It is important to have the ability to improve one’s community. But it is just as important to retain the ability to reside in that community after the improvement have been made.

 

Civic Beautification Efforts

 

Imagine using local resources to empower those who reside in disinvested communities through crowdsourcing. Imagine affording local residents the ability to contribute to the restoration of their communities without gentrification. Crowdfunding can allow residents to turn creative, sustainable projects into a reality. Communities seeking to do restoration projects that do not have an economical return could use platforms like ioby or Citizinvestor.com, crowdfunding platforms that help residents raise money for public projects. Platforms like Citizinvestor.com also allow for residents to partner with the city to conduct joint projects. In communities that have had years of disinvestment, the government and community coalitions will need to create ways to restore public confidence to help win investors trust.

 

Economic Improvement Efforts

Crowdsourcing in such a community could function by allowing the residents to contribute their nominal funds to other residents’ nominal funds to create an investment fund. Each resident, based on their contribution, would have a certain percentage of ownership in the overall venture. These funds could be used to help create local groceries with actual fresh produce, community centers or programs for the youth, employment for local residents, and beautification initiatives. Ownership could be maintained on a private or public blockchain, which is considered to be immutable, depending on the needs of the group. Immutability can help build trust amongst those looking to invest in the projects of the community.

By Brooks Lockett and Justin Evans

 

 

Two recent developments are dramatically altering the biotechnology industry. First, there have been vast increases in the amounts of chemical herbicides used on genetically modified crops, and still further increases are scheduled to occur in the next few years. Second, the World Health Organization’s International Agency for Research on Cancer (IARC) has classified glyphosate, the herbicide most widely used on GM crops, as a “probable human carcinogen” and classified several other herbicides, including 2,4-dichlorophenoxyacetic acid (2,4-D), as “possible human carcinogens.”

 

These policy changes were fueled by litigation taken against agribusiness giants like Monsanto following hundreds of accusations of their products being toxic. For instance, Monsanto’s top-selling weed-killer RoundUp that was approved in the early 1970’s has recently faced claims by a man who testified that using the product for many years as a school groundskeeper caused him to develop terminal non-Hodgkin’s lymphoma.

 

The 46-year old’s case is one of the hundreds of others taken against biotech companies and their products. Despite prolific litigation, regulatory bodies have been slow to clearly define and differentiate their roles on the continuum of federal oversight. For this reason, cases like glyphosate distort public opinion of the biotechnology industry and misrepresent the incredible wave of innovation and scientific discovery it’s brought to our society. Furthermore, glyphosate-based products like RoundUp whose toxicity profiles have been widely debated make the regulation process considerably more difficult.

What does this mean for regulation of biotech products? Industry shifts call for regulatory bodies to adapt – quickly. This article will explore what steps are being taken by federal regulatory authorities to modernize our regulatory system in alignment with the currently shifting biotechnology landscape.

 

Our current regulatory system does its job protecting the health of our society and environment. However, oftentimes there is uncertainty about agency jurisdiction, leading to a lack of predictability of timeframes for review of new and marketed products. These problems result in avoidable costs that slow economic growth and stifle innovation.

 

In an attempt to mitigate these inconsistencies, the EPA updated the coordinated framework for the regulation of biotechnology in 2017, which stated that the EPA would regulate pesticides, herbicides, and pollutants, the FDA would regulate food, medical devices, and human drugs, and the USDA would regulate any products of biotechnology that may pose a risk to agricultural health or animal health.

 

Looking back at glyphosate, there are a few questions to address concerning which federal agency will have direct oversight. Since glyphosate is an herbicide, it falls under the umbrella of the EPA – but the USDA is responsible for the testing of crops, which herbicides are applied to. In glyphosate’s case, both agencies have specific supervision over different parts of the regulatory process. Not to mention, the FDA has the authority to enforce penalties for non-compliance.

 

We can see there is a large amount of overlap between the boundaries of oversight each regulatory authority has. This requires careful coordination among health authorities to minimize the room for interpretation when it comes to approving biotech products. The goal here is to seek out regulatory strategies that protect human and environmental health without stigmatizing emerging biotechnologies and diminishing public confidence in the oversight of products. In order to do so, there needs to be more predictable practices among regulatory authorities with overlapping jurisdiction.

 

What’s the next step?

 

Agencies should establish a regulatory model that is exceedingly predictable. In essence, the agencies practices should be so transparent that other health authorities should be able to accurately forecast how they will respond to certain situations.

 

This highly-predictive model will illustrate a plan for frequent, formal horizon-scanning assessments of new biotech and agricultural products to ensure that agencies are prepared for future products before federal regulation is required. Regulatory authorities should be able to ensure that every product evaluation is risk-based and grounded in the best science available. With this, regulatory activities will be able to be adjusted based on experiences with specific products and the environments into which they have been introduced. Theoretically, these practices would improve agencies’ abilities to assess the risks arising from future products of biotechnology. Had this been done for Monsanto’s glyphosate-based product RoundUp, the FDA, EPA, and USDA may have been able to better coordinate their responses to the World Health Organization’s 2015 announcement that glyphosate was heavily linked to cancer – and perhaps avoided the whirlwind of negative media attention it brought to the biotech sector.

 

Now that we have outlined several key issues regarding the federal regulatory efforts with respect to the biotechnology industry, what are ways to potentially improve this system and alleviate any unnecessary difficulties?

 

For a better understanding of the potential solutions to gaps in the United States’ regulatory system and how to fill them in, it is useful to draw comparisons to European regulatory practices.

 

European health authorities take an approach of austere caution when dealing with the approval and implementation of biotechnology products in its countries, whereas the United States’ approach is highly permissive. This is further supported by the varied responses by the two regions to the World Health Organization report on glyphosate. When contradictory findings on the potential risks of the use of glyphosate first surfaced, the European Union (EU) responded by delaying its renewal of the glyphosate license until it could conduct further scientific studies. The delay is largely a response to the disapproval of politicians, regulators, and researchers in the EU.

