The following post was drafted as an assignment between Danielle Chirdon, Anita Western, and me.

Executive summary: In order to conduct a proper assessment of the risks and liabilities in a merger or acquisition deal, the due diligence process must also include an assessment of the target corporation’s cybersecurity. An acquiring company must evaluate the strength of a target company’s cybersecurity processes and controls. In light of the increasing significance of cybersecurity threats, in February 2018 the SEC issued further guidance to its 2011 Guidelines on disclosure obligations relating to cybersecurity risks and cyber incidents. Companies operating in the European Union will also need to adhere to the new General Data Protection Regulation. The regulation requires that certain data be forgotten, that a data protection officer be designated, and that data breaches be reported within seventy-two hours.

 

Cybersecurity in M&A

Cybersecurity is one of the most overlooked issues in most M&A transactions.[1] An estimated “78% of global respondents believe cybersecurity is not analyzed in great depth or specifically quantified as part of the M&A due diligence process.”[2] Cybersecurity risk should be assessed by a corporation before it enters into a merger agreement with another company.[3] The acquirer needs to know the risk it is taking when taking over a target company.[4]

In 2017, Verizon, learning from the cyber-failures of TripAdvisor and Neiman Marcus, made cybersecurity a central part of its due diligence study.[5] During its due diligence review of Yahoo, Verizon found that the web company had suffered a large security breach.[6] This discovery allowed Verizon to discount its cost for Yahoo and develop a strategy for the potential risk.[7] It was later determined that several of Yahoo’s executives had known about the breach, but failed to comprehend or investigate the breaches properly.[8] Courts have found that an acquirer’s board of directors would be in breach of its fiduciary duty of care if it did not conduct a due diligence study on the target company before it merged or acquired it, or did not conduct an adequate due diligence study.[9]

 

What is Cybersecurity

Cyber Security is a set of principles and practices designed to safeguard your information systems and networks, company data, email messages, and information that are typically processed, communicated, and stored on the information systems.[10] The goal of cybersecurity is to protect against a wide range of threats. Doing so ensures business continuity, minimizes risk and maximizes business opportunities and returns for shareholders.[11]

A corporation implements cybersecurity protocols to protect its data. A corporation holds data such as the personally identifiable information of its employees, customers, and other individuals; corporate financial information; trade secrets; intellectual property; and other sensitive and confidential information.[12] Hackers can access a company’s information through three primary methods: physical and environmental threats, technical threats, and people threats.[13] Physical and environmental threats involve the theft, damage, and destruction of the physical elements comprising the information system such as servers and laptops.[14] Technical threats are threats that are carried out through the use of computer code or other automated mechanisms.[15] People threats are those that come from individuals within the company, competing companies, or even foreign government entities.[16]

 

Cybersecurity Due Diligence

In 2016, cybercrime cost corporations on average between $375 billion and $575 billion.[17] It has been projected that by 2019, cybercrime will cost corporations over two trillion dollars.[18] An example of a change in public reception would be the newfound perception of Target and Equifax.[19] When acquiring a company, the target’s cybersecurity status and program are vital to an acquirer because a company with a poor cybersecurity program will require a large number of resources to bring it into legal compliance.[20] An acquirer assumes the risk of the target company, and if it is found that the target company suffered numerous cyber instances and is sued, the acquirer may be on the hook.[21]

How can an acquiring corporation ensure that it is not one keystroke away from a major data breach or another cyber attack? Assessing a target’s cybersecurity risk requires an additional assessment in the traditional due diligence process.[22] An acquirer must identify actual or potential cyber threats.[23] When conducting a cybersecurity assessment, an acquirer should begin by identifying and evaluating a company’s “high value digital assets.”[24] Hackers are targeting corporations’ intangible assets; for example, trade secrets, engineering designs, customer lists, personal identifying information, confidential bids on government programs, etc.[25] A key component of due diligence is to evaluate the data security plan of the company to determine if there are potential risks, and if so, develop a plan to address them.[26]

The acquiring company should investigate whether the target company has both processes and controls in place to address cyber-instances that may arise.[27] A data security process involves identifying, understanding, and monitoring critical information assets such as personally identifiable information and IT systems.[28] A target company should be conducting cybersecurity risk assessments of its data security processes before the acquisition. Risk assessments are done by identifying vulnerabilities and threats that are aimed at the critical information and the potential impact if these threats were to occur. Documentation of risk assessments is often requested by acquirers when conducting due diligence on the target company.

An acquirer should also request information on the security controls put in place by the target company. When investigating data security controls, an acquirer is seeking policies, processes, procedures, hardware, software, and teams put in place to help deter, monitor, and respond to threats that are aimed at the critical information of the company.[29] Security controls are made up of three types: preventive, detective, and reactive.[30] Preventive security controls are designed to defend against threats and prevent the occurrence of events that compromise security.[31] Detective security controls are designed to identify threats that have occurred such as security breaches.[32] Reactive security controls are designed to stop or contain threats, to determine the parties that are involved, and to recover information that has been damaged or lost.[33]

“Companies with poor security programs may be perilously close to a security breach that can have a major impact on its revenue and profitability.”[34] “Conversely, target companies with robust cybersecurity programs may offer enhanced value to the acquirer, and give the acquirer more confidence in the value of the acquisition.”[35] During cyber due diligence, anything learned by the acquirer can be used to renegotiate the terms of the deal or alter the plan for integrating the target into the acquirer’s company.[36] If the breach is found to be irreparable, it may lead to a termination of the merger or acquisition.[37]

 

Cyber Security Disclosure Requirements according to U.S. Securities & Exchange Commission

A cybersecurity due diligence analysis for a publicly traded company should also include disclosure statements registered with the U.S. Securities and Exchange Commission (SEC). The Securities Exchange Act of 1934 requires periodic reporting “as necessary or appropriate for the proper protection of investors and to insure fair dealing in the security.”[38] Regulation S-K’s requirement that public companies provide “a discussion of the most significant factors that make the offering speculative or risky” is particularly relevant to cybersecurity threats.[39] In 2011, the Division of Corporate Finance issued guidelines for disclosure obligations of cybersecurity risks.[40] These guidelines are “neither a rule, regulation, nor a statement of the SEC.”[41] In light of the heightening awareness of cyber security risk, on February 21, 2018, the SEC announced that the Commission had voted to approve a statement and interpretive guidance to assist public companies in preparing disclosures of cybersecurity risks and incidents.[42] The statement emphasized the importance of “establishing and maintaining appropriate and effective disclosure controls and procedures,” as well as “the obligation to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents” and how this applies to insider trading.[43]

Despite encouraging risk disclosure, the guidelines “indicate[] that materiality of the risk should be an overarching consideration affecting disclosure.”[44] The guidelines and statement discourage generic disclosure[45] or “providing a roadmap for those who seek to penetrate a company’s security protections.”[46] The new statement should have a stronger impact on disclosure of cybersecurity risks than the initial guidelines. In the Winter 2017-2018 edition of the Business law section of the ABA, the authors examined the impact of the guidelines on 10-K disclosures and found evidence that a relatively small portion of firms chose to modify their risk factor disclosures.[47] Also, those who did make disclosures experienced negative effects on their stock prices, rather than the disclosure being viewed as a positive signal of management attentiveness.[48] Currently, firms face an uncomfortable choice between disclosing risks so that those buying securities are informed and the fact that disclosing a vulnerability may encourage an attack.

 

Cybersecurity and the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation, intended to standardize a set of expectations for how an organization must manage and protect PII for employees, clients and other applicable data subjects.[49] The GDPR applies to any organization that holds data that belongs to EU citizens or processes data of subjects within the EU, regardless of the organization’s domicile.[50] The GDPR represents a significant overhaul of Europe’s current data protection law. It will replace local data protection laws and standardize protection rights throughout the EU.[51] GDPR compliance goes into effect May 28, 2018.[52]

The regulation increases the rights that individuals have to their data.[53] The right to data portability is one of the most significant examples of the new rights granted to individuals.[54] The GDPR allows an individual to have the right to transport their data from one organization to the next, leaving no data with the prior organization.[55] In order for an individual to transport their data, personal data must be provided to the individual in a structured, commonly used and machine-readable format.[56] The GDPR also stipulates that when technically feasible, organizations should facilitate the electronic transfer of personal data from one to another, if the individual makes that request.[57]

The GDPR also allows new rights for data subjects, such as the ‘right to be forgotten.’[58] Personal data must be erased “without undue delay” when: (1) retention is not required, (2) data is no longer needed, (3) consent is withdrawn.[59] Individuals can ask their organization to delete their data.[60] Organizations that do not yet have a process for accommodating such requests will have to put processes in place to conform to the GDPR.[61] The GDPR also requires personal data breaches, accidental or unlawful access, to be reported to the supervisory authority within seventy-two hours of becoming aware of the data breach.[62]

Lastly, the GDPR requires organizations to appoint a data protection officer (DPO). Organizations will have to designate a DPO if their core activities, as either a data controller or data processor, involve “regular and systematic monitoring of data subjects on a large scale.”[63] For firms who already have a ‘chief privacy officer’ (CPO), transitioning that person to a DPO satisfies the GDPR. If there is no CPO or similar position in the organization, then a DPO role will need to be created.[64]

If an organization makes the mistake of not complying with the GDPR, then hefty fines for non-compliance will ensue.[65] An egregious violation of GDPR, such as poor data security leading to public exposure of sensitive personal information, could result in a fine in the millions or even billions of dollars.[66] One of the largest effects on M&A will be these enhanced penalties. When organizations commit a serious breach of the GDPR, they will face potential fines of up to $20 million in Euros or 4% of the worldwide profit.[67]

 

Citations can be provided.

Introduction:

For the past few years, business outlets have published numerous stories about failed mergers of gigantic corporations due to failed due diligence studies. In fact, Hewlett-Packard’s deal with Autonomy was one of those highly reported stories of a large corporation losing billions due to an oversight in its due diligence review.[1] In 2011, Hewlett Packard acquired Autonomy for 11.1 billion, a 64% premium over the company’s 1 billion in yearly revenue. What went wrong with this deal?[2] In its review of Autonomy, Hewlett Packard was unable to detect that the CFO and CEO of Autonomy had been cooking the company’s books, reporting profits that it had not made. For ten months before its acquisition, Autonomy reported revenues that were within 4 percent of analyst expectations.[3] How did Hewlett Packard miss this?
The answer lies in the gigabytes of data that Autonomy handed over to Hewlett Packard. Hewlett Packard’s attorneys had to wade through thousands of documents when conducting their due diligence study, and it is often difficult to catch every potential risk in the target company.[4] Artificial intelligence can change that and save a company from purchasing companies that have cooked their books or been hacked.[5] Artificial intelligence will make it possible to take a global look at a company and highlight inconsistencies in the documents provided to the SEC, internally, and to the acquiring company.[6]

The Due Diligence Process

The primary goal of mergers and acquisitions due diligence is to identify potential risk in the transactions.[7] The acquiring company wants full disclosure from the target company (target) to reduce its potential risk from acquiring the target while understanding the business that it is taking over.[8] As seen in Omnicare, where it refused to acquire NCS without conducting due diligence, due diligence also guides the transaction.[9] Due diligence begins when both parties sign a confidentiality agreement, and the target begins to gather relevant documents for the merger.[10] Gathering the appropriate documents can prove difficult because the documents and forms may be scattered across multiple locations or formats, which could result in important information being overlooked or lost.[11]
Next, the acquiring company sends the target a checklist of the types of documents, forms, and information that it would like uploaded to a virtual data room for review.[12] Virtual data rooms offer both parties a secure online location to store and review these confidential documents.[13] Before providing the acquiring company with the required documents, the target sends the forms to outside counsel for review.[14] Outside counsel is responsible for managing and protecting the sensitive information of the target.[15] Once the information has been cleared by the outside counsel, it is then provided to the acquiring company for due diligence review.

Due Diligence in The Stone Age

Currently, attorneys conducting due diligence studies have to review hundreds or thousands of documents provided by the target company to their clients. In fact, attorneys representing a typical company worth 400 million euros in an M&A agreement have to comb through 75 to 500 contracts during their due diligence contract review.[16] However, these companies do not have just 500 contracts but rather 5,000 to 10,000 contracts on file.[17] This means that the M&A attorneys for the acquiring company only review around 5% of the total contracts that are on file.[18] Why are they only reviewing 5%? The attorneys for the acquiring company are unable to review all of the company’s documents because the traditional due diligence process is time-consuming and expensive.[19] If attorneys took a strategic approach and increased the percentage of documents that are being reviewed, it would consume 30 to 60% of the legal fees that the company was paying.[20] Due diligence review is generally done by a team of associates, which can cost $1,200 or more a document.[21]
During the due diligence process, attorneys review documents provided by the target to identify and allocate significant risks and determine the subsequent steps in the merger.[22] Attorneys have two categories of potential risk. The first category of risk includes pre-existing business, financial or liability.[23] The second category of potential risk flows from potential anti-assignment, change of control, or confidentiality provisions the target has entered into.[24] This stage of the process is critical for the due diligence process because any oversight at this stage could result in the acquiring company purchasing a liability.[25] It is often only after the merger that acquiring companies can find missed exclusivity, nonstandard indemnification clauses, and other unexpected obligations.

What is Artificial Intelligence?

Artificial intelligence is a branch of computer science that deals with the simulation of human intelligence processes by machines.[26] This process includes acquiring information and rules for using the information, using the rules to reach approximate or definite conclusions, and self-correction.[27] The main idea of AI is the ability of computers to do mundane and repetitive tasks that humans do. AI will not replace lawyers but will rather become a tool that we use to improve our efficiency.[28] In-house legal departments are beginning to ask outside counsel to do work in less time and are not willing to pay for work they deem low value-added services.[29] Corporate clients are now using AI tools in other places in the business, see their added value, and are looking at law firms wondering why many of these tools are not being adopted.[30]

Artificial Intelligence to Save the Day

M&A attorneys are in need of tools that will reduce the burden of the due diligence process, and help alleviate potential liabilities.[31] Attorneys representing the target are also in need of AI tools, in that they are tasked with providing all relevant documents to the acquiring company.[32] The target is held in violation of the agreement for any relevant document that is excluded from the virtual room. In deals where there are large numbers of documents, AI tools can conduct full reviews, rather than 5%, which avoids having to analyze only a sample.[33] Attorneys representing the target company can use trained AI tools to recognize relevant documents that are standard for M&A agreements.[34] The AI tool is trained by providing it with examples of several similar provisions found in M&A agreements.[35] Some common examples that can be used in the education of the tool include confidentiality, non-competition, infringement, indemnification, controlling governance, dispute resolution and change-of-control provisions.[36] AI tools can review near-identical documents and determine the differences between the documents.[37]
The education of the AI tool will be continual, as the language used from company to company often varies depending on the user.[38] Using AI tools without the proper education runs the risk that the system will overlook documents or provisions or misinterpret ambiguous terms.[39] The AI tool will require training from a user to help identify and define uncommon and ambiguous terms. The AI system can then be tested for its ability to recognize and define these uncommon and ambiguous terms by granting it access to numerous examples, such as contracts and documents, to test its accuracy.[40]
The implementation of AI will allow for identifying, classifying, organizing, prioritizing and highlighting documents, and determining which documents need to be provided by the target company.[41] The current process results in the attorneys providing more documents than needed, making the job of the acquiring attorneys more rigorous when done manually.[42]
When the acquiring company is given access to the target company’s documents, it has the overwhelming task of organizing and reviewing the content provided.[43] AI tools can be used to automate the highlighting and cataloging of the relevant provisions of each document. While the system is highlighting and prioritizing documents, it can give weight to the more problematic sections for manual review. Using AI tools will help the attorneys working for the acquiring company work with higher efficiency and speed and at lower cost when compared to the traditional method.[44]

Kira Systems

During M&A due diligence, attorneys are provided with and must review hundreds or thousands of documents that have not been organized and have been stored in any number of file formats.[45] Organizing and converting all of the documents is only the first step in a long process.[46] However, AI tools like Kira Systems can help curb the time spent on this process. Kira Systems is machine learning software (an AI tool) that can identify, extract, and analyze the text in contracts, emails, etc.[47] In 2015, Kira was used in over 100 billion dollars worth of M&A transactions.[48]
Though many attorneys believe that manual review is the golden method, Kira has proven otherwise in a head to head comparison.[49] When Kira and attorneys were given the same documents and provisions for contract review analysis, the manual review was shown to be just as accurate as the AI but took significantly longer.[50] Kira offers attorneys the opportunity to conduct a more comprehensive review, by analyzing more documents in less time for less money. In fact, attorneys have reported a savings of 20 to 60% of their time in reviewing contracts.[51]
Kira allows a target company to analyze its own documents to help determine its own risks and ultimately its value to improve its negotiating position.[52] By having a global understanding of its company, it can negotiate from a more knowledgeable position.[53]

Mergers are often expensive and time consuming for both sides because of the way in which the target company stores its information. Target companies are not usually deal ready. Target companies are often reactionist to potential deals, and are then put in a position that requires them to gather emails, contracts, etc. rather quickly for the deal. Kira Systems can save both the target company and acquiring company time and money by allowing for document management before a potential merger is in the air.[54] Conducting manual review would take away from the core business.[55] AI systems like Kira or VDR would allow the target company to upload all documentation and data to a centralized repository.[56] This would enable smoother and easier tracking with internal parties and confidential sharing with outside counsel. Kira also allows for notification of upcoming renewal and expiration dates that exist in the contract portfolio, which allows the target and acquiring company to have a better understanding of their obligations.

Conclusion

During due diligence for M&A, most of the attorney fees are generated from having to spend expensive hours reviewing documents for their clients. The clients have begun to push back against their outside counsel, requiring fixed rates and higher value added. This provides an opportunity for automating the due diligence process, which would result in cheaper and faster transactions that allow for better management of risk. AI tools offer a potentially efficient solution for classifying, organizing, and prioritizing documents being provided to the acquiring company, and provide a strategy for how the acquiring company addresses its review of these documents. AI tools also provide an opportunity for target companies to be M&A ready upfront.

[1] Jack Ciesielski, How autonomy fooled Hewlett-Packard, Fortune (Dec. 2016), http://fortune.com/2016/12/14/hewlett-packard-autonomy.
[2] Id.
[3] Angela Monaghan, Hewlett Packard offloads last Autonomy assets in software deal, The Guardian (Sep. 2016), https://www.theguardian.com/business/2016/sep/08/hewlett-packard-autonomy-assets-software-deal-micro-focus.
[4] Id.
[5] Roy Strom, Wall Street wakes up to legal AI for due diligence, The Am. Law. (Dec. 2017), https://www.law.com/americanlawyer/sites/americanlawyer/2017/11/30/wall-street-wakes-up-to-legal-ai-for-due-diligence/?slreturn=20180120224441.
[6] Id.
[7] Dewey Ray, What is merger and acquisition due diligence?, CIO (Jun 2015), https://www.cio.com/article/2931585/mergers-acquisitions/what-is-merger-and-acquisition-due-diligence.html.
[8] Id.
[9] Daniel Davis, Omnicare v. NCS Healthcare: A Critical Appraisal, Berk. Bus. Law J. 177, 183 (Mar. 2007).
[10] Dewey Supra, note 7.
[11] Id.
[12] Cassity Ming, The due diligence process for M&A: a complete guide, Securedocs (May 2016), https://www.securedocs.com/blog/the-due-diligence-process-for-ma-a-complete-guide.
[13] Id.
[14] Id.
[15] Id.
[16] Kira Systems, HOW AI IS TRANSFORMING THE DUE DILIGENCE PROCESS, Raconteur (Oct. 2018), https://www.raconteur.net/sponsored/how-ai-is-transforming-the-due-diligence-process.
[17] Id.
[18] Id.
[19] Preparing your company for sale: due diligence from a seller’s perspective, Lex. (Mar. 2012), https://www.lexology.com/library/detail.aspx?g=b2c90aed-1ece-424b-9bce-7b655e83536a.
[20] Kira Supra, note 16.
[21] Id.
[22] Supra, note 19.
[23] Id.
[24] Id.
[25] Id.
[26] Justin Evans, Why Law Students Should Embrace Artificial Intelligence, Intellectuallyjay (Sep. 2017), https://www.intellectuallyjay.com.
[27] Id.
[28] Id.
[29] Jennifer Smith, Law firms face fresh backlash over fees, The Wall St. J. (Oct. 2012), https://www.wsj.com/articles/SB10001424052970203400604578070611725856952.
[30] Id.
[31] David McLaughlin, How AI helps financial institutions perform customer due diligence, Upside (Aug. 2017), https://tdwi.org/articles/2017/08/30/adv-all-ai-helps-financial-institutions-perform-due-diligence.aspx.
[32] Kira, Supra note 16.
[33] Id.
[34] Id.
[35] Id.
[36] Julie Sobowale, How artificial intelligence is transforming the legal profession, ABA J. (Apr. 2016), http://www.abajournal.com/magazine/article/how_artificial_intelligence_is_transforming_the_legal_profession.
[37] Id.
[38] Kira, Supra note 16.
[39] Id.
[40] Cassity Supra, Note 12.
[41] Id.
[42] Id.
[43] Id.
[44] Id.
[45] Debra Weiss, DLA Piper to use artificial intelligence for M&A document review, ABA J. (Jun. 2016), http://www.abajournal.com/news/article/dla_piper_to_use_artificial_intelligence_technology_for_ma_document_review.
[46] Id.
[47] Kira Systems, Kira Systems’ Noah Waisberg, uncovering truths & myths for AI Bootcamp session at Legalweek New York 2018, Kira System Blog (Jan. 2018), https://info.kirasystems.com/blog/topic/due-diligence.
[48] Deloitte, Deloitte forms alliance with Kira Systems to drive the adoption of artificial intelligence in the workplace (Mar. 2016), https://www2.deloitte.com/us/en/pages/about-deloitte/articles/press-releases/deloitte-forms-alliance-with-kira-systems-to-drive-the-adoption-of-artificial-intelligence-in-the-workplace.html.
[49] Mark Burdon, Artificial Intelligence – An Authentic Opportunity For Mergers And Acquisitions, The Deal Room (Aug. 2016), https://www.firmex.com/thedealroom/artificial-intelligence-an-authentic-opportunity-for-mergers-and-acquisitions.
[50] Supra, note 48.
[51] Id.
[52] Id.
[53] Id.
[54] Merrill Corp., BE M&A READY: DON’T MAKE MANAGING YOUR DOCUMENTS A LAST-MINUTE CONSIDERATION, Raconteur (Oct. 2018), https://www.raconteur.net/sponsored/be-ma-ready-dont-make-managing-your-documents-a-last-minute-consideration.
[55] Id.
[56] Id.

On January 19th-21st, Michigan State University (MSU) will be hosting its fourth annual student-run hackathon, SpartaHack IV. SpartaHack is focused on bringing students across different disciplines together and giving them a platform to realize and harness their own fresh ideas. A hackathon is a perfect setting for discovery, where participants have the opportunity to get to know each other better, take on new roles, and utilize material that they are being taught in the classroom.

What is a Hackathon?

A hackathon is an event, typically lasting 24-48 hours, in which a large number of people (computer science students, student programmers, student data scientists, student project managers, business students, and law students) meet to collaborate competitively on potential solutions to a specific set of challenges. The goals involve solving some kind of problem or challenge submitted by a ‘sponsor,’ usually an organization. Teams that create the most meaningful and innovative solutions under the specific judging criteria are awarded prizes from the sponsor.

At SpartaHack, around 500 engineers, designers, law students, business students, and others will get together to come up with something cool, useful, and amazing. The only condition is that students will have only 36 hours to work on their projects. Teams with the best ideas have the chance to win over 34 prizes, amounting to $20,443 in prize value.

Why Should Law Students Attend Hackathons?

Law students are given an opportunity to apply the concepts learned in the classroom to innovate the law or solve a set of legal problems. This allows law students to be in the trenches with programmers and coders who are responsible for developing the technology and other solutions for the issues being presented. Law students are given the chance to actively listen to the solutions proposed and the brainstorming that occurs between the sponsors and the other students. Law students can learn to think like the programmers and coders. Hackathons allow law students to improve their legal process and/or make the law more accessible to clients through the creation of user-friendly mobile apps, web platforms, interactive databases, etc.

“A hackathon event can help an attorney better understand where the future of the profession is heading by allowing them to take an active role in developing technologies that improve access to justice. Rather than being told ‘this is the new technology, just use it,’ attorneys can play a key part in shaping the new technology.”-Franklin Graves

Rules:

– Participation is limited to students who have been enrolled in the past year.

– Teams can have a maximum of 4 members.

– All team members must be registered SpartaHack attendees.

– All team members must be physically present at SpartaHack.

Judging Criteria:

-Creativity

-Technical Impressiveness

-Implementation

Sign up!
https://18.spartahack.com/

On Sunday, November 5th, LegalRnD had the honor of hosting Pamela Morgan, Founder and CEO of Third Key Solutions. The theme of the morning workshop was educating future attorneys on what they need to know about Bitcoin, Blockchain, and Smart Contracts. “Bitcoin, blockchains, and smart contracts are coming to disrupt the legal practice. These technologies provide new ways of delivering services that are faster, more secure, and often eliminate the need for “trusted” third parties. They’ll impact the way lawyers, and their clients, do business.”

The workshop provided law students with a practical understanding of what’s happening now (and what’s just hype); what students, as future attorneys, and potential clients need to know about the technology and the laws that govern them; and how to further develop your practice in this niche area.

What is Blockchain

“A blockchain is a decentralized distributed public ledger, accessible to all nodes connected to the blockchain (Nodes are individual computers that contribute computing power to the blockchain). Each transaction is stored on several computers connected to a common network, which individually validates whether each transaction should occur. For information to be included on the blockchain, the network (comprised of all the nodes) must reach a consensus, usually at least a majority. The transactions are then aggregated (“batches”) into blocks for organization. Then each block is connected to the previous block, hence the name blockchain. Each block is accessible to each node on the blockchain. The block becomes an immutable record and ultimately secure.” – based on research from Danielle Chirdon and Justin Evans

Workshop Take-Aways

Students learned that when advising future clients about blockchain applications and platforms, they should consider some key questions:

1. Is the blockchain public or private (DLT)?
Blockchains should be established as a peer-to-peer network. Blockchain systems are stronger when connected to other computers and consistently being validated. If the blockchain is closed and secured behind a corporation’s firewall, it is subject to attack.

2. Who can change the future/past?
When analyzing the closed blockchain platform being proposed, we must identify those who have the ability to change transactions on the blockchain. Under the traditional system, the content on the blockchain remains an unchangeable transaction, and updating terms amongst the parties requires the introduction of a new block.

3. At what cost?
Can a member of the blockchain easily alter the material incorporated on the closed blockchain platform? Under the traditional system, changing material on the blockchain requires a large computational feat, which is why material added to the blockchain is considered largely immutable (secure/unhackable). Clients need secure blockchain platforms that protect their data and transactions.

5. Who will know and how?
If the material on the blockchain platform is altered, who will know and how will they be notified that the material is changed? Clients need the security of knowing that their material is secured and not easily altered by the members of the closed blockchain platform.
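The questions above about who can change the past, at what cost, and who will know can be made concrete with a small model. This is an added example, not material from the workshop; it assumes SHA-256 hash linking between blocks and a toy proof-of-work setting (`DIFFICULTY`), and all names and sample transactions are constructed.

```python
import hashlib
import json

DIFFICULTY = 3            # assumed demo setting: hash must start with 3 hex zeros
GENESIS_PREV = "0" * 64   # placeholder "previous hash" for the first block

# Constructed sample batches of transactions, one batch per block.
BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 10}],
    [{"from": "bob", "to": "carol", "amount": 4}],
    [{"from": "carol", "to": "dave", "amount": 1}],
    [{"from": "dave", "to": "alice", "amount": 2}],
]

def block_hash(block):
    """SHA-256 over everything in the block except its stored hash."""
    body = {k: block[k] for k in ("index", "prev_hash", "transactions", "nonce")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def mine(index, prev_hash, transactions):
    """Search for a nonce that meets DIFFICULTY; return (block, hashes_tried)."""
    block = {"index": index, "prev_hash": prev_hash,
             "transactions": transactions, "nonce": 0}
    while not block_hash(block).startswith("0" * DIFFICULTY):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block, block["nonce"] + 1

def build_chain(batches, start=None):
    """Append one mined block per batch to `start`; return (chain, hashes_tried)."""
    chain = list(start or [])
    tried = 0
    for txs in batches:
        prev = chain[-1]["hash"] if chain else GENESIS_PREV
        block, n = mine(len(chain), prev, txs)
        chain.append(block)
        tried += n
    return chain, tried

def first_invalid_block(chain):
    """Index of the first block whose link, hash or proof-of-work fails, else None."""
    prev = GENESIS_PREV
    for block in chain:
        h = block_hash(block)
        if (block["prev_hash"] != prev or block["hash"] != h
                or not h.startswith("0" * DIFFICULTY)):
            return block["index"]
        prev = block["hash"]
    return None

def rewrite_history(chain, index, new_transactions):
    """The cost of changing the past: re-mine block `index` and every later block."""
    later = [b["transactions"] for b in chain[index + 1:]]
    return build_chain([new_transactions] + later, start=chain[:index])

def first_divergence(own_copy, peer_copy):
    """Who will know: a node comparing block hashes with a peer finds the fork."""
    for mine_blk, peer_blk in zip(own_copy, peer_copy):
        if mine_blk["hash"] != peer_blk["hash"]:
            return mine_blk["index"]
    return None

if __name__ == "__main__":
    chain, _ = build_chain(BATCHES)
    forged, cost = rewrite_history(
        chain, 1, [{"from": "bob", "to": "carol", "amount": 9000}])
    print("hashes needed to rewrite block 1 onward:", cost)
    print("honest node sees divergence at block:", first_divergence(chain, forged))
```

An in-place edit fails `first_invalid_block` immediately; a full rewrite passes it but still differs from every honest node's copy, which is why a ledger held by a single party offers weaker assurance than one validated by many peers.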

ICO Crowdsourcing

Students learned that many startups are using Initial Coin Offerings (ICO), rather than the capital-raising process required by venture capitalists or banks, to fund their companies. For example, Martin Köppelmann, 31, Stefan George, 29, and Matt Liston, 25, sought to use the ICO platform to raise 12.5 million for their startup, and did so in 11.5 minutes! This works by the startup offering its coin, which investors can purchase, giving the early investor a stake in the company. To help assist in crowdfunding for ICOs, the DAO, which stands for digital, decentralized autonomous organization, was created to act as a form of investor-directed venture capital fund. Recently, governing bodies such as the SEC have come out and ruled that the offering of coins for a stake in the company is an offering of securities. As ICO crowdfunding continues, 21st-century lawyers are needed to help startups adhere to potential laws that may govern them.

Co-written by Danielle Chirdon

The 2017 Financial Legal Technology Conference at Chicago-Kent College of Law was a high intensity day packed with information from over twenty leaders in the crosshairs of technology in the legal and financial industry. In order to attempt to give a more accurate overview of the day’s events, [-] and I will be releasing a series of posts summarizing some of the main themes we saw throughout the day.

“Innovation means people sitting at the same table, talking the same language, with a common set of goals.”

“The field of law is moving too [slow],” David Cambria, Global Director of Legal Operations for Archer Daniels Midland. “The law looks like finance 50 years ago,” Dan Katz, Director of the Law Lab at Illinois Tech Chicago College of Law. Katz opened the conference by establishing two major branches of Fintech: (1) removing the socially meaningless friction of “that’s the way we have always done something” and (2) how to characterize (price) risk using legal technology. Lawyers tend to think of themselves as risk averse, but “it is meaningless in business to say something is risky.” Being a lawyer means helping to decide which risk is worth taking. Corporate clients need attorneys who speak their language and who understand their goals. Unfortunately, attorneys have not been properly trained during law school for optimal use by their corporate clients. Throughout the day, the need for law schools to alter their approach to training law students by freeing up the capacity for alternative streams of courses was a recurring theme. Lucy Bassli, Assistant General Counsel of Microsoft, spoke on how the traditional education of law and constraints on the unauthorized practice of law are a huge impediment to innovation. Why should educators care? Because they are preparing for their future careers.

(Law + Tech + Design + Delivery) = education for the 21st century lawyer, Alexander Rabanal, Associate Director of The Law Lab at Chicago-Kent.

The delivery of legal services is evolving due to changes in market demand. Business partners and in-house legal teams are redefining their relationships with outside attorneys, requiring them to embrace the use of technology and improve their current processes. These clients are asking for greater value, mutual benefits and risks, and multidisciplinary teams. Is the current way things are done the best way? The whole goal is to do the work better, faster, and cheaper. “Sometimes the best lawyer, is no lawyer at all.” Stephanie Corey, Chief of Staff and Legal Operations Senior Director, Uplevel Ops. Whether the tasks assigned to certain roles in a current process represent the most efficient method of conducting a legal service is a question law firms may benefit from asking in the wake of changing demands from their clients. “You don’t need a surgeon to draw blood at clinic, like you don’t need a partner to do the work of a paralegal.” Applying process improvement techniques like lean thinking, and putting people in leadership roles to work alongside attorneys, may help to improve current processes and help law firms maintain clients. “But please, stop using the term non-lawyer. They are the secret sauce.”

Corporate legal clients are using new technology to innovate and need trusted advisors who understand the technology and laws that govern them.

“The use of technology like Blockchain will revolutionize how corporate clients conduct business, increasing the need for attorneys who understand the technology and have the ability to address potential risk,” Justin Steffen, a partner of Jenner & Block. We cannot advise clients on technology that we do not understand. Eric Woods, a partner of Chapman and Cutler, highlights that the use of smart contracts presents several issues that must be addressed before it is widely implemented: what happens if a smart contract that is uploaded to the blockchain contains a bug, or either party files for bankruptcy? What will be the fiduciary duty of the smart contract developer who codes the contract for you? “The current state of smart contracts is good for if-then statements, but are not coded for best judgment,” Justin Steffen. “Lawyers need to be able to collaborate with the clients and coders to properly move the technology forward,” Wulf Kaal, an Associate Professor and Director of the Private Investment Fund Institute.

Alternative legal groups are using technology to bridge the gap for access to justice

“Access to Justice should be frictionless for those who need legal services. The fact that legal service has such a high price tag illustrates one of the many potential frictions that exist for those needing these services. There are approximately 4 billion people on the Earth who live on less than $10 a day. The legal infrastructure is too expensive for these individuals to obtain an attorney,” Eddie Hartman, Co-founder of LegalZoom.

“There are over 25,000 pages of immigration law, which means that those needing immigration help need attorneys to help them with the paperwork. Only 15% of the individuals who need immigration help have the necessary funds to access it, leaving 75% underserved,” Javad Khazaeli, Founder of Road To Status LLC. In an attempt to bridge the gap for access to justice, companies like Road to Status and Paladin are using legal technology tools to serve the underserved population better.

Road to Status –

The goal of “Road to Status” is to assist those in need of help with citizenship in obtaining and filling out the necessary documents. Road to Status has created an online platform that allows the client to complete all of their administrative work themselves. Road to Status has provided pictures that illustrate the information required for each form, and the forms are written in a way that best explains the information that is needed. To ensure that clients have submitted the necessary forms correctly, Road to Status uses artificial intelligence to flag potential issues. Clients are also provided with an attorney to support them and provide further review before submitting their documents.

Paladin –

There are more than 1.3 million American attorneys who are required to perform at least 50 hours a year of pro bono work. This means that there are at least 65,000,000 hours that could be used to help bridge the access to justice gap. However, the legal system and profession do not provide a viable solution for how to effectively use these hours for representation of the unrepresented. Paladin is using technology to make pro bono easy, by working with law firms, in-house legal teams and law schools to reduce the administrative costs of pro bono and improve outcomes. Paladin provides personalized opportunities for these organizations to streamline, coordinate, and automate legal representation through workflow management.

Law firms and consultants are using technology to invest in litigation selectively

“Legal risk is similar to a toddler in that if you do not pay them the attention they will get into trouble. The legal industry should model themselves after CPAs, who have been managing and mitigating clients’ risk for years,” Jillian Bommarito, Principal Consultant & Treasurer of LexPredict. Collection and mining of big data will change the way the legal industry approaches risk and litigation. “Big and small data will be used by attorneys to put into a predictive modeling, scenario testing, and litigation decision tree modeling to provide strategic advice to clients on how to avoid and manage risk,” Eric Blinderman, Chief Executive Officer of Therium Inc.

Nearly 90% of U.S. corporations will be engaged in some litigation in the lifespan of the company, many in several cases simultaneously. In America, there are thousands of civil lawsuits filed annually, costing corporate clients billions annually. By combining technology with the practice of law, attorneys can use modeling processes to help their clients decide whether to allocate resources to litigating a case. “Litigation finance is growing and changing the way corporations pursue commercial litigation,” Russell Genet, Director of Longford Capital Management. Companies like Longford Capital Management are revolutionizing the way litigation is financed. Litigation finance firms provide non-recourse capital to (i) companies to pay attorneys’ fees and expenses incurred in litigation and (ii) invest in portfolios of cases managed by leading law firms.

On October 17th, Carl W. Herstein, a Partner at Honigman Miller Schwartz and Cohn and its Chief Value Partner, led the firm’s periodic value initiative meeting at Michigan State University Law School. Mr. Herstein opened the meeting by discussing the changing environment of law firms and corporate legal departments. Mr. Herstein also discussed his firm-wide efforts to deliver greater value to its clients through means such as Project Management, process improvement, and the implementation of technology.

The meeting also included presentations by MSU Law students, LegalRnD Director Dan Linna, and Innovation Counsel Jordan Galvin about how they are using the same disciplines to improve legal-service delivery and create value for clients through a “people, process, technology” approach.

(The Innovation Index will open deep discussions between firms and clients to improve legal-service delivery)

Dan Linna presented alongside Anita Western, Sean Acosta, and Jameson Joyce on an index of legal-service delivery innovation, which they created to identify legal innovation and technology adoption in 260 of the world’s largest law firms. To determine the level of innovation in the legal industry, the team first created a catalog of 205 innovations implemented in law firms. Second, the team identified ten categories of legal-service delivery innovation and ran advanced Google searches across law firms’ websites to identify evidence of legal-services innovation and technology adoption.

(Using LegalRnD disciplines in the 54A district court we can save citizens’ homes)

Jordan Galvin, Nick Gamber, and Drew Sanders spoke about the core LegalRnD disciplines and how they’re being applied to an Eviction Diversion Pilot Program at the 54A district court. In the implementation and assessment of that pilot program, they are using disciplines such as process improvement, design thinking, and data analysis to create a more user-centric approach to legal service delivery. A core principle is to test potential solutions and get feedback from users while gathering data about outcomes, not just efforts, to assess the program’s effectiveness.

(Using skills learned in Quantitative Analysis class we can better deliver legal services)

Dierdre McKinney presented on her project with Michigan Legal Help. Michigan Legal Help is a free legal information website that provides resources to pro se litigants. Using empirical research skills from Quantitative Analysis with Professor Linna, Dierdre is assessing information from users to determine which legal issues litigants need additional help with. This data will help provide Michigan Legal Help a better understanding of what additional resources they should make available on their website.

(“Blockchain, more than any other technology, will drive the next wave of legal innovation and transform the business of law”-Bob Craig, CIO at Baker Hostetler)

Danielle Chirdon and Jay Evans spoke on how emerging technologies like blockchain are revolutionizing the way clients conduct business. Clients are asking for and need trusted advisors who not only understand these technologies but also understand the laws that govern them.

We would like to provide a special thank you to Sarah McCormick, a 2017 LegalRnD MSU Law grad, who recently joined Honigman as a project manager and helped coordinate this event and make it possible. We would also like to thank again Carl Herstein, who also spoke at MSU Law last year. We appreciate his support of the program. He repeated this during the program, emphasizing the need for law schools to have programs like LegalRnD. He stated that programs like LegalRnD train not only nontraditional lawyers for positions like legal project manager and legal solutions architect, but also traditional lawyers, who need to understand how to leverage project management, process improvement, metrics, data analytics, and technology to deliver better solutions for their clients.

As Mr. Herstein and Professor Linna pointed out, during their introductory comments, clients now expect their lawyers to be able to answer the question: “How are you using innovation and technology to improve not only efficiency but also substantive outcomes.” We would also like to thank the [10] Honigman lawyers and other professionals who attended this event in person. Finally, we would like to thank the Honigman lawyers and professionals who watched the event live from Honigman’s offices in Detroit, Chicago, Ann Arbor, Bloomfield Hills, Lansing, Kalamazoo, and Grand Rapids.

Allergan CEO Brent Saunders and chief legal officer Bob Bailey explained in a recent interview that they are being forced to protect their patents against what the company considers to be “double jeopardy” in patent disputes.

Should pharmaceutical companies be subjected to double jeopardy? The Fifth Amendment of the United States Constitution provides that “No person shall … be subject for the same offense to be twice put in jeopardy of life or limb.” Are corporations considered to be a person by the court? The Supreme Court seems to have supported this theory in Citizens United v. Federal Election Commission and doubled down in ATM v. Bullock. In the United States Code, 1 U.S.C. § 1, it is stated that “[when] determining the meaning of any Act of Congress, unless the context indicates otherwise—the words ‘person’ and ‘whoever’ include corporations, companies, associations, firms, partnerships, societies, and joint stock companies, as well as individuals.”

So why are pharmaceuticals not protected by this law?

Allergan pharmaceuticals, the manufacturer of Botox and Restasis, is currently defending its therapeutic Restasis in a Texas Federal court against the generic giants Teva Pharmaceuticals USA, Inc., Apotex, Inc., Akorn, Inc. and Mylan Pharmaceuticals, Inc. Interestingly, Allergan is also defending Restasis against Teva Pharmaceuticals USA, Inc., Akorn, Inc. and Mylan Pharmaceuticals, Inc. through the U.S. Patent and Trade Office’s inter partes review (IPR) process. How is it that a pharmaceutical company, which is considered a person, is having to fight the same companies in both federal court and patent court to protect its patents?

Earlier this year Allergan reached a settlement with another generic pharmaceutical, extending the protection of its patent until 2024. In an attempt to protect its patents from litigation on multiple fronts for the next 7 years by another round of generic pharmaceutical companies, Allergan has decided to assign its patent rights to the Saint Regis Mohawk Tribe of Upstate New York. The Saint Regis Mohawk Tribe will in return license the patent back to Allergan for about 15 million dollars annually. The legal counsel for the tribe said that the new funding source will help bring much needed resources to the tribe.

Tribal sovereign immunity is a doctrine that states that Indian tribes are immune from judicial proceedings without their consent or Congressional waiver. In a recent Supreme Court case, Michigan v. Bay Mills Indian Community, the Court reaffirmed the doctrine of tribal sovereign immunity. The decision upholds Indian sovereign immunity against lawsuits brought by state governments, reaffirming that Congress, not the courts, decides when tribes can be brought to court.

Tribal sovereignty has been instrumental in many of the deals that have led many tribes to establish gaming enterprises. It has been reported that the gaming industry has helped Indian tribes decrease unemployment from 70% to 13%. The gaming industry and now pharmaceutical licensing could potentially help tribes “[break] debilitating economic dependence on federal spending programs and replenishing the social and cultural fabric that can support vibrant and healthy communities and families.”

Pharmaceutical companies could potentially benefit, depending on the regulatory response, from the tribe’s sovereign immunity, which would allow them to avoid unfair and unnecessary disputes at the Patent Trial and Appeal Board (PTAB) and elsewhere in the federal courts. The current system allows competitors to challenge patent validity before a panel at the PTAB and before a judge in federal circuit court. Allergan’s chief executive, Brent Saunders, calls the process double jeopardy for having to fight the same issue in two different venues. I would be inclined to agree if these were criminal suits; since both are civil suits, I believe that this violation is protected by res judicata. Res judicata protects a defendant from having the same matter raised again, either in the same court or in a different court, once the matter has been determined. Once the Texas federal court has handed down its decision, if there isn’t an appeal, Allergan should raise the issue of res judicata in relation to the pending case at the PTAB. The Supreme Court has granted certiorari in Oil States vs. Greene’s Energy Group, et al., to determine whether the PTAB is unconstitutional by not allowing defendants trial by jury.

Ironically, the spokeswoman for Teva Pharmaceuticals, Denise Bradley, argues that licensing patents from tribes will delay access to high-quality and affordable generic alternatives. I believe that allowing for lawsuits in multiple venues over the same issue will drive costs more than anything. These lawsuits are not cheap for a pharmaceutical company, which is already trying to see a return on its investment. Pharmaceutical companies, like Allergan, spend millions in research and development of new therapeutics to help improve global health. Generic pharmaceutical companies are not required to conduct these intensive studies to bypass regulatory approval. Generic pharmaceuticals make their profits off of the investment of other pharmaceutical companies’ research and development of therapeutics. If the Supreme Court wants to continue to support global health, it should prevent pharmaceutical companies from being haled into federal court and the PTAB for the same issue. If pharmaceutical companies and medical device companies are forced to fight on multiple fronts for the same issue, we will see an increase in drug prices or a decrease in innovation in the health industry.