Why (and What) You Need to Know About the FTC’s Endorsement Guides and FAQs

Endorsements are an important tool in the marketing and promotional toolbox used by both companies and individuals. A slightly paraphrased version of the FTC’s definition of an endorsement is a message, such as a statement, demonstration, or other communication, by a party not the manufacturer, provider or advertiser of a product or service which contains that third party’s opinions, beliefs, findings, or experiences regarding that product or service (which may be the same as those of the product/service manufacturer/provider or its advertiser).

LinkedIn profiles are chock full of professional endorsements and recommendations by colleagues, peers and others. Companies rely on endorsements to increase brand awareness, promote marketing communications, and drive sales. Traditionally, a company’s brand awareness or marketing message was spread through “word of mouth” by individuals who had a satisfying experience with that company’s products or services. Think back to the old 80’s Faberge Shampoo commercial with a person saying you’ll love the product and that “you’ll tell two friends, and they’ll tell two friends, and so on, and so on, and so on….” If a family member, good friend, or other trusted individual shares a positive review of or experience with a product or service, the logic is that you’ll be more inclined to learn more about it and/or give it a try based on an endorsement from a “trusted source.” Companies and their advertisers use paid celebrities as another form of trusted source to promote their products and services. More recently, a new category of trusted sources has arisen – bloggers and other online personalities, or “influencers,” who regularly provide their followers with their thoughts and opinions (often positive), including on products and services they use. Additionally, companies may seek to leverage their employees as trusted sources by asking them to re-tweet marketing messages and posts.

An unbiased endorsement based solely on a trusted source’s positive experience with the product or service is the best source of information for potential customers. But would a potential customer put the same stock in an endorsement if they knew that the trusted source providing the endorsement works for, received some tangible or intangible compensation or benefit from, or has some other material connection to the company or its advertiser whose products or services they are endorsing? For the last few years, the FTC has been paying more and more attention to online endorsers and influencers. In April 2017, the FTC sent over 90 letters to various influencers and the marketers of brands endorsed by those influencers, highlighting the requirement to clearly and conspicuously disclose any material connection between the endorser and advertiser. The FTC has also recently added to its guidance regarding online influencers, and in early September 2017 announced their first enforcement action against two individual online influencers for failing to properly disclosure their material connection with the company whose product they were endorsing. This may be just the start of more aggressive enforcement by the FTC against influencers, trusted sources, and others who do not “follow the rules” regarding endorsements.

How can companies/marketers and endorsers/influencers avoid trouble when making endorsements? As with many areas of compliance, consider a “center of the herd” approach. The animals in the center of the herd are not the ones that typically get picked off – it’s the ones out in front (e.g., those most desperate for water or who have another need to be first) and those in the rear (e.g., those not paying attention, who can’t keep up, or just don’t care). The same applies in business – the companies more likely to be fined or penalized are those who are willing to take aggressive risks to be in front of the pack, or the ones bringing up the rear due to a lack of focus on, or disregard for, compliance. The FTC has released a set of guides and FAQs to provide guidance to all parties involved with endorsements. Being familiar with these guides and FAQs, and following best practices such as the ones described at the end of this article, can help ensure both you and your company are in the “center of the herd” when it comes to endorsements.

The FTC Guides Concerning Use of Endorsements and Testimonials in Advertising

The FTC has offered guidance for decades on the issue of biased endorsements in marketing: the FTC’s Guides Concerning Use of Endorsements and Testimonials in Advertising (16 CFR Part 255) (the “Endorsement Guides“), which apply to endorsements by consumers, celebrities, experts, and organizations. The Endorsement Guides were updated in 2009 to remove the “results not typical” safe harbor disclosure in endorsements and testimonials, to address connections between endorsers and companies/marketers, and to address celebrity endorsers. While contained in the Code of Federal Regulations, they are administrative interpretations only; deceptive advertising is governed by the Federal Trade Commission Act and state deceptive trade statutes, as well as other truth-in-advertising laws.

There are four principles at the heart of the Endorsement Guides:

  1. Endorsers should only endorse products they have tried, and should only say they use a product if they were a bona fide user at the time the endorsement was given.
  2. Endorsements must be truthful and not misleading (either expressly or by implication).
  3. Endorsers and companies/marketers should only make claims about a product if they have proof substantiating those claims.
  4. Endorsers and companies/marketers must disclose a material connection between an advertiser and an endorser if the connection may result in a perceived bias in the endorsement. A “material connection” is a connection between the person endorsing the product and the company which is producing or marketing the product which might materially affect the weight or the credibility given to the endorsement by its audience, such as but not limited to a business/family relationship, receipt of a payment, or receipt of a free product.

The guides include dozens of examples of real-world situations and how each situation should be treated under the Endorsement Guides. They are worth a careful read. If you find examples that align with your own current or planned marketing strategies and activities, read them carefully to ensure you understand what behavior the FTC expects in that situation.

The FTC’s FAQ on the Endorsement Guides

Released in 2010 and updated in 2015, the FTC supplemented the Endorsement Guides with a set of frequently-asked-questions titled The FTC’s Endorsement Guides: What People Are Asking (the “Endorsement FAQs“). The Endorsement FAQs collect frequently asked questions from companies, marketers, bloggers and others and provide answers from the FTC to supplement the guidance and examples provided in the Endorsement Guides. The FTC’s answers are extremely important as they provide important insight on how the FTC would likely come down on a particular position.

In September 2017, the FTC updated and modernized the Endorsement FAQs. Some of the key changes were:

  • The FTC made clear that if an individual endorser continues to fail to make required disclosures despite warnings, it may take action against that individual endorser.
  • New FAQs were added regarding donations to charity in return for a product review; family and friends eating for free at a new restaurant; YouTubers receiving free gifts in the hopes of a review; bloggers receiving free travel to a new product launch event; Instagram posts with a tag of the brand of clothing being worn; aspirational endorsements; reciprocal endorsements (“I’ll endorse your product if you endorse mine”); bloggers located outside the US targeting a US audience; where to place disclosures in Instagram posts; whether endorsers can rely on a social media platform’s built-in disclosure functionality; where the disclosure can be placed; disclosures for summary ratings including reviewers who have a material connection; and whether an employee’s like or share of a company’s post requires an endorsement disclosure.