 

Contrastingly, agencies in the United States like the Environmental Protection Agency (EPA), have failed to evaluate the human health risks arising from glyphosate including carcinogenicity, as well as the environmental risks. The Europeans approach is considered the precautionary principle, whereas the United States approach is that of substantial equivalence. Between these two modes of regulation, there are several critical differences to acknowledge.

 

The precautionary principle aims to prohibit products that may cause severe or irreversible damage to humans, animal and plant health, as well as the environment. European health authorities have not gone as far as banning all genetically modified products but instead established guidelines that should be used to constructively scrutinize the products being introduced. Many are skeptical of the United States’ approach because it is not believed that this approach was fueled from a place of consideration for the American citizens, but rather a push from the industry to approve its products more quickly.

 

Regulation of biotechnology products should be overseen by the coordinated efforts of one agency.

 

Another way to harmonize our regulatory system is to establish a single governmental agency that is responsible for the oversight of biotechnology products like glyphosate and genetically engineered organisms. This agency would eliminate the patchwork regulation done by the current 16 agencies. That way there is less room for error and for critical information regarding regulatory decisions to fall through the cracks. Having a more centralized structure would allow for a normalized standard, which would promote more clear guidelines for product compliance initiatives.

 

The efforts of this single agency should mirror the FDA’s actions in relation to drug screening. It should dedicate its resources to reviewing newly developed products of biotechnology and request studies, similar to clinical trials to test the safety of the products over time. I believe an agency dedicated strictly to food will help relieve the burden of the FDA so that it can focus on drugs exclusively. Many of the sixteen agencies are responsible for more than food safety, which increases the burden on the entity, by having to divide their efforts between responsibilities.

Because regulations fluctuate and inspections are done at different points, it is often difficult to respond to outbreaks. Proponents could argue that by having a staggered visitation, the sixteen agencies are visiting the company more than what a centralized entity would. Starting a new agency means that the entity will be starting over and will create a delay in the inspection process and would take years to get the point of flowing properly. The new agency may be affected by the same growing pains as the FDA. Even the FDA has struggled with its duties as of recent after the Congress passed the Food Safety Modernization Act. FDA learned very quickly that it could not take on food safety alone and would need help. It realized that it did not have the proper manpower nor the funding to properly train those running food facilities and inspectors. This could be a reason why a centralized entity might be the way to go. If the FDA needs to form alliances with the other 15 agencies to properly protect food safety, why not create a single entity?

 

Governmental agencies should separate its interest from that of the industry

 

This section goes without saying, but it is important to emphasize (governments should care more about people, not profits).

 

A prime example of why Americans have a lack of trust in government agencies comes from its revolving door policy with biotechnology and pharmaceutical companies. Governmental agencies should no longer allow for life science companies to place its employees into prominent positions of the government. For example, the FDA’s substantial equivalence policy, which justifies the use of genetically engineered products without extensive testing or labeling, was created by Michael Taylor, the FDA’s Deputy Commissioner of Food at its passing. Taylor began his career as a staff attorney with the FDA, before leaving to join King & Spalding’s food and drug practice, where he represented Monsanto. Decades later, he would return to the FDA as their Deputy Commissioner for Policy and thereafter become Monsanto’s vice president for public policy.

 

To provide an example from the pharmaceutical industry; Alex Michael Azar II, like Taylor, worked for a private firm before taking a prominent position in the government as the General Counsel of the United States Department of Health and Human Services during the Bush Administration. With the election of Obama, Azar left the Department of Health and Human Services to work as Eli Lilly’s top lobbyist and spokesman as its Senior Vice President of Corporate Affairs and Communications. As you may have guessed, with the election of Trump, Azar is back in government as the United States Secretary of Health and Human Services.

Taylor and Azar are just two out of hundreds of instances of this ‘revolving door’ that exists between the government and the life sciences industry. Experts say the convenient relationships don’t necessarily mean congressional staffers do favors for lobbyists they know, but the access doesn’t hurt. High-level appointees job-hopping between regulatory agencies and bioscience companies is an issue that goes much deeper than discussed, but nonetheless, it plays a factor in government regulation that leads people to believe that ‘business relationships’ are taking priority over what is best for patients.

 

To recap, federal regulatory bodies might benefit from establishing a single agency to oversee all aspects of the regulation of biotechnology – possibly resulting in better coordination of responses to situations like Monsanto, where a product that was previously thought to be non-toxic turns out to be toxic. This might help remedy the seemingly bad reputation of life science companies who are attempting to establish a culture of transparency among the government and also the general public. And above all else, putting the patient first.

 

Cease and Desist Letter Automation

———————————————————————————————————————————————————————————

Introduction:

On Friday, April 20th LegalRnD will host the “Measuring Lawyer Quality and Setting an Empirical Research Agenda for Legal Technology and Innovation” Conference from 9 am to 12 pm at the Kellogg Center in East Lansing. Students from Dan Linna Jr.’s Litigation: Data, Theory, Practice, Process Course will present on legal technology tools that have been developed to address real-world problems provided by project partners. Students were taught the Kata method to help identify potential solutions for the legal problems that they were provided.

Students were also trained in both Think Smart and Neota Logic artificial intelligence platforms, so that these solutions could be built for the project partner.  My group consisted of Erica PorterKaitlyn Huber and myself. We were given the following problem by Jeffrey Sharer of the Akerman Law Firm .

Industry
Law and Intellectual Property

Primary Business
Protection and enforcement of intellectual property rights. Intellectual Property involves intangible assets and creative works. It secures and enforces legal rights to inventions, designs, and artistic works.

The Challenge

Intellectual property rights are one of the most valuable assets of a corporation. In fact, it may be the most important asset the corporation possesses and therefore should be protected. In a recent survey, C-Level executives were asked whether they considered trademark infringement as something that they monitor in the company. Over 80% of these executives state that trademark infringements have become a growing issue for corporations over the past 5 years.

