Traditional Contracts and their Pain Points

“Business does not stand still, however traditional contracts do.” Professor Shadab explained that businesses need dynamic contracts that can be updated in real time: contracts that integrate with the business world and evolve constantly. He explained that the goal of Clause is to help develop open-source standards that move dynamic smart contracts forward. Dynamic contracts (legal smart contracts) would allow contract terms and conditions to be adjusted over time based on current business conditions. Parties would be able to monitor price changes, discounts, and shipping status in a dashboard as they occur. The price of aluminum, for example, fluctuates with supply and demand in the market; having it update automatically in the contract would spare both parties from guessing its value for the contracting period. These dynamic contracts would monitor performance and compare it against the terms of the contract.

 

Integrating APIs and IOT in Dynamic Contracts

It is projected that there will be more than 20 billion connected devices in the next several years, from traffic lights to autonomous coffee makers. Corporations like Amazon have taken the stance that collected data is an invaluable asset and have taken steps to collect more of it, learn from it, and make changes that increase profit and knowledge.

An API is a program that allows one product or service to talk to other products or services. APIs allow individuals or corporations to leverage their data by opening it up to other corporations, giving partners and consumers outside the corporation’s firewall the ability to access its data. APIs incorporated into a contract can facilitate communication between smart contracts and the cloud.

An example would be a dynamic contract between a hay farmer and a horse farmer which states that the horse farmer will purchase hay from the hay farmer if rainfall does not exceed 4 inches that summer. The dynamic contract would pull data via the weather station’s API to monitor the amount of rainfall. If the rainfall remains below the 4-inch limit, the smart contract executes automatically; if it exceeds the limit, the smart contract does not proceed. The hay farmer could also place IoT sensors in the ground to give a more accurate measure of rainfall and feed that information back into the dynamic contract. The horse farmer would be notified so that he or she can decide whether 4 and a half inches is acceptable for executing the contract.
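As an added example (not code from the page, from Clause, or from the Accord Project), here is the rainfall clause above expressed as the check a dynamic contract could run over its data feeds. The 4-inch threshold is the page’s; the source names, the readings, the 7-day staleness window and the 60-inch plausibility bound are assumptions made for the example. It also handles the two things a contract fed by outside data has to cope with: a reading that is faulty or stale, which is discarded rather than acted on, and a total over the limit, which is never executed automatically but held for the horse farmer’s explicit decision.

```python
"""Evaluate a rainfall-conditioned purchase clause over oracle inputs.

Added example, not the page's code. Models one clause of a dynamic contract:
the horse farmer buys hay if summer rainfall does not exceed 4 inches.
Readings from the weather-station API and the in-ground IoT sensors are
constructed sample data, not live feeds.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from statistics import median

RAIN_LIMIT_INCHES = 4.0        # the clause's threshold (from the page)
MAX_PLAUSIBLE_INCHES = 60.0    # assumed sanity bound: above this, treat the reading as faulty
MAX_AGE = timedelta(days=7)    # assumed: readings older than this are stale for "this summer"


class Outcome(Enum):
    EXECUTE = "execute"                       # condition met: contract proceeds automatically
    AWAIT_APPROVAL = "await_approval"         # limit exceeded: the horse farmer must decide
    INSUFFICIENT_DATA = "insufficient_data"   # no trustworthy readings: do nothing


@dataclass(frozen=True)
class Reading:
    source: str            # e.g. "weather_api" or "ground_sensor_a" (assumed names)
    inches: float          # cumulative seasonal rainfall reported by that source
    observed_at: datetime  # timezone-aware timestamp of the report


def valid_readings(readings, now):
    """Drop readings a contract should never act on: non-numeric, negative, implausible or stale."""
    keep = []
    for r in readings:
        if not isinstance(r.inches, (int, float)) or r.inches < 0 or r.inches > MAX_PLAUSIBLE_INCHES:
            continue
        if now - r.observed_at > MAX_AGE:
            continue
        keep.append(r)
    return keep


def seasonal_rainfall(readings, now):
    """Take the latest valid total from each source and return the median across sources.

    The median means one faulty or manipulated feed cannot move the result on its own.
    Returns None when no source has a usable reading.
    """
    latest = {}
    for r in valid_readings(readings, now):
        if r.source not in latest or r.observed_at > latest[r.source].observed_at:
            latest[r.source] = r
    if not latest:
        return None
    return median(r.inches for r in latest.values())


def evaluate_clause(readings, now, farmer_accepts=None):
    """Return (Outcome, rainfall_total). Over-limit totals execute only on an explicit acceptance."""
    total = seasonal_rainfall(readings, now)
    if total is None:
        return Outcome.INSUFFICIENT_DATA, None
    if total <= RAIN_LIMIT_INCHES:
        return Outcome.EXECUTE, total
    if farmer_accepts is True:          # the horse farmer, once notified, accepted the wetter season
        return Outcome.EXECUTE, total
    return Outcome.AWAIT_APPROVAL, total


# Constructed sample data: a dry season with one broken sensor and one stale API report.
NOW = datetime(2018, 8, 31, tzinfo=timezone.utc)
SAMPLE_READINGS = [
    Reading("weather_api", 3.6, NOW - timedelta(days=1)),
    Reading("ground_sensor_a", 3.8, NOW - timedelta(hours=6)),
    Reading("ground_sensor_b", 999.0, NOW - timedelta(hours=6)),   # implausible: discarded
    Reading("weather_api", 2.1, NOW - timedelta(days=40)),         # stale: discarded
]

if __name__ == "__main__":
    outcome, total = evaluate_clause(SAMPLE_READINGS, NOW)
    print(f"rainfall={total} -> {outcome.value}")
```

Running the block with the sample data yields a median of 3.7 inches across the two surviving sources and the clause executes; feeding it two readings around 4.5 inches yields `await_approval` until `farmer_accepts=True` is passed, which is the notification step the paragraph describes.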

Social media is becoming a critical part of how a corporation markets itself and connects with its consumers. With much of the American public joining and regularly using social media sites, the social media industry is becoming a larger part of our lives. In fact, over 2 million corporations use Facebook to promote their products and services. Corporations have found that social media lets them lower ad costs, reach their target audience, and analyze the effectiveness of their ad campaigns. Though 61% of Fortune 500 CEOs have no presence on social media at all, a smaller subset of CEOs use their personal accounts to build a brand for themselves and their companies. This has led to free PR for their companies, one example being T-Mobile’s CEO John Legere.

 

But what happens when the CEO goes too far and cripples the business?

 

This is exactly what happened to Tesla. Its CEO, Elon Musk, has become a celebrity on Twitter with over 22 million followers and is one of the most influential CEOs on the platform. Musk has used the platform for self-expression and is often guilty of oversharing. One example of his oversharing was the following tweet:

His tweet about taking the company private with funding secured triggered the SEC to investigate his claims. The SEC was worried that his tweets might amount to market manipulation; in fact, the stock soared by 11 percent. A week after the tweets, the SEC subpoenaed Tesla about Musk’s statements. The SEC found that neither Musk nor Tesla had lined up the necessary financing beyond preliminary talks with investors. Tesla’s board requested that Musk stay off Twitter during the investigation.

 

The SEC Deal

 

The SEC sued Musk over his statements about taking the company private, finding his claim that funding was secured to offer shareholders $420 per share misleading. The SEC and Tesla settled the lawsuit for $40 million, and the settlement required Musk to step down as chairman. This marks the first time the SEC has reacted to a social media post and online communications, and it is unlikely to be the last.

 

It is important to have the ability to improve one’s community. But it is just as important to retain the ability to reside in that community after the improvements have been made.

 

Civic Beautification Efforts

 

Imagine using local resources to empower those who reside in disinvested communities through crowdsourcing. Imagine affording local residents the ability to contribute to the restoration of their communities without gentrification. Crowdfunding can allow residents to turn creative, sustainable projects into reality. Communities seeking to do restoration projects that have no economic return could use platforms like ioby or Citizinvestor.com, crowdfunding platforms that help residents raise money for public projects. Platforms like Citizinvestor.com also allow residents to partner with the city to conduct joint projects. In communities that have had years of disinvestment, the government and community coalitions will need to create ways to restore public confidence and win investors’ trust.

 

Economic Improvement Efforts

Crowdsourcing in such a community could function by allowing the residents to contribute their nominal funds to other residents’ nominal funds to create an investment fund. Each resident, based on their contribution, would have a certain percentage of ownership in the overall venture. These funds could be used to help create local groceries with actual fresh produce, community centers or programs for the youth, employment for local residents, and beautification initiatives. Ownership could be maintained on a private or public blockchain, which is considered to be immutable, depending on the needs of the group. Immutability can help build trust amongst those looking to invest in the projects of the community.

By Brooks Lockett and Justin Evans

 

 

Two recent developments are dramatically altering the biotechnology industry. First, there have been vast increases in the amounts of chemical herbicides used on genetically modified crops, and still further increases are scheduled to occur in the next few years. Second, the World Health Organization’s International Agency for Research on Cancer (IARC) has classified glyphosate, the herbicide most widely used on GM crops, as a “probable human carcinogen” and classified several other herbicides, including 2,4-dichlorophenoxyacetic acid (2,4-D), as “possible human carcinogens.”

 

These policy changes were fueled by litigation against agribusiness giants like Monsanto following hundreds of accusations that their products are toxic. For instance, Monsanto’s top-selling weed-killer RoundUp, approved in the early 1970s, has recently faced claims by a man who testified that using the product for many years as a school groundskeeper caused him to develop terminal non-Hodgkin’s lymphoma.

 

The 46-year-old’s case is one of hundreds taken against biotech companies and their products. Despite prolific litigation, regulatory bodies have been slow to clearly define and differentiate their roles on the continuum of federal oversight. For this reason, cases like the glyphosate litigation distort public opinion of the biotechnology industry and misrepresent the incredible wave of innovation and scientific discovery it has brought to our society. Furthermore, glyphosate-based products like RoundUp, whose toxicity profiles have been widely debated, make the regulation process considerably more difficult.

What does this mean for regulation of biotech products? Industry shifts call for regulatory bodies to adapt – quickly. This article will explore what steps are being taken by federal regulatory authorities to modernize our regulatory system in alignment with the currently shifting biotechnology landscape.

 

Our current regulatory system does its job protecting the health of our society and environment. However, oftentimes there is uncertainty about agency jurisdiction, leading to a lack of predictability of timeframes for review of new and marketed products. These problems result in avoidable costs that slow economic growth and stifle innovation.

 

In an attempt to mitigate these inconsistencies, the EPA updated the coordinated framework for the regulation of biotechnology in 2017, which stated that the EPA would regulate pesticides, herbicides, and pollutants, the FDA would regulate food, medical devices, and human drugs, and the USDA would regulate any products of biotechnology that may pose a risk to agricultural health or animal health.

 

Looking back at glyphosate, there are a few questions to address concerning which federal agency will have direct oversight. Since glyphosate is an herbicide, it falls under the umbrella of the EPA – but the USDA is responsible for the testing of crops, to which herbicides are applied. In glyphosate’s case, both agencies have specific supervision over different parts of the regulatory process. Not to mention, the FDA has the authority to enforce penalties for non-compliance.

 

We can see there is a large amount of overlap between the boundaries of oversight each regulatory authority has. This requires careful coordination among health authorities to minimize the room for interpretation when it comes to approving biotech products. The goal here is to seek out regulatory strategies that protect human and environmental health without stigmatizing emerging biotechnologies and diminishing public confidence in the oversight of products. In order to do so, there needs to be more predictable practices among regulatory authorities with overlapping jurisdiction.

 

What’s the next step?

 

Agencies should establish a regulatory model that is exceedingly predictable. In essence, the agencies’ practices should be so transparent that other health authorities can accurately forecast how they will respond to certain situations.

 

This highly predictive model will illustrate a plan for frequent, formal horizon-scanning assessments of new biotech and agricultural products to ensure that agencies are prepared for future products before federal regulation is required. Regulatory authorities should be able to ensure that every product evaluation is risk-based and grounded in the best science available. With this, regulatory activities can be adjusted based on experience with specific products and the environments into which they have been introduced. Theoretically, these practices would improve agencies’ ability to assess the risks arising from future products of biotechnology. Had this been done for Monsanto’s glyphosate-based product RoundUp, the FDA, EPA, and USDA may have been able to better coordinate their responses to the World Health Organization’s 2015 announcement that glyphosate was heavily linked to cancer – and perhaps avoided the whirlwind of negative media attention it brought to the biotech sector.

 

Now that we have outlined several key issues regarding the federal regulatory efforts with respect to the biotechnology industry, what are ways to potentially improve this system and alleviate any unnecessary difficulties?

 

For a better understanding of the potential solutions to gaps in the United States’ regulatory system and how to fill them in, it is useful to draw comparisons to European regulatory practices.

 

European health authorities take an approach of austere caution when dealing with the approval and implementation of biotechnology products in their countries, whereas the United States’ approach is highly permissive. This is further supported by the two regions’ varied responses to the World Health Organization report on glyphosate. When contradictory findings on the potential risks of glyphosate use first surfaced, the European Union (EU) responded by delaying its renewal of the glyphosate license until it could conduct further scientific studies. The delay is largely a response to the disapproval of politicians, regulators, and researchers in the EU.

 

Contrastingly, agencies in the United States like the Environmental Protection Agency (EPA) have failed to evaluate the human health risks arising from glyphosate, including carcinogenicity, as well as the environmental risks. The European approach is considered the precautionary principle, whereas the United States’ approach is that of substantial equivalence. Between these two modes of regulation, there are several critical differences to acknowledge.

 

The precautionary principle aims to prohibit products that may cause severe or irreversible damage to humans, animal and plant health, as well as the environment. European health authorities have not gone as far as banning all genetically modified products but instead established guidelines that should be used to constructively scrutinize the products being introduced. Many are skeptical of the United States’ approach because it is not believed that this approach was fueled from a place of consideration for the American citizens, but rather a push from the industry to approve its products more quickly.

 

Regulation of biotechnology products should be overseen by the coordinated efforts of one agency.

 

Another way to harmonize our regulatory system is to establish a single governmental agency that is responsible for the oversight of biotechnology products like glyphosate and genetically engineered organisms. This agency would eliminate the patchwork regulation done by the current 16 agencies. That way there is less room for error and for critical information regarding regulatory decisions to fall through the cracks. Having a more centralized structure would allow for a normalized standard, which would promote more clear guidelines for product compliance initiatives.

 

The efforts of this single agency should mirror the FDA’s actions in relation to drug screening. It should dedicate its resources to reviewing newly developed products of biotechnology and request studies, similar to clinical trials to test the safety of the products over time. I believe an agency dedicated strictly to food will help relieve the burden of the FDA so that it can focus on drugs exclusively. Many of the sixteen agencies are responsible for more than food safety, which increases the burden on the entity, by having to divide their efforts between responsibilities.

Because regulations fluctuate and inspections are done at different points, it is often difficult to respond to outbreaks. Proponents could argue that with staggered visitation, the sixteen agencies visit a company more often than a centralized entity would. Starting a new agency means that the entity will be starting over, which will delay the inspection process and take years to get to the point of flowing properly. The new agency may be affected by the same growing pains as the FDA. Even the FDA has struggled with its duties recently, after Congress passed the Food Safety Modernization Act. The FDA learned very quickly that it could not take on food safety alone and would need help. It realized that it had neither the manpower nor the funding to properly train those running food facilities and inspectors. This could be a reason why a centralized entity might be the way to go. If the FDA needs to form alliances with the other 15 agencies to properly protect food safety, why not create a single entity?

 

Governmental agencies should separate their interests from those of the industry

 

This section goes without saying, but it is important to emphasize (governments should care more about people, not profits).

 

A prime example of why Americans lack trust in government agencies is the revolving door between those agencies and biotechnology and pharmaceutical companies. Governmental agencies should no longer allow life science companies to place their employees into prominent positions in the government. For example, the FDA’s substantial equivalence policy, which justifies the use of genetically engineered products without extensive testing or labeling, was created by Michael Taylor, the FDA’s Deputy Commissioner of Food at its passing. Taylor began his career as a staff attorney with the FDA, before leaving to join King & Spalding’s food and drug practice, where he represented Monsanto. Decades later, he would return to the FDA as its Deputy Commissioner for Policy and thereafter become Monsanto’s vice president for public policy.

 

To provide an example from the pharmaceutical industry: Alex Michael Azar II, like Taylor, worked for a private firm before taking a prominent position in the government as General Counsel of the United States Department of Health and Human Services during the Bush Administration. With the election of Obama, Azar left the Department of Health and Human Services to work as Eli Lilly’s top lobbyist and spokesman as its Senior Vice President of Corporate Affairs and Communications. As you may have guessed, with the election of Trump, Azar is back in government as the United States Secretary of Health and Human Services.

Taylor and Azar are just two out of hundreds of instances of this ‘revolving door’ that exists between the government and the life sciences industry. Experts say the convenient relationships don’t necessarily mean congressional staffers do favors for lobbyists they know, but the access doesn’t hurt. High-level appointees job-hopping between regulatory agencies and bioscience companies is an issue that goes much deeper than discussed, but nonetheless, it plays a factor in government regulation that leads people to believe that ‘business relationships’ are taking priority over what is best for patients.

 

To recap, federal regulatory bodies might benefit from establishing a single agency to oversee all aspects of the regulation of biotechnology – possibly resulting in better coordination of responses to situations like Monsanto, where a product that was previously thought to be non-toxic turns out to be toxic. This might help remedy the seemingly bad reputation of life science companies who are attempting to establish a culture of transparency among the government and also the general public. And above all else, putting the patient first.

 

Cease and Desist Letter Automation

———————————————————————————————————————————————————————————

Introduction:

On Friday, April 20th LegalRnD will host the “Measuring Lawyer Quality and Setting an Empirical Research Agenda for Legal Technology and Innovation” Conference from 9 am to 12 pm at the Kellogg Center in East Lansing. Students from Dan Linna Jr.’s Litigation: Data, Theory, Practice, Process Course will present on legal technology tools that have been developed to address real-world problems provided by project partners. Students were taught the Kata method to help identify potential solutions for the legal problems that they were provided.

Students were also trained in both the Think Smart and Neota Logic artificial intelligence platforms, so that these solutions could be built for the project partner. My group consisted of Erica Porter, Kaitlyn Huber and myself. We were given the following problem by Jeffrey Sharer of the Akerman Law Firm.

Industry
Law and Intellectual Property

Primary Business
Protection and enforcement of intellectual property rights. Intellectual Property involves intangible assets and creative works. It secures and enforces legal rights to inventions, designs, and artistic works.

The Challenge

Intellectual property rights are one of the most valuable assets of a corporation. In fact, it may be the most important asset the corporation possesses and therefore should be protected. In a recent survey, C-Level executives were asked whether they considered trademark infringement as something that they monitor in the company. Over 80% of these executives state that trademark infringements have become a growing issue for corporations over the past 5 years.

There are a number of ways in which a trademark infringement can damage a company’s brand, resulting in loss of sales. One of the growing concerns for C-Level executives is the negative publicity that a brand may sustain on social media. This makes the response of a corporation and its legal team time sensitive. Traditionally, it takes an in-house lawyer or outside IP counsel approximately 2 to 4 hours to assess a potentially infringing mark and draft an appropriate cease and desist letter or other correspondence to the alleged infringer. For many large organizations, this can add up to hundreds or even thousands of hours per year. One Deputy General Counsel responsible for IP at a Fortune 100 company suggested that this process could be at least partially automated to allow responses to be generated more quickly.

The Solution

Law firms like Akerman, which build smart systems, are uniquely positioned to respond to this issue. Attorney Jeffrey Sharer and Professor Dan Linna Jr. decided to have a group in Dan’s Litigation class develop a solution using Think Smart or Neota Logic to streamline the researching and drafting of a cease and desist letter. My group decided to use the Neota Logic artificial intelligence software platform to help clients determine their rights under Trademark law. The Neota Logic platform employs process management, document automation, and reasoning to build an intelligent application for addressing complex legal issues. A client using the system can draft a cease and desist letter in 15 to 20 minutes rather than the traditional 2 to 4 hours. This allows the client’s IP counsel to address other issues for the corporation, rather than spending valuable time on the cease and desist process.

How it Works: Programming Neota with Actions, Variables, Question Flows, and Decision Trees:

When determining the best app to develop for clients, we discussed developing an app that would allow the client’s IP counsel to generate an automated cease and desist PDF, but decided that our app would be of better use if it empowered anyone on the legal team to determine the company’s rights under Trademark law and drafted the cease and desist letter for them. The software functions similarly to TurboTax in that regard, where you can file taxes without having to be a CPA. With seamless integration, Neota Logic opens the web interface of the Advisor, where the user selects the appropriate template for the document type.

The Advisor starts automatically, prompting the user for a case number or other identifying information. The Advisor provides a link to the USPTO if the IP counsel needs to retrieve related data about the company’s trademark and prompts the user to fill in the remaining information required for the document type.

The Advisor generates the document using the template, merging the data obtained in the questionnaire, and from common content, and applying trademark rules as required.
The solution then routes the generated document automatically to the client’s email.

The Draft Letter:

Results and achievements of this project:

  1. With automated document templates, the time spent by the legal department on drafting cease and desist letters is reduced by more than 80%!
  2. Automated templates significantly reduce mistakes in documents.

User Input

We strived to make the best app possible, so we wanted to make sure that we were able to incorporate input from those in the field and those in general practice. We wanted to make sure that our app has the content that a trademark attorney would need to feel empowered to continue using it, but we also wanted Akerman to be able to provide it to in-house counsel who does not work on trademarks as often. Jordan Galvin was incredible, as she was willing to go through our app and provide comments to help us make our app amazing. By incorporating user input, we were able to draft the questions so that all audiences could follow through and submit information for the letter. Martin Childs, a 2L working for a Chicago firm, stated that he wished he had taken this class because he felt that developing these tools directly address clients’ pain points. Professor Bean said he was impressed with our app and felt that it was very useful. Professor Carter Johnson, who worked in IP at a firm and now teaches IP at MSU, stated that our app was very interesting and a great start to an awesome idea.

What We Learned:
In creating this automated artificial intelligence software platform, we learned that you cannot simply throw technology at an issue. We opened the course by learning to implement the Kata method, which forced us not to jump to a conclusion but rather to employ the scientific method. We were forced to test our theories to determine if they were accurate. We employed process improvement and process mapping to eliminate waste, by using the data-driven approach to develop our system.

This innovative system was created through teamwork with my classmates and with our project partner, Jeffrey Sharer. We learned that in this era of Artificial Intelligence, the legal field could be significantly improved through the automation of data, leading to more efficient service delivery and improved client satisfaction.

Below is an abstract/summary of my paper with the Journal of Business, Entrepreneurship and the Law at Pepperdine Law School.

Motivated by the recent explosion of interest in artificial intelligence (AI), I examined whether it makes sense to implement AI in smart contracts to make them more effective. The current state of smart contracts leaves one to wonder if these are true contracts at all. Traditional contracts have an offer and an acceptance, highlighting the fact that smart contracts are mere code incapable of satisfying the required elements of a legal contract. Could smarter contracts, assisted by AI, satisfy the elements of a contract by offering a web-based platform that allows parties to make offers and accept them, copying them into a smarter contract? Could the use of AI in contracting reduce risk by comparing the current smarter contract with existing smarter contracts on the blockchain? Could AI help retain business relationships by allowing user inputs that track performance and fluctuations and extend the time for performance?

These analyses will be the focus of this paper. Part I examines the issues with the current state of contracting and will elucidate potential sectors of the legal industry where the implementation of smart contracts would be of best use for attorneys and our clients. Part II examines the implementation of smart contracts, and how it would help attorneys add value to clients by making attorneys work more effectively and efficiently. Part III of this paper will also explain why the use of smart contracts should be augmented with artificial intelligence (AI) to assist with the validity of the contracts. Part IV of this paper will examine the creation of a new type of lawyer that technologists and corporate clients will need to assist with the understanding of the risk associated with the technology and the laws that govern them. Finally, in Part V this paper will examine potential client areas that could benefit from the use of smart contracts to save money and move more efficiently.

 

On March 30th, Houman B. Shadab, a founder of the Accord Project and professor of law at New York Law School, will lead a workshop at the University of Michigan Law School about blockchains, smart contracts, and the Accord Project. Professor Shadab is a prolific and influential expert at the intersection of law, business, and technology. His research focuses on financial technology, smart contracts, hedge funds, derivatives, commercial transactions, and blockchains. The workshop is a supplement to the “Legal Technology & Innovation” course taught at Michigan Law School by Professor Dan Linna. Students and members of the public may attend if they RSVP through the Detroit Legal Innovation Meetup.

Blockchain has recently emerged as a disruptive technology that may revolutionize the way that attorneys will advise their clients. Applications for blockchain are currently being developed for key industries including finance, insurance, energy, healthcare and legal. A blockchain is a decentralized, trustless and continuously growing ledger that records and keeps track of every transaction across a peer-to-peer network of participants.

Recently, PwC made the news not only for launching a law firm in Washington D.C., but also for the release of its blockchain platform. The platform will help with managing business disputes and auditing current implementations of blockchain applications by corporations like Walmart, which is introducing a blockchain application for improving food tracking. Blockchain appeals to corporate clients because the technology promises to provide security by design. Blockchain security comes from leveraging cryptographic protocols and distributed consensus algorithms, which provide anonymity, auditability and transaction immutability.
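To show what “auditability and transaction immutability” mean mechanically, here is an added example of an append-only hash-chained ledger. It is not code from the page or from PwC’s platform, and the food-tracking chain-of-custody events in it are constructed. Each block commits to the previous block’s hash, so editing any recorded transaction breaks every later link, and an auditor who holds the most recently published hash can detect even a rewrite of the newest block. Consensus among peers, which is what stops a single operator from quietly rebuilding the whole chain, is not modelled here.

```python
"""Append-only hash-chained ledger with tamper detection.

Added example, not the page's code. A single node's chain is shown; peer
consensus is out of scope. Sample transactions are constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from typing import Any


def canonical(data: dict[str, Any]) -> bytes:
    """Deterministic serialisation: the same content always hashes the same way."""
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


GENESIS_HASH = "0" * 64   # the "previous hash" the very first block points at


@dataclass
class Block:
    index: int
    prev_hash: str                        # commitment to the preceding block
    transactions: list[dict[str, Any]]    # what this block records

    def digest(self) -> str:
        header = {"index": self.index, "prev_hash": self.prev_hash, "transactions": self.transactions}
        return hashlib.sha256(canonical(header)).hexdigest()


class Ledger:
    def __init__(self) -> None:
        self.blocks: list[Block] = []

    def append(self, transactions: list[dict[str, Any]]) -> str:
        """Seal a new block onto the chain and return its hash (the new tip)."""
        prev = self.blocks[-1].digest() if self.blocks else GENESIS_HASH
        block = Block(len(self.blocks), prev, [dict(t) for t in transactions])
        self.blocks.append(block)
        return block.digest()

    def verify(self, known_tip: str | None = None) -> tuple[bool, int | None]:
        """Recompute every link. Returns (ok, index of the first block where the audit fails).

        known_tip is the last hash the auditor recorded elsewhere; without it, a rewrite
        of the newest block cannot be detected because no later block commits to it.
        """
        expected_prev = GENESIS_HASH
        for b in self.blocks:
            if b.prev_hash != expected_prev:
                return False, b.index
            expected_prev = b.digest()
        if known_tip is not None and expected_prev != known_tip:
            return False, (len(self.blocks) - 1) if self.blocks else None
        return True, None


def build_sample_ledger() -> tuple[Ledger, str]:
    """Constructed chain of custody for one produce lot (not real data)."""
    ledger = Ledger()
    ledger.append([{"lot": "LOT-0001", "event": "harvested", "by": "farm-a"}])
    ledger.append([{"lot": "LOT-0001", "event": "shipped", "by": "carrier-b"}])
    tip = ledger.append([{"lot": "LOT-0001", "event": "received", "by": "store-c"}])
    return ledger, tip


def tamper_demo() -> tuple[bool, bool, int | None]:
    """Rewrite a recorded event after the fact and show the audit catching it."""
    ledger, tip = build_sample_ledger()
    ok_before, _ = ledger.verify(tip)
    ledger.blocks[1].transactions[0]["by"] = "carrier-z"   # history rewritten in block 1
    ok_after, bad_index = ledger.verify(tip)                # link into block 2 no longer matches
    return ok_before, ok_after, bad_index


if __name__ == "__main__":
    print("audit before/after tamper, first failing block:", tamper_demo())
```

The `verify` method’s `known_tip` argument is the practical point for auditors: a hash chain alone proves that the blocks are consistent with each other, not that they are the blocks originally written, so the current tip must be recorded somewhere the ledger operator cannot rewrite (on other peers, or in a separately kept audit log).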

These same characteristics have also made blockchain appealing to lawyers and corporate clients for its potential use in “smart contracts”. The term “smart contracts” was originally coined by Nick Szabo, a cryptographer, who first saw the potential of automating contracts on blockchains. Szabo described contracts as a set of promises agreed to by a meeting of the minds, precisely as taught in my first-year contracts class by Professor Barnhizer. Szabo envisioned an automated contract that could be triggered by performance of either party to the agreement. The parties are not required to have a prior business relationship, and this structure allows for automated remedies if either side does not perform according to the terms of the agreement.

The original contract would be translated into code by blockchain-trained attorneys representing either side. The code would contain a series of if-then statements that carry out the completion of the contract once a condition is met. In summary, the term “smart contracts” refers to computer transaction protocols that execute the terms of a contract automatically based on a set of conditions. The use of smart contracts by corporate clients raises a number of legal issues that will require advising by future and current attorneys.

The Accord Project is a working group, made up of lawyers and organizations, that is focused on developing best practices and legal standards for smart contracts. The Accord Project is led by the internet of things-enabled contract startup Clause, which was co-founded by Mr. Shadab. Mr. Shadab believes that having the Accord Project set standards for smart contracts will increase the chances that smart contracts are implemented properly.

 

Come learn about blockchain and smart contracts with us.


All Students and Practitioners are Welcome! Please RSVP via the Detroit Legal Innovation Meetup.

 

Location:
University of Michigan Law School
Hutchins Hall Room 116

March 30th’s Agenda:
9-9:05 – Introductions
9:05-9:15 – Introduction to Clause and the Accord Project
9:15-10:00 – Introduction to Blockchain & Bitcoin
10:00-10:30 – Interactive Exercise
10:30-11:00 – Introduction to Smart Contracts
11:00-12:30 – Smart legal contracts workshop
12:30-1pm – Roundtable discussion and wrap up
1pm – Closing and Networking


Yesterday I attended the joint Process Improvement workshop for Lean Lawyering, which was hosted by several Florida public-interest lawyers and LegalRnD at the State Bar of Michigan. Here’s a link to the workshop’s website:

There were about 40 participants at the meeting, and I had the opportunity to meet and share ideas with practicing practitioners from law firms, legal aid entities, courts, and corporations from around Michigan.

The conference was very thoughtfully organized and included experiences from the implementation of process improvement techniques by Amy Burns, Deputy Director of Florida Rural Legal Services; Ilenia Sanchez-Bryson, Chief Information Officer at Legal Services of Greater Miami; Kristen Lentz, Managing Attorney for Disability Rights Florida; and Melissa Moss, Principal/owner of CatalystZone, LLC. Though I’ve attended a number of lean thinking and process improvement conferences, this was the first time that I’ve heard from actual attorneys who’ve implemented the process.


Discussion topics at the conference all centered around implementation of lean thinking (Toyota Way) for Law to improve efficiency and quality of services rendered. After learning of the speakers’ experiences incorporating process improvement into differing aspects of their practice and operations, attendees were given the opportunity to learn by doing.

To teach process improvement through the use of a real-world example, attendees were broken into small groups to help streamline a legal aid’s walk-in service. The current conditions, as pictured, of the legal aid’s walk-in service result in an average of 58.2 minutes for clients to be serviced. Groups were asked to map the process, pictured to the right. The groups were asked to implement process improvement techniques to decrease the average time of service to 30 minutes. My group started off by mapping the current process and identifying areas for potential improvement. We next asked ourselves why the system took 58.2 minutes for clients to be serviced. Once we determined that it was a result of the process, we next asked ourselves why again. Once we were five levels deep into the why process, we finally had our answer!


The following post was drafted as an assignment between Danielle Chirdon, Anita Western, and me.

Executive summary: In order to conduct a proper assessment of the risks and liabilities in a merger or acquisition deal, the due diligence process must also include an assessment of the target corporation’s cybersecurity. An acquiring company must evaluate the strength of a target company’s cybersecurity processes and controls. In light of the increasing significance of cybersecurity threats, in February 2018 the SEC issued further guidance to its 2011 Guidelines on disclosure obligations relating to cybersecurity risks and cyber incidents. Companies operating in the European Union will also need to adhere to the new General Data Protection Regulation. The regulation requires that certain data be forgotten, that a data protection officer be designated, and that data breaches be reported within seventy-two hours.


Cybersecurity in M&A

Cybersecurity is one of the most overlooked issues in most M&A transactions.[1] An estimated “78% of global respondents believe cybersecurity is not analyzed in great depth or specifically quantified as part of the M&A due diligence process.”[2] Cybersecurity risk should be assessed by a corporation before it enters into a merger agreement with another company.[3] The acquirer needs to know the risk it is taking when taking over a target company.[4]

In 2017, Verizon, learning from the cyber-failures of TripAdvisor and Neiman Marcus, made cybersecurity a central part of its due diligence study.[5] During its due diligence review of Yahoo, Verizon found that the web company had suffered a large security breach.[6] This discovery allowed Verizon to discount its cost for Yahoo and develop a strategy for the potential risk.[7] It was later determined that several of Yahoo’s executives had known about the breach, but had failed to comprehend or investigate it properly.[8] Courts have found that an acquirer’s board of directors would be in breach of its fiduciary duty of care if it did not conduct a due diligence study on the target company before merging with or acquiring it, or did not conduct an adequate due diligence study.[9]


What is Cybersecurity?

Cybersecurity is a set of principles and practices designed to safeguard your information systems and networks, company data, email messages, and the information that is typically processed, communicated, and stored on those information systems.[10] The goal of cybersecurity is to protect against a wide range of threats. Doing so ensures business continuity, minimizes risk, and maximizes business opportunities and returns for shareholders.[11]

A corporation implements cybersecurity protocols to protect its data. A corporation holds data such as the personally identifiable information of its employees, customers, and other individuals; corporate financial information; trade secrets; intellectual property; and other sensitive and confidential information.[12] Hackers can access a company’s information through three primary methods: physical and environmental threats, technical threats, and people threats.[13] Physical and environmental threats involve the theft, damage, and destruction of the physical elements comprising the information system, such as servers and laptops.[14] Technical threats are threats that are carried out through the use of computer code or other automated mechanisms.[15] People threats are those that come from individuals within the company, competing companies, or even foreign government entities.[16]


Cybersecurity Due Diligence

In 2016, cybercrime cost corporations on average between $375 billion and $575 billion.[17] It has been projected that by 2019, cybercrime will cost corporations over two trillion dollars.[18] An example of a change in public reception would be the newfound perception of Target and Equifax.[19] When acquiring a company, the target’s cybersecurity status and program are vital to an acquirer because a company with a poor cybersecurity program will require a large amount of resources to bring it into legal compliance.[20] An acquirer assumes the risk of the target company, and if it is found that the target company suffered numerous cyber incidents and is sued, the acquirer may be on the hook.[21]

How can an acquiring corporation ensure that it is not one keystroke away from a major data breach or another cyberattack? Assessing a target’s cybersecurity risk requires an additional assessment added to the traditional due diligence process.[22] An acquirer must identify actual or potential cyber threats.[23] When conducting a cybersecurity assessment, an acquirer should begin by identifying and evaluating a company’s “high value digital assets.”[24] Hackers are targeting corporations’ intangible assets; for example, trade secrets, engineering designs, customer lists, personal identifying information, confidential bids on government programs, etc.[25] A key component of due diligence is to evaluate the data security plan of the company to determine if there are potential risks and, if so, to develop a plan to address them.[26]

The acquiring company should investigate whether the target company has both processes and controls in place to address cyber incidents that may arise.[27] A data security process involves identifying, understanding, and monitoring critical information assets such as personally identifiable information and IT systems.[28] A target company should be conducting cybersecurity risk assessments of its data security processes before the acquisition. Risk assessments are done by identifying vulnerabilities and threats that are aimed at the critical information and the potential impact if these threats were to occur. Documentation of risk assessments is often requested by acquirers when conducting due diligence on the target company.

An acquirer should also request information on the security controls put in place by the target company. When investigating data security controls, an acquirer is seeking the policies, processes, procedures, hardware, software, and teams put in place to help deter, monitor, and respond to threats that are aimed at the critical information of the company.[29] Security controls are of three types: preventive, detective, and reactive.[30] Preventive security controls are designed to defend against threats and prevent the occurrence of events that compromise security.[31] Detective security controls are designed to identify threats that have occurred, such as security breaches.[32] Reactive security controls are designed to stop or contain threats, to determine the parties that are involved, and to recover information that has been damaged or lost.[33]

“Companies with poor security programs may be perilously close to a security breach that can have a major impact on its revenue and profitability.”[34] Conversely, target companies with robust cybersecurity programs may offer enhanced value to the acquirer, and give the acquirer more confidence in the value of the acquisition.[35] During cyber due diligence, anything learned by the acquirer can be used to renegotiate the terms of the deal or to alter the plan for integrating the target into the acquirer’s company.[36] If the breach is found to be irreparable, it may lead to a termination of the merger or acquisition.[37]


Cybersecurity Disclosure Requirements According to the U.S. Securities & Exchange Commission

A cybersecurity due diligence analysis for a publicly traded company should also include the disclosure statements registered with the U.S. Securities and Exchange Commission (SEC). The Securities Exchange Act of 1934 requires periodic reporting “as necessary or appropriate for the proper protection of investors and to insure fair dealing in the security.”[38] Regulation S-K’s requirement that public companies provide “a discussion of the most significant factors that make the offering speculative or risky” is particularly relevant to cybersecurity threats.[39] In 2011, the Division of Corporate Finance issued guidelines for disclosure obligations of cybersecurity risks.[40] These guidelines are “neither a rule, regulation, nor a statement of the SEC.”[41] In light of the heightening awareness of cybersecurity risk, on February 21, 2018, the SEC announced that the Commission had voted to approve a statement and interpretive guidance to assist public companies in preparing disclosures of cybersecurity risks and incidents.[42] The statement emphasized the importance of “establishing and maintaining appropriate and effective disclosure controls and procedures,” as well as “the obligation to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents” and how this applies to insider trading.[43]

Despite encouraging risk disclosure, the guidelines “indicate[] that materiality of the risk should be an overarching consideration affecting disclosure.”[44] The guidelines and statement discourage generic disclosure[45] or “providing a roadmap for those who seek to penetrate a company’s security protections.”[46] The new statement should have a stronger impact on disclosure of cybersecurity risks than the initial guidelines. In the Winter 2017-2018 edition of the ABA Business Law Section’s publication, the authors examined the impact of the guidelines on 10-K disclosures and found evidence that a relatively small portion of firms chose to modify their risk factor disclosures.[47] Also, those who did make disclosures experienced negative effects on their stock prices, rather than the market viewing disclosure as a positive signal of management attentiveness.[48] Currently, firms face an uncomfortable trade-off: they need to disclose risks so that buyers of their securities are informed, yet disclosing a vulnerability may invite an attack.


Cybersecurity and the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation intended to standardize a set of expectations for how an organization must manage and protect PII for employees, clients, and other applicable data subjects.[49] The GDPR applies to any organization that holds data belonging to EU citizens or processes the data of subjects within the EU, regardless of where the organization is domiciled.[50] The GDPR represents a significant overhaul of Europe’s current data protection law. It will replace local data protection laws and standardize protection rights throughout the EU.[51] GDPR compliance becomes mandatory on May 28, 2018.[52]

The regulation increases the rights that individuals have over their data.[53] The right to data portability is one of the most significant examples of the new rights granted to individuals.[54] The GDPR gives an individual the right to transport their data from one organization to the next, leaving no data with the prior organization.[55] In order for an individual to transport their data, personal data must be provided to the individual in a structured, commonly used, and machine-readable format.[56] The GDPR also stipulates that, when technically feasible, organizations should facilitate the electronic transfer of personal data from one organization to another if the individual makes that request.[57]

The GDPR also grants new rights to data subjects, such as the ‘right to be forgotten.’[58] Personal data must be erased “without undue delay” when: (1) retention is not required, (2) the data is no longer needed, or (3) consent is withdrawn.[59] Individuals can ask an organization to delete their data.[60] Organizations that do not yet have a process for accommodating such requests will have to put processes in place to conform to the GDPR.[61] The GDPR also requires personal data breaches (accidental or unlawful access) to be reported to the supervisory authority within seventy-two hours of becoming aware of the breach.[62]

Lastly, the GDPR requires organizations to appoint a data protection officer (DPO). Organizations will have to designate a DPO if their core activities, as either a data controller or a data processor, involve “regular and systematic monitoring of data subjects on a large scale.”[63] For firms that already have a ‘chief privacy officer’ (CPO), transitioning that person to a DPO satisfies the GDPR. If there is no CPO or similar position in the organization, then a DPO role will need to be created.[64]

If an organization makes the mistake of not complying with the GDPR, hefty fines for non-compliance will ensue.[65] An egregious violation of the GDPR, such as poor data security leading to public exposure of sensitive personal information, could result in a fine in the millions or even billions of dollars.[66] One of the largest effects on M&A will be these enhanced penalties. When organizations commit a serious breach of the GDPR, they will face potential fines of up to 20 million euros or 4% of worldwide profit.[67]


Citations can be provided.