These recent updates, and the FTC’s “shots across the bow” of online influencers in April and September 2017, likely signal the FTC’s intention to more aggressively crack down on online influencers and others in the endorsement ecosystem (especially in the social media space) for endorsements that run afoul of the Endorsement Guides and the Endorsement FAQs or otherwise constitute deceptive advertising or trade practices.

Suggested Best Practices and Closing Thoughts

Here are some key takeaways from the Endorsement Guides and the Endorsement FAQs to keep in mind as you move forward with requesting or providing endorsements:

  • If there’s an actual, potential or perceived material connection, disclose it. If there’s a material connection between an online influencer, trusted source, or other endorser and the owner or marketer of the product/service being endorsed, e.g., an influencer is paid or receives a free product, free service, or other material benefit which may be perceived by a potential customer as biasing the endorsement, the endorsers must ensure the connection is disclosed (unless the connection is clear from the context of the endorsement). If you’re on the fence as to whether a connection is material or not, disclose that too. Remember to look at it from the correct perspective — it’s not whether the endorser thinks the received consideration affects his or her endorsement of the product or service, but whether knowing about the consideration could affect how the audience views the endorsement and/or create a perception of bias.
  • Make disclosures easy to understand (e.g., unambiguous). Disclosures such as “#partner” or “thanks to [company/advertiser]” are not sufficient as while they may disclose there’s some relationship between the endorser and the company/advertiser, they do not specify the nature of that relationship. While an endorser does not need to specify the details of the compensation received, he/she needs to disclose that the post, review or other endorsement is sponsored (as long as you’re not misleading your audience on how much compensation you received), and ensure the identity of the sponsor is clear. The Endorsement FAQs disclosures reference “#ad” or “#sponsored” as hashtags that denote that an ad, post, review, etc. is an advertisement or sponsored by the company/advertiser (don’t use “#sp” as it’s not sufficiently unambiguous). For an influencer who receives free products, saying “Thanks to [company/advertiser] for the free [product received]” may be sufficient. If you are an employee of or consultant to a company whose products or services you are endorsing, “#employee” or “#consultant” is not sufficiently unambiguous – “#ABC-Employee,” “#ABC-Ambassador,” or “#ABC-Consultant” is less ambiguous, where “ABC” is the company or brand name of the product/service you are endorsing. If you’re running an online context, ensure the disclosure clearly states it is part of a sweepstakes or contest, e.g., “#ABC_contest” or “#ABC_sweepstakes” (but not “sweeps”). Think about the hashtag from a consumer’s perspective — could they figure out the connection between the endorser and the company/advertiser within the context of the ad within no more than a second or two?
  • Make disclosures hard to miss (clear and conspicuous). Disclosures must appear clearly and conspicuously so they are hard to miss. Ensure the disclosure appears before the “more” link or button in digital marketing, and “above the fold” in printed marketing – consumers should not have to click anything or take any additional action to see the disclosure, i.e., they should not have to look for it. Make sure the disclosure stands out. Don’t put it in a string of tags/hashtags, as it’s more likely to be missed (i.e., it’s not conspicuous) – ensure it’s separated out, such as at the start of the advertisement, or in bold and separated with a divider (“|”) before the other hashtags at the end. In an image, superimpose the disclosure in a way that’s easy to notice and easy to read in the time a viewer is looking at the image. In videos, ensure the disclosure is on screen long enough to be seen, read, and understood by the viewer; for longer videos, consider repeating the disclosure at appropriate intervals. Don’t combine your name with “ad” in a hashtag as it makes the fact that the post is an advertisement easier to miss. If a social media platform offers a disclosure tool, it’s up to the endorser and the company/advertiser to ensure that the tool provides a clear and conspicuous disclosure of the material connection, otherwise they should use a different disclosure.
  • Companies/advertisers must educate and monitor their influencers, trusted sources, and other endorsers. The FTC has specifically noted that companies and their advertisers have a responsibility to educate their influencers, trusted sources, and other endorsers on the rules and requirements for making endorsements (including disclosing material connections), and for monitoring what those parties are doing from an endorsement perspective. Ensure you have a well-documented enforcement process and that it is being followed. Companies should ensure their social media/brand ambassador policies address posts and other communications by influencers and other endorsers, and provide the policies to their endorsers. Companies that do not currently have such policies should strongly consider putting them in place.
  • Remember the bigger picture – deceptive and unfair trade practices. All parties in the endorsement ecosystem should remember that the Endorsement Guides and the Endorsement FAQs are built on the foundation of the FTC Act and the FTC’s authority to regulate advertising practices, and are designed to help businesses and endorsers avoid endorsement activities that constitute deceptive or unfair advertising prohibited by the FTC Act. The concept of clear, conspicuous, and unambiguous disclosures applies to, but goes far beyond the ecosystem of, endorsements.

Finally, remember that changes to the Endorsement Guides and Endorsement FAQs are far outpaced by change in the world of online marketing. Pay attention to the release date of all FTC documents and guidance, and remember that the FTC’s answers were based on the world as of that date. If an assumption or a fact cited by the FTC in its answer is inaccurate or otherwise out of date, talk with marketing counsel as to the impact on the FTC’s stated position. If you’re looking for guidance on how to apply new technologies or marketing approaches to endorsements in a compliant fashion, think of the Endorsement Guides and Endorsement FAQs as tea leaves which can be read to help you take the temperature of how the FTC is likely to view that new technology or approach. The best thing parties in the endorsement ecosystem can do is to be familiar with the Endorsement Guides and Endorsement FAQs and use them to guide their endorsement strategy and approach to keep them in the middle of the herd from a compliance perspective.

Eric Lambert has spent most of his legal career working in-house as a proactive problem-solver and business partner. He specializes in transactional agreements, technology/software/e-commerce, privacy, marketing and practical risk management. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.

5 Proactive Steps For Employers and Businesses in a Post-Equifax World

Companies should proactively prepare for changes in consumer behavior and corporate responsibility.