There are a number of ways in which a trademark infringement can damage a company’s brand, resulting in loss of sales. One of the growing concerns for C-Level executives is the negative publicity that a brand may sustain on social media. This makes the response of a corporation and its legal team time sensitive. Traditionally, it takes an in-house lawyer or outside IP counsel approximately 2 to 4 hours to assess a potentially infringing mark and draft and appropriate cease and desist letter or other correspondence to the alleged infringer. For many large organizations, this can add up to hundreds or even thousands of hours per year. One Deputy General Counsel responsible for IP at a Fortune 100 company suggested that this process could be at least partially automated to allow for responses to be generated more quickly

The Solution

Law firms like Akerman, which build smart systems, are uniquely positioned to respond to this issue. Attorney Jeffrey Sharer and Professor Dan Linna Jr. decided to have a group in Dan’s Litigation Class develop a solution using Think Smart or Neota Logic to streamline the researching and drafting of a cease and desist letter. My group decided to use the Neota Logic artificial intelligence software platform to help clients determine their rights under Trademark law. The Neota Logic platform employs process management, document automation, and reasoning to build an intelligent application for addressing complex legal issues.A client using the system can draft a cease and desist letter in 15 to 20 minutes rather than the traditional 2 to 4 hours. This allows for the client’s IP counsel to address other issues for the corporation, rather than spending valuable time on the cease and desist process.

How it Works: Programming Neota with Actions, Variables, Question Flows, and Decision Trees:

When determining the best app to develop for clients, we discussed developing an app that would allow the client’s IP counsel to generate an automated cease and desist PDF, but decided that our app would be of better use if it empowered anyone on the legal team to determine the companies’ rights under Trademark law and drafts the cease and desist letter for them. The software’s functioning is similar to TurboTax in that regard, where you can file taxes without having to be a CPA. With seamless integration, Neota Logic opens the web interface of the Advisor where the user selects the appropriate template for the document type.

The Advisor starts automatically, prompting the user for a case number or other identifying information. The Advisor provides a link to the USPTO if the IP counsel needs to retrieve related data about the company’s trademark and prompts the user to fill in the remaining information required for the document type.

The Advisor generates the document using the template, merging the data obtained in the questionnaire, and from common content, and applying trademark rules as required.
The solution then routes the generated document automatically to the clients’ email.

The Draft Letter:

Results and achievements of this project:

  1. With automated document templates, the time spent by the legal department on drafting cease and desist letters is reduced by more than 80%!
  2. Automated templates significantly reduce mistakes in documents.

User Input

We strived to make the best app possible, so we wanted to make sure that we were able to incorporate input from those in the field and those in general practice. We wanted to make sure that our app has the content that a trademark attorney would need to feel empowered to continue using it, but we also wanted Akerman to be able to provide it to in-house counsel who does not work on trademarks as often. Jordan Galvin was incredible, as she was willing to go through our app and provide comments to help us make our app amazing. By incorporating user input, we were able to draft the questions so that all audiences could follow through and submit information for the letter. Martin Childs, a 2L working for a Chicago firm, stated that he wished he had taken this class because he felt that developing these tools directly address clients’ pain points. Professor Bean said he was impressed with our app and felt that it was very useful. Professor Carter Johnson, who worked in IP at a firm and now teaches IP at MSU, stated that our app was very interesting and a great start to an awesome idea.

What We Learned:
In creating this automated artificial intelligence software platform, we learned that you cannot simply throw technology at an issue. We opened the course by learning to implement the Kata method, which forced us not to jump to a conclusion but rather to employ the scientific method. We were forced to test our theories to determine if they were accurate. We employed process improvement and process mapping to eliminate waste, by using the data-driven approach to develop our system.

This innovative system was created through teamwork with my classmates and with our project partner, Jeffrey Sharer. We learned that in this era of Artificial Intelligence, the legal field could be significantly improved through the automation of data, leading to more efficient service delivery and improved client satisfaction.

Below is an abstract/summary of my paper with the Journal of Business, Entrepreneurship and the Law at Pepperdine Law School.

Motivated by the recent explosion of interest in artificial intelligence(AI), I examined whether it makes sense to implement AI in smart contracts, to make them more effective. The current state of smart contracts leaves one to wonder if these are true contracts themselves. Traditional contracts have an offer for acceptance, highlighting the fact that smart contracts are mere codes incapable of satisfying the required elements of a legal contract. Could smarter contracts, assisted by AI, satisfy the elements of a contract by offering a web-based platform that allows for parties to make offers and accept them, copying them into a smarter contract? Could the use of AI in contracting, reduce risk by comparing the current smarter contract with existing smarter contracts on the blockchain? Could AI help retain business relationships by allowing user inputs that track performance, fluctuations, and extending the time for performance?

These analyses will be the focus of this paper. Part I examines the issues with the current state of contracting and will elucidate potential sectors of the legal industry where the implementation of smart contracts would be of best use for attorneys and our clients. Part II examines the implementation of smart contracts, and how it would help attorneys add value to clients by making attorneys work more effectively and efficiently. Part III of this paper will also explain why the use of smart contracts should be augmented with artificial intelligence (AI) to assist with the validity of the contracts. Part IV of this paper will examine the creation of a new type of lawyer that technologists and corporate clients will need to assist with the understanding of the risk associated with the technology and the laws that govern them. Finally, in Part V this paper will examine potential client areas that could benefit from the use of smart contracts to save money and move more efficiently.

 

On March 30th, Houman B. Shadab, a founder of the Accord Project and professor of law at New York Law School, will lead a workshop at the University of Michigan Law School about blockchains, smart contracts, and the Accord Project. Professor Shadab is a prolific and influential expert at the intersection of law, business, and technology. His research focuses on financial technology, smart contracts, hedge funds, derivatives, commercial transactions, and blockchains. The workshop is a supplement to the “Legal Technology & Innovation” course taught at Michigan Law School by Professor Dan Linna. Students and members of the public may attend if they RSVP through the Detroit Legal Innovation Meetup.

