yorkers, you could be subject to civil penalties for possible data security breaches or concealment.  This is a follow-up to my blog post in June on this draft law, which has now been passed.

On July 25, 2019, New York Governor Andrew Cuomo signed the SHIELD Act (“Stop Hacks and Improve Electronic Data Security Act”), expanding New York law on standards of care and liability for data breaches of “private information.”  The New York SHIELD Act represents a further compliance burden for all companies worldwide.  This follows a trend of data privacy laws with extraterritorial effect, like the General Data Protection Regulation (“GDPR,” European Union, effective May 25, 2018) and the California Consumer Privacy Act (“CCPA,” effective January 1, 2020).  The title echoes the name of the Federal “Privacy Shield,” a program for voluntary compliance by U.S. companies with the GDPR.

The New York SHIELD Act also impacts HR departments, IT departments, supply chain management, service providers and strategic transactions such as strategic alliances, M&A and the sale or purchase of a business. 

Key Provisions.

Reportable Data Breaches.  The law expands the definition of a data breach.  In addition to unauthorized copying of protected information, the New York SHIELD Act adds “unauthorized access.”  This definition invites a comparison to the Federal Computer Fraud and Abuse Act, 18 U.S.C. 1030 (“CFAA”).  Both laws thus target third-party attackers as well as rogue or negligent internal personnel who gain access to data that is outside the authorized scope of their employment.

Private Information.  The new law extends protection (data breach notification) to additional classes of “private information”: (1) social security number, (2) driver’s license number or non-driver ID card number, (3) “account number, credit or debit card number, in combination with any security code or access code”, (4) such account number or debit or credit card number, alone, where access to financial information can be obtained without a security code, (5) biometric information (obtained from measuring an individual’s unique physical characteristics) such as a fingerprint, voiceprint, retina or iris image, or other unique physical or digital representation of biometric data to identify an individual.

In addition, “private information” includes a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.

If encrypted, private data is subject to protection if the encryption key is used to identify the individual.

When to Report a Data Breach.  The breach must be reported when the private information of any resident of New York State is “accessed or acquired” by “any person without valid authorization.”  Reporting must be expedient yet show due respect for law enforcement actions.  An exception to reporting is allowed for “inadvertent disclosure by persons authorized to access private information” that the person or business “reasonably determines” is “not likely” to “result in misuse of such information or financial harm…or emotional harm.”  In such exceptions, an incident report must be prepared and maintained for 5 years.

Notification to Data Controller.  While not using GDPR wording, the New York law requires the data processor to notify the data controller or data owner.

Method of Notification.  Several notification methods are permitted, including mail, e-mail (“electronic notice”) and telephone, or substitute notice (where notification would cost more than $250,000) consisting of e-mail, a website announcement and notifying “major statewide media.”

Enforcement; Civil Penalties. While there is no private enforcement, the state Attorney General can seek damages of up to $250,000.  The statute of limitations is two or three years from the date of the act (or discovery), but not more than six years.  Exceptionally, if the victimized business conceals the “breach,” there is no time limit for such enforcement.

Extraterritorial Jurisdiction.  Like GDPR and CCPA, the New York SHIELD Act now applies to anyone who has private information about a New York resident.  Thus, its scope applies to businesses worldwide that have no office, employees, warehouse or operations in New York. 

What’s Missing.  Unlike the GDPR, CCPA or Nevada’s new privacy law effective October 1, 2019, the New York privacy law expressly prohibits any private right of action by the data subjects whose private information is illegally accessed (Section 4).  And it does not focus on consumer consents but rather on the custody, processing and destruction of private data.  Also, the New York law does offer a hornet’s nest of litigation opportunities in the form of shareholder derivative actions, breach of fiduciary duty claims and whistleblower litigation.

Impact on Business Stakeholders.

Management’s Liability.   As a matter of corporate governance, the board of directors (or managing members of an LLC) must take steps prudently to protect the business from foreseeable risks.  The New York law calls on all such managers to exercise their fiduciary duties to develop, monitor and update such plans for risk management, insurance, business continuity and loss prevention.

Human Resource Departments; Employee Handbooks.  By prohibiting unauthorized access to protected information, the New York SHIELD Act invites HR managers to revise their employee handbooks to underscore the duty not to access such information without due authorization, and to report accidental “accessing” of protected information.  In theory, your employee handbook already covers this scenario because you comply with federal law (CFAA).  Further, you now have a duty to train your personnel in compliance.

Unlike other data privacy laws, the New York law’s protections allow an employer to avoid having to report a breach that occurs in case an employee or agent of your business gains “good faith access to, or acquisition of,” personal private data, “provided that the private information is not used or subject to unauthorized disclosure.”  In determining whether unauthorized access has occurred, you may consider, “among other factors, indications that the information was viewed, communicated with, or altered by a person without valid authorization or by an unauthorized person.”

Information Technology Departments.   Like the GDPR (“adequate protection”), the New York law requires “reasonable security” measures.  This requires a program of designating a responsible coordinator, identifying reasonably foreseeable internal and external risks, assessing the reasonableness of safeguards, selecting capable service providers, destroying private data that is no longer needed and updating the program.   The legally mandatory policies and procedures are very detailed (Section 4).

Small businesses get an easier standard of care if they employ fewer than 50 employees, earn less than $3 million per year for the preceding 3 years, or have less than $5 million in assets (Section 4).  However, this lower standard of care still invites professional advice because it requires “reasonable administrative, technical and physical safeguards” taking into account the nature of the business and the degree of sensitivity of the private data.

Impact on Strategic Transactions and Business Models.

Stock Purchase Agreements / M&A.  The GDPR and CCPA shed new light on the risks assumed by a purchaser of a business.  The New York law will invite greater due diligence and contingent price adjustments post-closing to identify and cover cybersecurity risks.  Transactional liability insurance (including “representation and warranty insurance”) will become more prevalent to respond to worries by both buyers and sellers.

Downstream: Flow-downs to Supply Chain Management; Strategic Business Alliances.  If you rely upon a third party to process private data, you should review your Master Services Agreement and update the service provider’s duties to ensure you can demonstrate your service providers comply.  Similarly, if your company shares any private data in a marketing services agreement for lead generation, social media, paid search, search engine optimization (“SEO”), you should identify what data they collect (for all data breach notification purposes), how they collect it (for GDPR purposes), how long they retain it and what plans exist for destruction of private personal data within the broadest definitions under GDPR, CCPA and the New York SHIELD Act.

Upstream: Flow-Ups to Enterprise Clients and Customers.  Similarly, your company can now expect to respond to questionnaires and other audit techniques from your global enterprise clients, asking whether your company complies with the SHIELD Act’s cybersecurity precautions and breach notification measures.  So the New York SHIELD Act (like GDPR and CCPA) will create a new compliance process for virtually all businesses worldwide that process any private personal data of New York residents, depending on the character of the data and the reasons for processing it.

Risk Management and Resiliency Plans; Cyber-Security Insurance.  If you don’t already have some cyber-security insurance coverage, you might find it reasonably priced if you focus only on New York legal liability.   But if you add GDPR, CCPA and Nevada, cyber insurance may be a prudent move.  You’ll probably have to demonstrate some sophistication, planning, supervision and related disciplines in the underwriting process, not only as to cyber risks, but also general risk management and business continuity planning.

New Business Models.  The expansion of jurisdictions adopting data protection and breach notification laws invites the creation of new business models not dependent on knowledge of a particular individual’s identity in plain text.  In adopting GDPR, the EU Commission invited business models that depersonalize personal data, such as by aggregation, encryption and pseudonymization.  Digital media agencies may find ways to guess a customer’s intent rather than know which customer is contacting them and study the particular individual’s conduct.  Thus, anonymized search tools (currently available on certain browsers) and search engines (e.g. Apple) may become the norm.

Effective Dates.

All sections of the law are effective ninety days after signature (October 25, 2019), with Section 4 effective two hundred forty days after signature, March 21, 2020.

If you have not begun the data protection self-examination, it’s never too late to start. 

Wednesday, June 12, 2019

A new Privacy SHIELD: New Data Breach Notification Law Pending in New York State

Privacy law and breach notification may become proportionately stricter in the United States if a draft New York "Stop Hacks and Improve Electronic Data Security Act” (“SHIELD Act") is enacted.

Updating New York’s Data Breach Notification Law.  Today, virtually all U.S. states have a security breach notification law that is about 15 or so years old.  Mandatory security notifications are generally required only after there are at least 5,000 impacted consumers.  If a “privacy shield” bill passed in New York’s Senate on June 5, 2019 is enacted, New York’s cybersecurity breach notification law, enacted in 2005, would be amended to require notifications for much smaller security breaches, even on an individual basis, with broadened coverage.

NY Privacy SHIELD.  Passed by the New York Senate on June 5, 2019, the New York SHIELD Act (Sen. 5575-A, 2019-2020 session, available at https://www.nysenate.gov/legislation/bills/2019/s5575/amendment/a ), would amend and add sections to the New York General Business Law and the State Technology Law on data breach notification.

Expanded “Personal Information.”  The draft law would expand the scope of information subject to the current data breach notification law to include biometric information, email addresses and their corresponding passwords or security questions and answers, and protected health information as defined under HIPAA.  It would cover “personal information,” defined as “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.”  Privacy rights would apply to personal information that is “private” by reason of consisting of one or more key identifiers consisting of unencrypted data elements (or even encrypted data elements if the encryption key is also accessed or acquired).  Such key identifiers would include (1) social security numbers, (2) driver’s license or non-driver ID card numbers, (3) financial account access information, (4) biometric information including facial recognition, voice recognition or other unique physical characteristics, (5) a user name or e-mail address with password or security question and answer for accessing an online account, and (6) unsecured protected health information under HIPAA.

Employers and Employees: What is a Data Breach? The draft SHIELD law would broaden the definition of a data breach to include unauthorized access to private information.  This poses a major shift since it would make employers liable for the actions of their employees who lacked due authority to access personal information.   And it would now include those practicing ransomware.

Extraterritorial Scope.   Welcome to New York, virtually!  Like the EU GDPR and California’s Consumer Privacy Act of 2018 (“CCPA”), the draft New York law would have extraterritorial effect.  It would apply its notification requirement to any person or entity, regardless of their base of business,  with the private information of a New York resident, not just to those that conduct business in New York State.
   
What is a Data Security Breach Event under NY SHIELD?  The scope of breach notifications would depend on the number of affected New York residents and the severity of the risk.   Data controllers and data processors suffering a breach of personal information would need to give such notification if the database was breached, or “is reasonably believed to have been, accessed or acquired by a person without valid authorization.”

Varying Thresholds for Security Breach Notifications.  The New York SHIELD Act would apply to any person or business that owns or licenses computer data that includes private information.  It would create data security and breach notification requirements tailored to the size of the business.  Depending on the number of persons affected, different types of notifications would apply.
  • 1 to 500 Individuals. The draft SHIELD would require disclosure of any security breach to each affected individual. 

  • 500+ Individuals.  If the breach affects more than 500 New York residents, the data controller would need to deliver a written determination to the New York State Attorney General within 10 days after the determination.   Further, the police, Office of Information Technology Services and Department of State would need to be notified and consulted on the form, timing and content of any breach notification to New York residents.

  • 5,000 Individuals.  Currently, New York has a security breach notification statute similar to those of all other states.   In other states similar statutes do not all require notification to individuals unless a breach involves more than 5,000 individuals.   As with other breach notification statutes, for breaches affecting more than five thousand New York residents, notification would also be given to the “consumer reporting agencies” to exchange views on the timing, content and distribution of the notices and the approximate number of affected persons.  Such notice shall be made without delaying notice to affected New York residents.

Delayed Disclosures.  The SHIELD law would allow delays in notification for legitimate needs of law enforcement and for measures necessary to determine the scope of the breach and restore the integrity of the system.   Rather than establish a presumption of a duty to disclose, the SHIELD Act would allow non-disclosure of inadvertent disclosures to authorized persons, where the data controller reasonably determines that there will likely be no misuse, financial harm or emotional harm and the data controller documents that determination.  Where breach notification is already required under certain other laws (GLB, HIPAA, 23 NYCRR Part 500 or other breach notification law), no duplicative notice would be required.

How must a Notice of Data Breach be Delivered to New York Residents?  Notices may be in writing, electronic or by telephone or, for big breaches when over 500,000 notifications must be sent or where notification would cost more than $250,000, a substitute notice online, on one’s website and by press release to major statewide media. Since this provision fits within the definition of computer fraud under the federal Computer Fraud and Abuse Act, the draft SHIELD law invites litigation against any employer that fails to define and enforce access rules for personal information.

Who is Liable for a Data Security Breach?  Unlike under many other privacy laws, the data controller or data processor suffering a data breach may be held legally liable for all consequential financial losses occurring after the failure to notify, as well as all costs (attorneys’ fees).  Knowing and reckless violations may result in a civil penalty of the greater of $5,000 or up to $20 per instance of failed notification, up to $250,000.  Action must be commenced within three years after either when notification was sent to affected individuals or when the Attorney General was notified, whichever comes first, but in no case later than 6 years after the date of discovery of the breach.  No limitation applies in cases of concealment of a breach.

Exemptions for Good Faith.  The draft law would provide protection from liability for certain entities that take steps to verify their safeguarding of private information.

Possible Trends.

  • Administration of Privacy Laws in New York.  The SHIELD act would designate the New York Department of State as a key agency for coordination of breach notification efforts.  This agency also is responsible for registration of companies doing business in New York.  Like the U.S. Department of Commerce, the New York Department of State could keep a public list (à la Mikado) of errant data managers. 

  • Trend towards More State Legislation?  The New York SHIELD law signals a further tightening of U.S. state privacy laws, triggered by the EU GDPR adopted May 25, 2016 and effective May 25, 2018, and the California Consumer Privacy Protection Act of 2018, effective January 1, 2020.  The amendments to the New York cybersecurity breach notification law, enacted in 2005 and amended in 2013, would become effective 180 days after enactment.  Other states (such as Nevada, with a pending bill) can be expected to follow the process.

  • Continued Profiling of Customers (The One that Got Away: New York Privacy Act).  The passage of the draft SHIELD Act reflects continuing state legislative turmoil between consumers and retail merchants, B2B and B2C service providers.  The draft SHIELD law represents the abandonment, for now, of a much more drastic proposed law, the New York Privacy Act, which would have created a “fiduciary duty” for data custodians and covered virtually all elements of “personal information.”  The withdrawn New York Privacy Act would have defeated e-commerce tools for profiling and anticipating e-consumers’ purchasing decisions.  It would have imposed heavy obligations on all companies using or providing digital media, digital marketing, predictive marketing analytics and even robotic process automation that automatically profiles consumer data.   And it would have instigated litigation by consumers claiming rights under vague and subjective definitions.

  • Trends in Corporate Governance; Information Governance; Risk Management.  This mild reinforcement of the data breach notification statute underscores the need for information governance at the Board of Directors level.   To manage risks and ensure organizational resiliency, Boards should include knowledgeable persons aware of the business, technology, legal and brand impact of data privacy and cyber security across borders.   And the Board needs the help of more technical and legally detailed personnel (or advisors) acting as Data Protection Officers (“DPO’s”) under the GDPR, Chief Privacy Officers  (“CPO’s”), Chief Information Security Officers (“CISO’s”) under New York’s Department of Financial Services, or any other title that commands full authority and responsibilities.

Thursday, May 23, 2019

Risk Management and Resiliency Planning (Privacy Alert) on the First Anniversary of GDPR (and six months before the California Consumer Privacy Act (“CCPA”) becomes effective)

One year after the European Union's General Data Protection Regulation (“GDPR”) effective date of May 25, 2018, two years after GDPR was adopted as EU law, can we hope that the GDPR will just go away? No, that’s wishful thinking. As of February 2019, 59,000 GDPR violations had been reported, with only about 71 enforcement actions. According to several surveys, less than 50% of American businesses are GDPR compliant.

Any implied “grace period” for non-compliance is rapidly coming to an end.  You are entering the twilight zone of intentional or grossly negligent non-compliance with GDPR if you are a closely-held business with cross-border operations, any global digital business, a digital media service provider, a website collecting user information, a social media marketer, a mailing-list manager (whether using customer relationship management (CRM) software or Outlook or Gmail), or anyone uploading data to a “war room” (virtual data room (VDR)).

How do you get really started? It’s time for data mapping, IT risk assessment and mitigation plans, corporate risk management and resiliency plans, especially for privately owned companies such as startups, family-owned business, professional service providers (such as law firms, accounting firms, consultants and financial advisors).

Hidden Risks from Hiding (or Making False Promises that You are Compliant).  By when do you really need to be fully compliant?  Escapism and non-compliance will work for those with short lists of customers, colleagues, foreign friends and low revenues.  For those with more than a half million in revenues, you need to be compliant as soon as possible.  But SMB’s need to think about special reasons for immediate compliance:

  • Lenders. Bank lenders want to maintain your value as an ongoing business, both to demonstrate their own prudent (regulated) lending practices and to prevent a loss of value (such as fines or reputational damage) that might impair “loan-to-value” ratios. You might not be able to get bank financing (or any financing at all) if you cannot represent and warrant that you are in regulatory compliance, with particular reference to privacy laws.
  • Investors. Business angels, venture capitalists and private equity investors will want the same assurances, since the value of their equity investment (and opportunity for an eventual exit by M&A) will decline.
  • Co-Shareholders. If you are a member of the Board of Directors of a corporation (or manager of a normal LLC), you have a fiduciary duty to be prudent.
  • Global Enterprise Customers. Global enterprises that are your customers and clients are already including “flow-down” mandates in their Master Services Agreements (MSAs) and in the requirements of their Requests for Proposals (RFPs). Some might allow no change in your legal obligations until the expiration of your existing contracts. But if your MSA requires you to generally comply with all applicable laws, your enterprise customer will likely be entitled to cancel your deal unless you provide new assurances…including the right of the customer to audit your security and confidentiality covenants.
  • Loss of Clientele of Publicly Traded Clients and Customers. Under federal securities laws, a publicly-traded company that neglects its legal obligations under GDPR is subject to fines for false or fraudulent disclosures. Whenever a public company’s stock price drops rapidly due to some surprise to investors, the class action litigators file a lawsuit for punitive damages due to breach of fiduciary duty. The directors of public companies thus have no choice but to adopt GDPR compliance and enforce it throughout their global supply chains.
  • Valuation for Sale, Change of Control or Family “Transmission” (Estate Planning). If you are transferring your business in a sale or inheritance context, you might consider non-compliance as a valuation risk. In valuation of private companies, a discount should apply for known risks of non-compliance with rules that could have a material adverse impact. “Uncertainty as to the stability or continuity of the future income from a property decreases its value by increasing the risk of loss of earnings and value in the future.” IRS Revenue Ruling 59-50, 1959-1 CB 237. The valuation discount becomes dramatic when one considers the potential impact of an actual security breach: data breach notification costs, indemnification of users and a year’s free access to reputation management services for each affected EU user.
  • Financial Audit. Financial auditors have begun asking questions about privacy compliance because the auditor’s role is to identify material risks to your company’s viability. A qualified financial auditor’s opinion may constitute a breach of covenant under your revolving credit loan. It might trigger an event of default under commercial, financial, investment or other transactional documents.
  • Reputational Risks. A data security breach puts your reputation at risk. You might lose clients, employees or existing or prospective business partners. Further, restoring your reputation will be difficult, costly and potentially impossible. Even if you have strong cybersecurity, you should manage the risk by planning your message, your notifications and your story before the breach.
  • Vicarious Liability for Defaults of Your Suppliers. Like the EU’s 1995 Data Protection Directive, GDPR makes you liable for the personal data breaches of your suppliers at any level of your supply chain. The CCPA does the same.
  • False Advertising. Under the Federal Trade Commission’s rule on false advertising, if you advertise anything about privacy and it’s not true, that’s a violation of federal law.

How can I get compliant? You must change your perspective and re-think your attitude. The GDPR calls for “privacy by design.” Rethink your entire business operations for digital compliance (and, later, for digital services taxation in cross-border and U.S. interstate services). If you receive personal information about European residents, you must comply, or at least have a plan for compliance that is credible for purposes of mitigating damages.

  • Data Mapping. First, you need to know your data flows and where your data is stored. If you already know your sources and uses of funds in your accounting statements, you can understand the sources and uses of private data as well as its full life cycle of collection, processing, storage, end of useful life and destruction. 
  • Informed and Updated Consents of Users. Update your terms of use and privacy conditions.
  • Data Management. Adopt and implement policies for managing personal data, for “privacy by design” and implementation. Do you need to receive personal data? If you receive IP addresses, will that constitute “personal data” under the circumstances? Can you operate using some form of anonymization?
  • Data Security. Security starts at home and ends with your suppliers at all levels.
  • Data Transfers. Sharing of personal data with others is a risk.
  • Corporate Governance: Policy Adoption and Enforcement. Privacy compliance is for Board review and action. Directors can be held responsible for breaches.
  • IT Governance. Every IT contract needs a privacy clause.
  • Procurement Governance. Every procurement contract needs a privacy clause.
  • Training. Every employee should be trained not only on cyber-security, but also on legal compliance obligations.
  • Audit and Certification. For credibility, it’s advisable to conduct privacy audits. They will help identify weaknesses and can lead to certification, thus preserving customer confidence. As with financial auditing, the individuals responsible for compliance should not be auditing the systems and procedures they have designed and implemented.
  • Disaster Recovery Plan / Business Continuity Plan. Such plans are expected in any supply chain. So be ready.
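The data-mapping, consent, data-transfer and end-of-life steps above can be tracked in a simple inventory. The following Python script is an added illustration written for this post; it is not code from the author or from any compliance product. The inventory entries, retention periods, recipients and the choice of IP truncation (IPv4 to /24, IPv6 to /48) as the “form of anonymization” are all constructed assumptions for the example.

```python
"""Minimal personal-data inventory check (added example; all entries are constructed)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class DataAsset:
    """One row of the data map: what is held, where it came from, where it lives, and for how long."""
    name: str                      # label for the collection, e.g. "newsletter list"
    fields: list[str]              # personal data elements held
    source: str                    # point of collection (web form, CRM import, upload ...)
    storage: str                   # system that stores it
    legal_basis: str               # recorded GDPR basis; empty string means none recorded
    collected_on: date             # start of the life cycle
    retention_days: int            # end of useful life, after which the data is to be destroyed
    shared_with: list[str] = field(default_factory=list)  # processors or other recipients


# Constructed sample inventory (not real systems or vendors).
SAMPLE_INVENTORY = [
    DataAsset("web analytics logs", ["ip_address", "user_agent"], "web server",
              "log archive", "legitimate interest", date(2018, 5, 25), 90,
              ["hosting provider"]),
    DataAsset("newsletter list", ["email", "name"], "sign-up form",
              "mailing-list tool", "", date(2019, 1, 10), 365),
    DataAsset("VDR uploads", ["name", "email", "employer"], "deal room",
              "virtual data room", "contract", date(2019, 3, 1), 30,
              ["VDR vendor (non-EU)"]),
]

# Reference date for the report: the GDPR first anniversary discussed in the post.
AS_OF = date(2019, 5, 25)


def past_retention(inventory: list[DataAsset], today: date) -> list[DataAsset]:
    """Assets whose retention period has run out and that are due for destruction."""
    return [a for a in inventory
            if today > a.collected_on + timedelta(days=a.retention_days)]


def without_legal_basis(inventory: list[DataAsset]) -> list[DataAsset]:
    """Assets with no recorded basis (e.g. no consent on file) that need attention."""
    return [a for a in inventory if not a.legal_basis.strip()]


def shared_externally(inventory: list[DataAsset]) -> list[DataAsset]:
    """Assets passed to suppliers or other recipients, i.e. the data-transfer risk."""
    return [a for a in inventory if a.shared_with]


def compliance_report(inventory: list[DataAsset], today: date) -> dict[str, list[str]]:
    """Summarise the three checks by asset name so the result is easy to review."""
    return {
        "past_retention": [a.name for a in past_retention(inventory, today)],
        "no_legal_basis": [a.name for a in without_legal_basis(inventory)],
        "shared_externally": [a.name for a in shared_externally(inventory)],
    }


def truncate_ip(ip_text: str) -> str:
    """Reduce an IP address to its network prefix before storage.

    Assumed policy for this example: keep /24 for IPv4 and /48 for IPv6. The
    result still identifies a network, not a host, which lowers (but does not
    remove) the identifiability the post asks about for IP addresses.
    """
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


if __name__ == "__main__":
    for check, names in compliance_report(SAMPLE_INVENTORY, AS_OF).items():
        print(f"{check}: {names}")
    print(truncate_ip("203.0.113.77"), truncate_ip("2001:db8:abcd:1234::5"))
```

Run as a script, it lists which constructed assets are past their retention date, which have no recorded legal basis and which are shared with outside recipients, and shows the truncated forms of two sample addresses. The same structure scales to a real inventory exported from a spreadsheet or CRM, and the three checks map onto the Data Mapping, Consents and Data Transfers bullets above.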

In conclusion, the first anniversary of GDPR marks perhaps the end of any implied grace period, or period of ramp-up of enforcement capabilities of the EU’s data protection agencies.

Thursday, April 11, 2019

When Disaster Strikes: 10 Key Steps to Protect Yourself in a Business Divorce

As equity owner, you operate a business entity or department, as partner, manager, managing member, director, officer, etc.   When your business “partners” have gone “hostile” or, as a result of this hostility, have expelled you from the legal entity that operates your business, you should consider taking several immediate steps for your own self-protection.

1.    Segregate your fiduciary role from your personal role.   Out of habit, you might want to assert your continuing rights in your fiduciary role.  You want your voice to be heard and heeded.  Yet, by acting to assert your fiduciary role, you expose yourself to claims of self-dealing, breach of duty of loyalty and intentional damage to shared rights.  Thereby, your personal interests may suffer due to possible conflicts between personal rights and fiduciary duties.  So, resigning your fiduciary role should normally eliminate a conflict and free you to pursue personal goals from the outside.  You might enjoy an advantage in reconnecting personally with clients (if you are not subject to a non-compete covenant) or regrouping with certain employees (if you don’t have a non-solicit covenant).  If you have the freedom to do so, you could become the new professional advisor, “business partner” or even a new part-time employee of a key client, giving you not only cash flow but other benefits as well.

2.    Clearly identify friends and foes.  Establish criteria for segregating friends and foes. And then consider pursuing new alliances if that’s feasible. This will help map a plan with friends through joint strategy and shared resources with the ability to potentially receive common advice from professional advisors supporting all of your “friends” as a group (if that’s what you want) and avoid fruitless delays of pursuing “blind alley” discussions with your foes.

3.    Be honest with yourself about mistakes made by yourself as well as others.  This is a learning opportunity before you leap into the same scenario again.  What values were in conflict (money, power, control, domination, transparency)?  What personality types crossed your wires (micromanagers or project managers working under a plan, budget, goals and deadlines)?

4.    Prioritize to protect your mental and physical health.  Yes, litigation is a tool to assert rights and obtain the remedies of justice.  But, as Ambrose Bierce said in his “Devil’s Dictionary,” a litigant is one who freely gives up his shirt in the hope of saving his skin, while litigation is a machine which you enter as a pig and exit as a sausage.  Consider alternative dispute resolution, such as ad hoc arbitration and mediation. Even a partial agreement on certain elements of business separation can limit the harsh personal impact of ongoing disputes.

5.    Hire professional advisors, not only to fight, but also to settle and restructure.  Understand that a litigator might have a financial incentive to continue the formal dispute whereas a conciliator might focus on limiting financial/public damage to all parties involved in bargaining for a quick resolution.  In a stressful conflict environment, the insights of professional advisors can help you see clearly to conflict resolution and eventual creation of new opportunities for self-renewal.  An advisor can help define your future goals and keep you on track.

6.    Deal responsibly with failing partners before expelling them.  When a partner is not achieving common goals or acting selfishly, consider giving her or him a deadline for corrective action.  For example, your enterprise might have taken some growth initiatives that continue to require capital contributions by partners or owners who will not be getting the benefit of the future anticipated growth.  All they do now is subsidize the growth partners who are building their business.  In such cases, rather than give the expectation of perpetual unconditional support, meet with the “growth” partners and search for agreement on interim goals, a future go/no-go decision for continued support, criteria for continuation vs. separation, and a budget for limited future funding of the “growth” opportunity.  If done smartly, the separation of the failing “growth” partners could result in future rewards from future shared business opportunities or even future co-branding.  You could convert a “global partnership” into a “country-by-country partnership” under a global shared brand, with structured incentives for cross-referrals and future collaboration.

7.    Set up a plan and communicate it.  If others disagree, at least you will know what won’t work and who won’t cooperate.  Then redesign the plan.  After multiple iterations, you might achieve consensus.  If not, you will understand the framework for litigated dispute resolution.

8.    Get the facts.  Do your own due diligence as if you were buying or selling the company.  (You might have to do one or the other anyway.)  Does the company own all its assets in its own name?  Can some ongoing liabilities be transferred to others, such as by a sublease of rented premises, and if so which third party consents would be required? 

9.    Look for a complete solution (indeed, one that might include potential future collaboration without requiring it).  But plan for partial solutions.  A complete separation agreement has many moving parts and includes both accounting for past mistakes and current assets.  A good solution might also consider a future reward for future mutual benefit, such as a non-exclusive software license agreement, a sales commission agreement, and other arrangements that promote collaboration and discourage disparagement, denigration and “unfair” competition.

10.    Address the particular structural issues and governance rules in your organization.   For example, a partnership of lawyers generally faces limitations on effective governance since a minority might block the separation agreement, even if the terms are fair to all.  Restructuring is essential at all stages of the organization’s development, so that future scenarios do not torpedo the entire enterprise.  Restructuring promotes joint decision-making and can provide a smooth exit path for those partners who cannot keep up with the new direction of the majority in interest.  Such scenarios may include rapid growth, investment in new technologies, death, resignation or incompetency of a partner or group of partners, or the loss of key clients.  Partnership and shareholder agreements should be updated every five or ten years.  By being explicit about governance rules, all partners can feel confident of the future direction and their opportunities to share in future rewards, and can understand a transparent framework for compliance not only with legal mandates but also with the organization’s evolving spirit.

Above all, in a potential business divorce, it is important to maintain clear communication channels, seek professional advice on strategies and tactics and find resolutions which will work not only for you but for your partners as well.

Thursday, March 21, 2019

Brand Management in a Crisis: Protecting Goodwill after Employees are Accused of Illegal Conduct

How should you, as CEO, handle an accusation that your employee(s) engaged in illegal activities?  How can you prepare for a crisis where your company’s goodwill, brand and reputation are publicly attacked?

This question hit home to me when I read the news last week about the bribery scheme involving dozens of parents of students applying to prestigious universities.   Athletic coaches were accused of taking bribes to give admission to students who were not fully qualified for their particular sports.  A response by one of these universities, Yale, showed how to respond to a potentially embarrassing crisis that could threaten goodwill among all constituencies, current and prospective.   The lessons apply to businesses and non-profits as well as educational institutions.

1.    Risk Management and Resiliency Planning.  The Board of directors (or trustees) is responsible for identifying and managing risks that could threaten the enterprise’s value, ability to conduct operations and brand.  Any alleged illegality by employees threatens the organization under the legal doctrine of “respondeat superior” as well as loss of brand value.  The entity (as “principal”) is liable for the wrongdoing of its agents.  Under a risk management and resiliency program, management and the team are responsible for anticipating, defining and planning for risky outcomes.  This means scenario analysis, business impact analysis, measuring risk according to severity and probability, adopting insurance and indemnification policies, business continuity planning, disaster recovery planning, corporate governance policies to prevent rogue actions and setting standards of conduct for all employees and contractors.

2.    Prepare an Emergency Response Team.  As with any form of crisis management, effective brand management in a crisis requires governance by a team of individuals, both internal and external to the organization, to investigate, respond, communicate, rectify (if needed) and reconfigure to avoid a repeat of the disaster.   The team should include leaders from different disciplines and points of view. In brand management, this means the Board, the CEO, CFO, Chief Risk Management Officer (if any), Chief Marketing Officer and legal, HR and compliance advisors.   The team must have a pre-designated credible spokesman, who would publicly respond in a manner duly authorized by the board of directors (here, a board of trustees).   In privacy breaches, a similar team might also include the CIO and IT team as well as account managers.  Ideally, the team should have pre-assigned roles and should do “table-top” training exercises in preparation for a real crisis.

3.    Listen to the Press.  In this case, television newscasters were portraying the alleged bribers as “avatars” of abuse by the super-rich, depriving all applicants of equal opportunity.  Being aware of the public policy and slant of the press is essential to a responsive action.

4.    Investigate with Confidentiality and Due Process.  Both internal and external investigators should be engaged.  External investigators lend credibility against suspicions of self-dealing, conflicts of interest by employees or simple incompetence.  External investigators under the supervision of an external lawyer (or law firm) can conduct the investigation under the protection of attorney-client privileged communications and privileged attorney work product.  (Internal lawyers run the risk of not having full “privilege” because some of their functions are managerial or administrative and thus subject them to inquiry as witnesses).  The investigators should show respect for those being interviewed and afford them “due process,” including opportunities to deny, negate claims and present their own side of the story.

5.    Don’t allege misconduct till you have proof.  Meanwhile, demonstrate you are investigating all avenues.  Otherwise, you might accuse an innocent employee and wind up with claims for defamation, invasion of privacy, intentional or negligent infliction of emotional distress, breach of contract, violation of internal policies, civil rights violations, fraud and racketeering (with triple damages claimed).

6.    Act Quickly.   In the era of viral Internet, delays only aggravate suspicions.  Announce early that you are investigating.

7.    Be accessible to your constituents.  Know their interests and address them.

8.    Reaffirm your values.  Identify why the situation violates your values and policies and show you intend to act upon the results of the presently incomplete investigation. Under your corporate governance and human resources management programs, adopt policies against reasonably foreseeable types of misconduct.  Hold your employees to compliance with written standards.  Announce that your investigation is not only about finding guilty parties, but raising the standards by which all employees and contractors are judged.

Investigations and corresponding remedies take time, effort and focus.   Used properly, they can deflect criticism and strengthen the loyalty of your constituencies while avoiding long-lasting impairment of brand value.  If neglected, or improperly pursued or reported, they could prove detrimental to your operations and ultimately to brand value.