By now, most people have heard about the massive data breach at Equifax, one of the four US credit bureaus along with Experian, TransUnion and Innovis, affecting 143 million people. Credit bureaus (also known as consumer reporting agencies) compile and keep a file containing a person’s credit history, including things like the types of credit, how long credit accounts have been open, how much available credit is utilized/available, whether bills are paid on time, late payments/collection notices/foreclosure notices, and public records such as liens and bankruptcies, as well as personal information such as Social Security Number (SSN), date of birth (DOB), and current and previous addresses. Credit bureaus make a report of a person’s credit history (their “credit report”) available to that person, and to employers and other businesses.

Employers and businesses often want to base decisions on whether to offer a person their products or services such as a loan/mortgage/credit offer, the interest rate to charge on that offer, a cell phone plan, an insurance policy, etc., or extend that person an offer of employment or a lease, on as much available relevant information as possible.  This often includes a review of that person’s credit history. Credit reporting agencies monetize accumulated credit history and associated personal information by making credit reports available to employers, insurers, service providers and other businesses for a fee, as permitted by applicable law. If an employer or business wants to obtain your credit report, they obtain your permission to access your report as required by law and ask you to provide certain sensitive personal information about you which they will use to request your report, and they pay a fee to one or more of the credit bureaus to receive a copy of your credit report.

Many employers and businesses rely on easy access to credit reports.  However, this may be one of the more likely casualties of the Equifax breach. As noted earlier, 143 million Americans may now be at risk for identity theft using their sensitive personal information from this one breach event alone. Unlike a credit card number, which can be changed in the event the data is compromised, SSNs and DOBs (which were compromised in the Equifax breach) can’t be changed. This is why the Equifax breach is so significant – unlike most previous breaches, the scale of this breach and the nature of information compromised mean that consumers will be at risk for, and must remain vigilant for, identity theft for the rest of their lives, which will likely drive changes in the way people monitor and manage their credit reports and sensitive personal information.

Most of the advice and guidance regarding the Equifax breach to date has been consumer-focused – what consumers can and should do to protect themselves in the post-Equifax world. This includes recommendations for more robust use of credit freezes currently offered by the credit bureaus and use of third party monitoring services which alert consumers to (or require the consumer’s approval for) changes in their credit report, representing a shift in the spectrum towards consumer identity protection and away from access to easy credit such as point-of-sale, “save 20% if you open an account today”-type offers requiring an instant check of your credit. It is also likely the earthquake caused by the Equifax breach will result in additional security and legal requirements not just for credit bureaus, but for all companies possessing sensitive personal information such as SSNs and DOBs, as well as industry-driven or legislatively-mandated enhanced best practices and/or new ways for consumers to help them control access to their credit reports in an effort to minimize identity theft, such as a tool to manage security freezes at all three credit bureaus simultaneously and make it easier to impose, and temporarily lift, such freezes. The Equifax breach is also likely to increase consumer acceptance of more complex login processes, such as multi-factor authentication.

Employers and businesses should start thinking about how they can and should adapt to the coming post-Equifax changes in consumer and credit bureau behavior, and increases in corporate responsibility with respect to security and collection/use of sensitive personal information. By taking proactive steps, companies can demonstrate to their employees and customers that they are sensitive to the importance of identity protection and security. Here are 5 proactive steps companies may want to consider:

1. Address consumer credit freeze/release approval in the new employee hiring process and other processes requiring a consumer credit check (such as point-of-sale credit offers).

While implementing a credit freeze will help protect a person from identity theft, it’s not without its drawbacks. As of today, these drawbacks include the need to separately implement or lift freezes on a per-credit bureau basis, and the fact that the freeze must be lifted (temporarily or permanently) before an employer or business can perform a credit check. Despite this drawback, more people will likely implement credit freezes in the post-Equifax world, which will impact companies’ ability to easily complete background checks or receive point-of-sale credit offers.

  • Employers and other businesses performing a consumer credit check should anticipate this and consider proactively modifying their credit check process by adding a question to their credit report authorization form asking whether a person has a credit freeze, or whether that person’s approval is required for the release of their credit report. If that person answers “yes,” the employer or business should have a standard exception process to work with that person to ensure the freeze is temporarily lifted, or approval for the credit check is given, so the employer or business can perform the credit check.
  • Retailers offering point-of-sale credit offers should consider ensuring their offer disclosures include a statement that people with credit freezes may not be eligible for the offer due to the inability to verify their credit history. For those businesses which use sales associates to offer point-of-sale promotions, consider requiring them to ask whether the consumer has a credit freeze in place, and if so notify them if the freeze renders them ineligible for the offer.

Employers and businesses should also know which credit bureau(s) they use for background checks, and be prepared to provide this information to make it as easy as possible for a prospective employee or customer to implement a temporary lift of the credit freeze. It may be worth having a short URL handy which can be provided to a prospective employee or customer who wants to temporarily lift their credit freeze to enable them to take advantage of the offer on the spot or at a later time.

2. Enable multi-factor authentication for access to online services and consumer portals.

Most businesses use a username and password as access credentials. Some, but not all, have moved to a more secure authentication mechanism known as multi-factor authentication. Multi-factor authentication requires a user to provide not only a username, but two or more of the following “authentication elements” to validate the user’s identity: (1) something you know (e.g., a password, the answer to a challenge question), (2) something you have (e.g., a one-time PIN or password or a code delivered specifically through the user’s mobile device), and/or (3) something you are (e.g., facial recognition or fingerprint). Each factor must be independent of the other so that knowing one factor does not reveal another. Other data, such as geolocation information or time-based access requirements, can be used as well. The most commonly-known type of multi-factor authentication is two-factor authentication, where two authentication elements (of which one is typically a password) are required. Multi-factor authentication helps reduce the chance a bad actor could successfully exploit a username and password obtained through a security breach, through phishing, or through other social engineering attack vectors. Companies can use multi-factor authentication to demonstrate to its users (and potential users) that it places a high value on security.