Blockchain has recently emerged as a disruptive technology that may revolutionize the way that attorneys will advise their clients. Applications for blockchain are currently being developed for key industries including finance, insurance, energy, healthcare and legal. A blockchain is a decentralized, trustless and continuously growing ledger that records and keeps track of every transaction across a peer-to-peer network of participants.

Recently, PWC made the news not only for launching a law firm in Washington D.C., but also for the release of its blockchain platform. The platform will help with managing business disputes and auditing of current implementations of blockchain applications by various corporations like Walmart, which is introducing a blockchain

application for improving food tracking. Blockchain appeals to corporate clients because the technology promises to provide security by design. Blockchain security comes from leveraging cryptographic protocols and distributed consensus algorithms, which provide anonymity, auditability and transaction immutability.

These same characteristics have also made blockchain appealing to lawyers and corporate clients for its potential use in “smart contracts”. The term “smart contracts” was originally coined by Nick Szabo, a cryptographer, who first saw the potential of 

automating contracts on blockchains. Szabo described contracts as a set of promises agreed to by a meeting of the minds, precisely as taught in my first-year contracts class by Professor Barnhizer. Szabo envisioned an automated contract that could be triggered by performance of either party to the agreement. The parties are not required to have a prior business relationship, and this structure allows for automated remedies if either side does not perform according to the terms of the agreement.

The original contract would be translated into code by blockchain trained attorneys representing either side. The code would contain a series of if-then statements that would carry out the completion of the contract once a condition is met. In summary, the term “smart contracts” refers to computer transaction protocols that execute the terms of a contract automatically based on a set of conditions. The use of smart contracts by corporate clients raises a number legal issues that will require advising by future and current attorneys.

The Accord project is a working group, made up of lawyers and organizations, that is focused on developing best practices and legal standards for smart contracts. The Accord project is led by the internet of things-enabled contract startup Clause, which was co-founded by Mr. Shadab. Mr. Shadab believes that having the Accord Project set standards for smart contracts will increase the chances that smart contracts will be implemented properly.

 

Come learn about blockchain and smart contracts with us.


All Students and Practitioners are Welcome! Please RSVP via the Detroit Legal Innovation Meetup.

 

Location:
University of Michigan Law School
Hutchins Hall Room 116

March 30th’s Agenda:
9-9:05 – Introductions
9:05-9:15 – Introduction to Clause and the Accord Project
9:15-10:00 – Introduction to Blockchain & Bitcoin
10:00-10:30 – Interactive Exercise
10:30-11:00 – Introduction to Smart contracts
11:00-12:30 – Smart legal contracts workshop
12:30-1pm – Roundtable discussion and wrap up
1pm – Closing and Networking

 

Yesterday  I attended the joint Process Improvement workshop for Lean Lawyering, which was hosted by several Florida public-interest lawyers and LegalRnD at the State Bar of Michigan. Here’s a link to the workshop’s website:

There were about 40 participants at the meeting, and I had the opportunity to meet and share ideas with practicing practitioners from law firms, legal aid entities, courts, and corporations from around Michigan.

The conference was very thoughtfully organized and included experiences from the implementation 

of process improvement techniques by Amy Burns, Deputy Director of Florida Rural Legal Services; Ilenia Sanchez-Bryson, Chief Information Officer at Legal Services of Greater Miami; Kristen Lentz, Managing Attorney for Disability Rights Florida; and Melissa Moss, Principal/owner of CatalystZone, LLC. Though I’ve attended a number of lean thinking and process improvement conferences, this was the first time that I’ve heard from actual attorneys who’ve implemented the process.

 

Discussion topics at the conference all centered around implementation of lean thinking (Toyota Way) for Law to improve efficiency and quality of services rendered. After learning of the speakers’ experiences incorporating process improvement into differing aspects of their practice and operations, attendees were given the opportunity to learn by doing.

To teach process improvement through the use of a real-world example, attendees were

broken into small groups to help streamline a legal aid’s walk-in service. The current conditions, as pictured, of the legal aid’s walk-in service results in an average of 58.2 minutes for clients to be serviced. Groups were asked to map the process, pictured to the right. The groups were asked to implement process improvement techniques to decrease the average time of service to 30 minutes. My group started off by mapping the current process and identifying areas for potential improvement. We next asked ourselves why the system took 58.2 minutes for clients to be serviced. Once we determined that it was a result of the process, we next asked ourselves why again. Once we were five levels deep into the why process, we finally had our answer!

 

The following post was drafted as an assignment between Danielle Chirdon, Anita Western, and I.

Executive summary: In order to conduct a proper assessment of the risks and liabilities in a merger or acquisition deal, the due diligence process must also include an assessment of the target corporation’s cybersecurity. An acquiring company must evaluate the strength of a target company’s cybersecurity processes and controls. In light of the increasing significance of cybersecurity threats, on February 2018, the SEC issued further guidance to its 2011 Guidelines on disclosure obligations relating to cybersecurity risks and cyber incidents. Companies operating in the European Union will also need to adhere to the new General Data Protection Regulations. The regulations require for certain data to be forgotten, designation of a data protection officer and reporting of data breaches within seventy-two hours.

 

Cybersecurity in M&A

Cybersecurity is one of the most overlooked issues in most M&A transactions.[1] An estimated “78% of global respondents believe cybersecurity is not analyzed in great depth or specifically quantified as part of the M&A due diligence process.”[2] Cybersecurity risk should be assessed by a corporation before it enters into a merger agreement with another company.[3] The acquirer needs to know the risk it is taking when taking over a target company.[4]

In 2017, Verizon, learning from the cyber-failures of TripAdvisor and Neiman Marcus, made cybersecurity a central part of its due diligence study.[5] During its due diligence review of Yahoo, Verizon found that the web company had suffered a large security breach.[6] This discovery allowed Verizon to discount its cost for Yahoo and develop a strategy for the potential risk.[7] It was later determined that several of Yahoo’s executives had known about the breach, but failed to comprehend or investigate the breaches properly.[8] Courts have found that an acquirer’s board of directors would be in breach of its fiduciary duty of care if it did not conduct a due diligence study on the target company before it merged or acquired it, or did not conduct an adequate due diligence study.[9]

 

What is Cybersecurity

Cyber Security is a set of principles and practices designed to safeguard your information systems and networks, company data, email messages, and information that are typically processed, communicated, and stored on the information systems.[10] The goal of cybersecurity is to protect against a wide range of threats. Doing so ensures business continuity, minimizes risk and maximizes business opportunities and returns for shareholders.[11]

A Corporation implements cybersecurity protocols to protect its data. A corporation holds data such as the personally identifiable information of its employees, customers, and other individuals;  corporate financial information; trade secrets;  intellectual property; and other sensitive and confidential information.[12] Hackers can access a company’s information through three primary methods: physical and environmental threats, technical threats, and people threats.[13] Physical and environmental threats involve the theft, damage, and destruction of the physical elements comprising the information system such as servers and laptops.[14] Technical threats are threats that are carried out through the use of computer code or other automated mechanisms.[15] People threats are those that come from individuals within the company, competing companies, or even foreign government entities.[16]

 

Cybersecurity Due Diligence

In 2016, cybercrime cost corporations on the average between $375 billion to $575 billion. [17] It has been projected that by 2019, cybercrime will cost corporations over two trillion dollars.[18] An example of a change in public reception would be the new found perception of Target and Equifax.[19] When acquiring a company, the target’s cybersecurity status and program are vital to an acquirer because a company with a poor cybersecurity program will require a large number resources to bring them into legal compliance.[20] An acquirer assumes the risk of the target company, and if it is found that the target company suffered numerous cyber instances and is sued, the acquirer may be on the hook.[21]

How can an acquiring corporation ensure that it is not one keystroke away from a major data breach or another cyber attack? Assessing a target’s cybersecurity risk requires an additional assessment in the traditional due diligence process.[22] An acquirer must must identify actual or potential cyber threats.[23] When conducting a cybersecurity assessment, an acquirer should begin by identifying and evaluating a company’s “high value digital assets.”[24] Hackers are targeting corporations’ intangible assets; for example, trade secrets, engineering designs, customer lists, personal identifying information, confidential bids on government programs, etc.[25] A key component of due diligence is to evaluate the data security plan of the company to determine if there are potential risks, and if so, develop a plan to address them.[26]

The acquiring company should investigate whether the target company has both processes and controls in place to address cyber-instances that may arise.[27] A data security process involves identifying, understanding, and monitoring critical information assets such personally identifiable information and IT systems.[28] A target company should be conducting cybersecurity risk assessments of their data security processes before the acquisition. Risk assessments are done by identifying vulnerabilities and threats that are aimed at the critical information and the potential impact if these threats were to occur. Documentation of risk assessments are often requested by the acquirers when conducting due diligence on the target company.

An acquirer should also request information on the security controls put in place by the target company. When investigating data security controls, an acquirer is seeking policies, processes, procedures, hardware, software, and teams put in place to help deter, monitor, and respond to threats that are aimed at the critical information of the company.[29] Security controls are made up of three types: preventive, detective, and reactive.[30] Preventive security controls are designed to defend against threats and prevent the occurrence of events that compromise security.[31] Detective security controls are designed to identify threats that have occurred such as security breaches.[32] Reactive security controls are designed to stop or contain threats, to determine the parties that are involved, and to recover information that has been damaged or loss.[33]

“Companies with poor security programs may be perilously close to a security breach that can have a major impact on its revenue and profitability.”[34] Conversely, target companies with robust cybersecurity programs may offer enhanced value to the acquirer, and give the acquirer more confidence in the value of the acquisition.”[35] During cyber due diligence, anything learned by the acquirer can be used for renegotiating the terms of the deal or alter the integration plan of the target into the acquirer’s company.[36] If the breach is found to be irreparable, it may lead to a termination of the merger or acquisition.[37]

 

Cyber Security Disclosure Requirements according to U.S. Securities & Exchange Commission

A cybersecurity due diligence analysis for a publicly traded company should also include disclosure statements registered with the U.S. Securities and Exchange Commission (SEC). The Securities Exchange Act of 1934 requires periodic reporting “as necessary or appropriate for the proper protection of investors and to insure fair dealing in the security.”[38] Regulation S-K requires that public companies provide “a discussion of the most significant factors that make the offering speculative or risky” are particularly relevant to cybersecurity threats.[39] In 2011, the Division of Corporate Finance issued guidelines for disclosure obligations of cybersecurity risks.[40] These guidelines are “neither a rule, regulation, nor a statement of the SEC.”[41] In light of the heightening awareness of cyber security risk, on February 21, 2018, the SEC announced that the Commission had voted to approve a statement and interpretive guidance to assist public companies in preparing disclosures of cybersecurity risks and incidents.[42] The statement emphasized the importance of “establishing and maintaining appropriate and effective disclosure controls and procedures,” as well as “the obligation to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents” and how this applies to insider trading.[43]

Despite encouraging risk disclosure, the guidelines “indicate[] that materiality of the risk should be an overarching consideration affecting disclosure.”[44] The guidelines and statement discourage generic disclosure[45] or “providing a roadmap for those who seek to penetrate a company’s security protections.”[46] The new statement should have a stronger impact on disclosure of cybersecurity risks than the initial guidelines. In the Winter 2017-2018 edition of the Business law section of the ABA, the authors examined the impact of the guidelines on 10-K disclosures and found evidence that a relatively small portion of firms chose to modify their risk factor disclosures.[47] Also, those who did make disclosures experienced negative effects on their stock prices, rather than viewing disclosure as a positive signal of management attentiveness.[48] Currently, firms face the uncomfortable choice of needing to disclose risks for those buying securities to be informed and the fact that disclosing this vulnerability may encourage an attack.