Some companies argue that the burden of providing additional verification does not outweigh the simplicity of a username/password, especially where the company is not collecting any sensitive personal information. However, multi-factor authentication is an industry standard in certain areas, such as under the current Payment Control Industry Data Security Standard (PCI-DSS) for companies that are required to be PCI compliant, and will likely continue to gain traction as an industry standard, or customer expectation, in other areas. The National Institute of Standards and Technology (NIST) recommends using multi-factor authentication wherever possible. For companies where multi-factor authentication is not an industry standard or legal requirement, consider offering multi-factor authentication anyway, or offering it as an enhanced security option to customers concerned about protecting access to their accounts.

3. Evaluate whether there is a true need to collect SSNs and DOBs from consumers, and/or other creative ways to validate SSN and DOB information.

Companies which collect Social Security Numbers or dates of birth from their users should consider whether the collection of this information is truly required. One of the core tenets of data privacy is the Collection Limitation principle, which advocates for limits on companies’ collection of personal data. HIPAA takes this a step further and applies a “minimum necessary standard” – companies should limit the use and disclosure of collected personal information to the minimum necessary to accomplish the intended purpose. Companies should consider following HIPAA’s “minimum necessary standard” even if they are not subject to HIPAA. With respect to sensitive personal information such as SSN and DOB, companies should look carefully at whether they truly need to collect this information, and for what purpose. If there is another way to accomplish the same goal without collecting the information, consider implementing that alternative approach. Here are two examples:

  • With respect to SSNs, instead of asking for a user’s SSN for validation purposes considering asking for the sum of the digits in their SSN, or the sum of the digits in their SSN plus the digits in their home street address. This provides a strong identity validation mechanism without the need to capture and store SSNs.
  • With respect to DOBs, if validating a user’s age (e.g., for COPPA purposes), consider whether the month and year is sufficient, and keep a flag indicating that the age information was verified instead of the month/year information itself.

4. Review and freshen (or implement) their incident response and incident communications plan(s).

To many, Equifax’s response has been a lesson in how not to manage communications regarding a security breach. Companies should take the opportunity to learn from Equifax’s missteps and review and freshen up their incident response and incident communication plan(s). For companies still without an incident response/incident communications plan, now is the time to ensure one is in place. A few things to consider:

  • According to press reports, the Equifax breach allegedly stemmed from the failure to timely implement a security update to the Apache Struts Web Framework. As part of incident response preparedness, work with IT to ensure that your company is actively monitoring for hardware/software security patches, and is applying them as quickly as possible following release.
  • There have been numerous reports regarding sales of Equifax stock valued at $1.8 million by three senior Equifax executives within days of Equifax’s discovery of the breach. While Equifax has stated that the executives were not aware of the breach, whether or not the executives (including the CFO and President of US Information Systems) had knowledge doesn’t really matter – the perception and optics of it are awful in the eyes of the public, the SEC, and state attorneys general. Consider ensuring that the entire senior team is notified immediately in the event of a security breach, and have your General Counsel or external breach counsel discuss with them the risks of continuing with any automated stock sale programs in light of the breach.

5. Consider offering credit monitoring as an employee benefit.

Finally, employers may want to consider adding credit monitoring as an employee benefit, by offering subsidized or free credit monitoring services to their employees through a partnership with a credit bureau or a third-party provider such as AllClear ID. While there are some questions as to the value of credit monitoring in protecting against identity theft, services that notify you and/or require your approval before a new account is opened can be very valuable in fighting identity theft. As the possibility of identity theft is becoming a fact of life in the 21st century, companies may find it beneficial to help their employees guard their identity. Among other benefits to companies, minimizing identity theft reduces the time employees need to take away from work, whether as PTO or lost productivity, to deal with the repercussions of having their identity stolen, and provides employees with increased peace of mind with respect to identity protection.

Eric Lambert has spent most of his legal career working in-house as a proactive problem-solver and business partner. He specializes in transactional agreements, technology/software/e-commerce, privacy, marketing and practical risk management. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.

The New Revenue Recognition Standards Are Coming – Will You Be Ready?

Most companies measure their financial performance by the revenues and other compensation they earn through their business operations, which in many cases means the sale of goods or provision of services. Knowing when to recognize the proceeds from a sale of good or provision of services as revenue is therefore critical to financial reporting. For many years, two different rules by two different standards organizations governed revenue recognition:

  1. The Financial Accounting Standards Board (“FASB“)’s Accounting Standards Codification (“ASC“) provide US generally accepted accounting principles (“GAAP“), including those governing revenue recognition. Under the current GAAP revenue recognition rule in ASC 605, revenue recognition varies by industry and in some cases by transaction, which makes revenue recognition a complex and difficult exercise in many situations.
  2. The International Accounting Standards Board (“IASB“)’s International Accounting Standards (“IAS“) provide an international standard for financial statements and accounting. Under the current international revenue recognition rule known as IAS 18, revenue recognition also varies by industry and transaction type, but IAS 18 provides less guidance than ASC 605 making it harder for companies to recognize revenue in a consistent fashion. The IASB is the successor to the International Accounting Standards Council (“IASC“) which originally promulgated the IAS.

Beginning in 2001, the IASB began replacing the IAS with new International Financial Reporting Standards (“IFRS“). In 2002, the FASB and IASB began collaborating on developing an improved. stronger, more robust, more useful, more consistent revenue recognition standard to make revenue recognition simpler and easier to consistently apply. This collaboration bore fruit 12 years later in May 2014, when the FASB and IASB released a converged revenue recognition standard titled Revenue from Contracts with Customers, codified as ASC 606 by FASB and IFRS 15 by IASB. Since 2014, there have been a few amendments (and implementation delays) by the FASB and IASB, and there have been a few small areas where the standards have diverged (e.g., the definition of what “probable” means). Despite this, for the most part the goal of a unified revenue recognition standard remains intact. These new standards will go into effect in December 2017 (for ASC 606) and January 2018 (for IFRS 15). All this background can be summarized in the following table:

A tabular representation of the history behind the ASC 606 / IFRS 15 revenue recognition standard.Here’s what you need to know about the new twin revenue recognition standards (for simplicity, this analysis is based on ASC 606):