 

Cybersecurity and the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation, intended to standardize a set of expectations for how an organization must manage and protect PII for employees, clients and other applicable data subjects.[49] The GDPR applies to any organization that holds data that belongs to EU citizens or processes data of subjects within the EU, regardless of their domiciliary.[50] The GDPR represents a significant overhaul of Europe’s current data protection law. It will replace local data protection laws and standardize protection rights throughout the EU.[51] The GDPR compliance goes into effect May 28, 2018.[52]

The regulation increases the rights that individuals have to their data.[53] The right to data portability is one of the most significant examples of the new rights granted to individuals.[54] The GDPR allows an individual to have the right to transport their data from one organization to the next, leaving no data with the prior organization.[55] In order for an individual to transport their data, personal data must be provided to the individual in a structured, commonly used and machine-readable format.[56] The GDPR also stipulates that when technically feasible, organizations should facilitate the electronic transfer of personal data from one to another, if the individual makes that request.[57]

The GDPR also allows new rights for data subjects, such as the ‘right to be forgotten.’[58] Personal data must be erased “without undue delay” when: (1) retention is not required, (2) data is no longer needed, (3) consent is withdrawn.[59] Individuals can ask their organization to delete their data.[60] Organizations that do not yet have a process for accommodating such requests will have to put processes in place to conform to the GDPR.[61] The GDPR also requires personal data breaches, accidental or unlawful access, to be reported to the supervisory authority within seventy-two hours of becoming aware of the data breach.[62]

Lastly, the GDPR requires organizations to appoint a data protection officer (DPO). Organizations will have to designate a DPO if their core activities, as either a data controller or data processor, involve “regular and systematic monitoring of data subjects on a large scale.”[63] For firms who already have a ‘chief privacy officer’ (CPO), transitioning that person to a DPO satisfies the GDPR. If there is no CPO or similar position in the organization, then a DPO role will need to be created.[64]

If an organization makes the mistake of not complying with the GDPR, then hefty fines for non-compliance will ensue.[65] An egregious violation of GDPR, such as poor data security leading to public exposure of sensitive personal information, could result in a fine in the millions or even billions of dollars.[66] One of the largest effects on M&A will be these enhanced penalties. When organizations commit a serious breach of the GDPR, they will face potential fines of up to $20 million in Euros or 4% of the worldwide profit.[67]

 

Citations can be provided.

Introduction:

For the past few years, business outlets have published numerous stories about failed mergers of gigantic corporations due to failed due diligence studies. In fact, Hewlett-Packard’s deal with Autonomy was one of those highly reported stories of a large corporation losing billions due to an oversight in its due diligence review.[1] In 2011, Hewlett Packard acquired Autonomy for 11.1 billion, a 64% premium over the company’s 1 billion in yearly revenue. What went wrong with this deal?[2] In its review of Autonomy, Hewlett Packard was unable to detect that the CFO and CEO of Autonomy had been cooking their books, reporting profits that it had not made. For ten months before its acquisition, Autonomy reported revenues that were within the 4 percent of analyst expectations.[3] How did Hewlett Packard miss this?
The answer lies in the gigabytes of data that Autonomy handed over to Hewlett Packard. Hewlett Packard’s attorneys had to wade through thousands of documents when conducting its due diligence study, and it is often difficult to catch every potential risk in the target company.[4] Artificial intelligence can change that and save a company from purchasing companies that have cooked its books or been hacked.[5] Artificial intelligence will allow the ability to take a global look at a company and highlight inconsistencies in the documents provided to the SEC, internally, and to acquiring company.[6]

The Due Diligence Process

The primary goal of mergers and acquisitions due diligence is to identify potential risk in the transactions.[7] The acquiring company wants full disclosure from the target company (target) to reduce its potential risk from acquiring the target while understanding the business that it is taking over.[8] As seen in Omnicare, where it refused to acquire NCS with conducting due diligence, due diligence also guides the transaction.[9] Due diligence begins when both parties sign a confidentiality agreement, and the target begins to gather relevant documents for the merger.[10] Gathering the appropriate documents can prove difficult because the documents and forms may be scattered across multiple locations or formats, which could result in important information being overlooked or lost[11].
Next, the acquiring company sends the target a checklist of the types of documents, forms, and information that it would like uploaded to a virtual data room for review.[12] Virtual data rooms offer both parties a secure online location to store and review these confidential documents.[13] Before, providing the acquiring the required documents, the target sends the forms to outside counsel for review.[14] Outside counsel is responsible for managing and protecting the sensitive information of the target.[15] Once the information has been cleared by the outside counsel, it is then provided to the acquiring company for due diligence review.

Due Diligence in The Stone Age

Currently, attorneys conducting due diligence studies, have to review hundreds or thousands of documents provided by the target company to their clients. In fact, attorneys representing a typical company worth 400 million euros in an M&A agreement, have to comb through 75 to 500 contracts during their due diligence contract review.[16] However, these companies do not have just 500 contracts but rather 5,000 to 10,000 contracts on file.[17] This means that the M&A attorneys for the acquiring company only review around 5% of the total contracts that are on file.[18] Why are they only reviewing 5%? The attorneys for the acquiring company are unable to review all of the company’s documents because the traditional due diligence process is time-consuming and expensive.[19] If attorneys took a strategic approach and increased the percentage of documents that are being reviewed, it would consume 30 to 60% of the legal fees that the company was paying.[20] Due diligence review is generally done by a team of associates, which can cost $1,200 or more a document.[21]
During the due diligence process, attorneys review documents provided by the target, to identify and allocate significant risks and determine the subsequent steps in the merger. [22]Attorneys have two categories of potential risk. The first category of risk includes pre-existing business, financial or liability.[23] The second category of potential risk flows from potential anti-assignment, change of control, or confidentiality provisions the target has entered into.[24] This stage of the process is critical for the due diligence process because any oversight at this stage could result in the acquiring company purchasing a liability.[25] It is often only after the merger that acquiring companies can find missed exclusivity, nonstandard indemnification clauses, and other unexpected obligations.

What is Artificial Intelligence?