How Revenue Recognition Works Under ASC 606/IFRS 15

To recognize revenue under the new standard, companies must do 5 things: (1) identify a customer contract, (2) identify the distinct performance obligations under that contract, (3) determine the transaction price (expected revenue), (4) allocate the expected revenue to the performance obligations, and (5) recognize allocated revenue when (or as) each performance obligation is satisfied. As stated in ASC 606, “an entity should recognize revenue to depict the transfer of promised goods or services to customers in an amount that reflects the consideration to which the entity expects to be entitled in exchange for those goods or services.” As we go through each step, keep this visual representation in mind:

ASC 606 Revenue Recognition DiagramStep 1 – Identify the contract(s) with a customer. The first step of the revenue recognition process is to identify a contract, i.e., an agreement creating enforceable rights and obligations among two (or more) parties. A contract must be signed or otherwise approved by the parties, must have identifiable rights and payment terms, have commercial substance, and it must be probable that one party will receive the revenue or other consideration expected from the performance of its obligations (e.g., provision of goods or services). Remember that a contract does not have to be in writing to be considered a contract for revenue recognition purposes – oral or implied contracts may satisfy these requirements.

Step 2 – Identify the contract’s distinct performance obligations. For goods and services contracts, a “performance obligation” is promise to transfer a good or provide a service to another party. A “distinct” performance obligation is one that benefits the recipient alone or with other readily available resources (e.g., delivery of a computer that is usable with power and Internet access obtained separately) and can be identified separately from other obligations under the contract (e.g., a company is delivering 5 computers, delivery of all 5 computers should be combined into a single performance obligation). A series of distinct performance obligations that are substantially similar can still be treated as individual performance obligations (e.g., delivery of a new computer at the start of each quarter during a calendar year, 4 new computers total). In a services agreement such as a SaaS contract, implementation obligations and the provision of services may be separate obligations. A SaaS company may look at its distinct performance obligation as providing a service each day during the term of the Agreement, so each day would be a distinct performance obligation.

Step 3 – Determine the transaction price. The “transaction price” is the expected payment and other consideration to be paid/provided in return for satisfaction of the performance obligations. Financial consideration can usually be grouped into fixed (stated in the contract) vs. variable (contingent on the occurrence or non-occurrence of a future event). For variable consideration, companies should look at the expected value taking into account the potential for changes in the variable payment component. If compensation for a performance obligation will be deferred, and not paid contemporaneously with the satisfaction of the performance obligation, the present value of the deferred compensation should be considered. Non-cash compensation (e.g., bartered goods or services) should be measured at fair value, or if not available the standalone selling price. Other consideration such as coupons or vouchers may need to be deducted from the transaction price. For SaaS companies that use a tiered pricing structure and monthly or annual minimums, calculating the expected revenue can be tricky (e.g., by using a probability-weighted methodology).

Step 4 – Allocate the transaction price to the performance obligations. If your contract has one performance obligation, you’re already done with this step. If not, the next step is to allocate the transaction price among each distinct performance obligation, i.e., to separate the transaction price into each discrete “piece” of consideration a party expects to receive from satisfying the associated performance obligation. This can be done by allocating the standalone selling price (i.e., the price at which the good would be sold separately) to the performance obligation, or where that standalone price is not available, the selling entity should estimate it by utilizing as many observable data points as possible to come up with the best estimate possible. ASC 606 includes examples of estimation methods. If a company provides a discount, the discount should be allocated proportionally among the expected revenue for the performance obligations to which the discount applies.

Step 5 – Recognize allocated revenue when (or as) the performance obligations are satisfied. The final step is to recognize each allocation of the transaction price as each distinct performance obligation is satisfied (i.e., the promised good or service is transferred to the recipient). For physical assets, transfer occurs when the recipient obtains control of the asset. For services, a performance obligation is satisfied when the benefits from the provider’s performance are received and utilized, the provider’s performance creates and/or enhances an asset in the recipient’s control, or the provider’s performance creates a payment right without creating an asset with an alternative use to the recipient (e.g., a company is contractually restricted from using a provided service for other purposes). Performance obligations may be satisfied on a specific date (e.g., for delivery of goods) or over a specific time period (e.g., for delivery of services). If satisfied over a time period, revenue may be recognized based on the progress towards satisfying the performance obligation.

Get Prepared Now

While it may seem like there is plenty of time to prepare for the implementation of the new revenue recognition standard, there’s a lot of work that needs to be done to be ready, including the following:

  • Learn the details. It’s important to note that this article represents a very high-level summary of the new revenue recognition standard. Having a more in-depth understanding of the new standard and how it applies to your company and its costing models/contracts is critical. There is an abundance of articles, seminars, and other publicly-available materials available on ASC 606 and IFRS 15. Also, talk with your accounting firm on what they have done as a firm to prepare, and their recommended action plan for your business – they may have some great materials they can provide to get you and your company up to speed.
  • A lot of work be done proactively. Conduct a proactive review of existing contracts, contractual obligations, and other revenue sources that may be classified as a “contract” subject to the new revenue recognition standard. Analyze each to determine the distinct performance obligations, and determine the transaction price. Work with your accountants to allocate the transaction price among the performance obligations.
  • Review (and update if necessary) contract templates. Accounting should partner with Legal and Sales to review sales proposal templates and contract templates describing or creating performance obligations. Review all standard variations of pricing offered to clients to identify any issues under the new revenue recognition standards. Consider whether warranties, returns language, or other contractual terms create distinct performance obligations and how they can be satisfied. Make any updates as necessary to ensure your templates align with the new standards going forward.
  • Create a plan. Assign a resource to manage the process of preparing for the new standard. Consider creating a cross-departmental group to meet regularly to discuss progress and assign tasks. Consider what internal education will need to be done to prepare employees and groups for the new standard, what changes to internal or third party systems may be required, what additional disclosure requirements may be required, whether internal policies will need to be updated or created, and what changes may be needed to internal processes. Secure the support of executive sponsors, such as the CFO and CEO. If you have personnel who were involved in rolling out SOX compliance in the early 2000s, talk to them about lessons learned to avoid repeating the mistakes of the past.

Eric Lambert is Assistant General Counsel and Privacy Officer at CommerceHub, a leading cloud services provider helping retailers and brands increase sales and delight shoppers through supply solutions to expand product assortment, demand solutions to promote and sell products on the channels that perform, and delivery solutions to enable rapid, on-time customer delivery. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. Eric works primarily from his home office outside of Minneapolis, Minnesota. He is a technophile and Internet evangelist/enthusiast. In his spare time, Eric dabbles in voice-over work and implementing and integrating connected home technologies.

7 Tips for Implementing a Records Retention Policy Employees Will Follow

How long to hang on to corporate information and records (records retention) is a common source of conflict within companies. Those in the “keep it” camp believe companies should keep any business records that are needed to conduct business operations effectively, records that serve as a company’s “corporate memory,” records that must be kept for legal, accounting or other regulatory compliance purposes, or have other value to the company (such as protecting the company’s interests). Those in the “destroy it” camp believe companies must promptly destroy records when there is no longer a legitimate business need to retain them, in order (a) to ensure they are minimizing the amount of information that could potentially be exposed in the event of a security breach, inadvertent disclosure, legal disclosure requirement such as a subpoena, or during the discovery phase of litigation, (b) to comply with legal, accounting and other regulatory requirements to destroy information after a certain time, and (c) to reduce the costs of discovery and of storing corporate information. Which side is right?

The answer, of course, is that they’re both right. All of the reasons to keep corporate records, and all the reasons to destroy them, are legitimate. This is the “double-edged sword” of records retention.  For every argument that “we might need that piece of information somewhere down the line,” there’s a counterargument that “we could get in trouble someday if we still have that piece of information around.” The way to ensure your company is striking the right balance between these two extremes is to have a written records retention policy that balances the reasons to retain information against the reasons to destroy it, by setting appropriate “retention periods” for various categories of corporate records and requiring employees to destroy data once the retention period is ended in most cases. It is an essential component of a company’s incident response planning process to reducing the amount of information potentially exposable in the event of a security incident or breach. The policy must cover corporate records wherever located, including physical and electronic data wherever stored (in employee workstations, on intranets and network drives, in third party data centers, in cloud-based service providers’ systems, etc.)  It should list the categories of business records governed by the policy (I prefer a table format), and the records retention period for each category. It should clearly explain to employees what they need to do to comply with the policy, including how to ensure records are properly destroyed when the retention period ends.

It’s easy to argue why companies need a records retention policy. It’s much harder to actually draft and successfully implement one. Here are 7 drafting and implementation tips to help drive the success of your records retention policy.

1. Success is directly proportional to simplicity and communication.

The simpler you can make a records retention policy, the easier it will be for employees to follow it and the greater the likelihood that employees will take time to follow it. Policies that add significant process requirements into the life of rank-and-file employees who already feel like they are “doing more with less” and may be resistant to new ways of doing things are often met with skepticism at best, and outright rebellion at worst. It can be very difficult to successfully implement and administer a records retention policy if employees feel it is onerous and unnecessarily impeding their ability to do their job. If that happens, employees may simply ignore the policy in favor of their day-to-day business duties, or worse, use the records retention policy as a scapegoat if they fail to deliver on their projects and goals.

To solve this problem, ensure your policy is written as simply as possible, take into account the employee’s perspective, and have a communication plan to roll it out. Ensure your policy overview answers questions such as “Why is having a records retention policy important to me?”, “How hard will it be to follow the policy?”, and “What do I have to do under the policy?” Consider using a “frequently asked questions” format for the policy overview. Have a few employees whose opinion you value give you feedback on the policy. Develop a communication plan to roll out the policy to all employees, and leverage HR and Marketing for their input to make it as effective as possible. Ensure your senior leadership team endorses the policy so employees understand it has top-level visibility.

2. Set a “once per year” date for retention periods to expire.

One way to write a records retention policy is to have a fixed retention period for each business record run from the date the record was created. Under that approach, retention periods will be expiring throughout the year.  If the records retention policy requires employees to destroy records immediately upon expiration of the retention period, the policy may require employees to be managing document destruction on a daily or near-daily basis. This may make compliance seem like a daunting task to employees, even if your policy allows employees to destroy expired business records one per month or once per quarter.

As an alternative, consider having the expiration date for all retention periods expire on the same day during each calendar year by having your retention period be measured in full “retention years,” defined as a full calendar year or other 12-month measurement period. For example, if you set December 31 as your annual date for expiration of records retention periods, a presentation created on May 15, 2016 which must be kept for 3 “retention years” would be kept from May 15, 2016 through December 31, 2019 (3 full calendar years from the date of creation). While this approach does extend the retention period for some documents by a bit, that may be an acceptable trade-off to a simple, once-per-year obligation to destroy records under the records retention policy. Consider tying your annual records retention period expiration date into an “office clean-up days” event in partnership with HR where everyone pitches in to tidy up the office, clean up their workspaces, and destroy any documents for which retention periods have expired under the records retention period.

3. Right-size the departments and categories of corporate records listed in the policy.

In an effort to be as comprehensive as possible, some records retention policies include a significant number of categories of information subject to retention requirements. This can result from using an “all purpose” template such as a template obtained from a law firm, from a colleague, or from online searches. In others, a company may want to ensure they are not missing anything by including everything employees have today or could have in the future. One size does not fit all with respect to records retention categories. Consider having a “general” or “common business records” category as the first section of business records in your policy, covering items like business presentations, contracts and agreements (both current and expired); general and customer/vendor correspondence; material of historic value; software source code; etc. Then determine which departments have additional, specialized categories of business records (e.g., HR, IT, Finance, Marketing, Legal, etc.) that should be listed specifically in the policy. For each such department, learn which business records they have and use to create a first draft of your categories list and retention periods. Using a general/departments grouping of categories allows employees to find the information on records retention applicable to them a targeted and streamlined fashion. There will likely still be a significant number of categories of corporate records, but taking the time to think through the right categories for your company’s records retention policy will help ensure it is as easy as possible for employees to read, follow and use.