Artificial intelligence is a branch of computer science that deals with the simulation of human intelligence processes by machines.[26] This process includes acquiring information and rules for using the information, using the rules to reach approximate or definite conclusions, and self-correction.[27] The main idea of AI is the ability of computers to do mundane and repetitive tasks that humans do. AI will not replace lawyers but will rather, will become a tool that we use to improve our efficiency.[28] In house legal departments are beginning to ask outside counsel to do work in less time and are not willing to pay for work it deems as low valued added services.[29] Corporate clients are now using AI tools for other places in the business and see its added value and are looking at law firms wondering why many of these tools are not being adopted.[30]

Artificial Intelligence to Save the Day

M&A attorneys are in need of tools that will reduce the burden of the due diligence process, and help alleviate potential liabilities.[31] Attorneys representing the target are also in need of AI tools, in that they are tasked with providing all relevant documents to the acquiring company.[32] The target is held in violation of the agreement for any relevant document that is excluded from the virtual room. In deals where there are large numbers of documents, AI tools can conduct full reviews, rather than 5%, which avoids having to only analyze only a sample.[33] Attorneys representing the target company can use trained AI tools to recognize relevant documents that are standard for M&A agreements.[34] The AI tool is trained by providing it with examples of several similar provisions found in M&A agreements.[35] Some common examples that can be used in the education of the tool include confidentiality, non-competition, infringement, indemnification, controlling governance, dispute resolution and change-of-control provisions.[36] AI tools can review near-identical documents and determine the differences in both documents.[37]
The education of the AI tool will be continual, as the language used from company to company often varies depending on the user.[38] Using AI tools without the proper education runs the risk that the system may result in overlooking documents or provisions or misinterpretation of ambiguous terms.[39] The AI tool will require training from a user to help identify and define uncommon and ambiguous terms. The AI system can then be tested for its ability to recognize and define these uncommon and ambiguous terms by granting it access to numerous examples such as contracts and documents, to test its accuracy.[40]
The implementation of AI will allow for identifying, classifying, organizing, prioritizing and highlighting documents, and determining which documents needs to be provided by the target company. [41]The current process results in the attorneys providing more documents than needed, making the job of the acquiring attorneys more rigorous when done manually.[42]
When the acquiring company is given access to the target company’s documents, it has an overwhelming task of having to organize and review the content provided.[43] AI tools can be used for the automating the highlighting and cataloging the relevant provisions of each document. While the system is highlighting and prioritizing documents, it can give weight to the more problematic sections for manual review. Using AI tools will help the attorneys working for the acquiring company, with higher efficiency and speed and lower cost I when compared to the traditional method. [44]

Kira Systems

During M&A due diligence, attorneys are provided and must review hundreds or thousands of documents that have not been organized and have been stored in any number of file formats.[45] Organizing and the converting all of the documents is only the first step in a long process. [46]However, AI tools like Kira systems can help curve the time spent on this process. Kira systems is a machine learning software (AI tool) that can identify, extract, and analyze the text in contracts, emails, etc.[47] In 2015, Kira was used in over 100 billion dollars worth of M&A transactions. [48]
Though many attorneys believe that manual review is the golden method, Kira has proven otherwise in a head to head comparison.[49] When Kira and attorneys were given the same documents and provisions for contract review analysis, the manual review was shown to be just as accurate as the AI but took significantly longer.[50] Kira offers attorneys the opportunity to conduct a more comprehensive review, by analyzing more documents in less time for less money. In fact, attorneys have reported a savings of 20 to 60% of their time in reviewing contracts.[51]
Kira allows a target company to analyze its own documents to help determine its own risks and ultimately its value to improve its negotiating position.[52] By having a global understanding of its company, it can negotiate from a more knowledgeable position.[53]

Mergers are often expensive and time consuming for both sides because of the way in which the target company stores its information. Target companies are not usually deal ready. Target companies are often reactionist to potential deals, and then put in a position that requires for them to gather emails, contracts, etc. rather quickly for the deal. Kira systems can save both the target company and acquiring company time and money by allowing for document management before a potential merger is in the air[54]. Conducting manual review would take away from the core business.[55] AI systems like Kira or VDR would allow the target company the ability to upload all documentation and data to the centralized repository.[56] This would enable smooth and easier tracking with internal parties and confidential sharing with outside counsel. Kira also allows for notification of upcoming renewal and expiration dates that exist in the contract portfolio, which allows for the target and acquiring company to have a better understanding of its obligations.

Conclusion

During due diligence for M&A, most of the attorney fees are generated from having to spend expensive hours reviewing documents for their clients. The clients have begun to push back against their outside counsel, requiring for fixed rates and higher value added. This provides an opportunity for automating the due diligence process, which would result in cheaper and faster transactions that allow for better management of risk. AI tools offer a potential efficient solution for classifying, organizing, and prioritizing documents being provided to the acquiring company, and provides a strategy for how the acquiring company addresses its review of these documents. AI tools also provide an opportunity for target companies to be M&A ready upfront.

[1] Jack Ciesielski, How autonomy fooled Hewlett-Packard, Fortune (Dec. 2016), http://fortune.com/2016/12/14/hewlett-packard-autonomy.
[2] Id.
[3] Angela Monaghan, Hewlett Packard offloads last Autonomy assets in software deal, The Guardian (Sep. 2016), https://www.theguardian.com/business/2016/sep/08/hewlett-packard-autonomy-assets-software-deal-micro-focus.
[4] Id.
[5] Roy Strom, Wall Street wakes up to legal AI for due diligence, The Am. Law. (Dec. 2017), https://www.law.com/americanlawyer/sites/americanlawyer/2017/11/30/wall-street-wakes-up-to-legal-ai-for-due-diligence/?slreturn=20180120224441.
[6] Id.
[7] Dewey Ray, What is merger and acquisition due diligence?, CIO (Jun 2015), https://www.cio.com/article/2931585/mergers-acquisitions/what-is-merger-and-acquisition-due-diligence.html.
[8] Id.
[9] Daniel Davis, Omnicare v. NCS Healthcare: A Critical Appraisal, Berk. Bus. Law J. 177, 183 (Mar. 2007).
[10] Dewey Supra, note 7.
[11] Id.
[12] Cassity Ming, The due diligence process for M&A: a complete guide, Securedocs (May 2016), https://www.securedocs.com/blog/the-due-diligence-process-for-ma-a-complete-guide.
[13] Id.
[14] Id.
[15] Id.
[16] Kira Systems, HOW AI IS TRANSFORMING THE DUE DILIGENCE PROCESS, Raconteur (Oct. 2018),https://www.raconteur.net/sponsored/how-ai-is-transforming-the-due-diligence-process.
[17] Id..
[18] Id.
[19] Preparing your company for sale: due diligence from a seller’s perspective, Lex. (Mar. 2012), https://www.lexology.com/library/detail.aspx?g=b2c90aed-1ece-424b-9bce-7b655e83536a.
[20] Kira Supra, note 16.
[21] Id.
[22] Supra, note 19.
[23] Id.
[24] Id.
[25] Id.
[26] Justin Evans, Why Law Students Should Embrace Artificial Intelligence, Intellectuallyjay (Sep. 2017), https://www.intellectuallyjay.com.
[27] Id.
[28] Id.
[29] Jennifer Smith, Law firms face fresh backlash over fees, The Wall St. J. (Oct. 2012), https://www.wsj.com/articles/SB10001424052970203400604578070611725856952.
[30] Id.
[31] David McLaughlin, How AI helps financial institutions perform customer due diligence, Upside (Aug. 2017), https://tdwi.org/articles/2017/08/30/adv-all-ai-helps-financial-institutions-perform-due-diligence.aspx.
[32] Kira, Supra note 16.
[33] Id.
[34] Id.
[35] Id.
[36] Julie Sobowale, How artificial intelligence is transforming the legal profession, ABA J. (Apr. 2016), http://www.abajournal.com/magazine/article/how_artificial_intelligence_is_transforming_the_legal_profession.
[37] Id.
[38] Kira, Supra note 16.
[39] Id.
[40] Cassity Supra, Note 12.
[41] Id.
[42] Id.
[43] Id.
[44] Id.
[45] Debra Weiss, DLA Piper to use artificial intelligence for M&A document review, ABA J. (Jun. 2016), http://www.abajournal.com/news/article/dla_piper_to_use_artificial_intelligence_technology_for_ma_document_review.
[46] Id.
[47] Kira Systems, Kira Systems’ Noah Waisberg, uncovering truths & myths for AI Bootcamp session at Legalweek New York 2018, Kira System Blog (Jan. 2018), https://info.kirasystems.com/blog/topic/due-diligence.
[48] Deloitte, Deloitte forms alliance with Kira Systems to drive the adoption of artificial intelligence in the workplace (Mar. 2016), https://www2.deloitte.com/us/en/pages/about-deloitte/articles/press-releases/deloitte-forms-alliance-with-kira-systems-to-drive-the-adoption-of-artificial-intelligence-in-the-workplace.html.
[49] Mark Burdon, Artificial Intelligence – An Authentic Opportunity For Mergers And Acquisitions, The Deal Room (Aug. 2016), https://www.firmex.com/thedealroom/artificial-intelligence-an-authentic-opportunity-for-mergers-and-acquisitions.
[50] Supra, note 48.
[51] Id.
[52] Id.
[53] Id.
[54] Merrill Corp., BE M&A READY: DON’T MAKE MANAGING YOUR DOCUMENTS A LAST-MINUTE CONSIDERATION, Raconteur (Oct. 2018), https://www.raconteur.net/sponsored/be-ma-ready-dont-make-managing-your-documents-a-last-minute-consideration.
[55] Id.
[56] Id.

On January 19th- 21st, Michigan State University (MSU) will be hosting its fourth annual student-run hackathon, SpartaHack IV. Spartahack is focused on bringing students across different disciplines together and giving them a platform to realize and harness their own fresh ideas. A hackathon is a perfect setting for discovery, where participants have the opportunity to get to know each other better, take on new roles, and utilize material that they are being taught in the classroom.

What is a Hackathon?

A hackathon is an event, typically lasting 24-48 hours, in which a large number of people (computer science students, student programmers, student data scientists, student project managers, business students, and law students) meet to engage in competitive collaborative purpose of achieving a potential solution for a specific set of challenges. The goals involve solving some kind of problem or challenge submitted by a ‘sponsor,’ usually an organization. Teams that create the most meaningful and innovative solutions under the specific judging criteria are awarded prizes from the sponsor.

At Spartahack, around 500 engineers, designers, law students, business students, and etc will get together to come up with something cool, useful, and amazing. The only condition is that students will have only 36 hours to work on their projects. Teams with the best ideas have the chance to win over 34 prizes, amounting to $20,443 in prize value.

Why Should Law Students Attend Hackathons?

Law students are given an opportunity to apply the concepts learned in the classroom to innovate the law or solve a set of legal problems. This allows law student to be in the trenches with programmers and coders who are responsible for developing the technology and other solutions for the issues being presented. Law students are given the chance to actively listen to the solutions proposed and brainstorming that occurs between the sponsors and the other students. Law students can learn to think like the programmers and coders. Hackathons allow for law students to improve their legal process and/or make the law more accessible to clients through the creation of user-friendly mobile apps, web platforms, interactive databases, or etc.

“A hackathon event can help an attorney better understand where the future of the profession is heading by allowing them to take an active role in developing technologies that improve access to justice. Rather than being told ‘this is the new technology, just use it,’ attorneys can play a key part in shaping the new technology.”-Franklin Graves

Rules:

– Participation is limited to students who have been enrolled in the past year.

– Teams can have a maximum of 4 members.

– All team members must be registered SpartaHack attendees.

– All team members must be physically present at SpartaHack.

Judging Criteria:

-Creativity

-Technical Impressiveness

-Implementation

Sponsors:

Sign up!
https://18.spartahack.com/