4. Use a limited number of retention periods, with “permanent” used as sparingly as possible.

Another common issue with records retention policies is the use of a large number of retention periods. Different departments may have different periods under which they currently retain documents, and they may put pressure to keep their own retention periods in an enterprise-wide policy. A policy with a large number of retention periods will make it harder for employees to follow, and harder for IT and others to operationalize. Remember, simplicity where possible is key to success. Consider using a limited number of retention periods (e.g., 1 year, 3 years, 5 years, 7 years, Permanent) which will simplify administration of, and compliance with, the policy. For departments with different existing retention periods, determine which of the next closest periods (longer or shorter) will work, and be prepared to explain to the head of that department why a limited number of periods is essential to the successful implementation of an enterprise-wide policy.

It can be tempting to put many things into a “permanent” bucket (those in the “keep it” camp are likely candidates to ask for this category). However, overuse of the “perpetual” category cuts against the reason for implementing the policy in the first place. While some documents may need to be kept perpetually, for example, information subject to a document preservation notice due to litigation, document categories should be assigned a “permanent” retention period very sparingly. Use it where it is legally necessary to preserve a category of documents (e.g., it’s required for regulatory purposes), or where there is a compelling business interest in keeping it forever (e.g., prior art that may have value in defending against a future patent infringement claim). One way to find a “happy medium” with those in the “keep it” camp is to include in your policy a mechanism by which Legal and the CISO/CIO can approve an exception to the retention period on a case-by-case basis, but make clear that exceptions will be rarely very sparingly and only where legally necessary or where there is a compelling business interest.

5. Partner with department heads to solicit and incorporate their feedback, and to turn them into champions of an enterprise-wide policy.

One of the keys to the successful roll-out of a records retention policy is to have the support of senior management and department heads. Compliance with a records retention policy should be driven from the top down, not bottom up. It’s also important to consider that just because a company has not implemented an enterprise-wide records retention policy does not mean that some departments have not “gone it alone” and implemented their own limited retention and destruction schedule. Partnering with department heads to gain their support for an enterprise policy, and ensure their own efforts are leveraged as part of the broader policy, is essential.

Once a draft policy is prepared, set up one-on-one meetings with the leader of each department to let them know that you want the enterprise policy to be a collaborative (and not an imposed) effort on his/her department. If they have department-specific document categories or retention periods, leverage them to the greatest extent possible to minimize the impact the enterprise policy will have on that department. If they do not, walk them through the reasons why having a well-followed enterprise records retention policy will benefit the company as a whole. Walk the department head through the draft policy, and ensure they agree with the categories and retention periods applicable to their business unit. Try to incorporate their feedback wherever possible, and talk them through where you cannot (e.g., they ask for a non-standard retention period). Finally, ask for their help in rolling the policy out to their department, e.g., by sending a note to the department as a follow-up to the enterprise-wide policy announcement. By meeting with department heads, you will not only ensure the policy hews as closely as possible to the operational and compliance needs and practices of each department, but also establish a contact for future revisions/enhancements to the policy, and hopefully foster an internal champion to help drive the success of the policy.

6. Ensure the policy accounts for document preservation notices. 

One critical element of any records retention policy is a very important exception — information subject to a litigation hold or other document preservation notice (such as in the event of litigation or anticipation of future litigation, where the company receives a subpoena, etc.) If employees follow the records retention policy and destroy business records that are relevant to a legal proceeding or subpoena, the company could face very significant fines and penalties. Ensure that the records retention policy makes it very clear that a document preservation notice supersedes the records retention periods, and that any documents and business records subject to a litigation hold or other document preservation notice must be kept for as long as the preservation notice is in effect regardless of the expiration of the retention period. It’s also important to communicate that once an employee is notified that a document preservation notice has been canceled, any documents subject to the notice should be destroyed at the next anniversary date. Ensure that any systems and processes used by the company to operationalize the records retention policy (e.g., automatic deletion of emails after a certain amount of time) account for the preservation of documents and business records subject to a preservation notice irrespective of the retention periods.

7. Partner with IT to implement technical safeguards to minimize policy “workarounds.”

Finally, partnering with IT will be critical to the success of the policy. In many cases, some document destruction processes can be automated (for example, emails can be deleted after a certain period, files older than a certain date can be automatically deleted from network shares, etc.) Work with your IT group to determine what technological solutions can be put in place to help operationalize the records retention policy. At the same time, some employees may believe that their needs trump the records preservation policy, and will try to work around it (e.g., by saving emails to a PST, printing them to a PDF and saving them on a network drive, “backdating” them by changing the system date before saving files, etc.) Partner with your IT team to put as many appropriate technical safeguards in place as possible to minimize employee workarounds to the records retention policy.

Eric Lambert is Assistant General Counsel and Privacy Officer at CommerceHub, a leading cloud services provider helping retailers and brands increase sales and delight shoppers by expanding product assortment, promoting and selling products on the channels that perform, and enabling rapid, on-time customer delivery. He works primarily from his home office outside of Minneapolis, Minnesota. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.

Practical Tips for Managing Risks in Vendor, Supplier, and other Partner/Provider Relationships

The best place to stop a snowball from rolling the wrong way is the top of the hill.

When it comes to managing risk in business, there are two fundamental principles:

  1. You can’t disarm all of the land mines. A risk is like a land mine – it will detonate sooner or later once the right factors occur. Part of risk management is having enough information to know (or make an educated guess) at which risk “land mines” are more likely to go off than others, so you can stack rank and disarm the land mines in the right order. That way, hopefully you’ll disarm each one in time, and if one does goes off before you can disarm it it will cause minimal damage.
  2. You don’t have to stop every factor from occurring; you have to stop at least one factor from occurring. If a risk “land mine” detonates, a number of things all went wrong at the same time. Think of it as the lock on Pandora’s Box – for the lock to open (the land mine going off), the pins in the cylinder (the environmental factors) must align perfectly with the key (the catalyst). As long as one of the pins are misaligned, the lock won’t open. If you don’t have the resources or ability to ensure all pins are misaligned, try to ensure at least one pin is misaligned so the land mine can’t go off. (If more than one is misaligned, that’s even better.)

To manage a risk, a business must first mitigate and shift the risk to reduce the chance of the land mine detonating to the greatest extent possible, and then accept or rejectthe residual risk to the business. (For more on this, please see my earlier LinkedIn article on Revisiting Risk Management).

When it comes to your relationships with your key vendors, suppliers and other partners/providers, risk management principles should be applied to both existing partners/providers, prospective partners/providers, and “inherited” partners/providers (e.g., through acquisition). There are a number of ways to mitigate and shift risk in these relationships:

Mitigating the Risks

  • Do due diligence on your partners and providers. Perform research to see if the partner/provider has had security or privacy problems in the past. If they are public, look at the risk factors in their securities filings. Look at the partner/provider’s privacy policy to see if they make any claims they likely cannot live up to, or are overly broad in what they can do with your company’s data. Watch out for unrealistic marketing statements regarding privacy, security or their ability to perform the obligations you are contracting for. Use RFPs to gather information on prospective partners/providers up front (and keep it in case you need to refer to it later on if something they told in you in RFP proves not to be true).
  • Don’t automatically disqualify companies that have had past problems. If an RFP reveals that a partner/provider has had a past issue, focus on what steps they have taken to remediate the issue and protect against a recurrence. The result may be that they have a more robust security and risk management program than their peers.
  • Ask them what they do. Consider adding privacy and security questions to your RFP to gather information on current practices and past problems/remediation efforts (and to make them put it in writing). Watch out for answers that are too generic or just point you to their privacy policy.
  • Set online alerts, such as Google Alerts, to stay up-to-date on the news relating to your prospective or current partner/provider during the course of your negotiations and relationship, and escalate any alerts appropriately. If the partner/provider is public, set an alert for any spikes (up or down) in stock price.
  • Plan for the inevitable. Inevitably, your business relationship will end at some point. It could end when you’re ready for and expecting it, but you can’t count on that. If your partner/provider is mission-critical, develop an “expected” and “unexpected” transition plan and confirm that the partner/provider can locate and provide you the data you need to execute on that plan. For example, ensure you have all information and data you may need if the partner/provider ceases operations (for example, routinely download reports and data sets from their portal, or set up an automated feed). Alternatively, consider ways to ensure that if a partner/provider creates and stores mission-critical information (e.g., order or personal information, critical reports or data, etc.), it’s mirrored securely to a location in your control on a regular basis so that if there’s a problem, you have a secure and current data set to work from. This may be required or important under your company’s business continuity plan, and your contractual commitments to your clients.
  • Know your alternatives. Keep abreast of alternative partners/providers, do initial vetting from a security perspective, and maintain relationships with them. If a problem occurs, the company may have to switch partners/providers quickly. If you have taken the time to cultivate a “rainy day” relationship, that partner/provider may be happy to go out of their way to help you onboard quickly should a problem with your existing partner/provider occur (in the hopes that your company may reward their help with a long-term relationship).
  • Know what you have to do to avoid a problem. Once negotiated, contracts often go in the drawer, and the parties just “go about their business.” Make sure you know what your and your partner/provider’s contractual obligations are, and follow them. If they have “outs” under the contract, ensure you know what you need to do in order to ensure they cannot exercise them. If terms of use or an Acceptable Use Policy (AUP) or other partner/provider policies apply, make sure the right groups at your company are familiar with your obligations, and ensure they are being checked regularly in case they are updated or changed. If possible, minimize the number of “outs” during the negotiation. For existing or inherited partners/providers, consider preparing a list of the provisions you want to try to remove from their agreements so you can try to address them when the opportunity arises in the future (e.g., in connection with a renewal negotiation).
  • Put contractual provisions in place. Sales and Procurement should partner with IT and Legal to ensure that the right risk mitigation provisions are included in partner/provider agreements on an as-needed basis. Consider adding a standard privacy and security addendum to your agreements, whether on their paper or yours. Common provisions to consider include a security safeguards requirement; obligation to protect your network credentials in their possession; obligation to provide security awareness training (including anti-phishing) to their employees (consider asking for the right to test their employees with manufactured phishing emails, or getting an obligation that they will do so); requiring partners/providers to maintain industry standard certifications such as ISO 27001 certification, PCI certification, SOC 2 Type 2 obligations, etc.; obligation to encrypt sensitive personal information in their possession; obligations to carry insurance covering certain types of risks (ensure your company is named as an additional insured, and try to obtain a waiver of the right of subrogation); rights to perform penetration testing (or an obligation for them to do so); a obligation to comply with all applicable laws, rules and regulations); an obligation to complete an information security questionnaire and participate in an audit; language addressing what happens in the event of a security breach; and termination rights in the event the partner is not living up to their obligations. Not all of these provisions make sense for every partner/provider. Another approach to consider is to add appropriate provisions to a supplier/vendor code of conduct incorporated by reference into your partner/provider agreements (ensure conflicts are resolved in favor of the code of conduct).

Shifting the Risks

  • Use contractual indemnities. An indemnity is a contractual risk-shifting term through which one party agrees to bear the costs and expenses arising from, resulting from or related to certain claims or losses suffered by another party. Consider whether to include in your partner/provider agreement an indemnity obligation for breaches of representations/warranties/covenants, breach of material obligations, breach of confidentiality/security, etc. Consider whether to ask for a first party indemnity (essentially insurance, much harder to get) vs. a third party indemnity (insulation from third party lawsuits). Remember that an indemnity is only as good as the company standing behind it. Also, pay close attention to the limitation of liability and disclaimer of warranties/damages clauses in the agreement to ensure they are broad enough for your company.
  • Request a Parental Guaranty. If the contracting party isn’t fully capitalized, or is the subsidiary of a larger “deep pocketed” organization, consider requesting a performance and payment/indemnification guaranty to ensure you can pursue the parent if the subsidiary you are contracting with fails to comply with its contractual obligations.
  • Acquire insurance. Finally, consider whether your existing or other available insurance coverage would protect you against certain risks arising from your partner/provider relationships. Review the biggest risks faced by your company (including risks impacting your partner/provider agreements) on a regular basis to determine if changes to your insurance coverage profile are warranted; your coverage should evolve as your business evolves. Understand what exclusions apply to your insurance, and consider asking your broker walk you through your coverage on an annual basis.